Open philip-teleport opened 1 week ago
when downloading a file, the "SFTP Open" audit event does not include file size information
This is largely by design and probably not something we will change.
Teleport's SFTP audit events are meant to indicate specific protocol-level actions. To "download" a file, what you are actually doing is:
The only actions that have a size associated with them are read/write actions. There is no concept of size when opening or closing a file.
What would you like Teleport to do?
Audit the size of files uploaded and downloaded via
tsh scp
(or via the web UI).What problem does this solve?
Currently, on the Teleport v15, when downloading a file, the "SFTP Open" audit event does not include file size information and when downloading a file, the
file_size
attribute in the "SFTP Setstat" is alway set tonull
.Auditing file sizes on file upload and download would allow alerts based on file size to be triggered from a SIEM solution, when Teleport audit events are exported.
If a workaround exists, please include it.
None