zmb3
commented
1 week ago when downloading a file, the "SFTP Open" audit event does not include file size information
This is largely by design and probably not something we will change.
Teleport's SFTP audit events are meant to indicate specific protocol-level actions. To "download" a file, what you are actually doing is:
- creating a new (empty) local file to store the result in
- telling the remote system to open a file for read
- reading N bytes from the remote file (over the SFTP connection)
- writing those N bytes to the local file
- telling the remote system to close the file
- closing the local file
The only actions that have a size associated with them are read/write actions. There is no concept of size when opening or closing a file.
What would you like Teleport to do?
Audit the size of files uploaded and downloaded via
tsh scp(or via the web UI).What problem does this solve?
Currently, on the Teleport v15, when downloading a file, the "SFTP Open" audit event does not include file size information and when downloading a file, the
file_sizeattribute in the "SFTP Setstat" is alway set tonull.Auditing file sizes on file upload and download would allow alerts based on file size to be triggered from a SIEM solution, when Teleport audit events are exported.
If a workaround exists, please include it.
None