File contents gets audited with scp/rsync
When i copy a file with scp/rsync the contents of the file gets audited by the remote host and everything is shown in the records at the framework manager's reports. I guess it's not normal (im not an expert of PAM), so i'm looking for a way to disable/to something about it.
Best regards, Thomas
Re: File contents gets audited with scp/rsync
Check the Reporting Console for the "command" in this session and you'll want to create a command control rule specifically for this type of session (scp/rsync) if you don't yet already have one. Once you are targeting just this traffic using Command Control Rule Conditions (e.g. command IN filter), then you can set to Authorize the session, but then disable Session Capture. This will prevent the contents from being captured as you have described, but still track session-level audits and authorize it.