Commandline auditing with Snoopy on Linux

System administrators often want to set up an audit trail for accounting purposes. When something happens, they want to be able to know what happened, when it happened and who did it. An effective audit trail is more or less mandatory for compliance.

There are several ways to do this; the common example is the “PROMPT_COMMAND” hook in Bash. Snoopy is a more generic approach, and the audit log format can be easily defined in a config file. We will show how to use it on Linux in this post.

How snoopy works

Snoopy is a wrapper around the execve() function. execve() is the Linux system call that asks the kernel to execute the program pointed to by a filename. Because Snoopy is a shared library that is preloaded into every dynamically linked process (see /etc/ld.so.preload below), it sees every execve() regardless of which shell or program issued it, and writes one line per executed command to syslog.

The syslog facility used is authpriv. Normally events for this facility end up in the file /var/log/auth.log.

Installing Snoopy

Debian / Ubuntu

apt-get install snoopy

During installation it will ask for your permission to add the wrapper library to /etc/ld.so.preload, so that it is loaded into every process and can act as a middle-man. After installation, the Snoopy library should be listed in /etc/ld.so.preload.

If the library is listed, new commands will be “intercepted” and logged to your auth.log:

tail /var/log/auth.log

The output will look similar to:

Feb 27 05:17:25 ns snoopy[3703]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/sbin/ldconfig]: /sbin/ldconfig -p
Feb 27 05:17:25 ns snoopy[3704]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip link show
Feb 27 05:17:25 ns snoopy[3705]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip addr show

The installation of Snoopy is easy and quick on Ubuntu/Debian, and further configuration can be done by editing /etc/snoopy.ini. snoopy.ini defines the log format, the syslog ident, and the log level. You might want to consider setting up a remote syslog server to collect execution logs on a central node for further analysis, since a log that only lives on the audited host can be altered by whoever gains root there.
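As an added example (not from this post or from the Snoopy project), here is a small Python parser for the default Snoopy line format shown above, together with a review pass that flags executions where the effective uid differs from the real uid (a setuid program such as sudo) or that were started from a world-writable directory. Everything after the two lines quoted from the post is constructed sample data, and the two flagging rules are illustrative assumptions, not Snoopy features.

```python
import re
from typing import Dict, List, Optional

# Default Snoopy layout as seen in /var/log/auth.log (see the sample output above):
# <syslog timestamp> <host> snoopy[<pid>]: [key:value key:value ...]: <command line>
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<fields>[^\]]*)\]: (?P<cmd>.*)$"
)

def parse_snoopy_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Snoopy line into its fields; None for lines from other daemons.
    Assumes the default snoopy.ini format, where fields are space-separated
    key:value pairs, so a cwd or filename containing a space is not handled."""
    m = SNOOPY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "pid", "cmd")}
    for token in m.group("fields").split():
        key, _, value = token.partition(":")   # split on the first ':' only
        rec[key] = value
    return rec

def flag_records(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records that deserve a second look. The two rules below are
    constructed examples of what a reviewer might want to see, not Snoopy logic."""
    flagged = []
    for line in lines:
        rec = parse_snoopy_line(line)
        if rec is None:
            continue          # sshd, cron and other auth.log traffic
        reasons = []
        if rec.get("uid") != rec.get("euid"):
            reasons.append("uid/euid mismatch")
        if rec.get("cwd", "").startswith(("/tmp", "/dev/shm")):
            reasons.append("exec from " + rec["cwd"])
        if reasons:
            rec["reasons"] = "; ".join(reasons)
            flagged.append(rec)
    return flagged

# Constructed sample: the first two lines are quoted from the post, the rest are made up.
SAMPLE_LOG = [
    "Feb 27 05:17:25 ns snoopy[3703]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/sbin/ldconfig]: /sbin/ldconfig -p",
    "Feb 27 05:17:25 ns snoopy[3704]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip link show",
    "Feb 27 05:17:30 ns sshd[3690]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Feb 27 05:18:01 ns snoopy[3710]: [uid:1000 euid:0 user:alice sid:900 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/sudo]: sudo -i",
    "Feb 27 05:18:40 ns snoopy[3722]: [uid:1000 euid:1000 user:alice sid:900 tty:/dev/pts/0 cwd:/tmp filename:/bin/sh]: sh ./install.sh",
]
```

Calling flag_records(SAMPLE_LOG) returns the sudo line (uid/euid mismatch) and the /tmp line; the same functions can be fed the output of tail or a remote syslog collector line by line.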

CentOS/RedHat

Snoopy is not a standard package in CentOS and Red Hat, so you need to compile it from scratch. I just did that for you. You can either download the spec file here, or the precompiled package snoopy-2.4.6-2.el7.x86_64.rpm here. Installing Snoopy is then the same as for any other package.

rpm -ivh snoopy-2.4.6-2.el7.x86_64.rpm

If you face any issues, don’t forget to report them at the official site on GitHub.
