Logging commands for auditing with Snoopy in Linux

System administrators often want to set up an audit trail for accounting purposes. When something abnormal happens, they want to know what happened on the system, when it happened and who did it. An effective audit trail is practically mandatory for compliance.

There are several ways to do this; a common one is the Bash shell variable PROMPT_COMMAND. Snoopy is a generic and efficient alternative, and the content of its audit log can be customized in its config file. I’ll show you how to set Snoopy up on Linux here.

How snoopy works

Snoopy is a wrapper around the execve() function. execve() is the Linux system call that executes the program referred to by a given filename, so every program launch passes through it; Snoopy records the call and its arguments before handing over to the real execve().

Snoopy logs through syslog with the authpriv facility. Events for this facility normally show up in the file /var/log/auth.log.

Installing Snoopy

On Debian / Ubuntu

apt-get install snoopy

During installation it asks for your permission to add the Snoopy library to /etc/ld.so.preload, so that it is loaded into every dynamically linked process and can act as a middle-man between the program and the real execve(). This is the only place Snoopy hooks in: its library is loaded via /etc/ld.so.preload.

Once the library is listed there and loaded (log in again to make it take effect), every new command is “intercepted” and logged to the specified log file, which by default is /var/log/auth.log.

tail /var/log/auth.log

The output will look similar to:

Feb 27 05:17:25 ns snoopy[3703]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/sbin/ldconfig]: /sbin/ldconfig -p
Feb 27 05:17:25 ns snoopy[3704]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip link show
Feb 27 05:17:25 ns snoopy[3705]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip addr show

The installation of Snoopy is very handy on Ubuntu/Debian, and it is configured by editing /etc/snoopy.ini, which defines the log format, syslog ident and log level. You should also consider setting up a remote syslog server to collect the audit logs for off-site analysis: a log kept only on the host can be altered by anyone who gains root there, while a copy that has already been shipped elsewhere cannot.
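As an added example (not part of the original post or of the Snoopy project), here is a small Python parser for the default log format shown above. It also flags two things a reviewer would want to look at: lines whose real and effective uid differ, and commands that name /etc/ld.so.preload or /etc/snoopy.ini, since those two files control whether the hook is active at all. The fourth sample line, including the user alice, its pid, sid, tty and cwd, is constructed; the first three are the lines from the output above.

```python
import re
from collections import namedtuple

# One auth.log line in Snoopy's default format, as in the sample output above:
# "<timestamp> <host> snoopy[<pid>]: [<key:value fields>]: <command line>"
_LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                      r"snoopy\[(?P<pid>\d+)\]: \[(?P<fields>.*?)\]: (?P<cmd>.*)$")
# "key:value" pairs; a value runs up to the next " key:" so paths keep their slashes.
_FIELD_RE = re.compile(r"(\w+):(.*?)(?= \w+:|$)")

SnoopyEvent = namedtuple("SnoopyEvent", "ts host pid uid euid user sid tty cwd filename cmd")
# Files that enable or configure the execve() hook: a command naming one of them
# can silence the audit trail, so it deserves review.
AUDIT_HOOK_FILES = ("/etc/ld.so.preload", "/etc/snoopy.ini")

def parse_line(line):
    """Parse one Snoopy line into a SnoopyEvent; return None for any other line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    f = dict(_FIELD_RE.findall(m.group("fields")))
    return SnoopyEvent(m.group("ts"), m.group("host"), int(m.group("pid")),
                       int(f["uid"]), int(f["euid"]), f["user"], int(f["sid"]),
                       f["tty"], f["cwd"], f["filename"], m.group("cmd"))

def review_reasons(ev):
    """Why an event deserves a closer look; an empty list means nothing unusual."""
    checks = [(ev.uid != ev.euid, "real uid %d differs from effective uid %d" % (ev.uid, ev.euid)),
              (any(p in ev.cmd for p in AUDIT_HOOK_FILES), "command touches an audit hook file")]
    return [msg for hit, msg in checks if hit]

def scan(lines):
    """Return [(event, reasons)] for every Snoopy line that has review reasons."""
    events = filter(None, map(parse_line, lines))
    return [(ev, r) for ev in events for r in [review_reasons(ev)] if r]

# Sample input: the three lines from the output above plus one constructed line
# (user, pid, sid, tty and cwd are made up) editing the preload file with uid != euid.
SAMPLE_LOG = """\
Feb 27 05:17:25 ns snoopy[3703]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/sbin/ldconfig]: /sbin/ldconfig -p
Feb 27 05:17:25 ns snoopy[3704]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip link show
Feb 27 05:17:25 ns snoopy[3705]: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip addr show
Feb 27 05:20:01 ns snoopy[3710]: [uid:1000 euid:0 user:alice sid:812 tty:pts/0 cwd:/home/alice filename:/usr/bin/vi]: vi /etc/ld.so.preload
""".splitlines()

for ev, reasons in scan(SAMPLE_LOG):
    print("%s %s ran %r: %s" % (ev.ts, ev.user, ev.cmd, "; ".join(reasons)))
```

Pointing `scan()` at lines read from /var/log/auth.log (or from the remote syslog copy) gives the same result on a real host; lines from other daemons are skipped by `parse_line()`.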


On CentOS 7 / RedHat Enterprise Linux 7

Snoopy is not a standard package in CentOS and Red Hat, so you need to build your own package from scratch. I just did that for you. You can either download the spec file here, or the pre-compiled package snoopy-2.4.6-2.el7.x86_64.rpm. I’m running this version on several hundred CentOS 7 boxes. The installation of snoopy is then as normal:

rpm -ivh snoopy-2.4.6-2.el7.x86_64.rpm

Now it’s all set.

Finally, if you run into any issues, don’t forget to report them on the official Snoopy site at Github.com or write to me.
