System administrators often want to set up an audit trail for accounting purposes: when something abnormal happens, they need to know what happened on the system, when it happened, and who did it. An effective audit trail is also often mandatory for compliance.
There are several ways to get one. A common example is the PROMPT_COMMAND variable in Bash, but that only records interactive Bash sessions and is under the control of the very user being audited, who can simply unset it. Snoopy is a more generic and efficient approach: it records every program execution on the system, whatever started it, and the audit line it writes can be customized in its config file. This post shows how to set Snoopy up on Linux.
How snoopy works
Snoopy is a shared library that wraps the execve() and execv() functions. execve() is the system call a process uses to replace itself with a new program, the one at the given filename, so every program start passes through it. Because Snoopy is loaded into every dynamically linked process via /etc/ld.so.preload, its wrapper runs first, writes an audit line to syslog, and then hands over to the real execve().
By default the line is sent to syslog with the authpriv facility; on Debian/Ubuntu the syslog daemon writes that facility to /var/log/auth.log, on CentOS/RHEL to /var/log/secure. Two limitations follow from the design: statically linked binaries, and anything that issues the execve system call without going through libc, are not seen by Snoopy, and root can remove the entry from /etc/ld.so.preload at any time. That is one more reason to ship the log off the box.
On Debian / Ubuntu
apt-get install snoopy
During installation it asks for permission to add its library to /etc/ld.so.preload, so that it is loaded into every new process and can act as the middle-man.
The entry only affects processes started after it was added: your current shell does not pick it up, so log out and back in (or start a fresh shell). From then on every command is intercepted and logged through syslog, which on Debian/Ubuntu lands in /var/log/auth.log.
The output will look similar to:
Feb 27 05:17:25 ns snoopy: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/sbin/ldconfig]: /sbin/ldconfig -p
Feb 27 05:17:25 ns snoopy: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip link show
Feb 27 05:17:25 ns snoopy: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/usr/sbin/ip]: /usr/sbin/ip addr show
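The bracketed fields are what make these lines useful beyond a plain command history: sid ties a privileged command back to the login session that ran sudo, and uid next to euid shows a setuid transition. Here is an added example, not Snoopy's code and not from the original post, that parses lines in the format above and flags the ones a responder would want to see first. It assumes the field order shown on this page and that cwd and filename contain no spaces; the sample lines beyond the first are constructed, and the watch lists are illustrative choices rather than Snoopy defaults.

```shell
#!/bin/sh
# Added example (not Snoopy's code, not from the original post): parse Snoopy's
# bracketed log lines and flag the ones worth a second look.
# Assumptions: field order as shown on the page (uid, euid, user, sid, tty,
# cwd, filename); cwd/filename contain no spaces; the two watch lists below
# are illustrative, not Snoopy defaults.

TAB=$(printf '\t')

# Constructed sample log: first line is from the page, the rest are made up
# to exercise the checks (sid 812 ties the chmod back to alice's session).
SAMPLE_LOG='Feb 27 05:17:25 ns snoopy: [uid:0 euid:0 user:root sid:704 tty:(none) cwd:/ filename:/sbin/ldconfig]: /sbin/ldconfig -p
Feb 27 05:18:01 ns snoopy: [uid:1000 euid:1000 user:alice sid:812 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/sudo]: sudo -i
Feb 27 05:18:03 ns snoopy: [uid:0 euid:0 user:root sid:812 tty:/dev/pts/0 cwd:/tmp filename:/bin/chmod]: chmod 4755 /tmp/.x
Feb 27 05:18:09 ns snoopy: [uid:1001 euid:0 user:bob sid:900 tty:/dev/pts/1 cwd:/home/bob filename:/bin/sh]: sh -p
Feb 27 05:18:15 ns snoopy: [uid:1001 euid:1001 user:bob sid:900 tty:/dev/pts/1 cwd:/home/bob filename:/usr/bin/ls]: ls -la'

# World-writable scratch directories: execution from them is rarely legitimate.
SUSPECT_CWDS='/tmp /var/tmp /dev/shm'
# Binaries whose every execution deserves an alert (example choice).
WATCH_BINS='/bin/chmod /usr/bin/chmod /usr/sbin/useradd /usr/bin/passwd /usr/sbin/visudo'

# snoopy_parse LINE -> one tab-separated record:
#   uid euid user sid tty cwd filename cmdline   (prints nothing if no match)
snoopy_parse() {
    printf '%s\n' "$1" | sed -n \
        "s|^.*snoopy: \[uid:\([^ ]*\) euid:\([^ ]*\) user:\([^ ]*\) sid:\([^ ]*\) tty:\([^ ]*\) cwd:\([^ ]*\) filename:\([^]]*\)\]: \(.*\)\$|\1${TAB}\2${TAB}\3${TAB}\4${TAB}\5${TAB}\6${TAB}\7${TAB}\8|p"
}

in_list() {  # in_list NEEDLE "SPACE SEPARATED LIST"
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# snoopy_flag: reads log lines on stdin, prints "REASON sid=<sid> <cmdline>"
# for each line that trips a check. Reasons:
#   SETUID-ROOT  real uid is not 0 but effective uid is: a setuid program
#                exec'ing something is what many privilege escalations look like
#   CWD-<dir>    executed from a world-writable scratch directory
#   WATCHED-BIN  the executable is on the watch list
snoopy_flag() {
    while IFS= read -r line; do
        rec=$(snoopy_parse "$line")
        [ -n "$rec" ] || continue
        # Split on tabs only; set -f stops a cmdline like "ls *" from globbing.
        oldifs=$IFS; IFS=$TAB; set -f; set -- $rec; set +f; IFS=$oldifs
        uid=$1; euid=$2; sid=$4; cwd=$6; filename=$7; cmdline=$8
        reason=''
        if [ "$euid" = 0 ] && [ "$uid" != 0 ]; then reason='SETUID-ROOT'; fi
        if in_list "$cwd" "$SUSPECT_CWDS"; then reason="${reason:+$reason,}CWD-$cwd"; fi
        if in_list "$filename" "$WATCH_BINS"; then reason="${reason:+$reason,}WATCHED-BIN"; fi
        if [ -n "$reason" ]; then printf '%s sid=%s %s\n' "$reason" "$sid" "$cmdline"; fi
    done
    return 0
}

# Run over the constructed sample. On a live Debian/Ubuntu box:
#   tail -F /var/log/auth.log | snoopy_flag
printf '%s\n' "$SAMPLE_LOG" | snoopy_flag
```

On the sample this prints two lines: the chmod from /tmp (flagged twice, for its directory and for the binary) and bob's "sh -p" with uid 1001 but euid 0. The sudo line itself is not flagged, but its sid (812) is the pivot you would use to pull every later root command from that session.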
Installing Snoopy on Ubuntu/Debian is that easy, and its configuration lives in /etc/snoopy.ini. That file sets the message format (which fields are logged and in what order), the output (syslog by default), the syslog ident, facility and level, and optional filters. You should also consider forwarding the authpriv facility to a remote syslog server: a local log can be edited by the same root user whose actions it records, so an off-host copy is what you want for later analysis.
On CentOS 7 / RedHat Enterprise Linux 7
Snoopy is not in the standard CentOS/RHEL repositories, so you need to build a package yourself. I have done that: you can either download the spec file here, or the pre-compiled package snoopy-2.4.6-2.el7.x86_64.rpm. I'm running this version on several hundred CentOS 7 boxes. Installation is the usual:
rpm -ivh snoopy-2.4.6-2.el7.x86_64.rpm
Now it's all set. Check that /etc/ld.so.preload lists the Snoopy library (Snoopy ships a snoopy-enable script that adds it if your package does not), start a fresh login, and look for entries in /var/log/secure, where CentOS/RHEL's rsyslog sends authpriv messages.
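Two things are worth checking on every box after either installation path, and neither distro's package does it for you: that every entry in /etc/ld.so.preload actually resolves (a stale path makes ld.so print a "cannot be preloaded" warning from every dynamically linked program on the host, which is how a half-removed Snoopy usually announces itself), and that a command run from a fresh login really reaches the log. The checks below are an added example, not part of Snoopy or of the original post; the file paths are parameters so they can be exercised against copies, and the log line in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from Snoopy or the original post): post-install checks
# for a Snoopy deployment. Paths are parameters; on a live host use
# /etc/ld.so.preload and the file your syslog routes authpriv to
# (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on CentOS/RHEL).

# preload_ok PRELOAD_FILE
# Succeeds only if every whitespace-separated entry in the file exists on
# disk and exactly one of them is a libsnoopy library. A stale entry does
# not stop programs from running, but ld.so warns about it on every exec.
preload_ok() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    n=0
    for lib in $(cat "$1"); do
        [ -e "$lib" ] || { echo "stale preload entry: $lib" >&2; return 1; }
        case "$lib" in *libsnoopy*) n=$((n + 1)) ;; esac
    done
    [ "$n" -eq 1 ]
}

# logged LOG_FILE MARKER
# Succeeds if LOG_FILE holds a Snoopy line whose command contains MARKER.
logged() {
    grep -q "snoopy: .*]: .*$2" "$1"
}

# smoke_test LOG_FILE
# Runs a harmless command carrying a unique marker and confirms it was
# logged. The spawning shell must itself have been started after the
# preload entry was added, so run this from a fresh login, not the shell
# you installed from.
smoke_test() {
    marker="snoopy-smoke-$$-$(date +%s)"
    /bin/true "$marker"      # true ignores its argument; Snoopy logs it anyway
    sleep 1                  # give the syslog daemon a moment to write
    logged "$1" "$marker"
}

# Example run on a live host (uncomment): both checks must succeed.
#   preload_ok /etc/ld.so.preload && smoke_test /var/log/auth.log && echo "snoopy OK"
# A logged smoke test looks like this constructed line:
#   Feb 27 05:20:00 ns snoopy: [uid:0 euid:0 user:root sid:704 tty:/dev/pts/0 cwd:/root filename:/bin/true]: /bin/true snoopy-smoke-4242-1519708800
```

Run both checks from the remote syslog host as well, against the forwarded log: a box whose smoke test passes locally but never appears centrally has a forwarding problem, which is exactly the gap an attacker on that box would exploit.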