------------------------------------------------------------------------
Snoopy Logger
Created and maintained by:
[email protected][email protected][email protected]
------------------------------------------------------------------------
1. D E S C R I P T I O N
Snoopy is designed to aid the taks of a sysadmin by providing a log of
commands executed. Snoopy is completely transparent to the user and
applications it hooks in as a library providing a wrapper around calls
to execve() calls. Logging is done via syslogd and written to authpriv
allowing secure offsite logging of activity, generally the authpriv is
stored as /var/log/auth.log.
2. N O T E
execv() calls are now explicitly logged. Although, according to the
man page for execv(), it is supposed to call execve(). To this date
the reason why execv() calls weren't being logged is unknown, but we
are working to find out why.
3. I N S T A L L A T I O N & U S A G E
Snoopy supports various features that can be enabled by supplying
arguments to configure command. Consult `./configure --help' for more
information about details. Installation procedure is simple:
# If you have pulled snoopy from GIT, you must run autoconf first:
autoheader
autoconf
# Check configuration options:
./configure --help
# Then continue with normal build procedure:
./configure [OPTIONS]
make
make install
4. H O W T O E N A B L E
a) Enable for specific programs
If you wish to monitor only certain applications you can do so through
the LD_PRELOAD environment variable - simply set it to the full path
to snoopy.so shared library before loading the application. Example:
export LD_PRELOAD=/usr/local/lib/snoopy.so # default path
lynx http://linux.com/
unset LD_PRELOAD
----------------------------------------------------------------------
b) Enable system-wide snoopy on 32-bit-only or 64-bit-only systems
WARNING: Using this method on multilib systems (64-bit systems capable
WARNING: of running 32-bit applications) can cause malfunction because
WARNING: preload config file /etc/ld.so.preload makes no distinction
WARNING: between 32- and 64-bit programs and shared libraries.
# Enable it using entry in /etc/ld.so.preload
make enable
An entry is created in /etc/ld.so.preload file which causes execv()
and execve() system calls to be intercepted by snoopy and logged via
syslog.
----------------------------------------------------------------------
c) For multilib systems
Content of /etc/ld.so.preload should include the following line:
/usr/local/$LIB/snoopy.so
This applies only when you have installed both 32bit and 64bit version
of the library in the appropriate paths.
----------------------------------------------------------------------
d) For multilib systems with LD_PRELOAD_* environmental variables
On systems that support LD_PRELOAD_32 and LD_PRELOAD_64 you can use
those variables to force loading of snoopy. If you with to enable it
system-wide, ensure that correct values are held by those variables
at boot time. Consult section 4.a of this README on how to set
environmental variables. Setting them at boot time is usually distro-
dependent.
Users are also required to compile 32-bit version of library. To do so
on 64-bit systems it is usually enough to set appropriate CFLAGS:
CFLAGS=-m32 ./configure [OPTIONS]
Of course your system must be cross-compilation capable. Consult your
OS documentation for details on this subject.
5. H O W T O D I S A B L E
To disable snoopy later, simply edit /etc/ld.so.preload and remove the
reference to snoopy.so. Also unset any environmental variable that
references snoopy (LD_PRELOAD, LD_PRELOAD_32 and LD_PRELOAD_64). Then
you can also delete snoopy shared library from your system. Default
installation path of snoopy shared library is:
/usr/local/lib/snoopy.so
6. O U T P U T
The exact location of your snoopy output depends on your syslog
configuration. Usually it gets stored in one of the following files:
/var/log/auth*
/var/log/messages
/var/log/secure