Creating audit trails – Logging commands on Linux with Snoopy
Creating audit trails
Logging commands on Linux with Snoopy
Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands.
How it works
Snoopy is a wrapper around the execve() function. This is a Linux kernel call which instructs it to execute a command pointed to by a filename. This filename is then logged to syslog, together with any parameters. The related syslog level is authpriv. Usually these events on this level will show up in the file /var/log/auth.log.
Debian / Ubuntu
apt-get install snoopy
During installation it will ask your permission to add the wrapper to /etc/ld.so.preload, so it can be executed and act as a middle-man.
If the library is listed, new commands should be “intercepted” and logged to your auth.log.
The output will look similar to:
The installation of Snoopy is easy and quick. No further configuration is needed at this point, although you might want to consider to configure remote syslog. This way the log (and audit trail) is stored on an external location