Creating audit trails – Logging commands on Linux with Snoopy

Our customers often want to set up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it happened, and who did it. Defining an audit trail is also becoming mandatory for compliance, such as PCI. One possible solution we cover here is Snoopy, a small library that logs executed commands.

How it works

Snoopy is a wrapper around the execve() function, the Linux system call that instructs the kernel to execute the program pointed to by a filename. Snoopy logs that filename to syslog, together with any parameters, using the authpriv facility. Events logged to this facility usually show up in the file /var/log/auth.log.

Installing Snoopy

Debian / Ubuntu

apt-get install snoopy

During installation it will ask your permission to add the wrapper library to /etc/, so that it is loaded into every program and can act as a middle-man between the program and execve().

Screenshot: Snoopy library loaded in /etc/

If the library is listed, new commands should be “intercepted” and logged to your auth.log.

tail /var/log/auth.log

The output will look similar to:

Screenshot: output of cat /var/log/auth.log, showing the events captured by Snoopy.

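Once the commands land in auth.log, the next step is turning those lines into an actual audit trail: who ran what, when, from which terminal. The following Python script is an added example, not part of the original post or of the Snoopy project. It assumes Snoopy's default message format (`snoopy[pid]: [uid:... sid:... tty:... cwd:... filename:...]: command`), which you should check against your own log before relying on the regex; the log excerpt is constructed, not captured data. It also flags one thing an auditor cares about: any command that edits the preload configuration Snoopy depends on, because a change there silences the trail itself.

```python
import re
from collections import Counter

# Regex for Snoopy's default message format as written to auth.log (an
# assumption; compare with your own log lines before relying on it):
#   <timestamp> <host> snoopy[<pid>]: [uid:<n> sid:<n> tty:<dev> cwd:<dir> filename:<path>]: <command line>
SNOOPY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snoopy\[(?P<pid>\d+)\]: \[(?P<fields>[^\]]*)\]: (?P<cmd>.*)$"
)

# Constructed sample auth.log excerpt (not real captured data). One CRON line
# is included to show that non-Snoopy lines are skipped.
SAMPLE_LOG = """\
Mar 12 10:15:01 web01 snoopy[2311]: [uid:1000 sid:2100 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/ls]: ls -la
Mar 12 10:15:07 web01 snoopy[2315]: [uid:1000 sid:2100 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/sudo]: sudo -i
Mar 12 10:15:08 web01 snoopy[2316]: [uid:0 sid:2100 tty:/dev/pts/0 cwd:/root filename:/usr/bin/cat]: cat /var/log/auth.log
Mar 12 10:15:09 web01 CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 12 10:15:20 web01 snoopy[2330]: [uid:0 sid:2100 tty:/dev/pts/0 cwd:/root filename:/usr/bin/vi]: vi /etc/ld.so.preload
"""


def parse_line(line):
    """Return a dict for a Snoopy line, or None for any other syslog line."""
    m = SNOOPY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"),
             "pid": int(m.group("pid")), "cmd": m.group("cmd")}
    # The bracketed block is a space-separated list of key:value pairs. Split
    # on the first colon only, so values like tty:/dev/pts/0 survive intact.
    for field in m.group("fields").split():
        key, _, value = field.partition(":")
        event[key] = value
    event["uid"] = int(event.get("uid", -1))
    return event


def parse_log(text):
    """Parse a whole auth.log excerpt, keeping only Snoopy events."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def commands_per_uid(events):
    """How many commands each uid ran: the 'by whom' part of the audit trail."""
    return Counter(e["uid"] for e in events)


def audit_trail_edits(events):
    """Flag commands that touch the preload file Snoopy is registered in
    (assumed here to be /etc/ld.so.preload); a change there disables logging,
    so it deserves an alert rather than a quiet line in the log."""
    return [e for e in events if "/etc/ld.so.preload" in e["cmd"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]} uid={e["uid"]} tty={e["tty"]} cwd={e["cwd"]} : {e["cmd"]}')
    print("commands per uid:", dict(commands_per_uid(evs)))
    for e in audit_trail_edits(evs):
        print("ALERT: preload configuration edited:", e["ts"], e["cmd"])
```

Run it against a real file with `parse_log(open("/var/log/auth.log").read())`. Note that the uid field is the real uid of the process, so commands run after `sudo -i` appear as uid 0; correlating the `sid` (session id) with the earlier sudo line is what ties them back to the person who logged in.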
The installation of Snoopy is easy and quick. No further configuration is needed at this point, although you might want to consider configuring remote syslog. This way the log (and thus the audit trail) is stored in an external location, out of reach of anyone who gains control of the host.

Lynis Enterprise

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub).
