Creating audit trails

Logging commands on Linux with Snoopy

Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands.

How it works

Snoopy is a wrapper around the execve() function. This is a Linux kernel call which instructs it to execute a command pointed to by a filename. This filename is then logged to syslog, together with any parameters. The related syslog level is authpriv. Usually these events on this level will show up in the file /var/log/auth.log.

Installing Snoopy

Debian / Ubuntu

apt-get install snoopy

During installation it will ask your permission to add the wrapper to /etc/ld.so.preload, so it can be executed and act as a middle-man.

Snoop library loaded in /etc/ld.so.preload

If the library is listed, new commands should be “intercepted” and logged to your auth.log.

tail /var/log/auth.log

The output will look similar to:

Display of the /var/log/auth.log file containing events captured by Snoopy.

The installation of Snoopy is easy and quick. No further configuration is needed at this point, although you might want to consider to configure remote syslog. This way the log (and audit trail) is stored on an external location