Snoopy: log all executed commands

Bash history stores the commands a user executes from the terminal. What if you want to log every command (and its arguments) ever executed on a system? Enter Snoopy, a tiny library that intercepts all execv() and execve() calls.

Snoopy is loaded via the preload mechanism. When installed and activated, it adds an entry to /etc/ The process is transparent to users and applications. Logging is done using syslog.


  • Configure log output
  • Supports message filtering
  • Use optional configuration file (Snoopy’s config file is /etc/snoopy.ini)


Run the following commands to install the latest stable version of Snoopy:

$ rm -f &&
$ wget -q -O &&
$ chmod 755 &&
$ sudo ./ stable


To enable Snoopy after installation, run:

$ sudo snoopy enable

To disable:

$ sudo snoopy disable

The log file for Ubuntu is /var/log/auth.log. Check out the configuration file (/etc/snoopy.ini) for several options.

Logs from Snoopy look like:

2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages
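
The following Python example is added here and is not part of the original post or the Snoopy project: it parses lines in the format shown above and lists commands run by root that remove or move files under /etc. The watched prefix, the program list and the function names are assumptions chosen for illustration.

```python
import re

# Layout of the lines shown above:
# <timestamp> <host> snoopy[<pid>]: [key:value ...]: <command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<fields>[^\]]*)\]: (?P<cmdline>.*)$"
)
WATCHED_PREFIXES = ("/etc/",)                    # assumption: paths worth review
DESTRUCTIVE = {"rm", "mv", "shred", "truncate"}  # assumption: programs of interest

def parse_snoopy_line(line):
    """Return a dict for a Snoopy record, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
           "cmdline": m["cmdline"]}
    # Split each pair on the first ':' only; values are paths and numbers.
    # A cwd containing spaces would need a stricter parser than this.
    for pair in m["fields"].split():
        key, _, value = pair.partition(":")
        rec[key] = value
    return rec

def root_changes_under_watch(lines):
    """List (ts, tty, program, targets) for root commands touching watched paths."""
    hits = []
    for line in lines:
        rec = parse_snoopy_line(line)
        if rec is None or rec.get("uid") != "0":
            continue
        prog = rec.get("filename", "").rsplit("/", 1)[-1]
        # The logged command line is a flat string, so a whitespace split
        # only approximates the original argv.
        targets = [a for a in rec["cmdline"].split()[1:]
                   if a.startswith(WATCHED_PREFIXES)]
        if prog in DESTRUCTIVE and targets:
            hits.append((rec["ts"], rec.get("tty"), prog, targets))
    return hits

# First three lines are the sample from the post; the sshd line is constructed.
SAMPLE = """\
2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages
2015-02-11T19:05:20+00:00 labrat-1 sshd[901]: Connection closed by 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for hit in root_changes_under_watch(SAMPLE):
        print(hit)
```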

On GitHub: Snoopy


You can also use the Linux kernel's audit feature through its userspace daemon, auditd. To install on Ubuntu, run:

$ sudo apt-get install auditd

To audit all execve() calls:

$ sudo auditctl -a exit,always -S execve

For more options, refer to man auditctl.

You may also want to check out keysniffer, a kernel module I wrote to log pressed keys in debugfs.

2 thoughts on “Snoopy: log all executed commands”

  1. Greetings, I installed it correctly, but when I enable or disable snoopy it shows me an error that there is no command (snoopy: command not found). I made configuration changes and need to restart. Thanks in advance.

