Snoopy: log all executed commands

Bash history stores the commands a user executed from the terminal, but only for that user, only for interactive shells, and only if the user does not clear it. What if you want to log every command (and its arguments) ever executed on a system? Enter Snoopy, a tiny shared library that wraps the execv() and execve() library calls so that every program launch is logged.

Snoopy is loaded via the dynamic loader's preload mechanism. When installed and activated, it adds an entry to /etc/ld.so.preload, so every dynamically linked program started on the host picks it up. The process is transparent to users and applications. Logging is done using syslog. Two caveats follow from the design: statically linked binaries, and code that issues the execve system call directly instead of calling libc, are not seen by Snoopy; and because /etc/ld.so.preload is honoured by every dynamically linked program on the box, it is also a favourite persistence spot for userland rootkits, so the file deserves monitoring in its own right.
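To make the mechanism concrete, here is a minimal execve() interposer written for this post as an added example; it is not Snoopy's source, and the names execlog and libexeclog.so are made up for the illustration. It formats a record in the same shape as Snoopy's ("[uid:.. sid:.. tty:.. cwd:.. filename:..]: command"), sends it to syslog under the auth facility, and then hands control to the kernel with the raw execve system call rather than through libc, because once the library is preloaded libc's execve() is this very function.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/syscall.h>

/* Added example (not Snoopy's code): a minimal execve() interposer.
 * Build it as a shared object and preload it into a single process:
 *   gcc -shared -fPIC -o libexeclog.so execlog.c
 *   LD_PRELOAD=./libexeclog.so ls -l /etc/hosts
 * The record shows up wherever syslog routes the auth facility
 * (/var/log/auth.log on Ubuntu). Adding the library to /etc/ld.so.preload
 * would apply it system-wide, which is what Snoopy does. */

#define ARGS_MAX 4096
#define LINE_MAX_LEN 8192

/* Join argv into one space-separated string, truncating to fit n bytes.
   Returns the number of bytes written, not counting the terminating NUL. */
size_t join_argv(char *buf, size_t n, char *const argv[]) {
    size_t len = 0;
    buf[0] = '\0';
    for (int i = 0; argv && argv[i]; i++) {
        int w = snprintf(buf + len, n - len, "%s%s", i ? " " : "", argv[i]);
        if (w < 0 || (size_t)w >= n - len) {   /* truncated: stop here */
            len = n - 1;
            break;
        }
        len += (size_t)w;
    }
    return len;
}

/* Build the log line in Snoopy's record layout. tty and cwd may be NULL.
   Returns what snprintf returns (the full length the line would have). */
int format_exec_log(char *buf, size_t n, unsigned uid, int sid,
                    const char *tty, const char *cwd,
                    const char *filename, char *const argv[]) {
    char args[ARGS_MAX];
    join_argv(args, sizeof args, argv);
    return snprintf(buf, n, "[uid:%u sid:%d tty:%s cwd:%s filename:%s]: %s",
                    uid, sid, tty ? tty : "(none)", cwd ? cwd : "(unknown)",
                    filename, args);
}

/* Our execve() shadows libc's for every program that preloads this library. */
int execve(const char *filename, char *const argv[], char *const envp[]) {
    char cwd[4096];
    char line[LINE_MAX_LEN];
    const char *tty = ttyname(STDIN_FILENO);   /* NULL when stdin is not a terminal */
    if (!getcwd(cwd, sizeof cwd))
        strcpy(cwd, "(unknown)");
    format_exec_log(line, sizeof line, (unsigned)getuid(), (int)getsid(0),
                    tty, cwd, filename, argv);
    /* "execlog" becomes the syslog tag, the way "snoopy" does in Snoopy's records. */
    openlog("execlog", LOG_PID, LOG_AUTH);
    syslog(LOG_AUTH | LOG_INFO, "%s", line);
    /* Go straight to the kernel; calling execve() here would recurse into ourselves. */
    return (int)syscall(SYS_execve, filename, argv, envp);
}
```

Note what this does not cover: a statically linked binary never loads the library, and a program that calls syscall(SYS_execve, ...) itself, exactly as the last line above does, bypasses the wrapper. That is the gap the audit subsystem mentioned at the end of the post closes.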

Features

  • Configure log output
  • Supports message filtering
  • Use optional configuration file (Snoopy's config file is /etc/snoopy.ini)

Installation

Run the following commands to install the latest stable version of Snoopy. The installer is fetched from the project's GitHub repository and run as root, so read it before executing it, as you would with any script you run under sudo:

$ rm -f snoopy-install.sh &&
  wget -q -O snoopy-install.sh https://github.com/a2o/snoopy/raw/install/doc/install/bin/snoopy-install.sh &&
  chmod 755 snoopy-install.sh &&
  sudo ./snoopy-install.sh stable

Usage

To enable Snoopy after installation, run:

$ sudo snoopy enable

To disable:

$ sudo snoopy disable

Snoopy logs through syslog; on Ubuntu its records land in /var/log/auth.log. Look through the configuration file (/etc/snoopy.ini) for the available options, including the record format and message filtering.

Logs from Snoopy look like:

2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages
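Records in this format are only useful if something reads them. The following parser and toy detection rule are an added example written for this post, not part of Snoopy; the three sample lines are the ones shown above, copied verbatim, and the rule itself (root running rm on something under /etc) is a made-up illustration of what you would feed a real alerting pipeline.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Snoopy's code): parse Snoopy's syslog records and run a
   simple detection rule over them. */

typedef struct {
    unsigned uid;
    int sid;
    char tty[64];
    char cwd[256];
    char filename[256];
    const char *cmd;      /* the command line; points into the original record */
} exec_event;

/* The sample records from the post, used as constructed input. */
static const char *const SAMPLE_LINES[] = {
    "2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK",
    "2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK",
    "2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Parse one syslog line written by Snoopy.
   Returns 1 and fills *ev on success, 0 if the line is not a Snoopy record. */
int parse_snoopy_line(const char *line, exec_event *ev) {
    const char *p = strstr(line, " snoopy[");
    if (!p) return 0;
    p = strstr(p, "]: [");     /* end of the "snoopy[pid]" tag, start of the field block */
    if (!p) return 0;
    p += 3;                    /* now positioned on '[' */
    int consumed = 0;
    int matched = sscanf(p, "[uid:%u sid:%d tty:%63s cwd:%255s filename:%255[^]]]: %n",
                         &ev->uid, &ev->sid, ev->tty, ev->cwd, ev->filename, &consumed);
    if (matched != 5 || consumed == 0)   /* consumed stays 0 if the trailing "]: " never matched */
        return 0;
    ev->cmd = p + consumed;
    return 1;
}

/* Return the basename of a path ("/usr/bin/rm" -> "rm"). */
const char *exec_basename(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Toy rule: root deleting something under /etc. The filename field is the
   resolved binary, so "rm" is matched on that rather than on the typed word. */
int is_root_etc_deletion(const exec_event *ev) {
    return ev->uid == 0
        && strcmp(exec_basename(ev->filename), "rm") == 0
        && strstr(ev->cmd, "/etc/") != NULL;
}

/* Run the rule over a batch of lines; returns how many records fired. */
size_t count_alerts(const char *const lines[], size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        exec_event ev;
        if (parse_snoopy_line(lines[i], &ev) && is_root_etc_deletion(&ev))
            hits++;
    }
    return hits;
}
```

On the three sample records the rule fires exactly once, on the rm line. The cat and tail lines parse cleanly but do not match, and a line from another daemon (sshd, say) is rejected by the parser before the rule sees it.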

On GitHub: Snoopy

Alternative

You can also use the Linux kernel's audit subsystem. It hooks the system call itself rather than the libc wrapper, so it also catches statically linked programs and direct syscalls that a preload library never sees. To install on Ubuntu, run:

$ sudo apt-get install auditd

To audit all execve() calls, run auditctl as root. On a 64-bit host add a rule for each syscall ABI, otherwise 32-bit binaries are missed:

$ sudo auditctl -a exit,always -F arch=b64 -S execve
$ sudo auditctl -a exit,always -F arch=b32 -S execve

Rules added this way are gone after a reboot; to keep them, put them in a file under /etc/audit/rules.d/ (or in /etc/audit/audit.rules on older releases). The resulting records can be queried with ausearch -sc execve. For more options, refer to man auditctl.

You may also want to check out keysniffer, a kernel module I wrote to log pressed keys in debugfs.

2 thoughts on “Snoopy: log all executed commands”

  1. Greetings, I installed it correctly, but when I enable or disable snoopy it shows me an error that there is no such command (snoopy: command not found). I made configuration changes and need to restart. Thanks in advance.
