
Monitoring user activity, via snoopy

Posted by Steve on Sun 6 Feb 2005 at 19:12

If you're running a webserver which gets cracked due to an insecure CGI or PHP script, you'll likely want to know what the attacker did. One simple way of finding out is to log every command which is executed on the machine.

Obviously logging all the commands that are executed on a machine is going to be a fairly intensive job on a server which has shell accounts for a large number of users - and you should consider the privacy implications carefully.

However, for something like a standalone webserver or a mailserver, where there shouldn't be more than one or two accounts used to upload content or to keep an eye upon the system, it's not unreasonable to log the commands (and arguments) which are executed.

With the snoopy package, setting up this logging is a simple matter.

Install the package with:

apt-get install snoopy

Once it has been downloaded and installed you will be asked whether you wish to enable it system-wide (by adding it to /etc/ld.so.preload). Answer yes and all commands executed will be logged.

You will need to restart the applications that are already running to ensure that the logging works - snoopy works by having the dynamic linker preload a shared library into every process started on the machine, and processes which were already running when /etc/ld.so.preload was changed will not have it loaded.

To restart services you can use something like these commands, but this will vary depending on what you wish to restart:

/etc/init.d/apache restart
/etc/init.d/ssh restart
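One way to confirm that the restarts covered everything is to look for processes whose address space does not contain the preloaded library; anything started before /etc/ld.so.preload was changed is still unlogged. The script below is an added example written for this article, not code from the snoopy package or the original post. It assumes the library's file name contains "snoopy" (the exact path differs between releases) and that it is run as root, since /proc/<pid>/maps of other users' processes is not readable otherwise. The build_sample_proc and demo helpers construct a fake /proc tree so the check can be exercised on a machine without snoopy installed.

```python
import re
import tempfile
from pathlib import Path

# The preloaded library's path differs between Debian releases, so match on the
# file name only. Assumption: it contains "snoopy" (e.g. /lib/snoopy.so).
SNOOPY_LIB = re.compile(r"/[^/\s]*snoopy[^/\s]*\.so")


def processes_missing_snoopy(proc_root="/proc"):
    """Return {pid: comm} for processes whose memory map does not contain the
    snoopy library. Such processes (started before /etc/ld.so.preload was
    changed, or statically linked) will not have their exec() calls logged.
    Reading another user's maps needs root, so run as root for a full view."""
    missing = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # skip /proc/self, /proc/sys and friends
        try:
            maps = (entry / "maps").read_text(errors="replace")
        except OSError:
            continue  # process vanished, kernel thread, or not readable by us
        if SNOOPY_LIB.search(maps):
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            comm = "?"
        missing[int(entry.name)] = comm
    return missing


def build_sample_proc(base):
    """Construct a fake /proc tree (sample data, not from a real system):
    pid 100 has the library preloaded, pid 200 was started before the
    preload was configured and so lacks it."""
    base = Path(base)
    for pid, comm, has_lib in ((100, "sshd", True), (200, "apache", False)):
        d = base / str(pid)
        d.mkdir()
        lines = ["7f0000000000-7f0000180000 r-xp 00000000 08:01 4242 /lib/libc.so.6"]
        if has_lib:  # constructed path; the real one depends on the release
            lines.append("7f0000200000-7f0000203000 r-xp 00000000 08:01 4343 /lib/snoopy.so")
        (d / "maps").write_text("\n".join(lines) + "\n")
        (d / "comm").write_text(comm + "\n")
    (base / "self").mkdir()  # non-numeric entries must be ignored
    return base


def demo():
    """Run the check against the constructed tree; returns {200: 'apache'}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        return processes_missing_snoopy(tmp)


if __name__ == "__main__":
    for pid, comm in sorted(processes_missing_snoopy().items()):
        print(f"{pid:>7} {comm}  (no snoopy library mapped; restart it)")
```

Run it as root after the restarts; every process it lists is one whose commands are still invisible to snoopy, and long-lived daemons started from the initscripts are the usual culprits.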

All commands will be logged via syslog and stored by default in the file /var/log/auth.log - don't forget that you can easily set up syslog to report to a remote machine, which also keeps a copy of the log that an attacker who gains root on the box cannot erase.

As an example of the kind of output you can expect to see, here is a sample:

Feb  6 17:02:23 skx snoopy[29191]: [steve, uid:1000 sid:28907]: ls --color=auto
Feb  6 17:02:23 skx snoopy[29193]: [steve, uid:1000 sid:28907]: sudo -s
Feb  6 17:02:28 skx sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash
Feb  6 17:02:28 skx snoopy[29195]: [steve, uid:0 sid:28907]: uname -s
Feb  6 17:02:28 skx snoopy[29197]: [steve, uid:0 sid:28907]: uname -r

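Because every snoopy line carries the login name, uid and session id, the log can be reconstructed per session and the interesting moment, the sudo -s after which the same session runs commands as uid 0, picked out automatically. The parser below is an added example, not code from the article or from snoopy; its input is the five sample lines above (with the wrapped sudo line rejoined) and the line format is inferred from them, so check it against the output of your own snoopy version.

```python
import re
from collections import defaultdict

# The five lines from the article's sample output (sudo line rejoined).
SAMPLE_LOG = """\
Feb  6 17:02:23 skx snoopy[29191]: [steve, uid:1000 sid:28907]: ls --color=auto
Feb  6 17:02:23 skx snoopy[29193]: [steve, uid:1000 sid:28907]: sudo -s
Feb  6 17:02:28 skx sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash
Feb  6 17:02:28 skx snoopy[29195]: [steve, uid:0 sid:28907]: uname -s
Feb  6 17:02:28 skx snoopy[29197]: [steve, uid:0 sid:28907]: uname -r
"""

# Line layout as seen in the sample: syslog prefix, "snoopy[pid]:", then
# "[login, uid:N sid:N]: command and arguments".
SNOOPY_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<login>[^,\]]+), uid:(?P<uid>\d+) sid:(?P<sid>\d+)\]: (?P<cmd>.*)$"
)


def parse_snoopy_line(line):
    """Return a dict for a snoopy line, or None for any other syslog line."""
    m = SNOOPY_LINE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "sid"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole auth.log excerpt, silently skipping non-snoopy lines."""
    return [r for r in (parse_snoopy_line(l) for l in text.splitlines()) if r]


def commands_by_session(records):
    """Group the command lines per session id, in log order, so each login's
    activity can be read as one story."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[rec["sid"]].append(rec["cmd"])
    return dict(sessions)


def root_commands_after_escalation(records):
    """Commands run as uid 0 inside a session whose first logged command ran
    as a non-root uid: the post-escalation activity an investigator reads
    first. Records are assumed to be in log (chronological) order."""
    first_uid = {}
    flagged = []
    for rec in records:
        first_uid.setdefault(rec["sid"], rec["uid"])
        if rec["uid"] == 0 and first_uid[rec["sid"]] != 0:
            flagged.append((rec["sid"], rec["login"], rec["cmd"]))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, cmds in commands_by_session(recs).items():
        print(f"session {sid}: {len(cmds)} commands")
    for sid, login, cmd in root_commands_after_escalation(recs):
        print(f"  session {sid} ({login}) ran as root: {cmd}")
```

On the sample this reports session 28907 as steve's, with "uname -s" and "uname -r" flagged as root commands following the sudo -s; on a compromised webserver the same function applied to the www-data session id shows the attacker's post-exploitation commands in order.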
Re: Monitoring user activity, via snoopy
Posted by Serge (213.224.xx.xx) on Mon 7 Feb 2005 at 10:54
Interesting package!
Any comments on performance or other issues?
Either way, at least there doesn't seem to be a lot of issues as far as I can tell when looking at the Debian pages about this package.

--

Serge van Ginderachter


Re: Monitoring user activity, via snoopy
Posted by Steve (82.41.xx.xx) on Tue 8 Feb 2005 at 09:07

So far after two days of testing it appears to handle random cron jobs, CGI invocations, and the interactive processes of maybe 20 users happily.

If you have more users than that you might need to watch it to make sure you don't have a full /var partition, but otherwise I'm sure it will be OK.

Steve
-- Steve.org.uk


Re: Monitoring user activity, via snoopy
Posted by Anonymous (83.28.xx.xx) on Tue 27 Sep 2005 at 11:40
Anyone know how to ignore logcheck entries from snoopy?


Re: Monitoring user activity, via snoopy
Posted by knx (195.85.xx.xx) on Thu 21 Jun 2007 at 10:51
Add

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*

to /etc/logcheck/ignore.d.server/snoopy and /etc/logcheck/violations.ignore.d/snoopy

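The rule above is written for logcheck's egrep (POSIX ERE), where [:alnum:] inside a bracket expression is a character class that Python's re module does not understand. Spelling the bracket expression out as [._A-Za-z0-9-] lets the same rule be checked against the article's sample lines before it is deployed. The example below is added here and is not part of the thread; the lines it tests are the ones from the article above, with the wrapped sudo line rejoined.

```python
import re

# knx's rule with [:alnum:] expanded to A-Za-z0-9; everything else is unchanged.
LOGCHECK_IGNORE = re.compile(r"^\w{3} [ :0-9]{11} [._A-Za-z0-9-]+ snoopy.*")

# Lines copied from the article's sample output.
SAMPLE_LINES = [
    "Feb  6 17:02:23 skx snoopy[29191]: [steve, uid:1000 sid:28907]: ls --color=auto",
    "Feb  6 17:02:23 skx snoopy[29193]: [steve, uid:1000 sid:28907]: sudo -s",
    "Feb  6 17:02:28 skx sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash",
    "Feb  6 17:02:28 skx snoopy[29195]: [steve, uid:0 sid:28907]: uname -s",
    "Feb  6 17:02:28 skx snoopy[29197]: [steve, uid:0 sid:28907]: uname -r",
]


def is_ignored_by_logcheck(line):
    """True when the ignore rule would silence this line. logcheck applies its
    rules with egrep, i.e. a match anywhere suffices; the rule's leading ^
    anchors it to the line start, which re.match also does."""
    return LOGCHECK_IGNORE.match(line) is not None


def lines_still_reported(lines):
    """The lines the rule does not silence: these still reach the report."""
    return [line for line in lines if not is_ignored_by_logcheck(line)]


if __name__ == "__main__":
    for line in lines_still_reported(SAMPLE_LINES):
        print("still reported:", line)
```

Two things are worth noticing before copying the rule into place: the trailing snoopy.* hides every snoopy line whatever the command was, so nothing snoopy logs will ever surface in a logcheck report, and the sudo line is not matched, so the privilege escalation itself is still reported by logcheck as before.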

Re: Monitoring user activity, via snoopy
Posted by Anonymous (66.193.xx.xx) on Thu 27 Mar 2008 at 17:16
God bless you!


Re: Monitoring user activity, via snoopy
Posted by Anonymous (211.148.xx.xx) on Thu 14 Jan 2010 at 06:03
Hi, I am using Debian 5.0.
After I installed snoopy, the apt http sources list didn't work; when I executed "apt-get update",
it complained "Connection failed".

The apt ftp sources list worked well. Has anyone encountered this problem?


Re: Monitoring user activity, via snoopy
Posted by Anonymous (91.99.xx.xx) on Thu 4 Feb 2010 at 18:20
I was searching for a package like this for a long time.
I am very happy to have found it. Thanks soooooooo much.
But I do not understand why I did not find more documentation introducing this good tool!

Thanks again


Re: Monitoring user activity, via snoopy
Posted by Anonymous (85.154.xx.xx) on Sun 8 Aug 2010 at 12:36
Hi,

Does anyone know of a way to audit/log only certain commands? With the default installation, everything is logged and the filesystem can fill up very quickly.
