renard/snoopylogger
------------------------------------------------------------------------
Snoopy Logger
Created and maintained by:
bostjan@a2o.si
marius@umich.edu
mbm@linux.com
------------------------------------------------------------------------
1. D E S C R I P T I O N
Snoopy is designed to aid the tasks of a sysadmin by providing a log of
the commands executed on a system. Snoopy is completely transparent to
the user and to applications: it hooks in as a preloaded shared library
that wraps calls to execve(). Logging is done via syslogd to the authpriv
facility, which allows secure off-site logging of activity; authpriv is
generally stored in /var/log/auth.log.
Because the hook lives in a preloaded library, it only sees dynamically
linked programs that go through libc's exec*() functions. Statically
linked binaries, and programs that issue the execve system call
directly, bypass it.
2. N O T E
execv() calls are now logged explicitly. According to the execv() man
page execv() calls execve(), so one might expect the execve() wrapper to
catch it, but it does not: glibc's execv() reaches execve() through an
internal alias that LD_PRELOAD symbol interposition cannot replace.
Every exec*() entry point that should be logged therefore has to be
wrapped individually.
3. I N S T A L L A T I O N & U S A G E
Snoopy supports various features that can be enabled by supplying
arguments to the configure command. Consult `./configure --help' for
details. The installation procedure is simple:
# If you have pulled snoopy from GIT, you must run autoconf first:
autoheader
autoconf
# Check configuration options:
./configure --help
# Then continue with normal build procedure:
./configure [OPTIONS]
make
make install
4. H O W T O E N A B L E
a) Enable for specific programs
If you wish to monitor only certain applications, you can do so through
the LD_PRELOAD environment variable: set it to the full path of the
snoopy.so shared library before starting the application. Note that the
dynamic loader ignores an LD_PRELOAD path like this for set-user-ID and
set-group-ID programs, so this method does not cover them; the
system-wide /etc/ld.so.preload methods below do. Example:
export LD_PRELOAD=/usr/local/lib/snoopy.so # default path
lynx http://linux.com/
unset LD_PRELOAD
----------------------------------------------------------------------
b) Enable system-wide snoopy on 32-bit-only or 64-bit-only systems
WARNING: Using this method on multilib systems (64-bit systems capable
WARNING: of running 32-bit applications) can cause malfunction because
WARNING: preload config file /etc/ld.so.preload makes no distinction
WARNING: between 32- and 64-bit programs and shared libraries.
# Enable it using entry in /etc/ld.so.preload
make enable
An entry is created in the /etc/ld.so.preload file, which causes execv()
and execve() calls in every dynamically linked program to be intercepted
by snoopy and logged via syslog. Check the entry before logging out: a
preload entry that does not resolve makes the dynamic loader print an
error at the start of every program on the system.
----------------------------------------------------------------------
c) For multilib systems
The content of /etc/ld.so.preload should include the following line:
/usr/local/$LIB/snoopy.so
The dynamic loader expands $LIB to the library directory matching the
word size of the program being started. This applies only when you have
installed both the 32-bit and the 64-bit version of the library in the
appropriate paths.
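As an added example for sections 4.b and 4.c (this script is not part of snoopy), a POSIX shell check that every entry in a preload file resolves to an existing library, expanding `$LIB` to each candidate directory so that a multilib entry is verified for both word sizes. The candidate list in LIB_DIRS is an assumption of this example: the loader's actual expansion is platform-specific (lib, lib64, or a Debian-style multiarch directory), so adjust it for the host. The optional ROOT argument lets the check run against a staging tree; the sample preload files in the usage are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of snoopy: validate /etc/ld.so.preload entries
# before relying on them. A preload entry that does not resolve makes ld.so
# print an error at the start of every dynamically linked program.

# Directory names $LIB may expand to (assumption of this example; adjust
# for the host, e.g. Debian-style x86_64-linux-gnu multiarch directories).
LIB_DIRS="${LIB_DIRS:-lib lib64}"

# check_preload_file FILE [ROOT]
# Prints one line per resolved path and returns 1 if any library is missing.
# ROOT (default empty) is prefixed to every path so that a staging tree can
# be checked instead of the live root filesystem.
check_preload_file() {
    file=$1
    root=${2:-}
    status=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        # skip blank lines and comments
        case $entry in ''|\#*) continue ;; esac
        case $entry in
        *'$LIB'*)
            # multilib entry: the loader picks the directory per program,
            # so every candidate must exist
            prefix=${entry%%\$LIB*}
            suffix=${entry#*\$LIB}
            for d in $LIB_DIRS; do
                path="$prefix$d$suffix"
                if [ -f "$root$path" ]; then
                    printf 'ok       %s\n' "$root$path"
                else
                    printf 'MISSING  %s\n' "$root$path"
                    status=1
                fi
            done
            ;;
        *)
            # single path: on a multilib system this library is loaded into
            # both 32- and 64-bit programs (the warning in section 4.b)
            if [ -f "$root$entry" ]; then
                printf 'ok       %s (single path, used for both word sizes)\n' "$root$entry"
            else
                printf 'MISSING  %s\n' "$root$entry"
                status=1
            fi
            ;;
        esac
    done < "$file"
    return $status
}

# Usage: check the live file if present, e.g. right after `make enable`.
if [ -f /etc/ld.so.preload ]; then
    check_preload_file /etc/ld.so.preload ||
        echo "fix /etc/ld.so.preload before logging out or rebooting"
fi
```

A safe way to exercise an entry before it goes into /etc/ld.so.preload is to run one harmless program with it, for example `LD_PRELOAD=/usr/local/lib/snoopy.so /bin/true`, and confirm that no loader error is printed and that the record appears in the log files listed in section 6.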
----------------------------------------------------------------------
d) For multilib systems with LD_PRELOAD_* environmental variables
On systems that support LD_PRELOAD_32 and LD_PRELOAD_64 you can use
those variables to force loading of snoopy. If you wish to enable it
system-wide, ensure that those variables hold the correct values at
boot time. Consult section 4.a of this README on how to set environment
variables; setting them at boot time is usually distribution-dependent.
You are also required to compile a 32-bit version of the library. On
64-bit systems it is usually enough to set the appropriate CFLAGS:
CFLAGS=-m32 ./configure [OPTIONS]
Of course your system must be capable of cross-compilation. Consult
your OS documentation for details on this subject.
5. H O W T O D I S A B L E
To disable snoopy later, simply edit /etc/ld.so.preload and remove the
reference to snoopy.so. Also unset any environment variable that
references snoopy (LD_PRELOAD, LD_PRELOAD_32 and LD_PRELOAD_64). Only
then delete the snoopy shared library from your system, since removing
it while it is still referenced breaks every program start. The default
installation path of the snoopy shared library is:
/usr/local/lib/snoopy.so
6. O U T P U T
The exact location of your snoopy output depends on your syslog
configuration (snoopy logs to the authpriv facility). Usually it is
stored in one of the following files:
/var/log/auth*
/var/log/messages
/var/log/secure