Tree [5b6b1f] master /
History



File Date Author Commit
contrib 2010-10-10 Bostjan Skufca Bostjan Skufca [e771d2] Fixed macros for generating sles .spec file
dev-scripts 2011-04-30 Bostjan Skufca Bostjan Skufca [4e5d9a] Remove comparions of configure.ac and generated...
filters 2011-03-26 Bostjan Skufca Bostjan Skufca [d87b38] - Added additional comments to sample filter an...
COPYING 2010-08-04 Bostjan Skufca Bostjan Skufca [f07024] Imported contents of SVN trunk/ at revision 31.
ChangeLog 2011-04-27 Boštjan Škufca Boštjan Škufca [ec0a0a] Moved root-only to configure time option, docum...
Makefile.in 2011-03-26 Bostjan Skufca Bostjan Skufca [d87b38] - Added additional comments to sample filter an...
README 2011-05-21 Bostjan Skufca Bostjan Skufca [71ea9e] Added info about $LIB in ld.so.preload
README.filtering 2011-03-26 Bostjan Skufca Bostjan Skufca [d87b38] - Added additional comments to sample filter an...
TODO 2011-11-08 Boštjan Škufca Boštjan Škufca [5b6b1f] Added TODO file
config.h.in 2011-04-27 Boštjan Škufca Boštjan Škufca [ec0a0a] Moved root-only to configure time option, docum...
configure.ac 2011-04-27 Boštjan Škufca Boštjan Škufca [ec0a0a] Moved root-only to configure time option, docum...
detect.c 2010-08-04 Boštjan Škufca Boštjan Škufca [97aca7] Removed SVN tags from file header comments
enable.sh 2010-08-04 Boštjan Škufca Boštjan Škufca [97aca7] Removed SVN tags from file header comments
install-sh 2010-08-04 Boštjan Škufca Boštjan Škufca [b47eb1] Re-added install-sh, required by configure
snoopy-filter.sh.in 2011-03-26 Bostjan Skufca Bostjan Skufca [d87b38] - Added additional comments to sample filter an...
snoopy.c 2011-04-27 Boštjan Škufca Boštjan Škufca [ec0a0a] Moved root-only to configure time option, docum...
snoopy.h 2011-04-27 Boštjan Škufca Boštjan Škufca [ec0a0a] Moved root-only to configure time option, docum...

Read Me

------------------------------------------------------------------------

                             Snoopy Logger

  Created and maintained by:
    bostjan@a2o.si
     marius@umich.edu
        mbm@linux.com
------------------------------------------------------------------------



1.   D E S C R I P T I O N

  Snoopy is designed to aid the taks of a sysadmin by providing a log of
  commands  executed. Snoopy is  completely transparent  to the user and
  applications it hooks in as a library providing a wrapper around calls
  to execve() calls. Logging is done via syslogd and written to authpriv
  allowing secure offsite logging of activity, generally the authpriv is
  stored as /var/log/auth.log.



2.   N O T E

  execv() calls are now explicitly logged.   Although,  according to the
  man page for execv(),  it is supposed to call execve().   To this date
  the reason why execv()  calls weren't being logged is unknown,  but we
  are working to find out why.



3.   I N S T A L L A T I O N   &   U S A G E

  Snoopy supports various features that  can  be  enabled  by  supplying
  arguments to configure command. Consult `./configure --help' for  more
  information about details. Installation procedure is simple:

    # If you have pulled snoopy from GIT, you must run autoconf first:
    autoheader
    autoconf

    # Check configuration options:
    ./configure --help

    # Then continue with normal build procedure:
    ./configure [OPTIONS]
    make
    make install



4.   H O W   T O   E N A B L E

  a) Enable for specific programs

  If you wish to monitor only certain applications you can do so through
  the LD_PRELOAD environment variable - simply set it to the  full  path
  to snoopy.so shared library before loading the application. Example:

    export LD_PRELOAD=/usr/local/lib/snoopy.so    # default path
    lynx http://linux.com/
    unset LD_PRELOAD


  ----------------------------------------------------------------------
  b) Enable system-wide snoopy on 32-bit-only or 64-bit-only systems

  WARNING: Using this method on multilib systems (64-bit systems capable
  WARNING: of running 32-bit applications) can cause malfunction because
  WARNING: preload config file /etc/ld.so.preload makes  no  distinction
  WARNING: between 32- and 64-bit programs and shared libraries.

    # Enable it using entry in /etc/ld.so.preload
    make enable

  An entry is created in /etc/ld.so.preload file  which  causes  execv()
  and execve() system calls to be intercepted by snoopy and  logged  via
  syslog.


  ----------------------------------------------------------------------
  c) For multilib systems

  Content of /etc/ld.so.preload should include the following line:

    /usr/local/$LIB/snoopy.so

  This applies only when you have installed both 32bit and 64bit version
  of the library in the appropriate paths.


  ----------------------------------------------------------------------
  d) For multilib systems with LD_PRELOAD_* environmental variables

  On systems that support LD_PRELOAD_32 and LD_PRELOAD_64  you  can  use
  those variables to force loading of snoopy. If you with to  enable  it
  system-wide, ensure that correct values are held  by  those  variables
  at boot time. Consult section  4.a  of  this  README  on  how  to  set
  environmental variables. Setting them at boot time is usually  distro-
  dependent.
  Users are also required to compile 32-bit version of library. To do so
  on 64-bit systems it is usually enough to set appropriate CFLAGS:

    CFLAGS=-m32 ./configure [OPTIONS]

  Of course your system must be cross-compilation capable. Consult  your
  OS documentation for details on this subject.



5.   H O W   T O   D I S A B L E

  To disable snoopy later, simply edit /etc/ld.so.preload and remove the
  reference to snoopy.so. Also unset  any  environmental  variable  that
  references snoopy (LD_PRELOAD, LD_PRELOAD_32 and LD_PRELOAD_64).  Then
  you can also delete snoopy shared library from  your  system.  Default
  installation path of snoopy shared library is:

     /usr/local/lib/snoopy.so



6.   O U T P U T

  The exact location  of  your  snoopy output  depends  on  your  syslog
  configuration. Usually it gets stored in one of the following files:

    /var/log/auth*
    /var/log/messages
    /var/log/secure