Snoopy logger

Snoopy logger is a small utility that makes an admin's work easier by keeping a log of the commands executed on a system. It is a shared library that gets preloaded into every dynamically linked process and hooks execve(), so every program execution by every user is reported through syslog; on this server the messages end up in "/var/log/secure". Each entry carries the uid, session id, tty, working directory and the full command line, so we can later check the log and work out which user ran which command from the uid. Two limits are worth keeping in mind: shell builtins such as cd or echo never call execve() and are not recorded, and a statically linked binary is not affected by the preload, so treat snoopy as an audit aid rather than a tamper-proof control (a user with root can also simply remove it).

I am pasting a portion of the snoopy log below:

=======================================
Sep 10 05:38:20 serverXXX snoopy[206015]: [uid:0 sid:187552 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/secure
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:99 sid:185700 tty: cwd:/home/user123/public_html/my-notepad.biz/forum/archive filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:1002 sid:185700 tty: cwd:/home/user123/public_html/my-notepad.biz/forum/archive filename:/usr/bin/php]: /usr/bin/php /home/markwesl/public_html/my-notepad.biz/forum/archive/index.php
Sep 10 05:38:21 serverXXX snoopy[206017]: [uid:99 sid:185700 tty: cwd:/home/user456/public_html/current filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:22 serverXXX snoopy[206024]: [uid:1006 sid:185700 tty: cwd:/home/user999/public_html/drwhofigures.co.uk/forum filename:/usr/bin/php]: /usr/bin/php /home/senseb/public_html/domain.com/forum/cron.php
=======================================

Each entry identifies the account only by uid. To map a uid to a user name, use getent (which consults every source configured in nsswitch, not only the local file) or look the uid up in /etc/passwd directly:

=======================================
root@serverxxx [~]# getent passwd 99
nobody:x:99:99:Nobody:/:/sbin/nologin
root@serverxxx [~]# getent passwd 1002
user123:x:1002:997::/home/user123:/usr/local/cpanel/bin/noshell
root@serverxxx [~]# getent passwd 1006
user999:x:1006:1001::/home/user999:/usr/local/cpanel/bin/noshell
=======================================
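As an added example (not part of this article or of Snoopy itself), the Python below parses log lines in the 1.8.x format shown above, maps uids to names the way getent does, and uses the tty field to tell an interactive shell command from one the web server ran on the account's behalf, which is what you need before blaming a user for a php invocation under their public_html. The sample log and passwd entries are the ones quoted above plus a constructed root entry; the public_html marker is an assumption about cPanel document roots.

```python
"""Parse Snoopy 1.8.x log lines and attribute each execution to a user.

Added example for this article; not Snoopy project code.  The fixtures are
the log and getent lines quoted in the article plus a constructed root entry.
"""
import pwd
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed fixture: the five log lines quoted in the article.
SAMPLE_LOG = """\
Sep 10 05:38:20 serverXXX snoopy[206015]: [uid:0 sid:187552 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/secure
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:99 sid:185700 tty: cwd:/home/user123/public_html/my-notepad.biz/forum/archive filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:1002 sid:185700 tty: cwd:/home/user123/public_html/my-notepad.biz/forum/archive filename:/usr/bin/php]: /usr/bin/php /home/markwesl/public_html/my-notepad.biz/forum/archive/index.php
Sep 10 05:38:21 serverXXX snoopy[206017]: [uid:99 sid:185700 tty: cwd:/home/user456/public_html/current filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:22 serverXXX snoopy[206024]: [uid:1006 sid:185700 tty: cwd:/home/user999/public_html/drwhofigures.co.uk/forum filename:/usr/bin/php]: /usr/bin/php /home/senseb/public_html/domain.com/forum/cron.php
"""

# Constructed fixture: the getent output from the article plus a root entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
user123:x:1002:997::/home/user123:/usr/local/cpanel/bin/noshell
user999:x:1006:1001::/home/user999:/usr/local/cpanel/bin/noshell
"""

# Snoopy 1.8.0 format: syslog prefix, bracketed field list, then the command.
# The tty field is empty for executions without a terminal (cron, suPHP).
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+snoopy\[(?P<pid>\d+)\]:\s+"
    r"\[uid:(?P<uid>\d+)\s+sid:(?P<sid>\d+)\s+tty:(?P<tty>\S*)\s+"
    r"cwd:(?P<cwd>\S+)\s+filename:(?P<filename>\S+)\]:\s+(?P<cmd>.*)$"
)

# Assumption: cPanel keeps document roots under ~user/public_html.
WEB_ROOT_MARKER = "/public_html/"


@dataclass
class SnoopyEvent:
    ts: str
    host: str
    pid: int
    uid: int
    sid: int
    tty: str
    cwd: str
    filename: str
    cmd: str


def parse_line(line: str) -> Optional[SnoopyEvent]:
    """Return the parsed event, or None for lines that are not snoopy records."""
    m = SNOOPY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return SnoopyEvent(d["ts"], d["host"], int(d["pid"]), int(d["uid"]),
                       int(d["sid"]), d["tty"], d["cwd"], d["filename"], d["cmd"])


def parse_log(text: str) -> list[SnoopyEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def load_passwd(text: str) -> dict[int, str]:
    """Build a uid -> name table from passwd-format lines (getent output)."""
    table: dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            table[int(parts[2])] = parts[0]
    return table


def resolve_uid(uid: int, table: dict[int, str]) -> str:
    """Prefer the supplied table (e.g. a copy of the server's passwd), then
    fall back to the local system; unknown uids are returned as uid:N."""
    if uid in table:
        return table[uid]
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"uid:{uid}"


def execution_context(ev: SnoopyEvent) -> str:
    """The uid alone does not say who typed a command.  A tty means a shell
    session; no tty plus a document-root cwd means the web server (suPHP)
    executed it under the account's uid on an HTTP request."""
    if ev.tty:
        return "interactive"
    if WEB_ROOT_MARKER in ev.cwd or WEB_ROOT_MARKER in ev.cmd:
        return "web"
    return "non-interactive"


def by_session(events: list[SnoopyEvent]) -> dict[int, list[SnoopyEvent]]:
    """Group by sid: processes in one login or daemon session share it, so all
    suPHP-spawned executions above carry the web server's sid."""
    groups: dict[int, list[SnoopyEvent]] = defaultdict(list)
    for ev in events:
        groups[ev.sid].append(ev)
    return dict(groups)


def attribute(events: list[SnoopyEvent], table: dict[int, str]) -> list[tuple[str, str, str]]:
    return [(resolve_uid(ev.uid, table), execution_context(ev), ev.cmd) for ev in events]


if __name__ == "__main__":
    for user, ctx, cmd in attribute(parse_log(SAMPLE_LOG), load_passwd(SAMPLE_PASSWD)):
        print(f"{user:10} {ctx:16} {cmd}")
```

Feed it `tail -n` output of /var/log/secure and a copy of the server's passwd file; the root tail command comes out as interactive, while the php runs under uid 1002 and 1006 are classified as web, i.e. the web server acting as those accounts rather than the users at a shell.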


Snoopy Installation Steps
=========================
* cd /usr/src
* wget ftp://ftp.uwsg.indiana.edu/pub/FreeBSD/ports/distfiles/snoopy-1.8.0.tar.gz
* tar xvf snoopy-1.8.0.tar.gz
* cd snoopy-1.8.0
# Check configuration options:
./configure --help

# Then continue with normal build procedure:
./configure [OPTIONS]
make
make install

# Then you can actually enable snoopy:
make enable
=========================

"make enable" writes the path of the library, "/usr/local/lib/snoopy.so", into /etc/ld.so.preload, which makes the dynamic loader preload it into every dynamically linked program started from then on; that is how snoopy sees each execve(). To remove snoopy later, do it in this order: first edit /etc/ld.so.preload and remove the reference to snoopy.so, then delete /usr/local/lib/snoopy.so. If the library disappears while the entry is still present, every dynamically linked program prints an "ld.so: object ... cannot be preloaded" error to stderr until the entry is removed, which is noisy and can break scripts that parse command output. For more information, read the "README" file in the source directory.
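The following Python is an added example, not code from the Snoopy project: it reports whether snoopy is enabled, disabled, or in the broken "listed but missing" state, and undoes the installation in the safe order (preload entry first, library second) while keeping any other entries in ld.so.preload. The default paths are the ones given above; demo() exercises the same logic against a throwaway directory, with a constructed second preload entry, so it can be run without root.

```python
"""Check, and safely undo, a Snoopy install that works via /etc/ld.so.preload.

Added example for this article, not Snoopy project code.  Defaults are the
paths the article gives; call demo() to try the logic in a temp directory.
"""
import os
import tempfile
from pathlib import Path

PRELOAD = "/etc/ld.so.preload"
SNOOPY_LIB = "/usr/local/lib/snoopy.so"


def preload_entries(preload_path: str) -> list[str]:
    """ld.so.preload is a whitespace-separated list of shared objects."""
    p = Path(preload_path)
    return p.read_text().split() if p.exists() else []


def snoopy_status(preload_path: str = PRELOAD, lib_path: str = SNOOPY_LIB) -> str:
    listed = lib_path in preload_entries(preload_path)
    present = Path(lib_path).is_file()
    if listed and present:
        return "enabled"
    if listed:
        # Entry present, library gone: every dynamically linked program now
        # starts with an "ld.so: object ... cannot be preloaded" error.
        return "broken"
    if present:
        return "disabled"      # library still on disk but no longer preloaded
    return "absent"


def disable_snoopy(preload_path: str = PRELOAD, lib_path: str = SNOOPY_LIB,
                   remove_library: bool = True) -> str:
    """Order matters: drop the preload entry first, then delete the library."""
    kept = [e for e in preload_entries(preload_path) if e != lib_path]
    p = Path(preload_path)
    if kept:
        tmp = p.with_name(p.name + ".tmp")
        tmp.write_text("\n".join(kept) + "\n")
        os.replace(tmp, p)             # atomic swap: never a half-written file
    elif p.exists():
        p.unlink()                     # nothing else preloaded: remove the file
    if remove_library and Path(lib_path).is_file():
        Path(lib_path).unlink()
    return snoopy_status(preload_path, lib_path)


def demo() -> list[str]:
    """Run the sequence in a temp dir and return the observed states."""
    d = Path(tempfile.mkdtemp())
    pre, lib = str(d / "ld.so.preload"), str(d / "snoopy.so")
    Path(lib).touch()
    # Constructed: a second, unrelated preload entry that must survive.
    Path(pre).write_text(f"{lib}\n/usr/lib/libfoo.so\n")
    states = [snoopy_status(pre, lib)]
    states.append(disable_snoopy(pre, lib))
    states.append(" ".join(preload_entries(pre)))
    Path(pre).write_text(f"{lib}\n")   # entry re-added, library already gone
    states.append(snoopy_status(pre, lib))
    return states


if __name__ == "__main__":
    print(demo())
```

On a live server run it as root: snoopy_status() tells you the current state before you touch anything, and disable_snoopy() performs the removal in the order the previous paragraph describes.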