Monitoring user activity, via snoopy
Posted by Steve on Sun 6 Feb 2005 at 19:12
If you're running a webserver which gets cracked due to an insecure CGI or PHP script, you'll likely want to know what the attacker did. One simple way of doing that is to log all the commands which are executed on the machine.
Obviously logging all the commands that are executed on a machine is going to be a fairly intensive job on a server which has shell accounts for a large number of users - and you should consider the privacy implications carefully.
However for something like a standalone webserver, or a mailserver, where there shouldn't be more than one or two accounts which are used to upload content or to keep an eye upon the system it's not unreasonable to log commands (and arguments) which are executed.
With the use of the snoopy package setting up this logging is a simple matter.
Install the package with:
apt-get install snoopy
Once it has been downloaded and installed you will be asked if you wish to enable it on a system-wide basis (via the modification of the file /etc/ld.so.preload). Answer yes and all commands executed will be logged.
You will need to restart the applications that are already running to ensure that the logging works, as snoopy works by injecting a shared library into every process upon the machine via the preload mechanism.
To restart services you can use something like these commands, but this will vary depending on what you wish to restart:
/etc/init.d/apache restart
/etc/init.d/ssh restart
All commands will be logged via syslog and stored by default in the file /var/log/auth.log - don't forget that you can easily set up syslog to report to a remote machine, so that an attacker with root access cannot simply erase the local record.
As an example of the kind of output you can expect to see here is a sample:
Feb 6 17:02:23 skx snoopy: [steve, uid:1000 sid:28907]: ls --color=auto
Feb 6 17:02:23 skx snoopy: [steve, uid:1000 sid:28907]: sudo -s
Feb 6 17:02:28 skx sudo: steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash
Feb 6 17:02:28 skx snoopy: [steve, uid:0 sid:28907]: uname -s
Feb 6 17:02:28 skx snoopy: [steve, uid:0 sid:28907]: uname -r
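As an added example (not part of the original article or the snoopy package), here is a small Python script that parses snoopy records out of auth.log in the format shown above, groups them by session id, and flags two things a defender would look for on a compromised webserver: a session whose uid changes (the sudo -s step above) and commands run under the web server account. The log text is constructed for the example; the www-data line is invented, and the hostname and session ids are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown above; the www-data line is invented
# to stand in for a command spawned by the web server itself.
SAMPLE_LOG = """\
Feb  6 17:02:23 skx snoopy: [steve, uid:1000 sid:28907]: ls --color=auto
Feb  6 17:02:23 skx snoopy: [steve, uid:1000 sid:28907]: sudo -s
Feb  6 17:02:28 skx sudo: steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash
Feb  6 17:02:28 skx snoopy: [steve, uid:0 sid:28907]: uname -s
Feb  6 17:02:28 skx snoopy: [steve, uid:0 sid:28907]: uname -r
Feb  6 17:05:01 skx snoopy: [www-data, uid:33 sid:29110]: sh -c id
"""

# One snoopy record: timestamp, host, login name, numeric uid, session id, command line.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+snoopy:\s+"
    r"\[(?P<user>[^,]+),\s+uid:(?P<uid>\d+)\s+sid:(?P<sid>\d+)\]:\s+(?P<cmd>.*)$"
)

def parse_snoopy(text):
    """Return the snoopy records in text; other syslog lines (e.g. sudo's own) are skipped."""
    events = []
    for line in text.splitlines():
        m = SNOOPY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["uid"] = int(rec["uid"])
            events.append(rec)
    return events

def sessions_with_uid_change(events):
    """Map sid -> sorted uids, only for sessions where the uid changed (e.g. after sudo -s)."""
    uids = defaultdict(set)
    for e in events:
        uids[e["sid"]].add(e["uid"])
    return {sid: sorted(u) for sid, u in uids.items() if len(u) > 1}

def commands_by_user(events, user):
    """Commands run under a given login name, e.g. the web server account."""
    return [e["cmd"] for e in events if e["user"] == user]

if __name__ == "__main__":
    ev = parse_snoopy(SAMPLE_LOG)
    print(sessions_with_uid_change(ev))      # {'28907': [0, 1000]}
    print(commands_by_user(ev, "www-data"))  # ['sh -c id']
```

On a real host, feed it /var/log/auth.log (or the copy on your remote syslog server) and treat any command from the web server's account as worth investigating.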