Monitoring user activity, via snoopy

Posted by Steve on Sun 6 Feb 2005 at 19:12

If you're running a webserver which gets cracked due to an insecure CGI or PHP script, you'll likely want to know what the attacker did. One simple way of doing that is to log all the commands which are executed on the machine.

Obviously logging every command executed on a machine is going to be a fairly intensive job on a server which has shell accounts for a large number of users - and you should consider the privacy implications carefully.

However, for something like a standalone webserver or a mailserver, where there shouldn't be more than one or two accounts used to upload content or to keep an eye on the system, it's not unreasonable to log the commands (and arguments) which are executed.

With the snoopy package, setting up this logging is a simple matter.

Install the package with:

apt-get install snoopy

Once it has been downloaded and installed you will be asked if you wish to enable it on a system-wide basis (via the modification of the file /etc/ld.so.preload). Answer yes and all commands executed will be logged.

You will need to restart the applications that are already running to ensure that the logging works - snoopy works by injecting a shared library into every process started on the machine, so processes that were already running before the preload was enabled won't have it loaded.

To restart services you can use commands like these, though exactly what you restart will vary:

/etc/init.d/apache restart
/etc/init.d/ssh restart

All commands are logged via syslog and stored by default in the file /var/log/auth.log - don't forget that you can easily set up syslog to report to a remote machine, so that the record survives even if the local logs are tampered with.

As an example of the kind of output you can expect to see, here is a sample:

Feb  6 17:02:23 skx snoopy[29191]: [steve, uid:1000 sid:28907]: ls --color=auto 
Feb  6 17:02:23 skx snoopy[29193]: [steve, uid:1000 sid:28907]: sudo -s 
Feb  6 17:02:28 skx sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash
Feb  6 17:02:28 skx snoopy[29195]: [steve, uid:0 sid:28907]: uname -s 
Feb  6 17:02:28 skx snoopy[29197]: [steve, uid:0 sid:28907]: uname -r 
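As an added example (not part of the original article or the snoopy project), here is a small Python parser for the snoopy line format shown above: it pulls the timestamp, host, pid, user, uid, sid and command out of each line, skips lines from other programs (such as sudo's own entry), and flags a session whose commands switch from a non-root uid to uid 0, which is what the sudo -s sequence in the sample looks like. The log below is constructed in the same format; the www-data uid of 33 is the Debian default and is assumed here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field layout of a snoopy line as shown in the article's sample output:
#   <syslog timestamp> <host> snoopy[<pid>]: [<user>, uid:<uid> sid:<sid>]: <command>
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<user>[^,]+), uid:(?P<uid>\d+) sid:(?P<sid>\d+)\]: (?P<cmd>.*)$"
)

# Constructed sample in the format of the article's excerpt (not real log data).
# The last line imagines a command run by the web server user (uid 33 = www-data on Debian, assumed).
SAMPLE_LOG = """\
Feb  6 17:02:23 skx snoopy[29191]: [steve, uid:1000 sid:28907]: ls --color=auto
Feb  6 17:02:23 skx snoopy[29193]: [steve, uid:1000 sid:28907]: sudo -s
Feb  6 17:02:28 skx sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/bash
Feb  6 17:02:28 skx snoopy[29195]: [steve, uid:0 sid:28907]: uname -s
Feb  6 17:02:28 skx snoopy[29197]: [steve, uid:0 sid:28907]: uname -r
Feb  6 17:05:01 skx snoopy[29230]: [www-data, uid:33 sid:29230]: sh -c id
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one snoopy line, or None if the line is not from snoopy."""
    m = SNOOPY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    fields["cmd"] = fields["cmd"].rstrip()  # drop the trailing space snoopy leaves after argv
    return fields

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every snoopy line in a log fragment, ignoring lines from other programs."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def find_escalations(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Report (sid, user, cmd) for the first root command in a session that began as a non-root uid."""
    first_uid: Dict[str, str] = {}
    alerts = []
    for e in entries:
        first_uid.setdefault(e["sid"], e["uid"])
        if e["uid"] == "0" and first_uid[e["sid"]] != "0":
            alerts.append((e["sid"], e["user"], e["cmd"]))
            first_uid[e["sid"]] = "0"  # report each session's escalation only once
    return alerts

def commands_by_uid(entries: List[Dict[str, str]], uid: str) -> List[str]:
    """List the commands a given uid ran, e.g. everything executed under the web server's account."""
    return [e["cmd"] for e in entries if e["uid"] == uid]
```

Running commands_by_uid(parse_log(SAMPLE_LOG), "33") gives the commands the web server account executed, which is exactly the trail the article's compromised-CGI scenario is after.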


Posted by Serge (213.224.xx.xx) on Mon 7 Feb 2005 at 10:54
Interesting package!
Any comments on performance or other issues?
Either way, at least there don't seem to be a lot of issues as far as I can tell when looking at the Debian pages about this package.

--

Serge van Ginderachter


Posted by Steve (82.41.xx.xx) on Tue 8 Feb 2005 at 09:07

So far after two days of testing it appears to handle random cron jobs, CGI invocations, and the interactive processes of maybe 20 users happily.

If you have more users than that you might need to watch it to make sure you don't have a full /var partition, but otherwise I'm sure it will be OK.

Steve
-- Steve.org.uk


Posted by Anonymous (83.28.xx.xx) on Tue 27 Sep 2005 at 11:40
Anyone know how to ignore logcheck entries from snoopy???


Posted by knx (195.85.xx.xx) on Thu 21 Jun 2007 at 10:51
add

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*

to /etc/logcheck/ignore.d.server/snoopy and /etc/logcheck/violations.ignore.d/snoopy


Posted by Anonymous (66.193.xx.xx) on Thu 27 Mar 2008 at 17:16
God bless you!


Posted by yarikoptic (24.152.xx.xx) on Tue 21 Aug 2007 at 02:29
Also of interest for users might be a kernel-based solution for the same task, BSD Accounting.


Posted by Anonymous (211.148.xx.xx) on Thu 14 Jan 2010 at 06:03
Hi, I am using Debian 5.0.
After I installed snoopy, the apt http source list didn't work; when I executed "apt-get update",
it complained "Connection failed".

The apt ftp source list worked well. Has anyone encountered this problem?


Posted by Anonymous (91.99.xx.xx) on Thu 4 Feb 2010 at 18:20
I was searching for the same package for a long time.
I am very happy to have found it. Thanks soooooooo much.
But I do not understand why I did not find more documentation introducing this good tool!!

Thanks again
