snoopy是一款可以记录用户执行命令并输出到文件的一款日志审计软件,它的安装也不复杂,可以支持syslog...etc,需要具体介绍请自行度娘。下面记录一下:
下载完snoopy,直接./configure --prefix=/opt/snoopy;make;make install
创建一个nologin的用户:useradd -s /sbin/nologin -M snoopy;
修改snoopy的配置文件snoopy.ini,修改内容如下:
-
;;; REQUIRED Section
-
;
-
[snoopy]
-
-
-
-
;;; Log Message Format specification
-
;
-
; May consist of:
-
; - arbitrary text, which is copied to log message as-is,
-
; - calls to data sources without arguments: %{datasourcename}
-
; - calls to data sources with argument : %{datasourcename:arg1}
-
; - calls to data sources with arguments: %{datasourcename:arg1,arg2} <--- if data source supports it
-
;
-
; List of available data sources:
-
; - %{cmdline} ; (available=yes) Full command line, with arguments
-
; - %{cwd} ; (available=yes) Current working directory
-
; - %{datetime} ; (available=yes) Date and time in ISO 8601 format
-
; - %{domain} ; (available=yes) Domain of current system
-
; - %{egid} ; (available=yes) Effective gid that executed the command
-
; - %{egroup} ; (available=yes) Effective group name that executed the command
-
; - %{env:VAR} ; (available=yes) Environmental variable named 'VAR'
-
; - %{env_all} ; (available=yes) All environmental varibles, comma separated
-
; - %{euid} ; (available=yes) Effective uid that executed the command
-
; - %{eusername} ; (available=yes) Effective username that executed the command
-
; - %{filename} ; (available=yes) Full path to executable
-
; - %{gid} ; (available=yes) Group id that executed the command
-
; - %{group} ; (available=yes) Group name that executed the command
-
; - %{hostname} ; (available=yes) Hostname of current system
-
; - %{login} ; (available=yes) Login name (tries getlogin_r() first, then SUDO_USER env variabe, and LOGNAME env as last resort)
-
; - %{pid} ; (available=yes) ID of process that executed the command
-
; - %{ppid} ; (available=yes) Parent process ID of process that executed the command
-
; - %{rpname} ; (available=yes) Root process name of process that executed the command
-
; - %{sid} ; (available=yes) Process id of session group process leader
-
; - %{snoopy_threads} ; (available=yes) Number of threads that Snoopy currently is configured for
-
; - %{snoopy_version} ; (available=yes) Snoopy version
-
; - %{snoopy_literal:arg} ; (available=yes) Dummy data source, only returns its argument literally
-
; - %{tid} ; (available=yes) Thread ID of process that executed the command
-
; - %{tid_kernel} ; (available=yes) Thread ID of process that executed the command, as returned by Linux kernel
-
; - %{timestamp} ; (available=yes) Current Unix timestamp
-
; - %{timestamp_ms} ; (available=yes) Millisecond part of current Unix timestamp
-
; - %{timestamp_us} ; (available=yes) Microsecond part of current Unix timestamp
-
; - %{tty} ; (available=yes) Which TTY the command was run on
-
; - %{tty_uid} ; (available=yes) TTY uid
-
; - %{tty_username} ; (available=yes) TTY username
-
; - %{uid} ; (available=yes) User id that executed the command
-
; - %{username} ; (available=yes) Username that executed the command
-
;
-
; Availability (yes/no):
-
; This flag signifies whether this build of Snoopy has particular data source
-
; built-in or not. If particular data source is not available and its use is
-
; desired, then Snoopy must be rebuilt with flags that enable given data
-
; source.
-
;
-
; Default value:
-
; "[uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}"
-
;
-
; Examples:
-
;message_format = "useless static log entry that gets logged on every program execution"
-
;message_format = "uid=%{uid}" ; <--- this would only log uids who execute programs, nothing else;
-
;message_format = "uid=%{uid} tty=%{tty} cmdline=%{cmdline}" ; <--- logs uid + tty + command that is executed
-
message_format = "datetime:%{datetime} login:%{login} username:%{username} cmdline:%{cmdline} cwd:%{cwd}"
-
-
-
;;; Filter Chain specification
-
;
-
; Must comply with the following rules:
-
; - one or more filters may be specified, separated by semicolon,
-
; - each filter may contain argument that follows the colon,
-
; - filter may accept multiple arguments, separated by comma,
-
; - filter chain must not contain any spaces (allowed in filter arguments, but generally discouraged).
-
;
-
; List of available filters:
-
; - exclude_spawns_of ; (available=yes) Exclude log entries that occur in specified process trees
-
; - exclude_uid ; (available=yes) Exclude these UIDs from logging
-
; - only_root ; (available=yes) Only log root commands
-
; - only_tty ; (available=yes) Only log commands associated with a TTY
-
; - only_uid ; (available=yes) Only log commands executed by these UIDs
-
;
-
; Availability (yes/no):
-
; This flag signifies whether this build of Snoopy has particular filter
-
; built-in or not. If particular filter is not available and its use is
-
; desired, then Snoopy must be rebuilt with flags that enable given filter.
-
;
-
; Sample definitions with explanations:
-
; - filter_chain = "exclude_uid:0" # Log all commands, except the ones executed by root
-
; - filter_chain = "exclude_uid:1,2,3" # Log all commands, except those executed by users with UIDs 1, 2 and 3
-
; - filter_chain = "only_uid:0" # Log only root commands
-
; - filter_chain = "exclude_spawns_of:cron,my_daemon" # Do not log commands spawned by cron or my_daemon
-
; - filter_chain = "filter1:arg11;filter2:arg21,arg22;filter3:arg31,32,33"
-
;
-
; Default value:
-
; "" (empty string)
-
;
-
; Examples:
-
;filter_chain = ""
-
;filter_chain = "only_uid:0"
-
;filter_chain = "only_uid:10000"
-
;filter_chain = "exclude_uid:0"
-
filter_chain = ""
-
-
;;; Output
-
;
-
; Where messages get sent to
-
;
-
; List of available outputs:
-
; - devlog ; (available=yes) Default, writes directly to /dev/log.
-
; - devnull ; (available=yes) Black hole.
-
; - devtty ; (available=yes) Write to current tty via /dev/tty.
-
; - file ; (available=yes) Write directly to file. (NOTICE: Make sure file has proper permissions set for non-root users.)
-
; - socket ; (available=yes) Built-in output. As argument it requires an absolute path of socket to write to.
-
; - stderr ; (available=yes) Write to STDERR. Mainly useful for debugging purposes.
-
; - stdout ; (available=yes) Write to STDOUT. Mainly useful for debugging purposes.
-
; - syslog ; (available=no) Previuosly-default (WARNING: DO NOT USE syslog OUTPUT WITH systemd - IT WILL HANG YOUR SYSTEM ON BOOT)
-
;
-
; Availability (yes/no):
-
; This flag signifies whether this build of Snoopy has particular output
-
; built-in or not. If particular output is not available and its use is
-
; desired, then Snoopy must be rebuilt with flags that enable given output.
-
;
-
; List of outputs pending implementation (patches welcome!):
-
; - console ; TODO
-
; - journald ; TODO
-
;
-
; Default value:
-
; devlog
-
; (previously 'syslog' was default value, but due to systemd issues default was changed)
-
; (to raw device writing as syslogd blocks syslog() calls if journald is not running)
-
;
-
; Example:
-
;output = console
-
;output = devlog
-
;output = file:/var/log/snoopy.log
-
;output = socket:/var/run/socket-for-snoopy.sock
-
output = file:/var/log/snoopy
-
-
-
;;; Error Logging
-
;
-
; Whether to log error messages or not.
-
; This should generally be disabled, as it may generate lots of error logs.
-
;
-
; The most appropriate usage of this parameter is when:
-
; - you are developing new data source
-
; - you are trying to configure message format and are having problems with it
-
;
-
; Default value:
-
; no (unless changed by ./configure --enable-error-logging to yes)
-
;
-
; Example:
-
;error_logging = yes
-
;error_logging = yes
-
-
-
;;; Syslog Facility
-
;
-
; What syslog facility to use. Can be prefixed with 'LOG_'.
-
;
-
; Possible values:
-
; One of AUTH|AUTHPRIV|CRON|DAEMON|FTP|KERN|LOCAL[0-7]|LPR|MAIL|NEWS|SYSLOG|USER|UUCP
-
;
-
; Default value:
-
; LOG_AUTHPRIV (unless changed by ./configure --with-syslog-facility=FACILITY)
-
;
-
; Example:
-
;syslog_facility = LOG_AUTHPRIV
-
-
-
-
;;; Syslog Ident
-
;
-
; What syslog ident (program name) to use.
-
;
-
; Possible values:
-
; Any non-spaced string.
-
;
-
; Default value:
-
; "snoopy" (unless changed by ./configure --with-syslog-ident="other")
-
;
-
; Example:
-
;syslog_ident = "my-ident-string"
-
-
-
-
;;; Syslog Level
-
;
-
; What syslog level to use. Can be prefixed with 'LOG_'.
-
;
-
; Possible values:
-
; One of EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG
-
;
-
; Default value:
-
; LOG_INFO (unless changed by ./configure --with-syslog-level=LEVEL)
-
;
-
; Example:
-
;syslog_level = LOG_INFO
在/var/log/目录创建snoopy文件,修改拥有者,chown snoopy.snoopy /var/log/snoopy;chmod o+w /var/log/snoopy
启动snoopy,snoopy-enable,此时snoopy会在/etc/ld.so.preload添加/opt/snoopy/lib/libsnoopy.so,这个是语句是将snoopy自身的so预加载,已达到监控系统的exec调用
关于/opt/snoopy目录的权限,组和其他人需要有x权限,不然当其他用户登录的时候,会出现"ERROR:ld.so: object '/opt/snoopy/lib/libsnoopy.so' from /etc/ld.so.preload cannot be preloaded: ignored。
阅读(3485) | 评论(0) | 转发(0) |