Category: LINUX

2017-08-18 09:50:27

snoopy is a command-audit tool: it records the commands users execute and writes them to a log file (it supports syslog and several other outputs as well), and installing it is not complicated. Search the web if you want a full introduction; the steps are recorded below:
After downloading snoopy, build and install it: ./configure --prefix=/opt/snoopy; make; make install
Create a user that cannot log in, to own the log file: useradd -s /sbin/nologin -M snoopy
Edit snoopy's configuration file snoopy.ini (with this prefix it is installed as /opt/snoopy/etc/snoopy.ini). The whole file is reproduced below with the changes applied; the three active settings are message_format, filter_chain and output:

;;; REQUIRED Section
;
[snoopy]

;;; Log Message Format specification
;
; May consist of:
; - arbitrary text, which is copied to log message as-is,
; - calls to data sources without arguments: %{datasourcename}
; - calls to data sources with argument : %{datasourcename:arg1}
; - calls to data sources with arguments: %{datasourcename:arg1,arg2} <--- if data source supports it
;
; List of available data sources:
; - %{cmdline} ; (available=yes) Full command line, with arguments
; - %{cwd} ; (available=yes) Current working directory
; - %{datetime} ; (available=yes) Date and time in ISO 8601 format
; - %{domain} ; (available=yes) Domain of current system
; - %{egid} ; (available=yes) Effective gid that executed the command
; - %{egroup} ; (available=yes) Effective group name that executed the command
; - %{env:VAR} ; (available=yes) Environment variable named 'VAR'
; - %{env_all} ; (available=yes) All environment variables, comma separated
; - %{euid} ; (available=yes) Effective uid that executed the command
; - %{eusername} ; (available=yes) Effective username that executed the command
; - %{filename} ; (available=yes) Full path to executable
; - %{gid} ; (available=yes) Group id that executed the command
; - %{group} ; (available=yes) Group name that executed the command
; - %{hostname} ; (available=yes) Hostname of current system
; - %{login} ; (available=yes) Login name (tries getlogin_r() first, then SUDO_USER env variable, and LOGNAME env as last resort)
; - %{pid} ; (available=yes) ID of process that executed the command
; - %{ppid} ; (available=yes) Parent process ID of process that executed the command
; - %{rpname} ; (available=yes) Root process name of process that executed the command
; - %{sid} ; (available=yes) Process id of session group process leader
; - %{snoopy_threads} ; (available=yes) Number of threads that Snoopy currently is configured for
; - %{snoopy_version} ; (available=yes) Snoopy version
; - %{snoopy_literal:arg} ; (available=yes) Dummy data source, only returns its argument literally
; - %{tid} ; (available=yes) Thread ID of process that executed the command
; - %{tid_kernel} ; (available=yes) Thread ID of process that executed the command, as returned by Linux kernel
; - %{timestamp} ; (available=yes) Current Unix timestamp
; - %{timestamp_ms} ; (available=yes) Millisecond part of current Unix timestamp
; - %{timestamp_us} ; (available=yes) Microsecond part of current Unix timestamp
; - %{tty} ; (available=yes) Which TTY the command was run on
; - %{tty_uid} ; (available=yes) TTY uid
; - %{tty_username} ; (available=yes) TTY username
; - %{uid} ; (available=yes) User id that executed the command
; - %{username} ; (available=yes) Username that executed the command
;
; Availability (yes/no):
; This flag signifies whether this build of Snoopy has particular data source
; built-in or not. If particular data source is not available and its use is
; desired, then Snoopy must be rebuilt with flags that enable given data
; source.
;
; Default value:
; "[uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}"
;
; Examples:
;message_format = "useless static log entry that gets logged on every program execution"
;message_format = "uid=%{uid}" ; <--- this would only log uids who execute programs, nothing else;
;message_format = "uid=%{uid} tty=%{tty} cmdline=%{cmdline}" ; <--- logs uid + tty + command that is executed
message_format = "datetime:%{datetime} login:%{login} username:%{username} cmdline:%{cmdline} cwd:%{cwd}"

;;; Filter Chain specification
;
; Must comply with the following rules:
; - one or more filters may be specified, separated by semicolon,
; - each filter may contain argument that follows the colon,
; - filter may accept multiple arguments, separated by comma,
; - filter chain must not contain any spaces (allowed in filter arguments, but generally discouraged).
;
; List of available filters:
; - exclude_spawns_of ; (available=yes) Exclude log entries that occur in specified process trees
; - exclude_uid ; (available=yes) Exclude these UIDs from logging
; - only_root ; (available=yes) Only log root commands
; - only_tty ; (available=yes) Only log commands associated with a TTY
; - only_uid ; (available=yes) Only log commands executed by these UIDs
;
; Availability (yes/no):
; This flag signifies whether this build of Snoopy has particular filter
; built-in or not. If particular filter is not available and its use is
; desired, then Snoopy must be rebuilt with flags that enable given filter.
;
; Sample definitions with explanations:
; - filter_chain = "exclude_uid:0" # Log all commands, except the ones executed by root
; - filter_chain = "exclude_uid:1,2,3" # Log all commands, except those executed by users with UIDs 1, 2 and 3
; - filter_chain = "only_uid:0" # Log only root commands
; - filter_chain = "exclude_spawns_of:cron,my_daemon" # Do not log commands spawned by cron or my_daemon
; - filter_chain = "filter1:arg11;filter2:arg21,arg22;filter3:arg31,32,33"
;
; Default value:
; "" (empty string)
;
; Examples:
;filter_chain = ""
;filter_chain = "only_uid:0"
;filter_chain = "only_uid:10000"
;filter_chain = "exclude_uid:0"
filter_chain = ""

;;; Output
;
; Where messages get sent to
;
; List of available outputs:
; - devlog ; (available=yes) Default, writes directly to /dev/log.
; - devnull ; (available=yes) Black hole.
; - devtty ; (available=yes) Write to current tty via /dev/tty.
; - file ; (available=yes) Write directly to file. (NOTICE: Make sure file has proper permissions set for non-root users.)
; - socket ; (available=yes) Built-in output. As argument it requires an absolute path of socket to write to.
; - stderr ; (available=yes) Write to STDERR. Mainly useful for debugging purposes.
; - stdout ; (available=yes) Write to STDOUT. Mainly useful for debugging purposes.
; - syslog ; (available=no) Previously the default (WARNING: DO NOT USE syslog OUTPUT WITH systemd - IT WILL HANG YOUR SYSTEM ON BOOT)
;
; Availability (yes/no):
; This flag signifies whether this build of Snoopy has particular output
; built-in or not. If particular output is not available and its use is
; desired, then Snoopy must be rebuilt with flags that enable given output.
;
; List of outputs pending implementation (patches welcome!):
; - console ; TODO
; - journald ; TODO
;
; Default value:
; devlog
; (previously 'syslog' was default value, but due to systemd issues default was changed)
; (to raw device writing as syslogd blocks syslog() calls if journald is not running)
;
; Example:
;output = console
;output = devlog
;output = file:/var/log/snoopy.log
;output = socket:/var/run/socket-for-snoopy.sock
output = file:/var/log/snoopy

;;; Error Logging
;
; Whether to log error messages or not.
; This should generally be disabled, as it may generate lots of error logs.
;
; The most appropriate usage of this parameter is when:
; - you are developing new data source
; - you are trying to configure message format and are having problems with it
;
; Default value:
; no (unless changed by ./configure --enable-error-logging to yes)
;
; Example:
;error_logging = yes

;;; Syslog Facility
;
; What syslog facility to use. Can be prefixed with 'LOG_'.
;
; Possible values:
; One of AUTH|AUTHPRIV|CRON|DAEMON|FTP|KERN|LOCAL[0-7]|LPR|MAIL|NEWS|SYSLOG|USER|UUCP
;
; Default value:
; LOG_AUTHPRIV (unless changed by ./configure --with-syslog-facility=FACILITY)
;
; Example:
;syslog_facility = LOG_AUTHPRIV

;;; Syslog Ident
;
; What syslog ident (program name) to use.
;
; Possible values:
; Any non-spaced string.
;
; Default value:
; "snoopy" (unless changed by ./configure --with-syslog-ident="other")
;
; Example:
;syslog_ident = "my-ident-string"

;;; Syslog Level
;
; What syslog level to use. Can be prefixed with 'LOG_'.
;
; Possible values:
; One of EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG
;
; Default value:
; LOG_INFO (unless changed by ./configure --with-syslog-level=LEVEL)
;
; Example:
;syslog_level = LOG_INFO
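With the message_format chosen above, each exec produces one line of the form `datetime:... login:... username:... cmdline:... cwd:...`. The following is an added example (not code from the original post or from the snoopy project) showing how to split those lines into fields and run two triage queries that the uid-only default format cannot answer: which commands a person ran as a different account after sudo/su (login differs from username), and which commands were launched from world-writable scratch directories. The sample log lines are constructed for this example, and the file name snoopy-triage.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): parse and triage lines written
# with message_format = "datetime:%{datetime} login:%{login} username:%{username}
# cmdline:%{cmdline} cwd:%{cwd}". Sample lines below are constructed.
tab=$(printf '\t')

# One line of the configured format -> TSV: datetime, login, username,
# cmdline, cwd. cmdline may contain spaces and colons, so the fields are taken
# in their fixed order; the greedy (.*) for cmdline stops at the last " cwd:".
snoopy_to_tsv() {
  sed -E "s/^datetime:([^ ]+) login:([^ ]+) username:([^ ]+) cmdline:(.*) cwd:(.*)$/\1${tab}\2${tab}\3${tab}\4${tab}\5/"
}

# login is the account that opened the session (getlogin_r(), then SUDO_USER),
# username is the account the command actually ran as; a mismatch is the trail
# of what a person did after sudo/su, which the uid-only default format loses.
identity_changes() {
  snoopy_to_tsv | awk -F"$tab" '$2 != $3 { print $1, $2 " -> " $3 ":", $4 }'
}

# Commands launched from world-writable scratch directories, the usual place
# for dropped tooling.
exec_from_scratch_dirs() {
  snoopy_to_tsv | awk -F"$tab" '$5 ~ "^/(tmp|var/tmp|dev/shm)(/|$)" { print $1, $3, $4, "(cwd " $5 ")" }'
}

# Constructed sample in the exact message_format above (not real log data).
sample_log() {
  cat <<'EOF'
datetime:2017-08-18T09:50:27+0800 login:alice username:alice cmdline:ls -la /var/log cwd:/home/alice
datetime:2017-08-18T09:51:02+0800 login:alice username:alice cmdline:sudo -i cwd:/home/alice
datetime:2017-08-18T09:51:02+0800 login:alice username:root cmdline:bash -i cwd:/home/alice
datetime:2017-08-18T09:52:40+0800 login:alice username:root cmdline:chmod +s /tmp/.x cwd:/tmp
datetime:2017-08-18T10:00:01+0800 login:root username:root cmdline:crontab -l cwd:/
datetime:2017-08-18T10:03:15+0800 login:bob username:bob cmdline:./build.sh --define a:b cwd:/var/tmp/build
EOF
}

# Usage: ./snoopy-triage.sh demo              (runs both queries on the sample)
#        identity_changes < /var/log/snoopy    (after sourcing this file on a host)
case ${1:-} in
  demo) sample_log | identity_changes; sample_log | exec_from_scratch_dirs ;;
esac
```

On the sample, identity_changes reports the two commands alice ran as root (`bash -i` and `chmod +s /tmp/.x`) and exec_from_scratch_dirs reports that chmod plus bob's build from /var/tmp. The parser relies on cwd being the last field; if a cmdline ever contained the literal text " cwd:" the split would be wrong, which is a reason to keep %{cwd} last and %{cmdline} immediately before it when choosing a format.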
Create the file /var/log/snoopy and set its owner and mode: chown snoopy.snoopy /var/log/snoopy; chmod o+w /var/log/snoopy. The file has to be writable by every user because each log line is written from inside that user's own process (this is the NOTICE on the file output above). Keep in mind that o+w also lets any local user truncate or rewrite the audit trail; if the file output is used, make the file append-only (chattr +a, which still allows snoopy's appends but blocks truncation and editing), or prefer the devlog output so the records leave the host through syslog.
Enable snoopy with snoopy-enable. This adds /opt/snoopy/lib/libsnoopy.so to /etc/ld.so.preload, so the dynamic loader preloads snoopy's own shared object into every dynamically linked program started from then on; the library wraps execv()/execve(), which is how it sees the system's exec calls. Two limits follow from this design: statically linked binaries and anything that bypasses the dynamic loader are never logged, and the whole mechanism is switched off again by removing that one line (snoopy-disable), so /etc/ld.so.preload itself needs to be protected and monitored.
The /opt/snoopy directory tree must be traversable by group and others (x on every directory along the path, and the .so readable), otherwise every command run by another user prints "ERROR: ld.so: object '/opt/snoopy/lib/libsnoopy.so' from /etc/ld.so.preload cannot be preloaded: ignored". The dangerous part is the word "ignored": the exec still succeeds, it is just no longer logged, so a permissions mistake here silently removes non-root users from the audit trail.
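The steps above as one script, followed by the checks that catch the two ways this setup silently stops auditing (a library path that other users cannot traverse, and a missing log line for a non-root user). This is an added example, not code from the original post or from the snoopy project. It assumes the unpacked snoopy source is in ./snoopy-src, the prefix /opt/snoopy, the log file /var/log/snoopy, snoopy.ini under /opt/snoopy/etc, a snoopy-setup.sh file name, and that it is run as root with `./snoopy-setup.sh install`; the permission check and the other functions can be sourced and used on their own.

```shell
#!/bin/sh
# Added example (not from the original post or the snoopy project): the post's
# install steps as one script plus the checks a practitioner wants afterwards.
# Assumptions: snoopy source in ./snoopy-src, prefix /opt/snoopy, log file
# /var/log/snoopy, config at $PREFIX/etc/snoopy.ini, run as root:
#   ./snoopy-setup.sh install
set -eu

SRC=${SRC:-./snoopy-src}
PREFIX=${PREFIX:-/opt/snoopy}
LOGFILE=${LOGFILE:-/var/log/snoopy}
LIB="$PREFIX/lib/libsnoopy.so"

# "other" permission bits of a path, e.g. "r-x", taken from the ls -l mode string
other_bits() { ls -ld "$1" | cut -c8-10; }

# ld.so preloads the library inside every user's processes, so the .so needs
# o+r and every directory between $top (exclusive, default /) and the .so needs
# o+x; otherwise ld.so prints "cannot be preloaded: ignored" and that user's
# commands are simply not logged. Returns 1 on the first problem found.
check_preload_perms() {
  lib=$1 top=${2:-/}
  case $(other_bits "$lib") in
    r??) ;;
    *) echo "FAIL: $lib is not readable by others"; return 1 ;;
  esac
  dir=$(dirname "$lib")
  while [ "$dir" != "$top" ] && [ "$dir" != / ]; do
    case $(other_bits "$dir") in
      ??[xt]) ;;   # x, or t when the sticky bit is set as well
      *) echo "FAIL: $dir lacks o+x"; return 1 ;;
    esac
    dir=$(dirname "$dir")
  done
  echo "OK: $lib is reachable by all users"
}

# The three settings the post changes; everything else keeps its default.
write_config() {
  cat > "$PREFIX/etc/snoopy.ini" <<EOF
[snoopy]
message_format = "datetime:%{datetime} login:%{login} username:%{username} cmdline:%{cmdline} cwd:%{cwd}"
; keep the chain empty: "exclude_uid:0" would drop exactly the root commands
; an audit trail exists for
filter_chain = ""
output = file:$LOGFILE
EOF
}

# Each process writes its own line, so every user needs write access (the
# post's o+w). Append-only stops those same users from truncating or editing
# the trail while snoopy's appends keep working. chattr needs root and a
# filesystem with attribute support, hence the soft failure.
setup_log_file() {
  touch "$1"
  chown snoopy:snoopy "$1"
  chmod o+w "$1"
  chattr +a "$1" 2>/dev/null || echo "warning: could not set append-only on $1"
}

# Execute something as the unprivileged snoopy user and look for both failure
# modes: the ld.so warning on stderr, and no line reaching the log file.
smoke_test() {
  err=$(su -s /bin/sh -c /bin/true snoopy 2>&1 >/dev/null) || true
  case $err in
    *"cannot be preloaded"*) echo "FAIL: $err"; return 1 ;;
  esac
  tail -n 20 "$LOGFILE" | grep -q 'username:snoopy cmdline:' \
    || { echo "FAIL: no log line written for the snoopy user"; return 1; }
  echo "OK: snoopy is logging"
}

main() {
  (cd "$SRC" && ./configure --prefix="$PREFIX" && make && make install)
  id snoopy >/dev/null 2>&1 || useradd -s /sbin/nologin -M snoopy
  write_config
  setup_log_file "$LOGFILE"
  check_preload_perms "$LIB"
  "$PREFIX/sbin/snoopy-enable"
  grep -qxF "$LIB" /etc/ld.so.preload \
    || { echo "FAIL: $LIB missing from /etc/ld.so.preload"; exit 1; }
  smoke_test
}

case ${1:-} in install) main ;; esac
```

check_preload_perms reads the mode bits instead of testing access, because root (who runs the script) can traverse anything and would never see the failure that an ordinary user hits; the smoke test then exercises the real path as the nologin snoopy user, so an ld.so warning or an empty log shows up before anyone relies on the trail.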