Date:      Wed, 25 Jul 2012 15:10:15 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        freebsd-questions@freebsd.org
Subject:   Re: Security - logging of user commands
Message-ID:  <500FF037.4020302@my.gd>
In-Reply-To: <loom.20120725T143820-718@post.gmane.org>
References:  <500FDCE4.8060607@my.gd> <loom.20120725T143820-718@post.gmane.org>


On 7/25/12 2:42 PM, jb wrote:
> Damien Fleuriot <ml <at> my.gd> writes:
> 
>> ... 
>> I notice it also exists on FreeBSD as /usr/ports/security/snoopy .
>>
>> However I face several problems with it, mainly it doesn't seem to log
>> anything.
>>
>> As per the README, I have added "/usr/local/lib/snoopy.so" to
>> /etc/ld.so.preload
>>
>> I'm not even sure this file is used on BSD ?
>> ...
> 
> /usr/ports/security/snoopy]# make clean; make
> ...
> # ls work/snoopy-1.8.0/
> ...
> enable.sh
> ...
> 
> jb
> 


Well that's my problem exactly, really.

1/ the enable script won't work and will always return an error,
requiring a manual activation
2/ even once enabled, snoopy doesn't get loaded because
/etc/ld.so.preload is not used on FBSD apparently
3/ even when enabled with "setenv LD_PRELOAD /usr/local/lib/snoopy.so",
snoopy won't return any log



From config.h:
/* Syslog facility to use */
#define SNOOPY_SYSLOG_FACILITY LOG_AUTHPRIV

/* Syslog level to use */
#define SNOOPY_SYSLOG_LEVEL LOG_INFO


From my syslog.conf:
auth.info;authpriv.info                         /var/log/auth.log

Yet I'm not seeing a trail in /var/log/auth.log, or messages, or even
in secure


I have however validated that snoopy.so is called, as per the following:

# truss ls /dev/null
[snip]
open("/usr/local/lib/snoopy.so",O_RDONLY,031)	 = 2 (0x2)
fstat(2,{ mode=-r-xr-xr-x ,inode=548761,size=6952,blksize=16384 }) = 0 (0x0)
fstatfs(0x2,0x7fffffffe220,0x19,0x0,0xffff80080053a068,0x0) = 0 (0x0)
pread(0x2,0x80063e2a0,0x1000,0x0,0xffff80080053a068,0x0) = 4096 (0x1000)
mmap(0x0,1056768,PROT_NONE,MAP_PRIVATE|MAP_ANON|MAP_NOCORE,-1,0x0) = 34366341120 (0x80064c000)
mmap(0x80064c000,8192,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_NOCORE,2,0x0) = 34366341120 (0x80064c000)
mmap(0x80074d000,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED,2,0x1000) = 34367393792 (0x80074d000)
close(2)					 = 0 (0x0)


And still no logs...
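To separate "the library is loaded but never logs" from "the library logs but syslog drops it", it helps to see the whole mechanism snoopy relies on in one place: an LD_PRELOAD library that interposes execve(), formats an audit line, and hands it to syslog with the facility and level quoted from config.h above. The block below is an added, hypothetical minimal version written for this thread; it is not snoopy's own code, and the names build_audit_line, snoopy-example and the "[uid:N tty:T]: cmd args" line format are assumptions made here. The formatting step is a separate function so it can be checked without executing anything.

```c
/* Minimal snoopy-style execve() interposer (added example, not snoopy's code).
 * Build as a shared object and load it through the LD_PRELOAD environment
 * variable, which is what the message's point 3 does with setenv. */
#define _GNU_SOURCE          /* RTLD_NEXT on glibc; FreeBSD's dlfcn.h has it by default */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Same facility and level the message quotes from snoopy's config.h.
 * The syslog.conf selector "auth.info;authpriv.info" matches these. */
#define SNOOPY_SYSLOG_FACILITY LOG_AUTHPRIV
#define SNOOPY_SYSLOG_LEVEL    LOG_INFO

/* Build the audit line "[uid:N tty:T]: argv0 argv1 ..." into buf.
 * Returns the number of bytes written (without the NUL), or -1 if the
 * line would not fit, so the caller never logs a silently truncated command. */
int build_audit_line(char *buf, size_t len, uid_t uid, const char *tty,
                     char *const argv[])
{
    int n = snprintf(buf, len, "[uid:%u tty:%s]:", (unsigned)uid,
                     tty ? tty : "(none)");
    if (n < 0 || (size_t)n >= len)
        return -1;
    size_t used = (size_t)n;

    for (int i = 0; argv && argv[i]; i++) {
        n = snprintf(buf + used, len - used, " %s", argv[i]);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

typedef int (*execve_fn)(const char *, char *const[], char *const[]);

/* The interposed execve(): log first, then call the real libc execve().
 * dlsym(RTLD_NEXT, ...) resolves the next definition after this library,
 * i.e. libc's, which is how preload wrappers avoid calling themselves. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    static execve_fn real_execve = NULL;
    if (real_execve == NULL) {
        union { void *obj; execve_fn fn; } u;   /* ISO C-clean pointer conversion */
        u.obj = dlsym(RTLD_NEXT, "execve");
        real_execve = u.fn;
    }

    char line[1024];
    if (build_audit_line(line, sizeof line, getuid(), ttyname(0), argv) < 0)
        snprintf(line, sizeof line, "[uid:%u]: (command line too long for audit buffer)",
                 (unsigned)getuid());

    /* LOG_PID so the entry can be correlated with process accounting. */
    openlog("snoopy-example", LOG_PID, SNOOPY_SYSLOG_FACILITY);
    syslog(SNOOPY_SYSLOG_LEVEL, "%s", line);
    closelog();

    return real_execve(path, argv, envp);
}
```

Build it with `cc -shared -fPIC -o snoopy-example.so snoopy-example.c` (older glibc systems also need `-ldl`; FreeBSD does not), run something like `env LD_PRELOAD=$PWD/snoopy-example.so ls /dev/null`, and then check /var/log/auth.log. If this wrapper's line shows up but snoopy's never does, the preload and syslog routing are fine and the problem is inside snoopy itself; if neither shows up, test the routing on its own with `logger -p authpriv.info test` before looking further at the library. Note that ttyname(0) is NULL when stdin is not a terminal (cron jobs, pipes), which the formatter reports as "(none)" rather than skipping the entry.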


