From owner-freebsd-questions@FreeBSD.ORG Wed Jul 25 13:10:18 2012
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <500FF037.4020302@my.gd>
Date: Wed, 25 Jul 2012 15:10:15 +0200
From: Damien Fleuriot <ml@my.gd>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
To: freebsd-questions@freebsd.org
References: <500FDCE4.8060607@my.gd>
Subject: Re: Security - logging of user commands
List-Id: User questions
X-List-Received-Date: Wed, 25 Jul 2012 13:10:18 -0000

On 7/25/12 2:42 PM, jb wrote:
> Damien Fleuriot <ml@my.gd> writes:
>
>> ...
>> I notice it also exists on FreeBSD as /usr/ports/security/snoopy .
>>
>> However I face several problems with it, mainly it doesn't seem to log
>> anything.
>>
>> As per the README, I have added "/usr/local/lib/snoopy.so" to
>> /etc/ld.so.preload
>>
>> I'm not even sure this file is used on BSD ?
>> ...
>
> /usr/ports/security/snoopy]# make clean; make
> ...
> # ls work/snoopy-1.8.0/
> ...
> enable.sh
> ...
>
> jb
>

Well that's my problem exactly, really.

1/ the enable script won't work and will always return an error, requiring a manual activation

2/ even once enabled, snoopy doesn't get loaded because /etc/ld.so.preload is not used on FBSD apparently

3/ even when enabled with "setenv LD_PRELOAD /usr/local/lib/snoopy.so", snoopy won't return any log

From config.h:

    /* Syslog facility to use */
    #define SNOOPY_SYSLOG_FACILITY LOG_AUTHPRIV

    /* Syslog level to use */
    #define SNOOPY_SYSLOG_LEVEL LOG_INFO

From my syslog.conf:

    auth.info;authpriv.info    /var/log/auth.log

Yet I'm not seeing a trail in /var/log/auth.log, or messages, or even in secure.

I have however validated that snoopy.so is called, as per the following:

    # truss ls /dev/null
    [snip]
    open("/usr/local/lib/snoopy.so",O_RDONLY,031)    = 2 (0x2)
    fstat(2,{ mode=-r-xr-xr-x ,inode=548761,size=6952,blksize=16384 })    = 0 (0x0)
    fstatfs(0x2,0x7fffffffe220,0x19,0x0,0xffff80080053a068,0x0)    = 0 (0x0)
    pread(0x2,0x80063e2a0,0x1000,0x0,0xffff80080053a068,0x0)    = 4096 (0x1000)
    mmap(0x0,1056768,PROT_NONE,MAP_PRIVATE|MAP_ANON|MAP_NOCORE,-1,0x0)    = 34366341120 (0x80064c000)
    mmap(0x80064c000,8192,PROT_READ|PROT_EXEC,MAP_PRIVATE|MAP_FIXED|MAP_NOCORE,2,0x0)    = 34366341120 (0x80064c000)
    mmap(0x80074d000,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_FIXED,2,0x1000)    = 34367393792 (0x80074d000)
    close(2)    = 0 (0x0)

And still no logs...
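One check worth separating from the snoopy question is whether syslogd would route an authpriv.info message (the facility and level from config.h above) anywhere at all. The script below is an added example, not code from snoopy or from anyone in this thread: it evaluates BSD-style syslog.conf selectors for a given facility and level against a constructed config modelled on the line quoted above, and goes beyond that one line by handling `*`, `none`, `=level`, the default "this level and more severe" rule, and later selectors overriding earlier ones on the same line. The function name, the sample config and its file paths are assumptions made here.

```shell
#!/bin/sh
# syslog_targets FACILITY LEVEL CONF: print the action of every syslog.conf line
# whose selector matches FACILITY.LEVEL. Added diagnostic, not part of snoopy.
# Assumes one "selector action" pair per line separated by whitespace.
# '!' level negation and program/host sections (!prog, +host, -host) are skipped.
syslog_targets() {
    awk -v fac="$1" -v lvl="$2" '
    BEGIN {
        split("emerg alert crit err warning notice info debug", names, " ")
        for (i = 1; i <= 8; i++) rank[names[i]] = i   # 1 = most severe
        want = rank[lvl]
    }
    NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
    $1 ~ /^[!+-]/ { next }                 # program/host sections: not handled
    {
        hit = 0
        n = split($1, sels, ";")
        for (s = 1; s <= n; s++) {         # later selectors override earlier ones
            split(sels[s], fl, ".")
            level = fl[2]
            exact = sub(/^=/, "", level)   # "=info" means exactly that level
            neg = (level ~ /^!/)           # "!info" negation: unsupported here
            m = split(fl[1], facs, ",")
            for (f = 1; f <= m; f++) {
                if (facs[f] != fac && facs[f] != "*") continue
                if (level == "none")      hit = 0
                else if (level == "*")    hit = 1
                else if (neg)             continue
                else if (exact)           hit = (want == rank[level])
                else                      hit = (want <= rank[level])
            }
        }
        if (hit) print $2
    }' "$3"
}

# Constructed sample config (not the poster's real file), mirroring the
# auth.info;authpriv.info line quoted in the thread plus typical FreeBSD defaults.
SAMPLE_CONF=$(mktemp)
printf '%s\n' \
  '# constructed sample syslog.conf' \
  '*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages' \
  'auth.info;authpriv.info  /var/log/auth.log' \
  'security.*  /var/log/security' \
  'mail.info  /var/log/maillog' > "$SAMPLE_CONF"

echo "authpriv.info goes to:"; syslog_targets authpriv info "$SAMPLE_CONF"
echo "mail.info goes to:";     syslog_targets mail info "$SAMPLE_CONF"
```

On a live host, run it against /etc/syslog.conf and then send `logger -p authpriv.info test` to confirm the message lands in the file it names; if that works, the gap is on the preload side rather than in syslog routing.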