Log every executed command to syslog.
Display operating system.
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster
Display default user, group, permissions, and umask for log files.
$ cat /etc/rsyslog.conf | grep "^\$File\|\$Umask"
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$Umask 0022
Ensure that executed commands are stored in a dedicated log file using clearly defined permissions.
$ cat << EOF | sudo tee /etc/rsyslog.d/01-snoopy.conf
# Send snoopy messages to a dedicated logfile
if (\$programname startswith "snoopy") then {
  action(type="omfile" fileOwner="root" fileGroup="root" fileCreateMode="0600" file="/var/log/snoopy.log")
  stop
}
EOF
# Send snoopy messages to a dedicated logfile
if ($programname startswith "snoopy") then {
  action(type="omfile" fileOwner="root" fileGroup="root" fileCreateMode="0600" file="/var/log/snoopy.log")
  stop
}
Restart the rsyslog daemon so that it rereads its configuration files.
$ sudo systemctl restart rsyslog
Ensure that the snoopy library will be preloaded after installation.
$ cat << EOF | sudo debconf-set-selections
snoopy snoopy/install-ld-preload boolean true
EOF
Install snoopy, a shared library that wraps the execve() function provided by libc in order to log every call to syslog (authpriv).
$ sudo apt install snoopy
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  snoopy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.0 kB of archives.
After this operation, 123 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 snoopy amd64 2.4.6-5 [46.0 kB]
Fetched 46.0 kB in 0s (194 kB/s)
Preconfiguring packages ...
Selecting previously unselected package snoopy.
(Reading database ... 31939 files and directories currently installed.)
Preparing to unpack .../snoopy_2.4.6-5_amd64.deb ...
Unpacking snoopy (2.4.6-5) ...
Setting up snoopy (2.4.6-5) ...
Processing triggers for libc-bin (2.28-10) ...
Verify owner, group, and permissions on the created log file.
$ ls -l /var/log/snoopy.log
-rw------- 1 root root 1747 Jan 19 01:53 /var/log/snoopy.log
Display executed commands.
$ sudo cat /var/log/snoopy.log
Jan 19 01:53:33 debian snoopy[1275]: [login:milosz ssh:(10.0.2.2 57166 10.0.2.15 22) sid:999 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: /usr/bin/clear_console -q
Jan 19 01:53:35 debian snoopy[1280]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d
Jan 19 01:53:35 debian snoopy[1281]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: /etc/update-motd.d/10-uname
Jan 19 01:53:35 debian snoopy[1282]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: uname -snrvm
Jan 19 01:53:35 debian snoopy[1284]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: -bash
Jan 19 01:53:35 debian snoopy[1285]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: id -u
Jan 19 01:53:35 debian snoopy[1286]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: dircolors -b
Jan 19 01:53:40 debian snoopy[1299]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: ls --color=auto -l /var/log/
Jan 19 01:53:42 debian snoopy[1304]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: ls --color=auto -l /var/log/snoopy.log
Jan 19 02:10:50 debian snoopy[1305]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: sudo cat /var/log/snoopy.log
Jan 19 02:10:50 debian snoopy[1306]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:root(0)/root(0) cwd:/home/milosz]: cat /var/log/snoopy.log
Excellent!
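The log lines above follow snoopy's default message layout, so they can be parsed and reviewed automatically. The following is an added example (not part of the original post and not snoopy's own code): a small parser for that layout, run over a constructed sample copied from the output above, which reports every command that executed with effective uid 0 under a non-root login (the sudo call and the PAM/motd hooks). Reading the uid pair as real/effective uid is an assumption of the example.

```python
import re

# Layout of snoopy's default log line as seen in /var/log/snoopy.log above.
# Field names (login, ssh, sid, tty, uid, cwd) are snoopy's; treating the uid
# pair as real/effective is an assumption of this example. A cwd containing
# spaces would not match and the line is reported as unparsed (None).
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[login:(?P<login>\S+) ssh:\((?P<ssh>.*?)\) sid:(?P<sid>\S+) "
    r"tty:(?P<tty>\S+) \((?P<tty_owner>.*?)\) "
    r"uid:(?P<user>[^(]+)\((?P<uid>\d+)\)/(?P<euser>[^(]+)\((?P<euid>\d+)\) "
    r"cwd:(?P<cwd>\S+)\]: (?P<cmd>.*)$"
)

# Constructed sample: four lines taken from the output above plus one junk line.
SAMPLE = [
    "Jan 19 01:53:33 debian snoopy[1275]: [login:milosz ssh:(10.0.2.2 57166 10.0.2.15 22) sid:999 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: /usr/bin/clear_console -q",
    "Jan 19 01:53:35 debian snoopy[1281]: [login:milosz ssh:((undefined)) sid:1277 tty:(none) ((none)/(none)) uid:root(0)/root(0) cwd:/]: /etc/update-motd.d/10-uname",
    "Jan 19 02:10:50 debian snoopy[1305]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:milosz(1000)/milosz(1000) cwd:/home/milosz]: sudo cat /var/log/snoopy.log",
    "Jan 19 02:10:50 debian snoopy[1306]: [login:milosz ssh:(10.0.2.2 57176 10.0.2.15 22) sid:1284 tty:/dev/pts/0 (1000/milosz) uid:root(0)/root(0) cwd:/home/milosz]: cat /var/log/snoopy.log",
    "Jan 19 02:11:00 debian sshd[1400]: not a snoopy line at all",
]


def parse_line(line):
    """Return the fields of one snoopy line as a dict, or None if it does not match."""
    m = SNOOPY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # SSH_CONNECTION is "client_ip client_port server_ip server_port";
    # snoopy prints "(undefined)" when the variable is absent (non-SSH context).
    rec["client_ip"] = rec["ssh"].split()[0] if rec["ssh"] != "(undefined)" else None
    return rec


def root_commands_by_non_root_login(lines):
    """(login, sid, cmd) for every command that ran with effective uid 0 while the
    session login was not root: the entries a reviewer of this log checks first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["euid"] == "0" and rec["login"] != "root":
            hits.append((rec["login"], rec["sid"], rec["cmd"]))
    return hits


if __name__ == "__main__":
    for login, sid, cmd in root_commands_by_non_root_login(SAMPLE):
        print(f"login={login} sid={sid}: {cmd}")
```

To use it on the real file, read /var/log/snoopy.log (as root, given the 0600 mode set above) and pass its lines in place of SAMPLE.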