


------------------------------------------------------------------------------
Snoopy 1.8

By:
  bostjan@a2o.si
   marius@umich.edu
      mbm@linux.com
------------------------------------------------------------------------------



D E S C R I P T I O N

  Snoopy is designed to aid the taks of a sysadmin by providing a log of
  commands  executed. Snoopy is  completely transparent  to the user and
  applications it hooks in as a library providing a wrapper around calls
  to execve() calls. Logging is done via syslogd and written to authpriv
  allowing secure offsite logging of activity, generally the authpriv is
  stored as /var/log/auth.log.



N O T E

  execv() calls are now explicitly logged.   Although,  according to the
  man page for execv(),  it is supposed to call execve().   To this date
  the reason why execv()  calls weren't being logged is unknown,  but we
  are working to find out why.



U S A G E

  Snoopy is  able to log all  users or just root,  this functionality is
  configured at compile through the snoopy.h header, #define ROOT_ONLY 1
  will restrict logging to root activities. Installation is as follows:

    # If you have pulled snoopy from GIT, you must run autoconf first:
    autoheader
    autoconf

    # Check configuration options:
    ./configure --help

    # Then continue with normal build procedure:
    ./configure [OPTIONS]
    make
    make install

    # Then you can actually enable snoopy:
    make enable

  Snoopy is placed in /etc/ld.so.preload to trap all occurances of exec,
  if you wish to monitor only certain applications you can do so through
  the $LD_PRELOAD environment variable - simply set it to 
  /usr/local/lib/snoopy.so before loading the application. For example:

    export LD_PRELOAD=/usr/local/lib/snoopy.so
    lynx http://linux.com/
    unset LD_PRELOAD

  To remove snoopy later, simply edit /etc/ld.so.preload and remove the
  reference to snoopy.so and delete /usr/local/lib/snoopy.so.



O U T P U T

  The exact location  of  your  snoopy output  depends  on  your  syslog
  configuration. Usually it gets stored in one of the following files:

    /var/log/auth*
    /var/log/messages
    /var/log/secure
