Friday, April 13, 2012

Use SnoopyLogger to audit Linux

When it comes to security, you had better audit what is going on in your Linux box. This is not intended to be a recipe for success in securing Linux boxes: you will be secure only if you are stronger than your adversaries, and that translates to "do not stop here" when it comes to learning. We live in a world of "knowledge war".

So let us call these the poor sysadmin's weapons, as they are free as in beer and simple enough to install and use. The acct package is the first to have; among other things it gives you the lastcomm command. But as you might have noticed, lastcomm does not give you the whole command line, including parameters and options. SnoopyLogger to the rescue. I have tested all this on Ubuntu, BTW.

Here is a recipe for you to install and check the power of this tiny open-source C program.

You can install all this in your servers following the instructions from https://github.com/a2o/snoopy.

At this point you can review any executed command by inspecting the proper log file. In Ubuntu:
tail -f /var/log/auth.log
Note that acct and snoopy are different packages/programs. While you can use the acct package to look into the history of commands with 'lastcomm -f /var/log/account/pacct' (or point it at a previously rotated pacct file), you do not get the full command line including parameters.
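Reviewing auth.log with tail is fine interactively, but the entries are more useful once parsed. The script below is an added example, not part of the original post or of the snoopy project: it assumes snoopy's default syslog message format ([uid:... sid:... tty:... cwd:... filename:...]: cmdline), pulls those records out of constructed sample lines that also contain ordinary sshd and sudo noise, counts commands per uid, and flags executables launched from world-writable scratch directories.

```python
"""Parse Snoopy entries out of a syslog-style auth.log and summarise them."""
import re
from collections import Counter

# Syslog prefix followed by Snoopy's default message format (an assumption here):
#   [uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S*) cwd:(?P<cwd>\S+) "
    r"filename:(?P<filename>\S+)\]: (?P<cmdline>.*)$"
)

# Directories from which an exec deserves a second look on a server.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def parse_snoopy(lines):
    """Return a dict per Snoopy record; non-Snoopy lines (sshd, sudo, ...) are skipped."""
    records = []
    for line in lines:
        m = SNOOPY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["uid"] = int(rec["uid"])
            records.append(rec)
    return records

def commands_per_uid(records):
    """How many execs each uid accounts for in the reviewed window."""
    return Counter(r["uid"] for r in records)

def suspect_execs(records):
    """Records whose executable lives in a world-writable scratch directory."""
    return [r for r in records if r["filename"].startswith(SUSPECT_DIRS)]

# Constructed sample log lines (not real captures), in auth.log style.
SAMPLE_LOG = """\
Apr 13 10:01:02 web1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Apr 13 10:01:05 web1 snoopy[2010]: [uid:1000 sid:2005 tty:/dev/pts/0 cwd:/home/alice filename:/bin/ls]: ls -la /var/log
Apr 13 10:01:09 web1 snoopy[2011]: [uid:1000 sid:2005 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/sudo]: sudo tail -f /var/log/auth.log
Apr 13 10:01:09 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Apr 13 10:01:10 web1 snoopy[2012]: [uid:0 sid:2005 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/tail]: tail -f /var/log/auth.log
Apr 13 10:03:41 web1 snoopy[2020]: [uid:33 sid:1800 tty:(none) cwd:/var/www filename:/tmp/.x/update]: /tmp/.x/update -q
"""

if __name__ == "__main__":
    recs = parse_snoopy(SAMPLE_LOG.splitlines())
    print(commands_per_uid(recs))
    for r in suspect_execs(recs):
        print("suspect exec by uid", r["uid"], "from", r["cwd"], "->", r["cmdline"])
```

Pointing parse_snoopy at the real file (open('/var/log/auth.log')) works the same way, since the regex ignores every line that is not a snoopy record.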

When it comes to security, I also recommend using Logwatch.
