From: Damien Fleuriot <ml@my.gd>
To: freebsd-questions@freebsd.org
Subject: Re: Security - logging of user commands
Date: Thu, 26 Jul 2012 12:23:45 +0200
Message-ID: <50111AB1.7060205@my.gd>
References: <500FDCE4.8060607@my.gd> <500FF037.4020302@my.gd>

On 7/25/12 6:15 PM, jb wrote:
> Damien Fleuriot <ml@my.gd> writes:
>
>> ...
>> From my syslog.conf:
>> auth.info;authpriv.info    /var/log/auth.log
>>
>> Yet I'm not seeing a trail in /var/log/auth.log, or messages, or even
>> in secure
>> ...
>
> # less /var/log/auth.log
> Feb 22 21:13:56 localhost newsyslog[1503]: logfile first created
> Feb 22 21:14:07 localhost login: login on ttyv0 as jb
> Feb 22 21:14:15 localhost su: jb to root on /dev/ttyv0
> ...
> Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3
> Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch
> /etc/ld.so.preload
> Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c
> ^/usr/local/lib//snoopy.so /etc/ld.so.preload
> Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log
> Jul 25 17:54:03 localhost snoopy[50148]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/touch]: touch test1
> Jul 25 17:54:08 localhost snoopy[50149]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log
> [root@localhost /home/jb]#
>
> jb
>

Well, after some digging I am sorry to report that security/snoopy/ is,
imho, quite bugged on 8-STABLE and 9-STABLE alike.

Let's take the example of logging the current working directory.

Below is the statement from ./configure --help:

Optional Features:
[snip]
  --disable-cwd-logging   disable logging of Current Working Directory [default=enabled]

From config.h:66

/* Enable logging of Current Working Directory */
/* #undef SNOOPY_CWD_LOGGING */

From configure:4298

#define SNOOPY_CWD_LOGGING 1

From snoopy.c:127

/* Create logMessage */
#if defined(SNOOPY_CWD_LOGGING)

Small edits to snoopy.c to check if current working directory logging is
really enabled:

--- snoopy.c.orig	2012-07-26 10:16:06.000000000 +0000
+++ snoopy.c	2012-07-26 10:18:05.000000000 +0000
@@ -123,12 +123,18 @@
 logString[logStringSize-1] = '\0';
+/* Check wether SNOOPY_CWD_LOGGING is _really_ defined or not */
+int cwdlog=0;
+#if defined(SNOOPY_CWD_LOGGING)
+cwdlog=1;
+#endif
+
 /* Create logMessage */
 #if defined(SNOOPY_CWD_LOGGING)
 getCwdRet = getcwd(cwd, PATH_MAX+1);
-sprintf(logMessage, "[uid:%d sid:%d tty:%s cwd:%s filename:%s]: %s", getuid(), getsid(0), ttyPath, cwd, filename, logString);
+sprintf(logMessage, "[uid:%d sid:%d tty:%s cwd:%s filename:%s]: %s", getuid(), getsid(0), ttyPath, cwd, filename, logString);
 #else
-sprintf(logMessage, "[uid:%d sid:%d tty:%s filename:%s]: %s", getuid(), getsid(0), ttyPath, filename, logString);
+sprintf(logMessage, "cwdlog: %d - [uid:%d sid:%d tty:%s filename:%s]: %s", cwdlog, getuid(), getsid(0), ttyPath, filename, logString);
 #endif

And the result:

gmake snoopy.so
setenv LD_PRELOAD /usr/ports/security/snoopy/work/snoopy-1.8.0/snoopy.so
/etc/rc.d/named status

Yields, amongst others:

Jul 26 10:19:00 pf1 snoopy[96561]: cwdlog: 0 - [uid:0 sid:92850 tty:/dev/pts/0 filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -p 1073

Notice how "cwdlog" is set to 0, which means we don't want to log the CWD,
although configure reports "SNOOPY_CWD_LOGGING 1".

I think that might not be the only bug, seeing as only root actions seem
to be logged although the default should be to log every user.

I'd like to point out that apart from these edits for my tests this is a
*vanilla* install of snoopy.

Might anyone confirm the issue?

The above is true for 8.1-RELEASE, 8-STABLE, 9-STABLE with snoopy being
at version 1.8.0 on all of them.
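Review bot: the cwdlog probe in this hunk can only ever print 0, because the `cwdlog: %d` format is added solely to the sprintf in the `#else` branch, which the preprocessor emits exactly when SNOOPY_CWD_LOGGING is undefined; the `-`/`+` pair inside the `#if defined(SNOOPY_CWD_LOGGING)` branch is byte-for-byte identical and changes nothing. So the run only confirms what the quoted config.h line 66 (`/* #undef SNOOPY_CWD_LOGGING */`) already says, while the `#define SNOOPY_CWD_LOGGING 1` at configure:4298 lives in the configure script, not in the header snoopy.c compiles against. A more useful probe is a `#warning` (or `#error`) beside the `#if defined(...)`, together with a check that snoopy.c includes config.h at all and that the config.h in the work directory was produced by the same configure run as the `--disable-cwd-logging [default=enabled]` help text (`grep -n SNOOPY_CWD_LOGGING config.h config.status` after a fresh configure). Two small points: `int cwdlog=0;` is a declaration after a statement, which C89-mode compilers reject, and "wether" in the added comment should be "whether". Finally, both sprintf calls remain unbounded while `cwd` is filled up to PATH_MAX by `getcwd(cwd, PATH_MAX+1)` and logString is appended after it, so unless logMessage is sized for that sum any process with a long argv can overrun it; `snprintf(logMessage, sizeof logMessage, ...)` would close that.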
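As an added example for this thread, not snoopy's code and not anything the poster ran, the following C shows two things a reader of the hunk above will want: a bounded replacement for the unbounded sprintf, with the same kind of compile-time cwd switch (the macro name EXAMPLE_CWD_LOGGING and the MAXPATH budget are assumptions standing in for SNOOPY_CWD_LOGGING and PATH_MAX), and a parser for auth.log records in both layouts seen in the quoted logs, so you can count how many records actually carry a cwd field. The two sample lines are this thread's own records, unwrapped.

```c
/* Added example for this thread (not snoopy's code): a bounded builder for
 * snoopy-style "[uid:.. sid:.. tty:.. cwd:.. filename:..]: cmd" records with a
 * compile-time cwd switch (EXAMPLE_CWD_LOGGING is an assumed stand-in for
 * SNOOPY_CWD_LOGGING), plus a parser for the records snoopy 1.8.0 writes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATH 4096              /* assumed path budget, in place of PATH_MAX */
#ifndef EXAMPLE_CWD_LOGGING
#define EXAMPLE_CWD_LOGGING 1     /* build with -DEXAMPLE_CWD_LOGGING=0 to drop cwd */
#endif

struct exec_ctx { int uid, sid; const char *tty, *cwd, *filename; char *const *argv; };
struct exec_rec { int uid, sid, has_cwd; char tty[64], cwd[MAXPATH], filename[MAXPATH], cmd[4096]; };

/* Join argv with single spaces; always NUL-terminates, returns -1 if it did not fit. */
static int join_argv(char *out, size_t outsz, char *const argv[]) {
    size_t used = 0; out[0] = '\0';
    for (size_t i = 0; argv && argv[i]; i++) {
        int n = snprintf(out + used, outsz - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Bounded counterpart of the unbounded sprintf in the posted hunk: never writes past
 * out, and returns -1 on truncation instead of silently dropping the tail of a
 * caller-chosen argv; otherwise returns the record length. */
int snoopy_format(char *out, size_t outsz, const struct exec_ctx *c) {
    char cmd[4096], cwdf[MAXPATH + 8] = "";            /* assumed argv / cwd budgets */
    int truncated = join_argv(cmd, sizeof cmd, c->argv) < 0, n;
#if EXAMPLE_CWD_LOGGING
    snprintf(cwdf, sizeof cwdf, " cwd:%s", c->cwd);    /* compiled out when disabled */
#endif
    n = snprintf(out, outsz, "[uid:%d sid:%d tty:%s%s filename:%s]: %s",
                 c->uid, c->sid, c->tty, cwdf, c->filename, cmd);
    return (n < 0 || (size_t)n >= outsz || truncated) ? -1 : n;
}

/* Parse one auth.log line holding a snoopy record, in either the cwd or the no-cwd
 * layout quoted in the thread. Fields are space separated key:value pairs, so a
 * path containing a space cannot be split unambiguously: the line is rejected (-1). */
int snoopy_parse(const char *line, struct exec_rec *r) {
    char hdr[2 * MAXPATH + 128];
    const char *p = strstr(line, "[uid:"), *end = p ? strstr(p, "]: ") : NULL;
    memset(r, 0, sizeof *r);
    if (!end || (size_t)(end - p) > sizeof hdr) return -1;
    memcpy(hdr, p + 1, (size_t)(end - p - 1)); hdr[end - p - 1] = '\0';
    snprintf(r->cmd, sizeof r->cmd, "%s", end + 3);
    for (char *tok = strtok(hdr, " "); tok; tok = strtok(NULL, " ")) {
        char *v = strchr(tok, ':'); if (!v) return -1; *v++ = '\0';
        if (!strcmp(tok, "uid")) r->uid = atoi(v);
        else if (!strcmp(tok, "sid")) r->sid = atoi(v);
        else if (!strcmp(tok, "tty")) snprintf(r->tty, sizeof r->tty, "%s", v);
        else if (!strcmp(tok, "filename")) snprintf(r->filename, sizeof r->filename, "%s", v);
        else if (!strcmp(tok, "cwd")) { r->has_cwd = 1; snprintf(r->cwd, sizeof r->cwd, "%s", v); }
        else return -1;
    }
    return (r->tty[0] && r->filename[0]) ? 0 : -1;
}

/* Constructed sample input: the two records from this thread, unwrapped. */
static const char *const SAMPLE[] = {
    "Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2 "
    "cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch /etc/ld.so.preload",
    "Jul 26 10:19:00 pf1 snoopy[96561]: cwdlog: 0 - [uid:0 sid:92850 tty:/dev/pts/0 "
    "filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -p 1073",
};
/* The check the thread is after: how many parsed records carry no cwd field? */
int count_missing_cwd(const char *const lines[], size_t n) {
    struct exec_rec r; int missing = 0;
    for (size_t i = 0; i < n; i++)
        if (snoopy_parse(lines[i], &r) == 0 && !r.has_cwd) missing++;
    return missing;
}

/* Constructed context for the "less /var/log/auth.log" record quoted above. */
static char *const LESS_ARGV[] = { "less", "/var/log/auth.log", NULL };
static const struct exec_ctx LESS_CTX = { 0, 46687, "/dev/pts/3", "/usr/home/jb",
                                          "/usr/bin/less", LESS_ARGV };
/* Round trip: a record built by snoopy_format parses back field for field. */
int roundtrip_ok(void) {
    char msg[256]; struct exec_rec r;
    if (snoopy_format(msg, sizeof msg, &LESS_CTX) < 0 || snoopy_parse(msg, &r) != 0) return 0;
    return r.uid == 0 && r.sid == 46687 && !strcmp(r.tty, "/dev/pts/3") &&
           !strcmp(r.filename, "/usr/bin/less") && !strcmp(r.cmd, "less /var/log/auth.log") &&
           r.has_cwd == EXAMPLE_CWD_LOGGING && (!r.has_cwd || !strcmp(r.cwd, "/usr/home/jb"));
}
/* The same record into a 64-byte target: truncation is reported, not hidden. */
int truncation_detected(void) {
    char small[64];
    return snoopy_format(small, sizeof small, &LESS_CTX) == -1;
}

int main(void) {
    printf("records without cwd: %d, round trip ok: %d, truncation detected: %d\n",
           count_missing_cwd(SAMPLE, 2), roundtrip_ok(), truncation_detected());
    return 0;
}
```

Build it with cc -Wall (any file name) and run it; rebuild with -DEXAMPLE_CWD_LOGGING=0 to produce the cwd-less layout, which the parser still accepts, as you want when reading logs from hosts built either way. snoopy_format returns -1 rather than clipping because argv is chosen by the process being logged: a silently shortened record is exactly where a command line you care about would go missing.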