From owner-freebsd-questions@FreeBSD.ORG  Wed Jul 25 20:30:05 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id A8C78106564A
	for <freebsd-questions@freebsd.org>;
	Wed, 25 Jul 2012 20:30:05 +0000 (UTC) (envelope-from ml@my.gd)
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com
	[74.125.82.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 23CE38FC19
	for <freebsd-questions@freebsd.org>;
	Wed, 25 Jul 2012 20:30:04 +0000 (UTC)
Received: by weyx56 with SMTP id x56so1011375wey.13
	for <freebsd-questions@freebsd.org>;
	Wed, 25 Jul 2012 13:30:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=references:in-reply-to:mime-version:content-transfer-encoding
	:content-type:message-id:cc:x-mailer:from:subject:date:to
	:x-gm-message-state;
	bh=F85rHXcXIebsyzQT1DO0HQAZhCtOYGaHFx/e2/J0zrc=;
	b=XwnFhQEHfhWWQ+Y5/Sli7MxinclbCtqueP3uAbWb5V0yzvfeWkvt7GGwq+vEv1UEu9
	/wL+X6pyhNJFuOiFyqu6J/8eXuH01rDF6EAWhsXWB5RRYcqiRPscKcn1rOykvYI3K/Yt
	hRwdN/13CfB92y7NujFwtU/JG5PhH9ZDlIeyWzYCjq/APweDZarJIw3sECr0GJzkJB7p
	YbvKkhOd95COtstbsf6sZhtJFXbipaJZv+3jUPp+6wMc2XWjAaLeJkV9X8ewRo3U5Y4H
	9cfNs+GeVzuAN/OXVQ82xjbpc/e86+VpjeLl8XEqiMiVH72AUKSBHs1LRpSecWdxEqCZ
	9+YQ==
Received: by 10.180.107.103 with SMTP id hb7mr7584405wib.3.1343248204042;
	Wed, 25 Jul 2012 13:30:04 -0700 (PDT)
Received: from [192.168.0.10] (did75-17-88-165-130-96.fbx.proxad.net.
	[88.165.130.96])
	by mx.google.com with ESMTPS id ex20sm6644241wid.7.2012.07.25.13.30.02
	(version=TLSv1/SSLv3 cipher=OTHER);
	Wed, 25 Jul 2012 13:30:02 -0700 (PDT)
References: <500FDCE4.8060607@my.gd> <loom.20120725T143820-718@post.gmane.org>
	<500FF037.4020302@my.gd> <loom.20120725T180820-933@post.gmane.org>
In-Reply-To: <loom.20120725T180820-933@post.gmane.org>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii
Message-Id: <9AF63C5D-D3C1-4E70-A1FB-3EC54FCFE90E@my.gd>
X-Mailer: iPhone Mail (9A405)
From: Damien Fleuriot <ml@my.gd>
Date: Wed, 25 Jul 2012 22:29:59 +0200
To: jb <jb.1234abcd@gmail.com>
X-Gm-Message-State: ALoCoQmCgVtajsMicdVeYLOuH6imjSoYmHBUl5/MHBiPzHm5XOnZG/zRTWP7jOBs6MSLzA+1RSXV
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Securituy - logging of user commands
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2012 20:30:05 -0000


On 25 Jul 2012, at 18:15, jb <jb.1234abcd@gmail.com> wrote:

> Damien Fleuriot <ml <at> my.gd> writes:
> 
>> ... 
>>> From my syslog.conf:
>> auth.info;authpriv.info                         /var/log/auth.log
>> 
>> Yet I'm seeing not a trail in /var/log/auth.log , or messages, or even
>> in secure
>> ... 
> 
> # less /var/log/auth.log 
> Feb 22 21:13:56 localhost newsyslog[1503]: logfile first created
> Feb 22 21:14:07 localhost login: login on ttyv0 as jb
> Feb 22 21:14:15 localhost su: jb to root on /dev/ttyv0
> ...
> Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3
> Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch 
> /etc/ld.so.preload 
> Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c
> ^/usr/local/lib//snoopy.so /etc/ld.so.preload 
> Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log 
> Jul 25 17:54:03 localhost snoopy[50148]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/touch]: touch test1 
> Jul 25 17:54:08 localhost snoopy[50149]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log 
> [root@localhost /home/jb]#
> 
> jb
> 

Thanks for taking the time to show me it works, at least for you.

What fbsd and snoopy version might these be ?