Security - logging of user commands

Damien Fleuriot ml at my.gd
Thu Jul 26 10:23:50 UTC 2012


On 7/25/12 6:15 PM, jb wrote:
> Damien Fleuriot <ml <at> my.gd> writes:
> 
>> ... 
>> From my syslog.conf:
>> auth.info;authpriv.info                         /var/log/auth.log
>>
>> Yet I'm seeing not a trail in /var/log/auth.log , or messages, or even
>> in secure
>> ... 
> 
> # less /var/log/auth.log 
> Feb 22 21:13:56 localhost newsyslog[1503]: logfile first created
> Feb 22 21:14:07 localhost login: login on ttyv0 as jb
> Feb 22 21:14:15 localhost su: jb to root on /dev/ttyv0
> ...
> Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3
> Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch 
> /etc/ld.so.preload 
> Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c
> ^/usr/local/lib//snoopy.so /etc/ld.so.preload 
> Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log 
> Jul 25 17:54:03 localhost snoopy[50148]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/touch]: touch test1 
> Jul 25 17:54:08 localhost snoopy[50149]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log 
> [root at localhost /home/jb]#
> 
> jb
> 
> 


Well, after some digging I am sorry to report that security/snoopy/ is,
imho, quite buggy on 8-STABLE and 9-STABLE alike.



Let's take the example of logging the current working directory:


Below is the statement from ./configure --help:
Optional Features:
[snip]
  --disable-cwd-logging   disable logging of Current Working Directory
                          [default=enabled]



From config.h:66
/* Enable logging of Current Working Directory */
/* #undef SNOOPY_CWD_LOGGING */

From configure:4298
#define SNOOPY_CWD_LOGGING 1

From snoopy.c:127
        /* Create logMessage */
        #if defined(SNOOPY_CWD_LOGGING)



Small edits to snoopy.c to check if current working directory logging is
really enabled:

--- snoopy.c.orig	2012-07-26 10:16:06.000000000 +0000
+++ snoopy.c	2012-07-26 10:18:05.000000000 +0000
@@ -123,12 +123,18 @@
 	logString[logStringSize-1] = '\0';


+/* Check wether SNOOPY_CWD_LOGGING is _really_ defined or not */
+int cwdlog=0;
+#if defined(SNOOPY_CWD_LOGGING)
+cwdlog=1;
+#endif
+
 	/* Create logMessage */
 	#if defined(SNOOPY_CWD_LOGGING)
 		getCwdRet = getcwd(cwd, PATH_MAX+1);
-		sprintf(logMessage, "[uid:%d sid:%d tty:%s cwd:%s filename:%s]: %s",
getuid(), getsid(0), ttyPath, cwd, filename, logString);
+		sprintf(logMessage, "[uid:%d sid:%d tty:%s cwd:%s filename:%s]: %s",
              getuid(), getsid(0), ttyPath, cwd, filename, logString);
 	#else
-		sprintf(logMessage, "[uid:%d sid:%d tty:%s filename:%s]: %s",
getuid(), getsid(0), ttyPath, filename, logString);
+		sprintf(logMessage, "cwdlog: %d - [uid:%d sid:%d tty:%s filename:%s]:
%s", cwdlog, getuid(), getsid(0), ttyPath, filename, logString);
 	#endif
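Review bot: the `cwdlog` probe cannot tell you anything, because it is only printed in the `#else` branch, where SNOOPY_CWD_LOGGING is by definition not defined, so it can never be anything but 0 there; the "cwdlog:" prefix (or simply the absent `cwd:` field) in the output already proves which branch was compiled, and config.h:66 (`/* #undef SNOOPY_CWD_LOGGING */`) shows the same thing directly, since config.h, not the `#define` at configure:4298, is what snoopy.c includes. If the probe is kept, print it in both branches so the test is symmetric, fix the comment spelling (`whether`), and indent the new lines with the surrounding code; note also that `int cwdlog=0;` after the statement `logString[logStringSize-1] = '\0';` is a declaration after statements and needs C99. Separately, the two added `sprintf` calls keep the original's unbounded write into `logMessage` from `cwd` and `logString`, which come from the executed command line; use `snprintf` bounded by the buffer's size.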




And the result:
gmake snoopy.so
setenv LD_PRELOAD /usr/ports/security/snoopy/work/snoopy-1.8.0/snoopy.so
/etc/rc.d/named status


Yields, amongst others:

Jul 26 10:19:00 pf1 snoopy[96561]: cwdlog: 0 - [uid:0 sid:92850
tty:/dev/pts/0 filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o
command= -p 1073


Notice how "cwdlog" is set to 0, which means we don't want to log the
CWD, although configure reports "SNOOPY_CWD_LOGGING 1".

I think that might not be the only bug, seeing as only root's actions seem
to be logged, although the default should be to log every user.

I'd like to point out that apart from these edits for my tests this is a
*vanilla* install of snoopy.



Might anyone confirm the issue?

The above is true for 8.1-RELEASE, 8-STABLE and 9-STABLE, with snoopy being
at version 1.8.0 on all of them.
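The two things the post exercises, a compile-time switch that is supposed to control whether `cwd:` appears in the log line, and an LD_PRELOAD hook that formats that line on every exec, can be shown in a few dozen lines. The block below is an added example written for this page; it is not snoopy's code and not part of the original post. `snoopy_format()` builds the line in the same layout as the quoted auth.log entries but with bounded writes (the `sprintf` calls in snoopy.c are not bounded), `snoopy_cwd_logging_enabled()` reports the macro state in a way that works in both branches of the `#if`, and the optional `execve` interposer (compiled only with `-DSNOOPY_DEMO_PRELOAD`) shows the preload side. The syslog facility `LOG_AUTHPRIV`, the buffer sizes and the function names are my assumptions, chosen to match the poster's `auth.info;authpriv.info` syslog.conf line.

```c
#define _GNU_SOURCE              /* RTLD_NEXT on glibc; harmless on FreeBSD */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Capture configure's decision in a constant that can be read at run time.
 * Kept outside the #if/#else that picks the format string, so it reports the
 * macro state whichever branch is compiled. Build with -DSNOOPY_CWD_LOGGING
 * to flip it (hypothetical build flag for this example). */
#if defined(SNOOPY_CWD_LOGGING)
static const int cwd_logging_compiled_in = 1;
#else
static const int cwd_logging_compiled_in = 0;
#endif

int snoopy_cwd_logging_enabled(void)
{
    return cwd_logging_compiled_in;
}

/* Append src at out+*pos without ever exceeding outsz (NUL included).
 * Returns 0, or -1 if src does not fit. */
static int append(char *out, size_t outsz, size_t *pos, const char *src)
{
    size_t n = strlen(src);
    if (n >= outsz - *pos)
        return -1;
    memcpy(out + *pos, src, n + 1);
    *pos += n;
    return 0;
}

/* Build one line in the layout snoopy 1.8.0 writes (see the quoted auth.log).
 * cwd is emitted only when log_cwd is non-zero, which is what
 * SNOOPY_CWD_LOGGING is meant to control. argv is NULL-terminated as passed
 * to execve(). Returns 0, or -1 with out emptied when the line would not fit,
 * so a caller never logs a half line. */
int snoopy_format(char *out, size_t outsz, int log_cwd,
                  uid_t uid, pid_t sid, const char *tty, const char *cwd,
                  const char *filename, char *const argv[])
{
    char head[64];
    size_t pos = 0;
    int i;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    snprintf(head, sizeof head, "[uid:%u sid:%d tty:", (unsigned)uid, (int)sid);
    if (append(out, outsz, &pos, head) || append(out, outsz, &pos, tty))
        goto toolong;
    if (log_cwd && (append(out, outsz, &pos, " cwd:") || append(out, outsz, &pos, cwd)))
        goto toolong;
    if (append(out, outsz, &pos, " filename:") || append(out, outsz, &pos, filename)
        || append(out, outsz, &pos, "]:"))
        goto toolong;
    for (i = 0; argv != NULL && argv[i] != NULL; i++)
        if (append(out, outsz, &pos, " ") || append(out, outsz, &pos, argv[i]))
            goto toolong;
    return 0;
toolong:
    out[0] = '\0';
    return -1;
}

#ifdef SNOOPY_DEMO_PRELOAD
#include <dlfcn.h>
#include <limits.h>
#include <syslog.h>

/* execve() interposer, the same hook snoopy installs via LD_PRELOAD.
 * Build: cc -DSNOOPY_DEMO_PRELOAD -shared -fPIC -o snoopy_demo.so this.c -ldl
 * Run:   env LD_PRELOAD=$PWD/snoopy_demo.so /etc/rc.d/named status
 * Facility LOG_AUTHPRIV is an assumption matching the poster's syslog.conf. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    static int (*real_execve)(const char *, char *const[], char *const[]);
    char cwd[PATH_MAX + 1], msg[4096];
    const char *tty = ttyname(STDIN_FILENO);

    if (real_execve == NULL)
        real_execve = (int (*)(const char *, char *const[], char *const[]))
                      dlsym(RTLD_NEXT, "execve");
    if (getcwd(cwd, sizeof cwd) == NULL)
        snprintf(cwd, sizeof cwd, "(unknown)");
    if (snoopy_format(msg, sizeof msg, snoopy_cwd_logging_enabled(),
                      getuid(), getsid(0), tty ? tty : "(none)", cwd,
                      path, argv) == 0)
        syslog(LOG_AUTHPRIV | LOG_INFO, "%s", msg);
    return real_execve(path, argv, envp);
}
#endif
```

Compiled without `-DSNOOPY_CWD_LOGGING`, `snoopy_cwd_logging_enabled()` returns 0 and the formatter is called with `log_cwd` 0, reproducing the `cwd:`-less lines the poster sees; with the flag, the same code path emits the `cwd:` field. Because the switch is read as a runtime constant rather than baked into two different format strings, a single log line is enough to tell which way the build went.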


More information about the freebsd-questions mailing list