Bash history stores the commands executed by a user from the terminal. What if you want to log every command (and arguments) ever executed on a system? Enter Snoopy, a tiny library that intercepts all execv() and execve() syscalls.

Snoopy is loaded via the preload mechanism. When installed and activated, it adds an entry to /etc/ld.so.preload. The process is transparent to users and applications. Logging is done using syslog.

Features

Configure log output

Supports message filtering

Use optional configuration file (Snoopy's config file is /etc/snoopy.ini)

Installation

Run the following commands to install the latest stable version of Snoopy:

$ rm -f snoopy-install.sh && wget -q -O snoopy-install.sh https://github.com/a2o/snoopy/raw/install/doc/install/bin/snoopy-install.sh && chmod 755 snoopy-install.sh && sudo ./snoopy-install.sh stable

Usage

To enable Snoopy after installation, run:

$ sudo snoopy enable

To disable:

$ sudo snoopy disable

The log file for Ubuntu is /var/log/auth.log. Check out the configuration file (/etc/snoopy.ini) for several options.

Logs from Snoopy look like:

2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages
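Once Snoopy is writing to syslog, the useful part is turning those lines into something you can query. The following is an added example, not part of the original post or of the Snoopy project: a small Python parser for the default message format shown above, run over a handful of constructed sample lines (a non-Snoopy sshd line is mixed in to show that it is skipped). The field names (uid, sid, tty, cwd, filename) are taken from the sample output; the /etc/ watch prefix and the grouping by session are my own choices for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines in the default Snoopy message format (not a real capture).
SAMPLE_LOG = """\
2015-02-11T19:05:10+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/cat]: cat /etc/fstab.BAK
2015-02-11T19:05:15+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/rm]: rm -f /etc/fstab.BAK
2015-02-11T19:05:19+00:00 labrat-1 snoopy[896]: [uid:0 sid:11679 tty:/dev/pts/2 cwd:/root filename:/usr/bin/tail]: tail -f /var/log/messages
2015-02-11T19:06:02+00:00 labrat-1 sshd[1201]: Accepted publickey for root from 10.0.0.5 port 52144 ssh2
"""

# One syslog line is: "<timestamp> <host> snoopy[<pid>]: [key:value ...]: <command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+snoopy\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<fields>[^\]]*)\]:\s(?P<cmd>.*)$"
)
# The bracketed part is space-separated key:value pairs. Values carry no spaces in
# the default format; a cwd containing a space would need a custom message format.
FIELD_RE = re.compile(r"(\w+):(\S*)")


@dataclass
class SnoopyEvent:
    timestamp: str
    host: str
    pid: int
    fields: Dict[str, str]
    command: str
    argv: List[str] = field(init=False)

    def __post_init__(self) -> None:
        # Snoopy logs the argument vector joined by spaces; split it back apart.
        self.argv = self.command.split()

    @property
    def uid(self) -> Optional[int]:
        value = self.fields.get("uid")
        return int(value) if value is not None and value.isdigit() else None


def parse_line(line: str) -> Optional[SnoopyEvent]:
    """Parse one syslog line; return None for lines not emitted by snoopy."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return SnoopyEvent(m.group("ts"), m.group("host"), int(m.group("pid")),
                       fields, m.group("cmd"))


def parse_log(text: str) -> List[SnoopyEvent]:
    """Parse a whole log, silently skipping non-Snoopy lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def root_commands_touching(events: List[SnoopyEvent], prefix: str = "/etc/") -> List[SnoopyEvent]:
    """Events executed as uid 0 whose arguments name a path under `prefix`
    (a simple review filter; the prefix is an assumption for this example)."""
    return [ev for ev in events
            if ev.uid == 0 and any(arg.startswith(prefix) for arg in ev.argv[1:])]


def commands_by_session(events: List[SnoopyEvent]) -> Dict[str, List[str]]:
    """Group executed binaries by session id (sid), preserving order, so one
    interactive login can be reviewed as a sequence."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        sid = ev.fields.get("sid", "?")
        out.setdefault(sid, []).append(ev.fields.get("filename", ev.argv[0]))
    return out


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in root_commands_touching(events):
        print(f"{ev.timestamp} uid={ev.uid} sid={ev.fields['sid']} "
              f"cwd={ev.fields['cwd']}: {ev.command}")
    print(commands_by_session(events))
```

In practice you would feed it /var/log/auth.log (on Ubuntu) rather than the embedded sample; the parser keys on the `snoopy[` program tag so other syslog lines in the same file are ignored.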

On GitHub: Snoopy

Alternative

You can also use the kernel userspace security audit feature. To install on Ubuntu, run:

$ sudo apt-get install auditd

To audit all execve() calls:

$ auditctl -a exit,always -S execve

For more options, refer to man auditctl.

You may also want to check out keysniffer, a kernel module I wrote to log pressed keys in debugfs.