Security: Snoopy configuration

1. Configure Snoopy to log only commands executed on a terminal (tty):

Edit the configuration file:

[root@blog ~]# vi /etc/snoopy.ini 

Set the filter_chain option to only_tty:

filter_chain = "only_tty;exclude_uid:1001"

Check the result:

[root@blog ~]# snoopyctl conf
; Options from config file (or defaults): /etc/snoopy.ini
[snoopy]
filter_chain = only_tty;exclude_uid:1001
...

Note: only_tty means that only commands executed on a controlling terminal are logged; commands executed without a tty, such as those run from crontab, are no longer recorded. The second filter in the chain, exclude_uid:1001, additionally drops commands run by UID 1001.


2. How to check whether command execution goes through Snoopy

1. Using the ldd command you can see that when /bin/pwd is executed, libsnoopy.so is loaded:

[root@blog ~]# ldd /bin/pwd
        linux-vdso.so.1 (0x00007ffda49dc000)
        /usr/lib64/libsnoopy.so (0x00007ff58bbdd000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ff58b800000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff58bbf7000)

The ldd command lists the shared libraries a program depends on. Note that libsnoopy.so appears without a "=>" arrow: it is not a dependency of the binary itself but is injected through /etc/ld.so.preload.

Check Snoopy's status at this point:

[root@blog ~]# snoopyctl status
/etc/ld.so.preload:            OK - Snoopy is enabled.
LD_PRELOAD environment var:    NOT OK - Not set.
Current process (shared libs): OK - libsnoopy.so is loaded in front of libc.so.6.
Current process (execve addr): OK - execve() symbol address changed, looks like Snoopy is loaded.

2. Disable Snoopy

[root@blog ~]# snoopyctl disable
[SUCCESS] Snoopy has been removed from /etc/ld.so.preload.
[INFO] Existing processes may still have Snoopy enabled until they are restarted.

Check Snoopy's status:

[root@blog ~]# snoopyctl status
/etc/ld.so.preload:            NOT OK - Snoopy is not enabled.
LD_PRELOAD environment var:    NOT OK - Not set.
Current process (shared libs): NOT OK - Unable to find libsnoopy.so.
Current process (execve addr): NOT OK - execve() symbol not overloaded, Snoopy is not loaded.

Check whether libsnoopy.so is still loaded when a command is executed:

[root@blog ~]# ldd /bin/pwd
        linux-vdso.so.1 (0x00007ffc3f595000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ff280200000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff280443000)

Look at the configuration file /etc/ld.so.preload; its contents have been emptied:

[root@blog ~]# more /etc/ld.so.preload 

3. Enable Snoopy

[root@blog ~]# snoopyctl enable
[DIAG] ld.so.preload path: '/etc/ld.so.preload'
[DIAG] Snoopy library path: '/usr/lib64/libsnoopy.so'
SUCCESS: Snoopy has been enabled.

Check Snoopy's status:

[root@blog ~]# snoopyctl status
/etc/ld.so.preload:            OK - Snoopy is enabled.
LD_PRELOAD environment var:    NOT OK - Not set.
Current process (shared libs): OK - libsnoopy.so is loaded in front of libc.so.6.
Current process (execve addr): OK - execve() symbol address changed, looks like Snoopy is loaded.

Check whether libsnoopy.so is loaded when a command is executed:

[root@blog ~]# ldd /bin/pwd
        linux-vdso.so.1 (0x00007ffd95912000)
        /usr/lib64/libsnoopy.so (0x00007fb8f992c000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fb8f9600000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fb8f9946000)

Look at the configuration file /etc/ld.so.preload; libsnoopy.so has been written back into it:

[root@blog ~]# more /etc/ld.so.preload
/usr/lib64/libsnoopy.so
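As an added example (not part of the original post or of the Snoopy project), here is a small POSIX sh check that a defender can run from a monitor or cron job to confirm that the /etc/ld.so.preload entry shown above is still present and that a given running process actually has libsnoopy.so mapped, since `snoopyctl disable` empties that file but, as its own output notes, leaves already-running processes instrumented. The default paths are the ones shown in the post; the optional preload-file and library-name arguments are assumptions added so the check can be pointed at a test file.

```shell
#!/bin/sh
# Added example, not from the original post. Re-checks what the post
# demonstrates with "snoopyctl status" and "ldd": (a) /etc/ld.so.preload still
# lists libsnoopy.so and the library exists, (b) a given process has it mapped.
# Default paths are the ones shown in the post; arguments exist for testing.

# check_snoopy_preload [preload_file] [lib_name]
# Exit status: 0 = entry present and library exists (Snoopy enabled)
#              1 = no entry, or file missing/empty (what "snoopyctl disable" leaves)
#              2 = entry present but the library file is gone (broken preload)
check_snoopy_preload() {
    preload_file="${1:-/etc/ld.so.preload}"
    lib_name="${2:-libsnoopy.so}"
    [ -r "$preload_file" ] || return 1
    # ld.so.preload holds whitespace-separated library paths; '#' starts a comment.
    lib_path=$(awk -v n="$lib_name" '
        { sub(/#.*/, "")
          for (i = 1; i <= NF; i++) if ($i ~ ("/" n "$")) { print $i; exit } }
    ' "$preload_file")
    [ -n "$lib_path" ] || return 1
    [ -e "$lib_path" ] || return 2
    return 0
}

# pid_has_snoopy [pid]: exit 0 if the process has libsnoopy.so mapped.
# Relevant because "snoopyctl disable" does not touch processes started earlier.
pid_has_snoopy() {
    pid="${1:-$$}"
    grep -q 'libsnoopy\.so' "/proc/$pid/maps" 2>/dev/null
}

# Human-readable one-liner, mirroring the wording of "snoopyctl status".
snoopy_report() {
    rc=0
    check_snoopy_preload "$@" || rc=$?
    case "$rc" in
        0) echo "ld.so.preload: OK - Snoopy is enabled" ;;
        1) echo "ld.so.preload: NOT OK - Snoopy is not enabled" ;;
        *) echo "ld.so.preload: NOT OK - entry present but library missing" ;;
    esac
    return "$rc"
}

# When run directly, report on the live system paths (arguments are passed through).
snoopy_report "$@" || :
```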


posted @ 2024-09-23 15:06 by 刘宏缔的架构森林