Running snoopy on NetBSD

Snoopy is a pretty cool piece of software that can log every exec(3) call to syslog. When it comes to security, that feature can be really handy.

Yesterday (Dec. 5), I committed security/snoopy to pkgsrc. The package comes with GNU/Linux-related scripts that modify /etc/ld.so.preload so that libsnoopy is loaded before libc and can do its job. NetBSD doesn’t have an ld.so.preload file. Instead, we use a flexible /etc/ld.so.conf configuration file, which has the following syntax:

<library> <sysctl> <variable>[,...]:<library>[,...] ...

In our case, after having installed snoopy, you’ll just have to add the following line to /etc/ld.so.conf (or create it):

libc.so.12    kern.ostype    NetBSD:/usr/pkg/lib/libsnoopy.so,libc.so.12

This means that when the kern.ostype sysctl(8) value is NetBSD (always true on NetBSD, obviously), libsnoopy.so will be loaded before libc.

Once done, /var/log/authlog will be filled with lines like:

Dec  6 09:36:46 coruscant snoopy[19394]: [uid:1000 sid:4525 tty:(none) cwd:/home/imil filename:/sbin/sysctl]: sysctl vm.loadavg
Dec  6 09:36:46 coruscant snoopy[29510]: [uid:1000 sid:4525 tty:(none) cwd:/home/imil filename:/usr/bin/cut]: cut -f2-4 -d
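
To put these records to use, here is a small parser with one detection pass over them. It is an added example, not part of snoopy or of the pkgsrc package. It assumes the message format of the two lines above, and TRUSTED_DIRS and the last three sample lines are constructed for illustration.

```python
import posixpath
import re

# Layout of the snoopy lines shown above (assumed; adjust if the format differs).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S+) "
    r"cwd:(?P<cwd>.*?) filename:(?P<filename>.*?)\]: (?P<cmdline>.*)$"
)

# Assumption: directories where executables are expected to live on this host.
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec",
                "/usr/pkg/bin", "/usr/pkg/sbin")

def parse_line(line):
    """Return a dict of fields, or None if the line is not a snoopy record."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "sid"):
        rec[key] = int(rec[key])
    # cwd, filename and cmdline are chosen by the user being logged, and filename
    # may be relative: resolve it against cwd, then normalise so that
    # "/usr/bin/../../var/tmp/run" cannot pass as a trusted location.
    rec["path"] = posixpath.normpath(posixpath.join(rec["cwd"], rec["filename"]))
    return rec

def untrusted_execs(lines):
    """Yield parsed records whose binary sits outside TRUSTED_DIRS."""
    for line in lines:
        rec = parse_line(line)
        if rec and posixpath.dirname(rec["path"]) not in TRUSTED_DIRS:
            yield rec

SAMPLE = [
    # The two lines from the log excerpt above
    "Dec  6 09:36:46 coruscant snoopy[19394]: [uid:1000 sid:4525 tty:(none) cwd:/home/imil filename:/sbin/sysctl]: sysctl vm.loadavg",
    "Dec  6 09:36:46 coruscant snoopy[29510]: [uid:1000 sid:4525 tty:(none) cwd:/home/imil filename:/usr/bin/cut]: cut -f2-4 -d",
    # Constructed lines: relative path, path traversal, and a non-snoopy record
    "Dec  6 09:40:02 coruscant snoopy[30001]: [uid:1000 sid:4525 tty:/dev/pts/1 cwd:/tmp filename:./a.out]: ./a.out",
    "Dec  6 09:40:05 coruscant snoopy[30002]: [uid:0 sid:4600 tty:(none) cwd:/ filename:/usr/bin/../../var/tmp/run]: run -q",
    "Dec  6 09:41:00 coruscant sshd[412]: Accepted publickey for imil",
]

if __name__ == "__main__":
    for rec in untrusted_execs(SAMPLE):
        print(f'{rec["ts"]} uid={rec["uid"]} {rec["path"]}: {rec["cmdline"]}')
```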