Snoopy logger is a powerful utility which makes the admin work more easy by providing a log of commands executed via shell. It logs each and every users shell command executions to “/var/log/secure”. We can later check the log and recognize the user and the command it executed from the uid.

Snoopy Installation Steps
=========================
* cd /usr/src
* wget ftp://ftp.uwsg.indiana.edu/pub/FreeBSD/ports/distfiles/snoopy-1.8.0.tar.gz
* tar xvf snoopy-1.8.0.tar.gz
* cd snoopy-1.8.0
* ./configure
make
make install

# Then you can actually enable snoopy:
make enable

Snoopy “/usr/local/lib/snoopy.so” is placed in /etc/ld.so.preload. To remove snoopy later, simply edit /etc/ld.so.preload and remove the
reference to snoopy.so and delete /usr/local/lib/snoopy.so.

snoopy logs:
————————–
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:99 sid:185700 tty: cwd:/home/user123/public_html/my-notepad.biz/forum/archive filename:/opt/suphp/sbin/suphp]: /opt/suphp/sbin/suphp
Sep 10 05:38:21 serverXXX snoopy[206016]: [uid:1002 sid:185700 tty: cwd:/home/user123/public_html/my-notepad.biz/forum/archive filename:/usr/bin/php]: /usr/bin/php /home/markwesl/public_html/my-notepad.biz/forum/archive/index.php
Sep 10 05:38:22 serverXXX snoopy[206024]: [uid:1006 sid:185700 tty: cwd:/home/user999/public_html/drwhofigures.co.uk/forum filename:/usr/bin/php]: /usr/bin/php /home/senseb/public_html/domain.com/forum/cron.php
————————–

You can find the user using uid using the following command or from the /etc/passwd file.

root@serverxxx [~]# getent passwd 99
nobody:x:99:99:Nobody:/:/sbin/nologin
root@serverxxx [~]# getent passwd 1002
user123:x:1002:997::/home/user123:/usr/local/cpanel/bin/noshellsnoopy-1.8.0.tar.gz
root@serverxxx [~]# getent passwd 1006
user999:x:1006:1001::/home/user999:/usr/local/cpanel/bin/noshell

=======================================