DEV.co
Open-Source Observability · a2o

snoopy

Snoopy is a lightweight C library that logs all command executions on Linux/BSD systems at the OS level. It captures execution context (user, session, working directory) and writes logs to standard syslog destinations, making it useful for audit and compliance purposes.

Source: GitHub — github.com/a2o/snoopy
1.3k
GitHub stars
159
Forks
C
Primary language
GPL-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorya2o/snoopy
Ownera2o
Primary languageC
LicenseGPL-2.0 — OSI-approved
Stars1.3k
Forks159
Open issues10
Latest releasesnoopy-2.5.2 (2024-10-24)
Last updated2026-03-07
Sourcehttps://github.com/a2o/snoopy

What snoopy is

Snoopy operates as a preloaded shared library (LD_PRELOAD) that intercepts execve() syscalls to capture program execution events with metadata. Thread-safe as of v2.5.0, configurable via /etc/snoopy.ini, and published under GPL-2.0 with active CI/CD coverage (Coverity, SonarCloud, Valgrind).

Quickstart

Get the snoopy source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/a2o/snoopy.gitcd snoopy# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security audit & forensics

Log all command executions system-wide for post-incident investigation, compliance reporting, and detecting unauthorized administrative actions.

System administration oversight

Monitor what scripts and tools are running on production servers; useful for shared environments where multiple teams have access.

Regulatory compliance

Meet audit requirements (SOC 2, ISO 27001) that mandate command-line execution logging for privileged user activity.

Implementation considerations

  • LD_PRELOAD mechanism requires careful ordering in /etc/ld.so.preload or shell initialization; conflicts with other preloaded libraries must be evaluated.
  • Relies on syslog infrastructure for output; ensure rsyslog/syslog-ng is configured and persistent storage is available to prevent log loss.
  • Thread safety enabled by default (v2.5.0+), but test with your application stack to verify no edge cases around signal handling or exec variants.
  • Configuration via /etc/snoopy.ini allows filtering and output format customization; review filters to balance audit coverage vs. log volume.
  • Binary packages available for major distros (Ubuntu, CentOS, etc.) since v2.5.0; source installation still supported but requires build toolchain.

When to avoid it — and what to weigh

  • High-performance, latency-sensitive workloads — Snoopy intercepts system calls; overhead depends on command frequency. Not suitable for systems where microsecond-level latencies are critical.
  • Closed-source or proprietary license required — GPL-2.0 copyleft license requires any modifications or derivative distributions to remain open-source. Proprietary use requires legal review.
  • Windows/macOS primary platforms — Limited to Linux and BSD. Not an option for Windows-only or macOS-only infrastructure.
  • Complex multi-tenant containerized environments — Container escape and namespacing interactions with LD_PRELOAD are non-trivial; requires careful testing in Kubernetes/Docker deployments.

License & commercial use

Released under GNU General Public License v2.0 (GPL-2.0), a copyleft license. Source code is freely available and modifiable, but any distributed modifications or derivative works must remain open-source under the same license.

Commercial use of the unmodified binary is permitted (running Snoopy on your systems). However, if you modify the code or bundle it into a proprietary product for distribution, legal review is strongly recommended due to GPL-2.0 copyleft obligations. Static linking or redistribution requires compliance consultation.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Snoopy logs sensitive data: command-line arguments may include passwords, API keys, or PII—configure syslog destination permissions and retention carefully. LD_PRELOAD mechanism itself can be subverted by processes with root privilege or via LD_PRELOAD environment hijacking; assume audit logs are only trustworthy if system is already compromised. README includes explicit security disclaimer. No known CVEs mentioned in data, but C-based preload library warrants regular dependency updates and fuzz testing.

Alternatives to consider

auditd (Linux audit framework)

Kernel-level audit daemon with configurable rules, more robust against tampering, produces structured logs, but steeper learning curve and higher overhead in some scenarios.

osquery

Cross-platform (Linux, macOS, Windows), provides structured audit logs and real-time process monitoring via SQL queries, but heavier footprint and external dependency.

Runtime security tool that captures system calls and generates alerts based on rules; more suitable for threat detection than pure logging, but overkill for simple audit-only use cases.

Software development agency

Build on snoopy with DEV.co software developers

If you need system-wide command logging for compliance or forensics, test Snoopy in a staging environment first. Review syslog configuration, LD_PRELOAD interactions, and log retention policy. For mission-critical deployments, compare with auditd or osquery.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

snoopy FAQ

Does Snoopy log my shell history or interactive commands?
Yes. Snoopy intercepts the execve() syscall, so it logs every program execution, including commands typed in interactive shells. It does not log input/output or environment variables by default.
Will Snoopy slow down my system?
Overhead depends on command frequency. Each execve() call incurs a small penalty for logging. In typical servers, the impact is negligible; high-frequency workloads (e.g., containers spawning many short-lived processes) may see measurable latency.
Can Snoopy be disabled by unprivileged users?
No. Snoopy logs at the kernel level (via LD_PRELOAD in the root libc). Unprivileged users cannot disable it, but they can potentially bypass it if the system is already compromised by a root attacker.
Is Snoopy safe to run in containers?
Requires testing. LD_PRELOAD in containerized environments can conflict with container runtimes, seccomp profiles, and privilege separation. Works in permissive Docker/Kubernetes setups; requires validation in restrictive environments.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If snoopy is part of your open-source observability roadmap, our team can implement, customize, migrate, and maintain it.

Evaluate Snoopy for your audit infrastructure

If you need system-wide command logging for compliance or forensics, test Snoopy in a staging environment first. Review syslog configuration, LD_PRELOAD interactions, and log retention policy. For mission-critical deployments, compare with auditd or osquery.