infra/scripts/pve-snoopy.ini

; snoopy config for the PVE host (192.168.1.127) — logs every execve() to journald.
;
; Install to /etc/snoopy.ini. Enable globally by adding the lib to /etc/ld.so.preload:
;   apt-get install -y snoopy
;   echo /usr/lib/x86_64-linux-gnu/libsnoopy.so > /etc/ld.so.preload   # enable (no snoopy-enable in the Debian pkg)
;   # disable/rollback: truncate -s 0 /etc/ld.so.preload   (or remove the line)
;
; output=devlog writes directly to /dev/log -> journald (identifier "snoopy").
; DO NOT use output=syslog on a systemd host — snoopy's own docs warn it can hang the system on boot.
;
; Shipped to Loki by promtail as {job="pve-journal", identifier="snoopy"} (scripts/pve-promtail.yaml).
; Attribution note: all sessions run as root (shared root key), so uid/login are always root;
; correlate a command's sid/time with the matching {job="sshd-pve"} "Accepted publickey ... SHA256:<fp>"
; line to attribute it to a person (e.g. emo's agent key fp SHA256:Wd+m0EABlm4RDDykDh85PIYSqe0Al8Hr9AZ+7Ksy4HQ).
[snoopy]
output = devlog
message_format = "snoopy uid=%{uid} login=%{login} tty=%{tty} sid=%{sid} cwd=%{cwd} : %{cmdline}"
syslog_ident = snoopy
syslog_facility = LOG_AUTHPRIV
syslog_level = LOG_INFO
filter_chain = ""
pve-host: ship journal to Loki (snoopy command audit + sshd-pve) for emo's root SSH Emo's Claude agent was given root SSH to the Proxmox host (`ssh pve`, dedicated shared-root key emo-pve-agent@devvm) so he can manage the host — e.g. the R730 fan daemon — through his agent. To keep an audit trail of what that agent does, and to feed the long-pending Wave-1 S1 security rule, the PVE host now ships its systemd journal to cluster Loki: - snoopy logs every execve() to journald (identifier=snoopy), enabled via /etc/ld.so.preload; config scripts/pve-snoopy.ini. - promtail v3.5.1 (amd64) ships /var/log/journal to Loki as {job="pve-journal"} (full host journal; filter identifier="snoopy" for the command audit), and relabels sshd auth to {job="sshd-pve"} — which ACTIVATES S1 (it was PENDING only for lack of this shipper). Config/unit: scripts/pve-promtail.{yaml,service}. S1 won't false-fire on legitimate access: the devvm SNATs through pfSense to 192.168.1.2, which is already in the S1 source-IP allowlist. Loki is reached via an /etc/hosts pin (10.0.20.203 loki.viktorbarzin.lan); follow-up noted to register a Technitium CNAME so it auto-tracks LB renumbers. Host pieces are hand-managed (not Terraform), like fan-control and the rpi-sofia promtail — these files are the source of truth. Docs updated: security.md (S1 LIVE) and monitoring.md ("External host: pve"). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-10 19:31:45 +00:00			`; snoopy config for the PVE host (192.168.1.127) — logs every execve() to journald.`
			`;`
			`; Install to /etc/snoopy.ini. Enable globally by adding the lib to /etc/ld.so.preload:`
			`; apt-get install -y snoopy`
			`; echo /usr/lib/x86_64-linux-gnu/libsnoopy.so > /etc/ld.so.preload # enable (no snoopy-enable in the Debian pkg)`
			`; # disable/rollback: truncate -s 0 /etc/ld.so.preload (or remove the line)`
			`;`
			`; output=devlog writes directly to /dev/log -> journald (identifier "snoopy").`
			`; DO NOT use output=syslog on a systemd host — snoopy's own docs warn it can hang the system on boot.`
			`;`
			`; Shipped to Loki by promtail as {job="pve-journal", identifier="snoopy"} (scripts/pve-promtail.yaml).`
			`; Attribution note: all sessions run as root (shared root key), so uid/login are always root;`
			`; correlate a command's sid/time with the matching {job="sshd-pve"} "Accepted publickey ... SHA256:<fp>"`
			`; line to attribute it to a person (e.g. emo's agent key fp SHA256:Wd+m0EABlm4RDDykDh85PIYSqe0Al8Hr9AZ+7Ksy4HQ).`
			`[snoopy]`
			`output = devlog`
			`message_format = "snoopy uid=%{uid} login=%{login} tty=%{tty} sid=%{sid} cwd=%{cwd} : %{cmdline}"`
			`syslog_ident = snoopy`
			`syslog_facility = LOG_AUTHPRIV`
			`syslog_level = LOG_INFO`
			`filter_chain = ""`