Demonstrations of capable, the Linux eBPF/bcc version.


capable traces calls to the kernel cap_capable() function, which does security
capability checks, and prints details for each call. For example:

# ./capable.py
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        7    CAP_SETUID           1
22:11:24  0      7013   run              24   CAP_SYS_RESOURCE     1
22:11:24  0      7026   chmod            3    CAP_FOWNER           1
22:11:24  0      7026   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        7    CAP_SETUID           1
22:11:25  0      7036   run              24   CAP_SYS_RESOURCE     1
22:11:25  0      7049   chmod            3    CAP_FOWNER           1
22:11:25  0      7049   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
[...]

This can be useful for general debugging, and also for security enforcement:
determining a whitelist of capabilities an application needs.

The output above includes various capability checks: snmpd checking
CAP_NET_ADMIN, run checking CAP_SYS_RESOURCE, then some short-lived processes
checking CAP_FOWNER, CAP_FSETID, etc.

To see what each of these capabilities does, check the capabilities(7) man
page and the kernel source.
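One practical way to turn the trace above into the whitelist the text mentions is to parse capable's output and collect, per command name, the distinct capabilities the kernel actually checked. The script below is an added example, not part of bcc or of capable.py itself; the sample rows embedded in it are copied from the output above, and the systemd CapabilityBoundingSet= rendering at the end is an assumed downstream use, not something capable produces.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the capable.py output shown above,
# including the header line that the parser must skip.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        7    CAP_SETUID           1
22:11:24  0      7013   run              24   CAP_SYS_RESOURCE     1
"""

# One data row: TIME UID PID COMM CAP NAME AUDIT, whitespace separated.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<comm>\S+)\s+(?P<cap>\d+)\s+(?P<name>CAP_\w+)\s+(?P<audit>[01])\s*$"
)


def parse_capable_output(text):
    """Yield one dict per data row; the header, '[...]' and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        d = m.groupdict()
        yield {
            "time": d["time"],
            "uid": int(d["uid"]),
            "pid": int(d["pid"]),
            "comm": d["comm"],
            "cap": int(d["cap"]),
            "name": d["name"],
            "audit": int(d["audit"]),
        }


def capabilities_by_comm(text, audited_only=True):
    """Map each COMM to the sorted list of distinct capability names it was checked for.

    Rows with AUDIT 0 only appear when capable is run with -v; by default they are
    dropped so the whitelist reflects the audited checks shown in normal output.
    """
    caps = defaultdict(set)
    for rec in parse_capable_output(text):
        if audited_only and rec["audit"] != 1:
            continue
        caps[rec["comm"]].add(rec["name"])
    return {comm: sorted(names) for comm, names in caps.items()}


def bounding_set_line(comm, caps_by_comm):
    """Render the collected set for one command as a systemd CapabilityBoundingSet= line
    (assumed downstream use; capable itself produces no such line)."""
    return "CapabilityBoundingSet=" + " ".join(caps_by_comm.get(comm, []))


if __name__ == "__main__":
    by_comm = capabilities_by_comm(SAMPLE_OUTPUT)
    for comm in sorted(by_comm):
        print(f"{comm:<16} {bounding_set_line(comm, by_comm)}")
```

Repeated rows for the same command (chmod checking CAP_FSETID several times) collapse into a single entry, so the result is the minimal set observed during the trace; run the real tool long enough to cover the application's full code paths before treating that set as complete.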


Sometimes capable catches itself starting up:

# ./capable.py
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21952  run              24   CAP_SYS_RESOURCE     1
[...]

These are capability checks from BPF and perf_events syscalls.


USAGE:

# ./capable.py -h
usage: capable.py [-h] [-v] [-p PID]

Trace security capability checks

optional arguments:
  -h, --help         show this help message and exit
  -v, --verbose      include non-audit checks
  -p PID, --pid PID  trace this PID only

examples:
    ./capable          # trace capability checks
    ./capable -v       # verbose: include non-audit checks
    ./capable -p 181   # only trace PID 181