Demonstrations of execsnoop, the Linux eBPF/bcc version.


execsnoop traces new processes. For example, tracing the commands invoked when
running "man ls":

# ./execsnoop
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
preconv          15894    0 /usr/bin/preconv -e UTF-8
man              15896    0 /usr/bin/tbl
man              15897    0 /usr/bin/nroff -mandoc -rLL=169n -rLT=169n -Tutf8
man              15898    0 /usr/bin/pager -s
nroff            15900    0 /usr/bin/locale charmap
nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -rLT=169n
groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
groff            15903    0 /usr/bin/grotty

The output shows the parent process/command name (PCOMM), the PID, the return
value of the exec() (RET), and the filename with arguments (ARGS). RET is 0 on
success and a negative errno on failure (-2 is -ENOENT: the file does not
exist). PCOMM is the comm of the task at the time the event was recorded: in
this example it is the caller's name (bash for /usr/bin/man), while in the -l
example further down, from a newer version that also prints PPID, it is already
the name of the newly executed program.

This works by tracing the execve() system call (the commonly used exec()
variant) and showing its arguments and return value. This catches new processes
that follow the fork->exec sequence, as well as processes that re-exec()
themselves (the same PID then appears more than once). Some applications fork()
but do not exec(), eg, for worker processes; those are not included in the
execsnoop output.


The -x option can be used to include failed exec()s, which are otherwise
filtered out. For example:

# ./execsnoop -x
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
supervise        9661     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9663     0 ./run
chown            9664     0 /bin/chown nobody:nobody ./main
run              9665     0 /bin/mkdir -p ./main
supervise        9667     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9669     0 /bin/mkdir -p ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
supervise        9670     0 ./run
[...]

This example shows various regular system daemon activity, including some
failures (trying to execute a /usr/local/bin/setuidgid, which I just noticed
doesn't exist).


A -t option can be used to include a timestamp column, and a -n option to match
on a name. Regular expressions are allowed.
For example, matching commands containing "mount":

# ./execsnoop -tn mount
TIME(s) PCOMM            PID    RET ARGS
2.849   mount            18049    0 /bin/mount -p

The -l option can be used to only show commands where one of the arguments
matches the specified regex. The limitation is that only the first 20 arguments
of the command are captured (see --max-args). For example, matching all
commands where one of the arguments is "testpkg":

# ./execsnoop.py -l testpkg
PCOMM            PID     PPID    RET ARGS
service          3344535 4146419   0 /usr/sbin/service testpkg status
systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
python           3344856 4146419   0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
yum              3344856 4146419   0 /usr/bin/yum remove testpkg
yum              3345086 4146419   0 /usr/local/bin/yum install testpkg
python           3345086 4146419   0 /usr/local/bin/python /usr/local/bin/yum install testpkg
yum              3345086 4146419   0 /usr/bin/yum install testpkg
rpm              3345452 4146419   0 /bin/rpm -qa testpkg

USAGE message:

# ./execsnoop -h
usage: execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE] [--max-args MAX_ARGS]

Trace exec() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -x, --fails           include failed exec()s
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg
  -l LINE, --line LINE  only print commands where arg contains this line
                        (regex)
  --max-args MAX_ARGS   maximum number of arguments parsed and displayed,
                        defaults to 20

examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -x        # include failed exec()s
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"
    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg"
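The following is an added example, not code from bcc or the execsnoop tool. It
parses saved execsnoop output (with or without the TIME(s) and PPID columns) and
re-applies the -x, -n and -l filters offline, which is how the output above is
typically consumed after capture: decoding the negative RET values into errno
names (the -2 setuidgid failures), honouring the --max-args limit when matching
arguments, and listing PIDs that called execve() more than once (the yum ->
python -> yum re-exec in the -l example). The sample lines are constructed from
the runs shown above and embedded inline, so the script needs no root or eBPF.

```python
"""Offline parser for execsnoop output with the -x / -n / -l filters re-applied.

Added example, not code from bcc or execsnoop. The sample output below is
constructed from the runs shown on this page and embedded inline.
"""
import errno
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples: a -x run (failures included) and a -l run from a
# version that also prints PPID. Columns are whitespace-separated as printed.
SAMPLE_X = """\
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
"""

SAMPLE_L = """\
PCOMM            PID     PPID    RET ARGS
service          3344535 4146419   0 /usr/sbin/service testpkg status
systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
python           3344856 4146419   0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
yum              3344856 4146419   0 /usr/bin/yum remove testpkg
rpm              3345452 4146419   0 /bin/rpm -qa testpkg
"""

SAMPLE_T = """\
TIME(s) PCOMM            PID    RET ARGS
2.849   mount            18049    0 /bin/mount -p
"""


@dataclass
class ExecEvent:
    pcomm: str            # comm of the task when the event was recorded
    pid: int
    ppid: Optional[int]   # only present in newer execsnoop output
    ret: int              # 0 on success, -errno on a failed execve()
    args: List[str]
    time_s: Optional[float] = None

    @property
    def failed(self) -> bool:
        return self.ret != 0

    @property
    def errname(self) -> str:
        """Decode RET into an errno name: -2 -> ENOENT (the missing setuidgid case)."""
        if self.ret >= 0:
            return "OK"
        return errno.errorcode.get(-self.ret, "errno %d" % -self.ret)


def parse_execsnoop(text: str) -> List[ExecEvent]:
    """Parse execsnoop output, using the header to detect the TIME(s) and PPID columns.

    execsnoop prints arguments joined by single spaces, so an argument that itself
    contained a space cannot be told apart from two arguments here, nor in the tool.
    """
    lines = [ln for ln in text.splitlines() if ln.strip() and ln.strip() != "[...]"]
    header = lines[0].split()
    has_time = header[0] == "TIME(s)"
    has_ppid = "PPID" in header
    events = []
    for line in lines[1:]:
        f = line.split()
        time_s = float(f.pop(0)) if has_time else None
        pcomm = f.pop(0)
        pid = int(f.pop(0))
        ppid = int(f.pop(0)) if has_ppid else None
        ret = int(f.pop(0))
        events.append(ExecEvent(pcomm, pid, ppid, ret, f, time_s))
    return events


def filter_events(events, include_fails=False, name=None, line=None, max_args=20):
    """Apply execsnoop's filters offline: -x (keep failed execs), -n NAME (regex on
    PCOMM) and -l LINE (regex on the args, of which the tool keeps only --max-args)."""
    name_re = re.compile(name) if name else None
    line_re = re.compile(line) if line else None
    out = []
    for ev in events:
        if ev.failed and not include_fails:
            continue
        if name_re and not name_re.search(ev.pcomm):
            continue
        if line_re and not line_re.search(" ".join(ev.args[:max_args])):
            continue
        out.append(ev)
    return out


def exec_chains(events) -> Dict[int, List[str]]:
    """PIDs that called execve() more than once, with argv[0] of each attempt in
    order: a wrapper re-exec (yum -> python -> yum) or a failed exec followed by
    another one. fork()-only workers never appear in execsnoop output at all."""
    chains: Dict[int, List[str]] = {}
    for ev in events:
        chains.setdefault(ev.pid, []).append(ev.args[0])
    return {pid: argv0s for pid, argv0s in chains.items() if len(argv0s) > 1}


if __name__ == "__main__":
    for ev in filter_events(parse_execsnoop(SAMPLE_X), include_fails=True):
        print(ev.pcomm, ev.pid, ev.errname, " ".join(ev.args))
    print(exec_chains(parse_execsnoop(SAMPLE_L)))
```

Note the --max-args effect: with the default of 20 the -l "main" filter matches
four of the constructed -x lines, but with max_args=2 it matches none, because
"./main" is the third argument in every one of them. A long command line whose
interesting argument sits past the captured prefix is invisible to -l in the
same way.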