Execsnoop cli args matching (iovisor#1115)

* adding args matching option * fixing typos * fixing merge artefacts * [execsnoop]: adding documentation on -l in man * [execsnoop][man]: fixing typo in commands name
GaoHuijian · Apr 19, 2017 · 0a01506 · 0a01506
1 parent 9556db2
commit 0a01506
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 9 deletions.
diff --git a/man/man8/execsnoop.8 b/man/man8/execsnoop.8
@@ -2,7 +2,7 @@
 .SH NAME
 execsnoop \- Trace new processes via exec() syscalls. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B execsnoop [\-h] [\-t] [\-x] [\-n NAME]
+.B execsnoop [\-h] [\-t] [\-x] [\-n NAME] [\-l LINE]
 .SH DESCRIPTION
 execsnoop traces new processes, showing the filename executed and argument
 list.
@@ -31,7 +31,10 @@ Include a timestamp column.
 Include failed exec()s
 .TP
 \-n NAME
-Only print command lines matching this name (regex), matched anywhere
+Only print command lines matching this name (regex)
+.TP
+\-l LINE
+Only print commands where arg contains this line (regex)
 .SH EXAMPLES
 .TP
 Trace all exec() syscalls:
@@ -46,9 +49,13 @@ Include failed exec()s:
 #
 .B execsnoop \-x
 .TP
-Only trace exec()s where the filename or arguments contain "mount":
+Only trace exec()s where the filename contains "mount":
+#
+.B execsnoop \-n mount
+.TP
+Only trace exec()s where argument's line contains "testpkg":
 #
-.B opensnoop \-n mount
+.B execsnoop \-l testpkg
 .SH FIELDS
 .TP
 TIME(s)

diff --git a/tools/execsnoop.py b/tools/execsnoop.py
@@ -30,6 +30,7 @@
  ./execsnoop -x # include failed exec()s
  ./execsnoop -t # include timestamps
  ./execsnoop -n main # only print command lines containing "main"
+ ./execsnoop -l tpkg # only print command where arguments contains "tpkg" 
 """
 parser = argparse.ArgumentParser(
  description="Trace exec() syscalls",
@@ -41,6 +42,8 @@
  help="include failed exec()s")
 parser.add_argument("-n", "--name",
  help="only print commands matching this name (regex), any arg")
+parser.add_argument("-l", "--line",
+ help="only print commands where arg contains this line (regex)")
 args = parser.parse_args()
 
 # define BPF program
@@ -192,6 +195,9 @@ def print_event(cpu, data, size):
  skip = True
  if args.name and not re.search(args.name, event.comm):
  skip = True
+ if args.line and not re.search(args.line,
+ b' '.join(argv[event.pid]).decode()):
+ skip = True
 
  if not skip:
  if args.timestamp:
@@ -200,8 +206,11 @@ def print_event(cpu, data, size):
  print("%-16s %-6s %-6s %3s %s" % (event.comm.decode(), event.pid,
  ppid if ppid > 0 else "?", event.retval,
  b' '.join(argv[event.pid]).decode()))
+ try:
+ del(argv[event.pid])
+ except Exception:
+ pass
 
- del(argv[event.pid])
 
 # loop with callback to print_event
 b["events"].open_perf_buffer(print_event)

diff --git a/tools/execsnoop_example.txt b/tools/execsnoop_example.txt
@@ -52,13 +52,29 @@ doesn't exist).
 
 
 A -t option can be used to include a timestamp column, and a -n option to match
-on a name or substring from the full command line (filename + args). Regular
-expressions are allowed. For example, matching commands containing "mount":
+on a name. Regular expressions are allowed. 
+For example, matching commands containing "mount":
 
 # ./execsnoop -tn mount
 TIME(s) PCOMM PID RET ARGS
-2.849 bash 18049 0 /bin/mount -p
-
+2.849 mount 18049 0 /bin/mount -p
+
+The -l option can be used to only show command where one of the arguments
+matches specified line. The limitation is that we are looking only into first 20
+arguments of the command. For example, matching all command where one of the argument
+is "testpkg":
+
+# ./execsnoop.py -l testpkg
+PCOMM PID PPID RET ARGS
+service 3344535 4146419 0 /usr/sbin/service testpkg status
+systemctl 3344535 4146419 0 /bin/systemctl status testpkg.service
+yum 3344856 4146419 0 /usr/local/bin/yum remove testpkg
+python 3344856 4146419 0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
+yum 3344856 4146419 0 /usr/bin/yum remove testpkg
+yum 3345086 4146419 0 /usr/local/bin/yum install testpkg
+python 3345086 4146419 0 /usr/local/bin/python /usr/local/bin/yum install testpkg
+yum 3345086 4146419 0 /usr/bin/yum install testpkg
+rpm 3345452 4146419 0 /bin/rpm -qa testpkg
 
 USAGE message:
 
@@ -73,9 +89,12 @@ optional arguments:
  -x, --fails include failed exec()s
  -n NAME, --name NAME only print commands matching this name (regex), any
  arg
+ -l LINE, --line LINE only print commands where arg contains this line
+ (regex)
 
 examples:
  ./execsnoop # trace all exec() syscalls
  ./execsnoop -x # include failed exec()s 
  ./execsnoop -t # include timestamps
  ./execsnoop -n main # only print command lines containing "main"
+ ./execsnoop -l tpkg # only print command where arguments contains "tpkg"