.TH execsnoop 8 "2020-02-20" "USER COMMANDS"
.SH NAME
execsnoop \- Trace new processes via exec() syscalls. Uses Linux eBPF/bcc.
.SH SYNOPSIS
.B execsnoop [\-h] [\-T] [\-t] [\-x] [\-\-cgroupmap CGROUPMAP] [\-u USER]
.B [\-q] [\-n NAME] [\-l LINE] [\-U] [\-\-max-args MAX_ARGS]
.SH DESCRIPTION
execsnoop traces new processes, showing the filename executed and argument
list.
It works by tracing the execve() system call (the commonly used exec() variant).
This catches new processes that follow the fork->exec sequence, as well as
processes that re-exec() themselves. Some applications fork() but do not
exec(), e.g., for worker processes, which won't be included in the execsnoop
output.
This works by tracing the kernel sys_execve() function using dynamic tracing,
and will need updating to match any changes to this function.
Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF and bcc.
.SH OPTIONS
.TP
\-h
Print usage message.
.TP
\-T
Include a time column (HH:MM:SS).
.TP
\-U
Include UID column.
.TP
\-t
Include a timestamp column.
.TP
\-u USER
Filter by UID (or username).
.TP
\-x
Include failed exec()s.
.TP
\-q
Add "quotemarks" around arguments. Escape quotemarks in arguments with a
backslash. For tracing empty arguments or arguments that contain whitespace.
.TP
\-n NAME
Only print command lines matching this name (regex).
.TP
\-l LINE
Only print commands where arg contains this line (regex).
.TP
\-\-max-args MAXARGS
Maximum number of arguments parsed and displayed, defaults to 20.
.TP
\-\-cgroupmap MAPPATH
Trace cgroups in this BPF map only (filtered in-kernel).
.SH EXAMPLES
.TP
Trace all exec() syscalls:
#
.B execsnoop
.TP
Trace all exec() syscalls, and include timestamps:
#
.B execsnoop \-t
.TP
Display process UID:
#
.B execsnoop \-U
.TP
Trace only UID 1000:
#
.B execsnoop \-u 1000
.TP
Trace only processes launched by root and display UID column:
#
.B execsnoop \-Uu root
.TP
Include failed exec()s:
#
.B execsnoop \-x
.TP
Put quotemarks around arguments:
#
.B execsnoop \-q
.TP
Only trace exec()s where the filename contains "mount":
#
.B execsnoop \-n mount
.TP
Only trace exec()s where the argument line contains "testpkg":
#
.B execsnoop \-l testpkg
.TP
Trace a set of cgroups only (see filtering_by_cgroups.md from bcc sources for more details):
#
.B execsnoop \-\-cgroupmap /sys/fs/bpf/test01
.SH FIELDS
.TP
TIME
Time of exec() return, in HH:MM:SS format.
.TP
TIME(s)
Time of exec() return, in seconds.
.TP
UID
User ID
.TP
PCOMM
Parent process/command name.
.TP
PID
Process ID
.TP
PPID
Parent process ID
.TP
RET
Return value of exec(). 0 == success. Failures are only shown when using the
\-x option.
.TP
ARGS
Filename for the exec(), followed by up to 19 arguments. An ellipsis "..." is
shown if the argument list is known to be truncated.
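.PP
The following parser for the output format documented in FIELDS is an added
example; it is not part of execsnoop or the bcc project. It assumes that the
optional TIME, TIME(s) and UID columns precede PCOMM PID PPID RET ARGS and can
be read from the header line, that PCOMM contains no whitespace, that failed
exec()s shown with \-x carry a negative errno in RET, and that a \-n style
match can be approximated by matching the basename of the executed filename.
The sample output is constructed, not captured from a real run. The
filter_events() helper post-filters recorded output the way the \-n, \-l, \-u
and \-x options filter at trace time, which is useful when execsnoop output has
been saved to a log and needs to be reviewed afterwards.

```python
import errno
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "execsnoop -T -t -U -x" output; not captured from a real run.
SAMPLE_OUTPUT = """\
TIME     TIME(s) UID    PCOMM            PID    PPID    RET ARGS
12:00:01 0.000   1000   bash             4242   4200      0 /usr/bin/ls -la /tmp
12:00:02 1.250   0      sudo             4243   4242      0 /usr/bin/mount -t ext4 /dev/sdb1 /mnt
12:00:03 2.100   1000   bash             4244   4200     -2 /usr/local/bin/testpkg --install
12:00:04 3.007   1000   make             4245   4244      0 /usr/bin/gcc -O2 -o a.out a1.c a2.c ...
"""

# Columns execsnoop may print before ARGS; which ones are present is read from the header.
FIXED_COLUMNS = {"TIME", "TIME(s)", "UID", "PCOMM", "PID", "PPID", "RET"}


@dataclass
class ExecEvent:
    pcomm: str          # parent command name
    pid: int
    ppid: int
    ret: int            # 0 on success, negative errno on failure (shown with -x)
    filename: str       # first ARGS token: the file passed to execve()
    args: List[str]     # remaining arguments, without the "..." marker
    truncated: bool     # True when execsnoop appended "..." (argument list cut off)
    time: Optional[str] = None      # HH:MM:SS column from -T
    time_s: Optional[float] = None  # seconds column from -t
    uid: Optional[int] = None       # UID column from -U

    def errname(self) -> Optional[str]:
        """Symbolic errno name for a failed exec(), e.g. ENOENT; None on success."""
        return errno.errorcode.get(-self.ret) if self.ret < 0 else None


def parse_execsnoop(text: str, quoted: bool = False) -> List[ExecEvent]:
    """Parse execsnoop output. Set quoted=True for output produced with -q."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    if header[-1] != "ARGS" or not set(header[:-1]) <= FIXED_COLUMNS:
        raise ValueError("unrecognised execsnoop header: %r" % lines[0])
    n_fixed = len(header) - 1   # every column before ARGS is one whitespace-free token
    events = []
    for ln in lines[1:]:
        parts = ln.split(None, n_fixed)  # the ARGS remainder keeps its internal spacing
        if len(parts) != n_fixed + 1:
            raise ValueError("malformed execsnoop line: %r" % ln)
        cols = dict(zip(header[:-1], parts[:-1]))
        argv = shlex.split(parts[-1]) if quoted else parts[-1].split()
        truncated = bool(argv) and argv[-1] == "..."
        if truncated:
            argv = argv[:-1]
        events.append(ExecEvent(
            pcomm=cols["PCOMM"],
            pid=int(cols["PID"]),
            ppid=int(cols["PPID"]),
            ret=int(cols["RET"]),
            filename=argv[0] if argv else "",
            args=argv[1:],
            truncated=truncated,
            time=cols.get("TIME"),
            time_s=float(cols["TIME(s)"]) if "TIME(s)" in cols else None,
            uid=int(cols["UID"]) if "UID" in cols else None,
        ))
    return events


def filter_events(events, name=None, line=None, uid=None, failed_only=False):
    """Post-filter parsed events the way the -n, -l, -u and -x options do at trace time."""
    name_re = re.compile(name) if name else None
    line_re = re.compile(line) if line else None
    kept = []
    for ev in events:
        # -n: regex against the executed program's name (assumed: basename of the filename)
        if name_re and not name_re.search(os.path.basename(ev.filename)):
            continue
        # -l: regex against the whole command line
        if line_re and not line_re.search(" ".join([ev.filename] + ev.args)):
            continue
        if uid is not None and ev.uid != uid:
            continue
        if failed_only and ev.ret == 0:
            continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    events = parse_execsnoop(SAMPLE_OUTPUT)
    for ev in filter_events(events, failed_only=True):
        print("failed exec by uid %s: %s (%s)" % (ev.uid, ev.filename, ev.errname()))
    for ev in filter_events(events, name="mount"):
        print("mount: pid %d ppid %d argv %s" % (ev.pid, ev.ppid, [ev.filename] + ev.args))
```
.PP
Driving the parser from the header line rather than a hard-coded column order
means the same code handles output produced with any combination of \-T, \-t
and \-U; the truncation marker is stripped into a separate flag so that a
review of recorded output can tell a genuinely short command line from one that
execsnoop cut off at \-\-max-args.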
.SH OVERHEAD
This traces the kernel execve function and prints output for each event. As the
rate of this is generally expected to be low (< 1000/s), the overhead is also
expected to be negligible. If you have an application that is calling a high
rate of exec()s, then test and understand overhead before use.
.SH SOURCE
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
opensnoop(1)