Demonstrations of bashreadline, the Linux eBPF/bcc version.


This prints bash commands from all running bash shells on the system. For
example:

# ./bashreadline
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:28  21176  date
05:28:35  21176  echo hello world
05:28:43  21176  foo this command failed
05:28:45  21176  df -h
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again

When running the script on Arch Linux, you may need to specify the location
of the libreadline.so library:

# ./bashreadline -s /lib/libreadline.so
TIME      PID    COMMAND
11:17:34  28796  whoami
11:17:41  28796  ps -ef
11:17:51  28796  echo "Hello eBPF!"


The entered command may fail. This is just showing what command lines were
entered interactively for bash to process.

It works by tracing the return of the readline() function using uprobes
(specifically a uretprobe).
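
Because the output interleaves lines from every bash shell, a per-PID view is usually the first thing wanted when reviewing a capture. The following is an added example, not part of bcc or of the original page: it parses the TIME/PID/COMMAND columns shown above and groups commands by shell. The names parse and by_shell are hypothetical, and SAMPLE is constructed from the two captures on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the two captures shown on this page, concatenated.
SAMPLE = """\
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:28  21176  date
05:28:35  21176  echo hello world
05:28:43  21176  foo this command failed
05:28:45  21176  df -h
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again
TIME      PID    COMMAND
11:17:34  28796  whoami
11:17:41  28796  ps -ef
11:17:51  28796  echo "Hello eBPF!"
"""

# A data row is HH:MM:SS, a numeric PID, then the rest of the line verbatim.
# The command is free text (spaces, quotes), so it is never split further.
ROW = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\d+)\s*(.*)$")


def parse(text):
    """Yield (time, pid, command) per data row; header lines do not match."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def by_shell(text):
    """Group entered command lines per bash PID, preserving entry order."""
    shells = defaultdict(list)
    for time, pid, cmd in parse(text):
        shells[pid].append((time, cmd))
    return dict(shells)


if __name__ == "__main__":
    for pid, cmds in by_shell(SAMPLE).items():
        print(f"bash pid {pid}: {len(cmds)} command line(s) entered")
        for time, cmd in cmds:
            # A row records what was typed, not that the command succeeded.
            print(f"  {time}  {cmd}")
```

The TIME column carries no date, so rows from separate runs can only be ordered within a single capture.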