Demonstrations of execsnoop, the Linux eBPF/bcc version.


execsnoop traces new processes. For example, tracing the commands invoked when
running "man ls":

# ./execsnoop
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
preconv          15894    0 /usr/bin/preconv -e UTF-8
man              15896    0 /usr/bin/tbl
man              15897    0 /usr/bin/nroff -mandoc -rLL=169n -rLT=169n -Tutf8
man              15898    0 /usr/bin/pager -s
nroff            15900    0 /usr/bin/locale charmap
nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -rLT=169n
groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
groff            15903    0 /usr/bin/grotty

The output shows the parent process/command name (PCOMM), the PID, the return
value of the exec() (RET), and the filename with arguments (ARGS).

This works by tracing the execve() system call (the commonly used exec()
variant), and shows details of the arguments and return value. This catches new
processes that follow the fork->exec sequence, as well as processes that
re-exec() themselves. Some applications fork() but do not exec(), e.g., for
worker processes; these won't be included in the execsnoop output.


The -x option can be used to include failed exec()s. For example:

# ./execsnoop -x
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
supervise        9661     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9663     0 ./run
chown            9664     0 /bin/chown nobody:nobody ./main
run              9665     0 /bin/mkdir -p ./main
supervise        9667     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9669     0 /bin/mkdir -p ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
supervise        9670     0 ./run
[...]

This example shows various regular system daemon activity, including some
failures (trying to execute /usr/local/bin/setuidgid, which I just noticed
doesn't exist).


A -T option can be used to include a time column, a -t option to include a
timestamp column, and a -n option to match on a name. Regular expressions
are allowed. For example, matching commands containing "mount":

# ./execsnoop -Ttn mount
TIME     TIME(s) PCOMM            PID    PPID   RET ARGS
14:08:23 2.849   mount            18049  1045     0 /bin/mount -p

The -l option can be used to only show commands where one of the arguments
matches the specified pattern. The limitation is that only the first 20
arguments of the command are examined. For example, matching all commands where
one of the arguments is "testpkg":

# ./execsnoop.py -l testpkg
PCOMM            PID      PPID     RET ARGS
service          3344535  4146419    0 /usr/sbin/service testpkg status
systemctl        3344535  4146419    0 /bin/systemctl status testpkg.service
yum              3344856  4146419    0 /usr/local/bin/yum remove testpkg
python           3344856  4146419    0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
yum              3344856  4146419    0 /usr/bin/yum remove testpkg
yum              3345086  4146419    0 /usr/local/bin/yum install testpkg
python           3345086  4146419    0 /usr/local/bin/python /usr/local/bin/yum install testpkg
yum              3345086  4146419    0 /usr/bin/yum install testpkg
rpm              3345452  4146419    0 /bin/rpm -qa testpkg


The --cgroupmap option filters based on a cgroup set. It is meant to be used
with an externally created map.

# ./execsnoop --cgroupmap /sys/fs/bpf/test01

For more details, see docs/special_filtering.md

The -U option includes the UID in the output:

# ./execsnoop -U

UID   PCOMM            PID    PPID   RET ARGS
1000  ls               171318 133702   0 /bin/ls --color=auto
1000  w                171322 133702   0 /usr/bin/w

The -u option filters output based on the process UID. You can also use a
username as the argument, in which case the UID will be looked up using
getpwnam (see man 3 getpwnam).

# ./execsnoop -Uu 1000
UID   PCOMM            PID    PPID   RET ARGS
1000  ls               171335 133702   0 /bin/ls --color=auto
1000  man              171340 133702   0 /usr/bin/man getpwnam
1000  bzip2            171341 171340   0 /bin/bzip2 -dc
1000  bzip2            171342 171340   0 /bin/bzip2 -dc
1000  bzip2            171345 171340   0 /bin/bzip2 -dc
1000  manpager         171355 171340   0 /usr/bin/manpager
1000  less             171355 171340   0 /usr/bin/less

USAGE message:

# ./execsnoop -h
usage: execsnoop.py [-h] [-T] [-t] [-x] [--cgroupmap CGROUPMAP]
                    [--mntnsmap MNTNSMAP] [-u USER] [-q] [-n NAME] [-l LINE]
                    [-U] [--max-args MAX_ARGS] [-P PPID]

Trace exec() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -T, --time            include time column on output (HH:MM:SS)
  -t, --timestamp       include timestamp on output
  -x, --fails           include failed exec()s
  --cgroupmap CGROUPMAP
                        trace cgroups in this BPF map only
  --mntnsmap MNTNSMAP   trace mount namespaces in this BPF map only
  -u USER, --uid USER   trace this UID only
  -q, --quote           Add quotemarks (") around arguments.
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg
  -l LINE, --line LINE  only print commands where arg contains this line
                        (regex)
  -U, --print-uid       print UID column
  --max-args MAX_ARGS   maximum number of arguments parsed and displayed,
                        defaults to 20
  -P PPID, --ppid PPID  trace this parent PID only

examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -x        # include failed exec()s
    ./execsnoop -T        # include time (HH:MM:SS)
    ./execsnoop -P 181    # only trace new processes whose parent PID is 181
    ./execsnoop -U        # include UID
    ./execsnoop -u 1000   # only trace UID 1000
    ./execsnoop -u user   # get user UID and trace only them
    ./execsnoop -t        # include timestamps
    ./execsnoop -q        # add "quotemarks" around arguments
    ./execsnoop -n main   # only print command lines containing "main"
    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg"
    ./execsnoop --cgroupmap mappath  # only trace cgroups in this BPF map
    ./execsnoop --mntnsmap mappath   # only trace mount namespaces in the map
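The RET column is the execve() return value (0 on success, -errno on failure), which is what makes the -x output useful for spotting a missing or misnamed binary. The following is an added example, not part of bcc or the execsnoop tool: it parses execsnoop's column layout from the header row (so the -U, -T and -t variants parse too) and summarises failed exec()s by errno name and path. The sample input is a subset of the -x output shown above.

```python
import errno
from collections import Counter

# Sample input: lines copied from the "execsnoop -x" output above.
SAMPLE_OUTPUT = """\
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9664     0 /bin/chown nobody:nobody ./main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
"""


def parse_execsnoop(text):
    """Turn execsnoop output into dicts keyed by the header's column names.

    The header row defines the columns. ARGS is always the last column and
    may contain spaces, so each data line is split into len(columns)-1
    fixed fields plus the remainder. Extra leading columns (UID, TIME,
    TIME(s), PPID) are handled the same way.
    """
    lines = [l for l in text.splitlines() if l.strip() and l.strip() != "[...]"]
    columns = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split(None, len(columns) - 1)
        if len(fields) != len(columns):
            continue  # skip truncated or wrapped lines
        rec = dict(zip(columns, fields))
        rec["RET"] = int(rec["RET"])
        records.append(rec)
    return records


def failed_execs(records):
    """Return (errno name, attempted path, parent command) for each failed exec().

    RET is -errno on failure, so -2 maps to ENOENT: no binary at that path.
    """
    out = []
    for rec in records:
        if rec["RET"] < 0:
            name = errno.errorcode.get(-rec["RET"], "E?%d" % -rec["RET"])
            path = rec["ARGS"].split(None, 1)[0]
            out.append((name, path, rec["PCOMM"]))
    return out


def failure_summary(text):
    """Count failed exec() attempts per (errno, path), so a binary that is
    repeatedly missing, like setuidgid above, stands out from one-off noise."""
    return Counter((e, p) for e, p, _ in failed_execs(parse_execsnoop(text)))
```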