.TH capable 8 "2016-09-13" "USER COMMANDS" .SH NAME capable \- Trace security capability checks (cap_capable()). .SH SYNOPSIS .B capable [\-h] [\-v] [\-p PID] .SH DESCRIPTION This traces security capability checks in the kernel, and prints details for each call. This can be useful for general debugging, and also security enforcement: determining a white list of capabilities an application needs. Since this uses BPF, only the root user can use this tool. .SH REQUIREMENTS CONFIG_BPF, bcc. .SH OPTIONS \-h USAGE message. .TP \-v Include non-audit capability checks. These are those deemed not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit. .SH EXAMPLES .TP Trace all capability checks system-wide: # .B capable .TP Trace capability checks for PID 181: # .B capable \-p 181 .SH FIELDS .TP TIME(s) Time of capability check: HH:MM:SS. .TP UID User ID. .TP PID Process ID. .TP COMM Process name. CAP Capability number. NAME Capability name. See capabilities(7) for descriptions. .TP AUDIT Whether this was an audit event. Use \-v to include non-audit events. .SH OVERHEAD This adds low-overhead instrumentation to capability checks, which are expected to be low frequency, however, that depends on the application. Test in a lab environment before use. .SH SOURCE This is from bcc. .IP https://github.com/iovisor/bcc .PP Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool. .SH OS Linux .SH STABILITY Unstable - in development. .SH AUTHOR Brendan Gregg .SH SEE ALSO capabilities(7)