Demonstrations of capable, the Linux eBPF/bcc version.


capable traces calls to the kernel cap_capable() function, which does security
capability checks, and prints details for each call. For example:

# ./capable.py
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        7    CAP_SETUID           1
22:11:24  0      7013   run              24   CAP_SYS_RESOURCE     1
22:11:24  0      7026   chmod            3    CAP_FOWNER           1
22:11:24  0      7026   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        7    CAP_SETUID           1
22:11:25  0      7036   run              24   CAP_SYS_RESOURCE     1
22:11:25  0      7049   chmod            3    CAP_FOWNER           1
22:11:25  0      7049   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
[...]

This can be useful for general debugging, and also for security enforcement:
determining a whitelist of the capabilities an application actually needs.

The output above includes various capability checks: snmpd checking
CAP_NET_ADMIN, run checking CAP_SYS_RESOURCE, then some short-lived processes
checking CAP_FOWNER, CAP_FSETID, etc.

To see what each of these capabilities does, check the capabilities(7) man
page and the kernel source.

It is possible to include a kernel stack trace with each capable event by
passing -K to the command:

# ./capable.py -K
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
15:32:21  1000   10708  fetchmail        7    CAP_SETUID           1
        cap_capable+0x1 [kernel]
        ns_capable_common+0x7a [kernel]
        __sys_setresuid+0xc8 [kernel]
        do_syscall_64+0x56 [kernel]
        entry_SYSCALL_64_after_hwframe+0x49 [kernel]
15:32:21  1000   30047  procmail         6    CAP_SETGID           1
        cap_capable+0x1 [kernel]
        ns_capable_common+0x7a [kernel]
        may_setgroups+0x2f [kernel]
        __x64_sys_setgroups+0x18 [kernel]
        do_syscall_64+0x56 [kernel]
        entry_SYSCALL_64_after_hwframe+0x49 [kernel]

Similarly, it is possible to include a user-space stack trace with -U (or both
options can be used at the same time to include the user and kernel stacks).
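The whitelist idea above and the -K/-U output format, as an added example that is not part of bcc or capable.py: this parses the text capable.py prints (skipping indented stack frames and the "[...]" marker) and aggregates, per COMM, the set of capability names that were checked; the SAMPLE input is constructed to resemble the output shown on this page.

```python
# Added example, not part of bcc or capable.py: build a per-command capability
# allowlist from capable.py output; -K/-U stack frames and "[...]" are skipped.
import re
from collections import defaultdict

# Record columns: TIME UID PID COMM CAP NAME AUDIT (whitespace separated).
RECORD = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s+"
    r"(?P<cap>\d+)\s+(?P<name>\S+)\s+(?P<audit>[01])\s*$"
)

# Constructed sample resembling the page's output, with -K frames and one
# non-audit (AUDIT=0) check of the kind -v prints.
SAMPLE = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
15:32:21  1000   10708  fetchmail        7    CAP_SETUID           1
        cap_capable+0x1 [kernel]
        __sys_setresuid+0xc8 [kernel]
22:11:23  0      6990   setuidgid        6    CAP_SETGID           0
[...]
"""

def parse_events(text):
    """Yield one dict per capability-check line; skip header, frames, '[...]'."""
    for line in text.splitlines():
        if line[:1].isspace():
            continue  # indented kernel/user stack frame from -K/-U
        m = RECORD.match(line)
        if m:
            ev = m.groupdict()
            for key in ("uid", "pid", "cap"):
                ev[key] = int(ev[key])
            ev["audit"] = ev["audit"] == "1"
            yield ev

def capability_allowlist(text, audit_only=True):
    """Map COMM -> sorted names of the capabilities it was checked for.
    AUDIT=0 checks (only printed with -v) are dropped unless audit_only=False."""
    needed = defaultdict(set)
    for ev in parse_events(text):
        if ev["audit"] or not audit_only:
            needed[ev["comm"]].add(ev["name"])
    return {comm: sorted(caps) for comm, caps in needed.items()}

if __name__ == "__main__":
    for comm, caps in sorted(capability_allowlist(SAMPLE).items()):
        print(f"{comm:16} {' '.join(caps)}")
```

To use it on a live trace, feed the saved output of ./capable.py (with or without -K/-U) to capability_allowlist() instead of SAMPLE.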

USAGE:

# ./capable.py -h
usage: capable.py [-h] [-v] [-p PID] [-K] [-U]

Trace security capability checks

optional arguments:
  -h, --help          show this help message and exit
  -v, --verbose       include non-audit checks
  -p PID, --pid PID   trace this PID only
  -K, --kernel-stack  output kernel stack trace
  -U, --user-stack    output user stack trace

examples:
    ./capable             # trace capability checks
    ./capable -v          # verbose: include non-audit checks
    ./capable -p 181      # only trace PID 181
    ./capable -K          # add kernel stacks to trace
    ./capable -U          # add user-space stacks to trace
