Demonstrations of execsnoop, the Linux eBPF/bcc version.


execsnoop traces new processes. For example, tracing the commands invoked when
running "man ls":

# ./execsnoop
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
preconv          15894    0 /usr/bin/preconv -e UTF-8
man              15896    0 /usr/bin/tbl
man              15897    0 /usr/bin/nroff -mandoc -rLL=169n -rLT=169n -Tutf8
man              15898    0 /usr/bin/pager -s
nroff            15900    0 /usr/bin/locale charmap
nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -rLT=169n
groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
groff            15903    0 /usr/bin/grotty

The output shows the parent process/command name (PCOMM), the PID, the return
value of the exec() (RET), and the filename with arguments (ARGS).

This works by tracing the execve() system call (the commonly used exec()
variant), and shows details of the arguments and return value. This catches new
processes that follow the fork->exec sequence, as well as processes that
re-exec() themselves. Some applications fork() but do not exec(), e.g., for
worker processes; these won't be included in the execsnoop output.


The -x option can be used to include failed exec()s. For example:

# ./execsnoop -x
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
supervise        9661     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9663     0 ./run
chown            9664     0 /bin/chown nobody:nobody ./main
run              9665     0 /bin/mkdir -p ./main
supervise        9667     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9669     0 /bin/mkdir -p ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
supervise        9670     0 ./run
[...]

This example shows various regular system daemon activity, including some
failures (trying to execute a /usr/local/bin/setuidgid, which I just noticed
doesn't exist).


A -t option can be used to include a timestamp column, and a -n option to match
on a name. Regular expressions are allowed.
For example, matching commands containing "mount":

# ./execsnoop -tn mount
TIME(s) PCOMM            PID    RET ARGS
2.849   mount            18049    0 /bin/mount -p

The -l option can be used to only show commands where one of the arguments
matches the specified line (a regex). The limitation is that only the first 20
arguments of the command are examined. For example, matching all commands where
one of the arguments is "testpkg":

# ./execsnoop.py -l testpkg
PCOMM            PID    PPID   RET ARGS
service          3344535 4146419   0 /usr/sbin/service testpkg status
systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
python           3344856 4146419   0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
yum              3344856 4146419   0 /usr/bin/yum remove testpkg
yum              3345086 4146419   0 /usr/local/bin/yum install testpkg
python           3345086 4146419   0 /usr/local/bin/python /usr/local/bin/yum install testpkg
yum              3345086 4146419   0 /usr/bin/yum install testpkg
rpm              3345452 4146419   0 /bin/rpm -qa testpkg

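As an added example (my own code, not part of bcc or this examples file), the following Python parses execsnoop output of the kinds shown above and applies the -x and -l ideas to a saved capture: it reads the header line to learn which columns are present (TIME(s) with -t, PPID in newer versions), keeps the space-containing ARGS column whole, picks out exec()s that returned a negative errno, and matches a regex against the arguments. The function names and the embedded sample output are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of "execsnoop -x" output (not a real capture).
SAMPLE_OUTPUT = """\
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
[...]
"""

# Constructed sample in the shape of "execsnoop -t" output, to show header-driven parsing.
SAMPLE_TIMED = """\
TIME(s) PCOMM            PID    RET ARGS
2.849   mount            18049    0 /bin/mount -p
"""


def parse_execsnoop(text: str) -> List[Dict[str, str]]:
    """Turn execsnoop output into one dict per exec(), keyed by header name.
    The header line decides which columns exist, so TIME(s) and PPID are
    picked up when present. ARGS is always last and contains spaces, so each
    row is split at most len(columns) - 1 times to keep the command line whole.
    """
    lines = [l for l in text.splitlines() if l.strip() and l.strip() != "[...]"]
    columns = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split(None, len(columns) - 1)
        if len(fields) != len(columns):
            continue  # truncated or unexpected line: skip rather than misattribute
        records.append(dict(zip(columns, fields)))
    return records


def failed_execs(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Exec attempts whose RET is a negative errno (e.g. -2 is ENOENT)."""
    return [r for r in records if int(r["RET"]) < 0]


def match_args(records: List[Dict[str, str]], pattern: str) -> List[Dict[str, str]]:
    """Like the -l option: keep records whose ARGS matches the regex."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["ARGS"])]


if __name__ == "__main__":
    for r in failed_execs(parse_execsnoop(SAMPLE_OUTPUT)):
        print(f"failed exec by {r['PCOMM']} (pid {r['PID']}, ret {r['RET']}): {r['ARGS']}")
```
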
USAGE message:

# ./execsnoop -h
usage: execsnoop [-h] [-t] [-x] [-n NAME] [-l LINE] [--max-args MAX_ARGS]

Trace exec() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -x, --fails           include failed exec()s
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg
  -l LINE, --line LINE  only print commands where arg contains this line
                        (regex)
  --max-args MAX_ARGS   maximum number of arguments parsed and displayed,
                        defaults to 20

examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -x        # include failed exec()s
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"
    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg"
