Diffstat (limited to 'cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt')
-rw-r--r-- | cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt b/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt new file mode 100644 index 0000000..e55682a --- /dev/null +++ b/cddl/contrib/dtracetoolkit/Examples/execsnoop_example.txt 
@@ -0,0 +1,78 @@ +The following is an example of execsnoop. As processes are executed their +details are printed out. Another user was logged in running a few commands +which can be viewed below, + + # ./execsnoop + UID PID PPID ARGS + 100 3008 2656 ls + 100 3009 2656 ls -l + 100 3010 2656 cat /etc/passwd + 100 3011 2656 vi /etc/hosts + 100 3012 2656 date + 100 3013 2656 ls -l + 100 3014 2656 ls + 100 3015 2656 finger + [...] + + + +In this example the command "man gzip" was executed. The output lets us +see what the man command is actually doing, + + # ./execsnoop + UID PID PPID ARGS + 100 3064 2656 man gzip + 100 3065 3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man - + 100 3067 3066 tbl /usr/share/man/man1/gzip.1 + 100 3068 3066 nroff -u0 -Tlp -man - + 100 3066 3065 col -x + 100 3069 3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2> + 100 3070 3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 + 100 3071 3064 sh -c more -s /tmp/mpoMaa_f + 100 3072 3071 more -s /tmp/mpoMaa_f + ^C + + + +Execsnoop has other options, + + # ./execsnoop -h + USAGE: execsnoop [-a|-A|-sv] [-c command] + execsnoop # default output + -a # print all data + -A # dump all data, space delimited + -s # include start time, us + -v # include start time, string + -c command # command name to snoop + + + +In particular the verbose option for human readable timestamps is +very useful, + + # ./execsnoop -v + STRTIME UID PID PPID ARGS + 2005 Jan 22 00:07:22 0 23053 20933 date + 2005 Jan 22 00:07:24 0 23054 20933 uname -a + 2005 Jan 22 00:07:25 0 23055 20933 ls -latr + 2005 Jan 22 00:07:27 0 23056 20933 df -k + 2005 Jan 22 00:07:29 0 23057 20933 ps -ef + 2005 Jan 22 00:07:29 0 23057 20933 ps -ef + 2005 Jan 22 00:07:34 0 23058 20933 uptime + 2005 Jan 22 00:07:34 0 23058 20933 uptime + [...] + + + +It is also possible to match particular commands. 
Here we watch +anyone using the vi command only, + + # ./execsnoop -vc vi + STRTIME UID PID PPID ARGS + 2005 Jan 22 00:10:33 0 23063 20933 vi /etc/passwd + 2005 Jan 22 00:10:40 0 23064 20933 vi /etc/shadow + 2005 Jan 22 00:10:51 0 23065 20933 vi /etc/group + 2005 Jan 22 00:10:57 0 23066 20933 vi /.rhosts + [...] + + |
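Review bot: the `-v` listing shows two rows with the same PID and timestamp twice over (23057 `ps -ef` and 23058 `uptime`), and the `man gzip` listing has an ARGS field that is cut off mid-redirection at `sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2>`; as the file stands, a reader cannot tell whether these are expected properties of execsnoop's output or mistakes in the transcript. Suggest one sentence after each listing stating what is going on (for example, that ARGS is truncated at a fixed width), or trimming the duplicate rows if they add nothing. The `-c vi` example is a good illustration of watching edits to sensitive files such as /etc/shadow; it would help the reader to say that `-c` matches on the command name as executed, so a renamed or full-path invocation needs to be accounted for when using the script for auditing.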