#!/bin/sh
#
# execsnoop - snoop process execution as it occurs.
#             Written using DTrace (Solaris 10 3/05).
#
# $Id: execsnoop 3 2007-08-01 10:50:08Z brendan $
#
# USAGE:	execsnoop [-a|-A|-ehsvJ] [-c command]
#
#		execsnoop	# default output
#
#		-a		# print all data
#		-A		# dump all data, space delimited
#		-e		# safe output - parseable
#		-s		# print start time, us
#		-v		# print start time, string
#		-J		# print jail ID
#		-c command	# command name to snoop
#	eg,
#		execsnoop -v		# human readable timestamps
#		execsnoop -J		# print jail ID
#		execsnoop -c ls		# snoop ls commands only
#
# The parseable output ensures that the ARGS field doesn't contain
# any "\n"s, which it otherwise sometimes can - and that would wreck postprocessing.
#
# FIELDS:
#		UID		User ID
#		PID		Process ID
#		PPID		Parent Process ID
#		COMM		command name for the process
#		ARGS		argument listing for the process
#		JAIL ID		Jail ID	
#		TIME		timestamp for the command, us
#		STRTIME		timestamp for the command, string
#
# SEE ALSO: BSM auditing.
#
# COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
#
# CDDL HEADER START
#
#  The contents of this file are subject to the terms of the
#  Common Development and Distribution License, Version 1.0 only
#  (the "License").  You may not use this file except in compliance
#  with the License.
#
#  You can obtain a copy of the license at Docs/cddl1.txt
#  or http://www.opensolaris.org/os/licensing.
#  See the License for the specific language governing permissions
#  and limitations under the License.
#
# CDDL HEADER END
#
# Author: Brendan Gregg  [Sydney, Australia]
#
# 27-Mar-2004	Brendan Gregg	Created this.
# 21-Jan-2005	   "	  "	Wrapped in sh to provide options.
# 08-May-2005 	   "      "	Rewritten for performance.
# 14-May-2005 	   "      "	Added zonename.
# 02-Jul-2005 	   "      "	Added projid, safe printing.
# 11-Sep-2005	   "      "	Increased switchrate.
# 11-Sep-2005	   "      "	Last update.
# 


##############################
# --- Process Arguments ---
#

### default variables
### default variables
# One flag per option letter; all off until the option parser sets them.
opt_dump=0		# -A: space-delimited dump of every field
opt_cmd=0		# -c: a command name was supplied
opt_time=0		# -s: print start time in microseconds
opt_timestr=0		# -v: print start time as a string
opt_jailid=0		# -J: print jail ID
opt_safe=0		# -e: parseable (escaped) ARGS output
filter=0		# 1 when the D predicate must compare execname
command=.		# placeholder command name while -c is unused

### process options
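### process options
# The -c command name is spliced verbatim into the D program below as a
# string literal, through an unquoted shell expansion.  Reject anything that
# would end that literal or be split/globbed by the shell: quotes, backslashes,
# the glob characters * ? [ and whitespace.  Prints a message on stderr and
# returns 1 for an unusable name, returns 0 otherwise.
check_cmdname()
{
	case $1 in
	'')
		echo "execsnoop: -c needs a non-empty command name" >&2
		return 1 ;;
	*[\\\"\'*?[]*|*[[:space:]]*)
		echo "execsnoop: -c command name contains unsupported characters" >&2
		return 1 ;;
	esac
	return 0
}

# Each option letter maps to one or more opt_* flags; -a is shorthand for
# -s -v -J.  -h or an unknown option prints usage and exits 1.
while getopts aAc:ehsvJ name
do
	case $name in
	a)	opt_time=1; opt_timestr=1; opt_jailid=1 ;;
	A)	opt_dump=1 ;;
	c)	check_cmdname "$OPTARG" || exit 1
		opt_cmd=1; command=$OPTARG ;;
	e)	opt_safe=1 ;;
	s)	opt_time=1 ;;
	v)	opt_timestr=1 ;;
	J)	opt_jailid=1 ;;
	h|?)	cat <<-END >&2
		USAGE: execsnoop [-a|-A|-ehsvJ] [-c command]
		       execsnoop                # default output
		                -a              # print all data
		                -A              # dump all data, space delimited
		                -e              # safe output, parseable
		                -s              # print start time, us
		                -v              # print start time, string
		                -J              # print jail ID 
		                -c command      # command name to snoop
		  eg,
		        execsnoop -v            # human readable timestamps
		        execsnoop -J		# print jail ID 
		        execsnoop -c ls         # snoop ls commands only
		END
		exit 1
	esac
done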

### option logic
### option logic
# Dump mode (-A) prints every field itself, so the optional columns are
# switched off; a -c command name turns on the execname filter.
[ "$opt_dump" -eq 1 ] && opt_time=0 && opt_timestr=0 && opt_jailid=0
[ "$opt_cmd" -eq 1 ] && filter=1


#################################
# --- Main Program, DTrace ---
#
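# The D program is built by string concatenation.  Each $opt_* value is 0 or
# 1 and becomes a D inline constant; $command becomes a D string literal.
# $command is expanded inside double quotes so the shell never word-splits or
# glob-expands the name.  A quote or backslash in the name would still end
# the D literal early, so -c values must not contain them.
/usr/sbin/dtrace -n '
 /*
  * Command line arguments
  */
 inline int OPT_dump 	= '$opt_dump';
 inline int OPT_cmd 	= '$opt_cmd';
 inline int OPT_time 	= '$opt_time';
 inline int OPT_timestr	= '$opt_timestr';
 inline int OPT_jailid  = '$opt_jailid';
 inline int OPT_safe 	= '$opt_safe';
 inline int FILTER 	= '$filter';
 inline string COMMAND 	= "'"$command"'";
 
 #pragma D option quiet
 #pragma D option switchrate=10hz
 
 /*
  * Print header
  */
 dtrace:::BEGIN 
 {
	/* print optional headers */
 	OPT_time    ? printf("%-14s ", "TIME") : 1;
 	OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
 	OPT_jailid    ? printf("%-10s ", "JAIL ID") : 1;

	/*
	 * print main headers; the dump header is space delimited like its
	 * data rows, so the jail column must be a single token there
	 */
	OPT_dump    ? printf("%s %s %s %s %s %s %s\n",
	    "TIME", "JAILID", "UID", "PID", "PPID", "COMM", "ARGS") :
	    printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
 }

 /*
  * Print exec event; with -c only the matching execname is reported
  */
 syscall::execve:return
 /(FILTER == 0) || (OPT_cmd == 1 && COMMAND == execname)/ 
 {
	/* print optional fields */
 	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_jailid ? printf("%-10d ", curpsinfo->pr_jailid) : 1;

	/* print main data */
	OPT_dump ? printf("%d %d %d %d %d %s ", timestamp/1000,
	    curpsinfo->pr_jailid, uid, pid, ppid, execname) :
	    printf("%5d %6d %6d ", uid, pid, ppid);
	/* -e uses %S so embedded newlines in the arguments are escaped */
	OPT_safe ? printf("%S\n", curpsinfo->pr_psargs) :
	    printf("%s\n", curpsinfo->pr_psargs);
 }
'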