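#!/bin/sh
#
# execsnoop - snoop process execution as it occurs.
#             Written using DTrace (Solaris 10 3/05).
#
# $Id: execsnoop 3 2007-08-01 10:50:08Z brendan $
#
# USAGE:	execsnoop [-a|-A|-ehsvJ] [-c command]
#
#		execsnoop	# default output
#
#		-a		# print all data
#		-A		# dump all data, space delimited
#		-e		# safe output - parseable
#		-s		# print start time, us
#		-v		# print start time, string
#		-J		# print jail ID
#		-c command	# command name to snoop
#	eg,
#		execsnoop -v	# human readable timestamps
#		execsnoop -J	# print jail ID
#		execsnoop -c ls	# snoop ls commands only
#
# The parseable output ensures that the ARGS field doesn't contain
# any "\n"s, which normally sometimes can - and would wreck postprocessing.
#
# COMM and ARGS are taken from the traced process itself (execname and
# curpsinfo->pr_psargs), i.e. from whoever ran that command.  Without -e
# ARGS is printed raw (%s) and may carry embedded newlines or terminal
# control sequences; use -e (%S, escaped) whenever the output is logged
# or post-processed.
#
# FIELDS:
#		UID		User ID
#		PID		Process ID
#		PPID		Parent Process ID
#		COMM		command name for the process
#		ARGS		argument listing for the process
#		JAIL ID		Jail ID (printed as JAILID in -A output, so
#				the header is one token per column)
#		TIME		timestamp for the command, us
#		STRTIME		timestamp for the command, string
#
# SEE ALSO: BSM auditing.
#
# COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
#
# CDDL HEADER START
#
#  The contents of this file are subject to the terms of the
#  Common Development and Distribution License, Version 1.0 only
#  (the "License").  You may not use this file except in compliance
#  with the License.
#
#  You can obtain a copy of the license at Docs/cddl1.txt
#  or http://www.opensolaris.org/os/licensing.
#  See the License for the specific language governing permissions
#  and limitations under the License.
#
# CDDL HEADER END
#
# Author: Brendan Gregg  [Sydney, Australia]
#
# 27-Mar-2004	Brendan Gregg	Created this.
# 21-Jan-2005	   "      "	Wrapped in sh to provide options.
# 08-May-2005	   "      "	Rewritten for performance.
# 14-May-2005	   "      "	Added zonename.
# 02-Jul-2005	   "      "	Added projid, safe printing.
# 11-Sep-2005	   "      "	Increased switchrate.
# 11-Sep-2005	   "      "	Last update.
#


##############################
# --- Process Arguments ---
#

### default variables
opt_dump=0; opt_cmd=0; opt_time=0; opt_timestr=0; filter=0; command=.
opt_jailid=0; opt_safe=0

### process options
while getopts aAc:ehsvJ name
do
	case $name in
	a)	opt_time=1; opt_timestr=1; opt_jailid=1 ;;
	A)	opt_dump=1 ;;
	c)	opt_cmd=1; command=$OPTARG ;;
	e)	opt_safe=1 ;;
	s)	opt_time=1 ;;
	v)	opt_timestr=1 ;;
	J)	opt_jailid=1 ;;
	h|?)	cat <<-END >&2
		USAGE: execsnoop [-a|-A|-ehsvJ] [-c command]
		       execsnoop                # default output
		                -a              # print all data
		                -A              # dump all data, space delimited
		                -e              # safe output, parseable
		                -s              # print start time, us
		                -v              # print start time, string
		                -J              # print jail ID
		                -c command      # command name to snoop
		  eg,
		       execsnoop -v             # human readable timestamps
		       execsnoop -J             # print jail ID
		       execsnoop -c ls          # snoop ls commands only
		END
		exit 1
	esac
done

### option logic
if [ $opt_dump -eq 1 ]; then
	opt_time=0; opt_timestr=0; opt_jailid=0
fi
if [ $opt_cmd -eq 1 ]; then
	filter=1

	# The -c value is spliced verbatim into the quoted D program below
	# (inline string COMMAND = "..."), so a quote, backslash or newline
	# in it would terminate the shell or D string early and hand dtrace
	# a program we did not intend to run.  Refuse such names up front.
	nl='
'
	case "$command" in
	*'"'*|*"'"*|*\\*|*"$nl"*)
		echo "execsnoop: -c command name may not contain quotes, backslashes or newlines" >&2
		exit 1
		;;
	esac
fi


#################################
# --- Main Program, DTrace ---
#
# Every option value below is substituted into the D source text.  The
# OPT_* / FILTER values are only ever 0 or 1 (set by this script), and
# COMMAND was checked above and is double-quoted so the shell neither
# splits it on whitespace nor expands glob characters.
#
/usr/sbin/dtrace -n '
 /*
  * Command line arguments
  */
 inline int OPT_dump 	= '$opt_dump';
 inline int OPT_cmd 	= '$opt_cmd';
 inline int OPT_time 	= '$opt_time';
 inline int OPT_timestr = '$opt_timestr';
 inline int OPT_jailid 	= '$opt_jailid';
 inline int OPT_safe 	= '$opt_safe';
 inline int FILTER 	= '$filter';
 inline string COMMAND 	= "'"$command"'";

 #pragma D option quiet
 #pragma D option switchrate=10hz

 /*
  * Print header
  */
 dtrace:::BEGIN
 {
	/* print optional headers */
	OPT_time    ? printf("%-14s ", "TIME") : 1;
	OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
	OPT_jailid  ? printf("%-10s ", "JAIL ID") : 1;

	/*
	 * print main headers; the -A header is one whitespace-delimited
	 * token per column so it lines up with the data rows below
	 */
	OPT_dump ? printf("%s %s %s %s %s %s %s\n",
	    "TIME", "JAILID", "UID", "PID", "PPID", "COMM", "ARGS") :
	    printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
 }

 /*
  * Print exec event
  */
 syscall::execve:return
 /(FILTER == 0) || (OPT_cmd == 1 && COMMAND == execname)/
 {
	/* print optional fields */
	OPT_time    ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_jailid  ? printf("%-10d ", curpsinfo->pr_jailid) : 1;

	/* print main data */
	OPT_dump ? printf("%d %d %d %d %d %s ", timestamp/1000,
	    curpsinfo->pr_jailid, uid, pid, ppid, execname) :
	    printf("%5d %6d %6d ", uid, pid, ppid);
	/*
	 * pr_psargs is the traced process's own argv: %S escapes it so
	 * newlines/control bytes cannot corrupt parseable output, %s is raw
	 */
	OPT_safe ? printf("%S\n", curpsinfo->pr_psargs) :
	    printf("%s\n", curpsinfo->pr_psargs);
 }
'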