xref: /freebsd-10.0-release/cddl/contrib/dtracetoolkit/execsnoop

#!/bin/sh
#
# execsnoop - snoop process execution as it occurs.
#             Written using DTrace (Solaris 10 3/05).
#
# $Id: execsnoop 3 2007-08-01 10:50:08Z brendan $
#
# USAGE:	execsnoop [-a|-A|-ehsvJ] [-c command]
#
#		execsnoop	# default output
#
#		-a		# print all data
#		-A		# dump all data, space delimited
#		-e		# safe output - parseable
#		-s		# print start time, us
#		-v		# print start time, string
#		-J		# print jail ID
#		-c command	# command name to snoop
#	eg,
#		execsnoop -v		# human readable timestamps
#		execsnoop -J		# print jail ID
#		execsnoop -c ls		# snoop ls commands only
#
# The parseable output ensures that the ARGS field doesn't contain
# any "\n"s, which normally sometimes can - and would wreck postprocessing.
#
# FIELDS:
#		UID		User ID
#		PID		Process ID
#		PPID		Parent Process ID
#		COMM		command name for the process
#		ARGS		argument listing for the process
#		JAIL ID		Jail ID	
#		TIME		timestamp for the command, us
#		STRTIME		timestamp for the command, string
#
# SEE ALSO: BSM auditing.
#
# COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
#
# CDDL HEADER START
#
#  The contents of this file are subject to the terms of the
#  Common Development and Distribution License, Version 1.0 only
#  (the "License").  You may not use this file except in compliance
#  with the License.
#
#  You can obtain a copy of the license at Docs/cddl1.txt
#  or http://www.opensolaris.org/os/licensing.
#  See the License for the specific language governing permissions
#  and limitations under the License.
#
# CDDL HEADER END
#
# Author: Brendan Gregg  [Sydney, Australia]
#
# 27-Mar-2004	Brendan Gregg	Created this.
# 21-Jan-2005	   "	  "	Wrapped in sh to provide options.
# 08-May-2005 	   "      "	Rewritten for performance.
# 14-May-2005 	   "      "	Added zonename.
# 02-Jul-2005 	   "      "	Added projid, safe printing.
# 11-Sep-2005	   "      "	Increased switchrate.
# 11-Sep-2005	   "      "	Last update.
# 


##############################
# --- Process Arguments ---
#

### default variables
opt_dump=0; opt_cmd=0; opt_time=0; opt_timestr=0; filter=0; command=.
opt_jailid=0; opt_safe=0

### process options
while getopts aAc:ehsvJ name
do
	case $name in
	a)	opt_time=1; opt_timestr=1; opt_jailid=1 ;;
	A)	opt_dump=1 ;;
	c)	opt_cmd=1; command=$OPTARG ;;
	e)	opt_safe=1 ;;
	s)	opt_time=1 ;;
	v)	opt_timestr=1 ;;
	J)	opt_jailid=1 ;;
	h|?)	cat <<-END >&2
		USAGE: execsnoop [-a|-A|-ehjsvJ] [-c command]
		       execsnoop                # default output
		                -a              # print all data
		                -A              # dump all data, space delimited
		                -e              # safe output, parseable
		                -s              # print start time, us
		                -v              # print start time, string
		                -J              # print jail ID 
		                -c command      # command name to snoop
		  eg,
		        execsnoop -v            # human readable timestamps
		        execsnoop -J		# print jail ID 
		        execsnoop -c ls         # snoop ls commands only
		END
		exit 1
	esac
done

### option logic
if [ $opt_dump -eq 1 ]; then
	opt_time=0; opt_timestr=0; opt_jailid=0
fi
if [ $opt_cmd -eq 1 ]; then
	filter=1
fi


#################################
# --- Main Program, DTrace ---
#
/usr/sbin/dtrace -n '
 /*
  * Command line arguments
  */
 inline int OPT_dump 	= '$opt_dump';
 inline int OPT_cmd 	= '$opt_cmd';
 inline int OPT_time 	= '$opt_time';
 inline int OPT_timestr	= '$opt_timestr';
 inline int OPT_jailid  = '$opt_jailid';
 inline int OPT_safe 	= '$opt_safe';
 inline int FILTER 	= '$filter';
 inline string COMMAND 	= "'$command'";
 
 #pragma D option quiet
 #pragma D option switchrate=10hz
 
 /*
  * Print header
  */
 dtrace:::BEGIN 
 {
	/* print optional headers */
 	OPT_time    ? printf("%-14s ", "TIME") : 1;
 	OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
 	OPT_jailid    ? printf("%-10s ", "JAIL ID") : 1;

	/* print main headers */
	OPT_dump    ? printf("%s %s %s %s %s %s %s\n",
	    "TIME", "JAIL ID", "UID", "PID", "PPID", "COMM", "ARGS") :
	    printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
 }

 /*
  * Print exec event
  */
 syscall::execve:return
 /(FILTER == 0) || (OPT_cmd == 1 && COMMAND == execname)/ 
 {
	/* print optional fields */
 	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_jailid ? printf("%-10d ", curpsinfo->pr_jailid) : 1;

	/* print main data */
	OPT_dump ? printf("%d %d %d %d %d %s ", timestamp/1000,
	    curpsinfo->pr_jailid, uid, pid, ppid, execname) :
	    printf("%5d %6d %6d ", uid, pid, ppid);
	OPT_safe ? printf("%S\n", curpsinfo->pr_psargs) :
	    printf("%s\n", curpsinfo->pr_psargs);
 }
'