The following is an example of execsnoop. As processes are executed, their
details are printed out (the columns are UID, PID, PPID and ARGS, as in the
headers shown further down). Another user was logged in running a few
commands, which can be viewed below,
     100  3010  2656 cat /etc/passwd
     100  3011  2656 vi /etc/hosts
In this example the command "man gzip" was executed. The output lets us
see what the man command is actually doing: the PPID column shows man
(PID 3064) doing its work through sh -c wrappers that in turn run tbl,
nroff, mv and more,
     100  3064  2656 man gzip
     100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man -
     100  3067  3066 tbl /usr/share/man/man1/gzip.1
     100  3068  3066 nroff -u0 -Tlp -man -
     100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2>
     100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
     100  3071  3064 sh -c more -s /tmp/mpoMaa_f
     100  3072  3071 more -s /tmp/mpoMaa_f
Execsnoop has other options,
   USAGE: execsnoop [-a|-A|-sv] [-c command]
          execsnoop                # default output
                    -A             # dump all data, space delimited
                    -s             # include start time, us
                    -v             # include start time, string
                    -c command     # command name to snoop
In particular the verbose option for human-readable timestamps is
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:07:22     0 23053 20933 date
   2005 Jan 22 00:07:24     0 23054 20933 uname -a
   2005 Jan 22 00:07:25     0 23055 20933 ls -latr
   2005 Jan 22 00:07:27     0 23056 20933 df -k
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   2005 Jan 22 00:07:34     0 23058 20933 uptime
It is also possible to match particular commands. Here we watch
anyone using the vi command only,
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
   2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
   2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
   2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
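Added example (not code from the DTraceToolkit or from this page): a small Python parser for the two layouts shown above, the default UID/PID/PPID/ARGS columns and the -v form with STRTIME, that follows PPID links back through a capture (as in the man gzip output) and flags executions naming a watched path. The sample lines and the watch list are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the -v layout shown on this page (not a real capture).
SAMPLE = """\
STRTIME UID PID PPID ARGS
2005 Jan 22 00:10:33 0 23063 20933 vi /etc/passwd
2005 Jan 22 00:10:40 0 23064 20933 vi /etc/shadow
2005 Jan 22 00:10:51 0 23065 20933 cat /etc/group
2005 Jan 22 00:10:57 0 23066 20933 vi /.rhosts
2005 Jan 22 00:11:02 0 23067 23066 sh -c cp /tmp/x /tmp/y
"""
SENSITIVE = ("/etc/shadow", "/.rhosts", "/etc/sudoers")  # hypothetical watch list

@dataclass
class Exec:
    strtime: Optional[str]  # None when execsnoop was run without -v
    uid: int
    pid: int
    ppid: int
    args: str

def parse_execsnoop(text: str) -> List[Exec]:
    """Parse execsnoop output; the header line says whether STRTIME is present."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    verbose = lines[0].split()[0] == "STRTIME"
    events = []
    for line in lines[1:]:
        # STRTIME is four tokens ("2005 Jan 22 00:10:33"); split off the fixed
        # columns and keep the remainder (which may contain spaces) as ARGS.
        fields = line.split(None, 7 if verbose else 3)
        base = 4 if verbose else 0
        strtime = " ".join(fields[:4]) if verbose else None
        uid, pid, ppid = (int(f) for f in fields[base:base + 3])
        args = fields[base + 3] if len(fields) > base + 3 else ""
        events.append(Exec(strtime, uid, pid, ppid, args))
    return events

def ancestry(events: List[Exec], pid: int) -> List[str]:
    """Follow PPID links back through the capture until the parent is unknown."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < len(by_pid):  # bound guards a PPID cycle
        chain.append(by_pid[pid].args)
        pid = by_pid[pid].ppid
    return chain

def flag_sensitive(events: List[Exec], paths=SENSITIVE) -> List[Exec]:
    # Substring match so "/home/x/.rhosts" is caught as well as "/.rhosts".
    return [e for e in events if any(p in e.args for p in paths)]
```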