3 # execsnoop - snoop process execution as it occurs.
4 # Written using DTrace (Solaris 10 3/05).
6 # $Id: execsnoop 3 2007-08-01 10:50:08Z brendan $
8 # USAGE: execsnoop [-a|-A|-ehsvJ] [-c command]
10 # execsnoop # default output
13 # -A # dump all data, space delimited
14 # -e # safe output - parseable
15 # -s # print start time, us
16 # -v # print start time, string
18 # -c command # command name to snoop
20 # execsnoop -v # human readable timestamps
21 # execsnoop -J # print jail ID
22 # execsnoop -c ls # snoop ls commands only
24 # The parseable output ensures that the ARGS field doesn't contain
25 # any "\n"s, which normally sometimes can - and would wreck postprocessing.
30 # PPID Parent Process ID
31 # COMM command name for the process
32 # ARGS argument listing for the process
34 # TIME timestamp for the command, us
35 # STRTIME timestamp for the command, string
37 # SEE ALSO: BSM auditing.
39 # COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
43 # The contents of this file are subject to the terms of the
44 # Common Development and Distribution License, Version 1.0 only
45 # (the "License"). You may not use this file except in compliance
48 # You can obtain a copy of the license at Docs/cddl1.txt
49 # or http://www.opensolaris.org/os/licensing.
50 # See the License for the specific language governing permissions
51 # and limitations under the License.
55 # Author: Brendan Gregg [Sydney, Australia]
57 # 27-Mar-2004 Brendan Gregg Created this.
58 # 21-Jan-2005 " " Wrapped in sh to provide options.
59 # 08-May-2005 " " Rewritten for performance.
60 # 14-May-2005 " " Added zonename.
61 # 02-Jul-2005 " " Added projid, safe printing.
62 # 11-Sep-2005 " " Increased switchrate.
63 # 11-Sep-2005 " " Last update.
67 ##############################
68 # --- Process Arguments ---
72 opt_dump=0; opt_cmd=0; opt_time=0; opt_timestr=0; filter=0; command=.
73 opt_jailid=0; opt_safe=0
76 while getopts aAc:ehsvJ name
79 a) opt_time=1; opt_timestr=1; opt_jailid=1 ;;
81 c) opt_cmd=1; command=$OPTARG ;;
87 USAGE: execsnoop [-a|-A|-ehjsvJ] [-c command]
88 execsnoop # default output
90 -A # dump all data, space delimited
91 -e # safe output, parseable
92 -s # print start time, us
93 -v # print start time, string
95 -c command # command name to snoop
97 execsnoop -v # human readable timestamps
98 execsnoop -J # print jail ID
99 execsnoop -c ls # snoop ls commands only
106 if [ $opt_dump -eq 1 ]; then
107 opt_time=0; opt_timestr=0; opt_jailid=0
109 if [ $opt_cmd -eq 1 ]; then
114 #################################
115 # --- Main Program, DTrace ---
117 /usr/sbin/dtrace -n '
119 * Command line arguments
121 inline int OPT_dump = '$opt_dump';
122 inline int OPT_cmd = '$opt_cmd';
123 inline int OPT_time = '$opt_time';
124 inline int OPT_timestr = '$opt_timestr';
125 inline int OPT_jailid = '$opt_jailid';
126 inline int OPT_safe = '$opt_safe';
127 inline int FILTER = '$filter';
128 inline string COMMAND = "'$command'";
130 #pragma D option quiet
131 #pragma D option switchrate=10hz
138 /* print optional headers */
139 OPT_time ? printf("%-14s ", "TIME") : 1;
140 OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
141 OPT_jailid ? printf("%-10s ", "JAIL ID") : 1;
143 /* print main headers */
144 OPT_dump ? printf("%s %s %s %s %s %s %s\n",
145 "TIME", "JAIL ID", "UID", "PID", "PPID", "COMM", "ARGS") :
146 printf("%5s %6s %6s %s\n", "UID", "PID", "PPID", "ARGS");
152 syscall::execve:return
153 /(FILTER == 0) || (OPT_cmd == 1 && COMMAND == execname)/
155 /* print optional fields */
156 OPT_time ? printf("%-14d ", timestamp/1000) : 1;
157 OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
158 OPT_jailid ? printf("%-10d ", curpsinfo->pr_jailid) : 1;
160 /* print main data */
161 OPT_dump ? printf("%d %d %d %d %d %s ", timestamp/1000,
162 curpsinfo->pr_jailid, uid, pid, ppid, execname) :
163 printf("%5d %6d %6d ", uid, pid, ppid);
164 OPT_safe ? printf("%S\n", curpsinfo->pr_psargs) :
165 printf("%s\n", curpsinfo->pr_psargs);
projects / FreeBSD / stable / 10.git / blob