3 * setuids.d - snoop setuid calls. This can examine user logins.
4 * Written in DTrace (Solaris 10 3/05).
6 * $Id: setuids.d 3 2007-08-01 10:50:08Z brendan $
12 * SUID set user ID (to)
13 * PPID parent process ID
16 * CMD command (full arguments)
18 * SEE ALSO: BSM auditing
20 * COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
24 * The contents of this file are subject to the terms of the
25 * Common Development and Distribution License, Version 1.0 only
26 * (the "License"). You may not use this file except in compliance
29 * You can obtain a copy of the license at Docs/cddl1.txt
30 * or http://www.opensolaris.org/os/licensing.
31 * See the License for the specific language governing permissions
32 * and limitations under the License.
36 * 09-May-2004 Brendan Gregg Created this.
37 * 08-May-2005 " " Used modern variable builtins.
38 * 28-Jul-2005 " " Last update.
/*
 * Quiet mode: suppress DTrace's default per-probe output so that only the
 * explicit printf() calls in this script are written.
 */
41 #pragma D option quiet
/*
 * Column header. The six labels line up with the six values printed by the
 * syscall::setuid:return clause: UID, SUID, PPID, PID, PCMD, CMD.
 * NOTE(review): the clause that encloses this printf() is not part of this
 * listing -- presumably dtrace:::BEGIN; confirm against the full script.
 */
48 printf("%5s %5s %5s %5s %-12s %s\n",
49 "UID", "SUID", "PPID", "PID", "PCMD", "CMD");
63 * Print output on success
/*
 * Report one line per successful setuid() call.
 *
 * The predicate keeps only returns where arg0 (the syscall return value in a
 * return probe) is 0 and the thread-local flag self->ok is set. Failed
 * setuid() attempts are therefore not printed by this clause.
 * self->ok, self->uid and self->suid are assigned outside this listing --
 * presumably in the matching setuid:entry clause; confirm.
 *
 * NOTE(review): only syscall::setuid probes appear in this listing, so
 * identity changes made through other calls would not show up here. The
 * header points to BSM auditing; treat this output as a diagnostic view
 * rather than an audit record, since DTrace may drop events under load.
 */
65 syscall::setuid:return
66 /arg0 == 0 && self->ok/
/*
 * PCMD is the parent's short command name, read from kernel structures via
 * curthread (NOTE(review): reading kernel data normally needs elevated
 * DTrace privileges -- confirm for the target system).
 * CMD is curpsinfo->pr_psargs, printed with %S so that non-printable bytes
 * are escaped instead of being written raw to the terminal.
 * NOTE(review): pr_psargs is a fixed-size field, so long command lines are
 * truncated, and argument strings can contain secrets passed on the command
 * line -- handle saved output accordingly.
 */
68 printf("%5d %5d %5d %5d %-12s %S\n",
69 self->uid, self->suid, ppid, pid,
70 curthread->t_procp->p_parent->p_user.u_comm,
71 curpsinfo->pr_psargs);
77 syscall::setuid:return