.TH capable 8 "2016-09-13" "USER COMMANDS"
.SH NAME
capable \- Trace security capability checks (cap_capable()).
.SH SYNOPSIS
.B capable [\-h] [\-v] [\-p PID]
.SH DESCRIPTION
This traces security capability checks in the kernel, and prints details for
each call. This can be useful for general debugging, and also for security
enforcement: determining a whitelist of capabilities an application needs.

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF, bcc.
.SH OPTIONS
.TP
\-h
Print usage message.
.TP
\-v
Include non-audit capability checks. These are those deemed not interesting and
not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to
affect the behavior of overcommit.
.TP
\-p PID
Trace this process ID only.
.SH EXAMPLES
.TP
Trace all capability checks system-wide:
#
.B capable
.TP
Trace capability checks for PID 181:
#
.B capable \-p 181
.SH FIELDS
.TP
TIME(s)
Time of capability check: HH:MM:SS.
.TP
UID
User ID.
.TP
PID
Process ID.
.TP
COMM
Process name.
.TP
CAP
Capability number.
.TP
NAME
Capability name. See capabilities(7) for descriptions.
.TP
AUDIT
Whether this was an audit event. Use \-v to include non-audit events.
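As an added example (not part of bcc or this man page), the following Python script turns capable output in the column layout described above into the per-process capability whitelist that DESCRIPTION names as a use case. The sample output it parses is constructed for illustration, and CapabilityBoundingSet= is the systemd.exec(5) directive such a list can feed.

```python
"""Per-process capability whitelist from `capable` output.

Added example, not bcc code: parses the FIELDS columns (TIME, UID, PID, COMM,
CAP, NAME, AUDIT) and collects, per command name, the capabilities actually
checked. Non-audit checks (AUDIT 0, shown only with -v) are skipped by default,
since the kernel itself deems them not worth auditing.
"""
from collections import defaultdict

# Constructed sample in the layout of `capable -v` output; not a real capture.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:24  0      7003   chmod            4    CAP_FSETID           1
22:11:24  0      6990   run              21   CAP_SYS_ADMIN        0
22:11:24  0      7003   chmod            3    CAP_FOWNER           1
"""


def parse_capable(text):
    """Yield (pid, comm, cap_number, cap_name, audit) for each check record."""
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a 7-column record.
        if len(fields) != 7 or fields[0].startswith("TIME"):
            continue
        _time, _uid, pid, comm, cap, name, audit = fields
        yield int(pid), comm, int(cap), name, audit == "1"


def capability_whitelist(text, include_non_audit=False):
    """Map each COMM to the sorted list of capability names checked for it."""
    caps = defaultdict(set)
    for _pid, comm, _cap, name, audit in parse_capable(text):
        if audit or include_non_audit:
            caps[comm].add(name)
    return {comm: sorted(names) for comm, names in caps.items()}


def systemd_bounding_set(names):
    """Render a capability list as a CapabilityBoundingSet= line (systemd.exec(5))."""
    return "CapabilityBoundingSet=" + " ".join(names)


if __name__ == "__main__":
    for comm, names in sorted(capability_whitelist(SAMPLE_OUTPUT).items()):
        print(f"{comm:16s} {systemd_bounding_set(names)}")
```

Pipe a real capture into the script in place of SAMPLE_OUTPUT only after exercising the application fully, since a capability never checked during the trace window will be missing from the list.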
.SH OVERHEAD
This adds low-overhead instrumentation to capability checks, which are expected
to be low frequency; however, that depends on the application. Test in a lab
environment before use.
.SH SOURCE
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
capabilities(7)