tools/execsnoop_example.txt

Demonstrations of execsnoop, the Linux eBPF/bcc version.


execsnoop traces new processes. For example:

# ./execsnoop 
PCOMM            PID    RET ARGS
supervise        9660     0 ./run
supervise        9661     0 ./run
mkdir            9662     0 /bin/mkdir -p ./main
run              9663     0 ./run
chown            9664     0 /bin/chown nobody:nobody ./main
run              9665     0 /bin/mkdir -p ./main
supervise        9667     0 ./run
run              9660    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
chown            9668     0 /bin/chown nobody:nobody ./main
run              9666     0 /bin/chmod 0777 main
run              9663    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
run              9669     0 /bin/mkdir -p ./main
run              9661    -2 /usr/local/bin/setuidgid nobody /command/multilog t ./main
supervise        9670     0 ./run
[...]

The output shows the parent process/command name (PCOMM), the PID, the return
value of the exec() (RET), and the filename with arguments (ARGS). The example
above shows various regular system daemon activity, including some failures
(trying to execute a /usr/local/bin/setuidgid, which I just noticed doesn't
exist).

It works by traces the execve() system call (commonly used exec() variant), and
shows details of the arguments and return value. This catches new processes
that follow the fork->exec sequence, as well as processes that re-exec()
themselves. Some applications fork() but do not exec(), eg, for worker
processes, which won't be included in the execsnoop output.


The -X option can be used to only show successful exec()s. For example, tracing
a "man ls":

# ./execsnoop -X
PCOMM            PID    RET ARGS
bash             15887    0 /usr/bin/man ls
preconv          15894    0 /usr/bin/preconv -e UTF-8
man              15896    0 /usr/bin/tbl
man              15897    0 /usr/bin/nroff -mandoc -rLL=169n -rLT=169n -Tutf8
man              15898    0 /usr/bin/pager -s
nroff            15900    0 /usr/bin/locale charmap
nroff            15901    0 /usr/bin/groff -mtty-char -Tutf8 -mandoc -rLL=169n -rLT=169n
groff            15902    0 /usr/bin/troff -mtty-char -mandoc -rLL=169n -rLT=169n -Tutf8
groff            15903    0 /usr/bin/grotty

This shows the various commands used to process the "man ls" command.


A -t option can be used to include a timestamp column, and a -n option to match
on a name or substring from the full command line (filename + args). Regular
expressions are allowed. For example, matching commands containing "mount":

# ./execsnoop -tn mount
TIME(s) PCOMM            PID    RET ARGS
2.849   bash             18049    0 /bin/mount -p


USAGE message:

# ./execsnoop -h
usage: execsnoop [-h] [-t] [-X] [-n NAME]

Trace exec() syscalls

optional arguments:
  -h, --help            show this help message and exit
  -t, --timestamp       include timestamp on output
  -X, --excludefails    exclude failed exec()s
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg

examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -X        # only show successful exec()s
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"