Brendan Gregg | 1298998 | 2016-09-14 08:15:09 -0700

Demonstrations of capable, the Linux eBPF/bcc version.


capable traces calls to the kernel cap_capable() function, which does security
capability checks, and prints details for each call. For example:

# ./capable.py
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      7006   chown            4    CAP_FSETID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        7    CAP_SETUID           1
22:11:24  0      7013   run              24   CAP_SYS_RESOURCE     1
22:11:24  0      7026   chmod            3    CAP_FOWNER           1
22:11:24  0      7026   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7028   chmod            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7029   chown            4    CAP_FSETID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        6    CAP_SETGID           1
22:11:24  0      7013   setuidgid        7    CAP_SETUID           1
22:11:25  0      7036   run              24   CAP_SYS_RESOURCE     1
22:11:25  0      7049   chmod            3    CAP_FOWNER           1
22:11:25  0      7049   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
22:11:25  0      7051   chmod            4    CAP_FSETID           1
[...]

This can be useful for general debugging, and also security enforcement:
determining a whitelist of capabilities an application needs.

The output above includes various capability checks: snmpd checking
CAP_NET_ADMIN, run checking CAP_SYS_RESOURCE, then some short-lived processes
checking CAP_FOWNER, CAP_FSETID, etc.

To see what each of these capabilities does, check the capabilities(7) man
page and the kernel source.


Sometimes capable catches itself starting up:

# ./capable.py
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21949  capable.py       21   CAP_SYS_ADMIN        1
22:22:19  0      21952  run              24   CAP_SYS_RESOURCE     1
[...]

These are capability checks from BPF and perf_events syscalls.


USAGE:

# ./capable.py -h
usage: capable.py [-h] [-v] [-p PID]

Trace security capability checks

optional arguments:
  -h, --help         show this help message and exit
  -v, --verbose      include non-audit checks
  -p PID, --pid PID  trace this PID only

examples:
    ./capable           # trace capability checks
    ./capable -v        # verbose: include non-audit checks
    ./capable -p 181    # only trace PID 181
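The whitelist use case mentioned above (working out which capabilities an
application actually needs) starts with post-processing capable's output. The
script below is an added example, not part of bcc or the capable tool: it
parses the TIME UID PID COMM CAP NAME AUDIT lines, builds a per-command set of
the capabilities checked, and reports audited checks that fall outside a known
allowlist. The sample output embedded in it is constructed from the rows shown
on this page (plus one AUDIT=0 row of the kind capable -v prints); the snmpd
and chmod allowlist is a hypothetical one for that sample.

```python
"""Build a per-program capability profile from capable output.

Added example (not part of bcc or capable): parses the lines capable prints,
collects the distinct capabilities each command checked, and flags checks
outside a known allowlist. Pipe `./capable.py` output into it, or run it
as-is on the constructed sample below.
"""
import sys
from collections import defaultdict

# Constructed sample in capable's output format (not a real capture).
# The last row has AUDIT=0, which capable only prints with -v.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:23  0      6990   setuidgid        6    CAP_SETGID           1
22:11:23  0      6990   setuidgid        7    CAP_SETUID           1
22:11:24  114    2676   snmpd            21   CAP_SYS_ADMIN        0
"""


def parse_capable_output(text):
    """Parse capable output into dicts; skips the header and '[...]' lines.

    COMM is rebuilt from the middle fields so a command name containing
    spaces still parses: three fixed fields precede it, three follow it.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "TIME":
            continue
        time, uid, pid = fields[0], fields[1], fields[2]
        cap, name, audit = fields[-3], fields[-2], fields[-1]
        if not (uid.isdigit() and pid.isdigit() and cap.isdigit() and audit.isdigit()):
            continue  # not a data row
        records.append({
            "time": time, "uid": int(uid), "pid": int(pid),
            "comm": " ".join(fields[3:-3]),
            "cap": int(cap), "name": name, "audit": int(audit),
        })
    return records


def capability_profile(records, audited_only=True):
    """Map each command name to the sorted list of capabilities it checked.

    With audited_only, non-audit checks (AUDIT=0, shown by capable -v) are
    ignored, matching capable's default view.
    """
    profile = defaultdict(set)
    for r in records:
        if audited_only and r["audit"] == 0:
            continue
        profile[r["comm"]].add(r["name"])
    return {comm: sorted(caps) for comm, caps in profile.items()}


def unexpected_checks(records, allowlist):
    """Return (comm, pid, name) for audited checks outside the allowlist.

    allowlist maps comm -> set of capability names that program is expected
    to use; a command absent from the allowlist is reported for every
    capability it checks.
    """
    hits = []
    for r in records:
        if r["audit"] == 0:
            continue
        if r["name"] not in allowlist.get(r["comm"], set()):
            hits.append((r["comm"], r["pid"], r["name"]))
    return hits


if __name__ == "__main__":
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    recs = parse_capable_output(text or SAMPLE_OUTPUT)
    for comm, caps in sorted(capability_profile(recs).items()):
        print("%-16s %s" % (comm, " ".join(caps)))
    # Hypothetical allowlist for the sample: what snmpd and chmod are expected to need.
    allow = {"snmpd": {"CAP_NET_ADMIN"}, "chmod": {"CAP_FOWNER", "CAP_FSETID"}}
    for comm, pid, name in unexpected_checks(recs, allow):
        print("unexpected: %s (pid %d) checked %s" % (comm, pid, name))
```

Run it as `./capable.py | python3 capprofile.py` over a representative workload
and the printed profile is the starting point for the capability set to grant
(and everything else to drop); once that set is fixed, the allowlist check turns
the same trace into a simple detector for a program reaching for a capability it
was never expected to use.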