capable - Trace security capability checks (cap_capable()).
capable [-h] [-v] [-p PID]
This traces security capability checks in the kernel, and prints details for
each call. This can be useful for general debugging, and also security
enforcement: determining a white list of capabilities an application needs.
Since this uses BPF, only the root user can use this tool.
-h USAGE message.
- Include non-audit capability checks. These are those deemed
not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks
on memory allocation to affect the behavior of overcommit.
- Trace all capability checks system-wide:
- # capable
- Trace capability checks for PID 181:
- # capable -p 181
- Time of capability check: HH:MM:SS.
- User ID.
- Process ID.
- Process name. CAP Capability number. NAME Capability name.
See capabilities(7) for descriptions.
- Whether this was an audit event. Use -v to include
This adds low-overhead instrumentation to capability checks, which are expected
to be low frequency, however, that depends on the application. Test in a lab
environment before use.
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
Unstable - in development.