My slightly modified version of execsnoop.d; it currently only traces the exece system call (not the plain exec variant), and only reports execs that succeeded.
#!/usr/sbin/dtrace -s | |
/* | |
** execsnoop.d - snoop process execution as it occurs. | |
** Written in DTrace (Solaris 10 build 51). | |
** | |
** NOTE: This version is deprecated. See "execsnoop", | |
** http://www.brendangregg.com/dtrace.html | |
** | |
** 27-Mar-2004, ver 0.60 | |
** | |
** | |
** USAGE: ./execsnoop.d
**        (run as root, or with whatever DTrace privileges your platform
**        requires for system-wide syscall tracing)
**
** Different styles of output can be selected by changing
** the "PFORMAT" variable below.
** | |
** FIELDS:
** UID   user ID (the caller's effective uid at exece() entry; for a
**       set-uid target the new image's euid will differ from this)
** PID   process ID
** PPID  parent process ID
** CMD   command line as held in pr_psargs -- a fixed-size kernel buffer,
**       so long argument lists are truncated; note also that only
**       successful execs are printed, failed attempts are not shown
** TIME  end timestamp, us
** STIME start timestamp, us
** | |
** SEE ALSO: BSM auditing | |
** | |
** Standard Disclaimer: This is freeware, use at your own risk. | |
** | |
** 27-Mar-2004 Brendan Gregg Created this. | |
** | |
*/ | |
inline int PFORMAT = 1;
/* Output style selector. It is an inline constant, so the clauses below
** are selected at compile time: edit this value and re-run the script.
** 1 - Default output: UID PID PPID CMD
** 2 - Timestamp output: prepends TIME (exec completion, us)
** 3 - Everything, space delimited (for spreadsheets): STIME TIME UID PID PPID CMD
*/
/* Suppress DTrace's default per-probe output; only our printf()s are shown. */
#pragma D option quiet
/*
** Print header
**
** One BEGIN clause per PFORMAT value; the predicates are mutually
** exclusive, so exactly one header line is emitted. The literal headers
** below are pre-padded to the same widths as the %5d / %-14d data
** columns used by the matching exece:return clause, so the column
** labels line up with the values printed underneath them.
*/
dtrace:::BEGIN
/PFORMAT == 1/
{
	printf("  UID   PID  PPID CMD\n");
}
dtrace:::BEGIN
/PFORMAT == 2/
{
	printf("TIME             UID   PID  PPID CMD\n");
}
dtrace:::BEGIN
/PFORMAT == 3/
{
	printf("STIME TIME UID PID PPID CMD\n");
}
/*
** Main
**
** exece:entry fires in the context of the process that is about to be
** replaced. Everything except the argument string is snapshotted into
** thread-local (self->) variables here and printed by the :return
** clauses; the argument string itself is kept as a pointer and only
** dereferenced (stringof) at :return. Presumably that is so the printed
** CMD reflects the exec'd image rather than the caller's own argv --
** NOTE(review): confirm this on the target kernel before relying on it.
*/
syscall::exece:entry
{
	self->time = timestamp;
	/* pid/ppid/uid are the caller's values; pid and ppid survive the exec,
	** but uid is the caller's euid at this instant -- a set-uid target will
	** run with a different euid than the one reported. */
	self->pid  = pid;
	self->ppid = curpsinfo->pr_ppid;
	self->uid  = curpsinfo->pr_euid;
	/*
	** Pointer, not a copy, on purpose (see above). pr_psargs is a
	** fixed-size kernel buffer: long command lines are truncated, and
	** argv is attacker-controlled, so treat CMD as a hint and correlate
	** with audit records before acting on it.
	*/
	self->args = (char *)curpsinfo->pr_psargs;
}
/*
** Print output
**
** Only successful execs are reported: arg0 is the exece() return value
** and every predicate below requires it to be 0. Failed attempts
** (EACCES, ENOENT, ...) are dropped silently, so this script is not a
** record of *attempted* executions -- use BSM auditing for that.
** Exactly one of the three clauses is compiled in, chosen by PFORMAT.
*/
syscall::exece:return
/arg0 == 0 && PFORMAT == 1/
{
	printf("%5d %5d %5d %s\n", self->uid, self->pid, self->ppid,
	    stringof(self->args));
}
syscall::exece:return
/arg0 == 0 && PFORMAT == 2/
{
	/* completion time in microseconds (timestamp is ns) */
	this->now = timestamp / 1000;
	printf("%-14d %5d %5d %5d %s\n", this->now, self->uid, self->pid,
	    self->ppid, stringof(self->args));
}
syscall::exece:return
/arg0 == 0 && PFORMAT == 3/
{
	/* start (captured at :entry) and completion, both in microseconds */
	this->start = self->time / 1000;
	this->now = timestamp / 1000;
	printf("%d %d %d %d %d %s\n", this->start, this->now, self->uid,
	    self->pid, self->ppid, stringof(self->args));
}
/*
** Cleanup
**
** Unpredicated, so the thread-local slots are released on every return,
** successful or not (DTrace reclaims a thread's self-> storage once all
** of its members are zero, which keeps dynamic variable space from
** filling up under heavy exec load). This clause must stay after the
** print clauses: clauses for the same probe fire in program order.
*/
syscall::exece:return
{
	self->args = 0;
	self->ppid = 0;
	self->pid = 0;
	self->uid = 0;
	self->time = 0;
}