.TH capable 8 "2020-03-08" "USER COMMANDS"
.SH NAME
capable \- Trace security capability checks (cap_capable()).
.SH SYNOPSIS
.B capable [\-h] [\-v] [\-p PID] [\-K] [\-U] [\-x] [\-\-cgroupmap MAPPATH]
.B [\-\-mntnsmap MAPPATH] [\-\-unique]
.SH DESCRIPTION
This traces security capability checks in the kernel, and prints details for
each call. This can be useful for general debugging, and also for security
enforcement: determining the whitelist of capabilities an application needs.

Since this uses BPF, only the root user can use this tool.
.SH REQUIREMENTS
CONFIG_BPF, bcc.
.SH OPTIONS
.TP
\-h
USAGE message.
.TP
\-v
Include non-audit capability checks. These are those deemed not interesting and
not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to
affect the behavior of overcommit.
.TP
\-p PID
Trace this process ID only.
.TP
\-K
Include kernel stack traces in the output.
.TP
\-U
Include user-space stack traces in the output.
.TP
\-x
Show the extra TID and INSETID columns.
.TP
\-\-cgroupmap MAPPATH
Trace cgroups in this BPF map only (filtered in-kernel).
.TP
\-\-mntnsmap MAPPATH
Trace mount namespaces in this BPF map only (filtered in-kernel).
.TP
\-\-unique
Don't repeat stacks for the same PID or cgroup.
.SH EXAMPLES
.TP
Trace all capability checks system-wide:
#
.B capable
.TP
Trace capability checks for PID 181:
#
.B capable \-p 181
.TP
Trace capability checks in a set of cgroups only (see special_filtering.md
from bcc sources for more details):
#
.B capable \-\-cgroupmap /sys/fs/bpf/test01
.SH FIELDS
.TP
TIME(s)
Time of capability check: HH:MM:SS.
.TP
UID
User ID.
.TP
PID
Process ID.
.TP
COMM
Process name.
.TP
CAP
Capability number.
.TP
NAME
Capability name. See capabilities(7) for descriptions.
.TP
AUDIT
Whether this was an audit event. Use \-v to include non-audit events.
.TP
INSETID
Whether the INSETID bit was set (Linux >= 5.1).
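.PP
The whitelist use mentioned under DESCRIPTION can be built from these fields. What follows is an added example, not part of bcc or the capable tool: it parses constructed sample output (the column layout and the header line that names the columns are assumed from the FIELDS section) and collects, per COMM, the capabilities the program was checked for, dropping non-audit checks unless asked to keep them.

```python
from collections import defaultdict
from typing import NamedTuple

class CapCheck(NamedTuple):
    uid: int
    pid: int
    comm: str
    cap: int
    name: str
    audit: bool

# Constructed sample, not captured from a real system. The header names the
# columns, so the same parser copes with the extra TID/INSETID columns of -x.
SAMPLE_OUTPUT = """\
TIME(s)   UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:24  0      7003   chmod            4    CAP_FSETID           1
22:11:24  0      7010   vim              21   CAP_SYS_ADMIN        0
22:11:24  114    2676   snmpd            12   CAP_NET_ADMIN        1
"""

def parse_capable_output(text):
    """Parse whitespace-separated columns, locating each field by its header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("TIME"):
        raise ValueError("capable output must start with its header line")
    col = {name: i for i, name in enumerate(lines[0].split())}
    checks = []
    for ln in lines[1:]:
        f = ln.split()
        if len(f) != len(col):
            continue  # truncated or garbled line: skip rather than misattribute
        checks.append(CapCheck(int(f[col["UID"]]), int(f[col["PID"]]),
                               f[col["COMM"]], int(f[col["CAP"]]),
                               f[col["NAME"]], f[col["AUDIT"]] == "1"))
    return checks

def capability_whitelist(checks, include_non_audit=False):
    """Map each COMM to the capability names it was checked for. Non-audit
    checks (AUDIT 0, shown only with -v) are dropped unless asked for."""
    needed = defaultdict(set)
    for c in checks:
        if c.audit or include_non_audit:
            needed[c.comm].add(c.name)
    return dict(needed)

if __name__ == "__main__":
    wl = capability_whitelist(parse_capable_output(SAMPLE_OUTPUT))
    for comm in sorted(wl):
        print(f"{comm}: {' '.join(sorted(wl[comm]))}")
```

Run it against real output by piping "capable" (or "capable -v -x") into a file and passing its contents to parse_capable_output.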
.SH OVERHEAD
This adds low-overhead instrumentation to capability checks, which are expected
to be low frequency; however, that depends on the application. Test in a lab
environment before use.
.SH SOURCE
This is from bcc.
.IP
https://github.com/iovisor/bcc
.PP
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
.SH OS
Linux
.SH STABILITY
Unstable - in development.
.SH AUTHOR
Brendan Gregg
.SH SEE ALSO
capabilities(7)