execsnoop_example.txt   [plain text]

The following is an example of execsnoop. As processes are executed their
details are printed out. Another user was logged in running a few commands
which can be viewed below,

  # ./execsnoop
    UID   PID  PPID ARGS
    100  3008  2656 ls
    100  3009  2656 ls -l
    100  3010  2656 cat /etc/passwd
    100  3011  2656 vi /etc/hosts
    100  3012  2656 date
    100  3013  2656 ls -l
    100  3014  2656 ls
    100  3015  2656 finger
  [...]



In this example the command "man gzip" was executed. The output lets us
see what the man command is actually doing,

  # ./execsnoop
    UID   PID  PPID ARGS
    100  3064  2656 man gzip
    100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man - 
    100  3067  3066 tbl /usr/share/man/man1/gzip.1
    100  3068  3066 nroff -u0 -Tlp -man -
    100  3066  3065 col -x
    100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2> 
    100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
    100  3071  3064 sh -c more -s /tmp/mpoMaa_f
    100  3072  3071 more -s /tmp/mpoMaa_f
  ^C
  


Execsnoop has other options,

  # ./execsnoop -h
  USAGE: execsnoop [-a|-A|-sv] [-c command]
         execsnoop                # default output
                  -a              # print all data
                  -A              # dump all data, space delimited
                  -s              # include start time, us
                  -v              # include start time, string
                  -c command      # command name to snoop



In particular the verbose option for human readable timestamps is 
very useful,

  # ./execsnoop -v
  STRTIME                UID   PID  PPID ARGS
  2005 Jan 22 00:07:22     0 23053 20933 date
  2005 Jan 22 00:07:24     0 23054 20933 uname -a
  2005 Jan 22 00:07:25     0 23055 20933 ls -latr
  2005 Jan 22 00:07:27     0 23056 20933 df -k
  2005 Jan 22 00:07:29     0 23057 20933 ps -ef
  2005 Jan 22 00:07:29     0 23057 20933 ps -ef
  2005 Jan 22 00:07:34     0 23058 20933 uptime
  2005 Jan 22 00:07:34     0 23058 20933 uptime
  [...]



It is also possible to match particular commands. Here we watch
anyone using the vi command only,

  # ./execsnoop -vc vi 
  STRTIME                UID   PID  PPID ARGS
  2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
  2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
  2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
  2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
  [...]