bcc-capable man page
Name
    capable - Trace security capability checks (cap_capable()).

Synopsis
    capable [-h] [-v] [-p PID]

Description
    This traces security capability checks in the kernel, and prints details for
    each call. This can be useful for general debugging, and also security
    enforcement: determining a white list of capabilities an application needs.

    Since this uses BPF, only the root user can use this tool.

Requirements
    CONFIG_BPF, bcc.

Options
    -h
        USAGE message.

    -v
        Include non-audit capability checks (see the AUDIT field below).

    -p PID
        Trace this PID only.

Examples
    Trace all capability checks system-wide:
        # capable

    Trace capability checks for PID 181:
        # capable -p 181

Fields
    TIME
        Time of capability check: HH:MM:SS.

    UID
        User ID.

    PID
        Process ID.

    COMM
        Process name.

    CAP
        Capability number.

    NAME
        Capability name. See capabilities(7) for descriptions.

    AUDIT
        Whether this was an audit event. Use -v to include non-audit events.

    INSETID
        Whether the INSETID bit was set (Linux >= 5.1).

Overhead
    This adds low-overhead instrumentation to capability checks, which are
    expected to be low frequency; however, that depends on the application.
    Test in a lab environment before use.

Source
    This is from bcc.

        https://github.com/iovisor/bcc

    Also look in the bcc distribution for a companion _examples.txt file
    containing example usage, output, and commentary for this tool.

OS
    Linux

Stability
    Unstable - in development.

Author
    Brendan Gregg

See Also
    capabilities(7)
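The Description section names the main security use of this tool: working out the white list of capabilities an application actually needs, so that everything else can be dropped. The following script is an added example, not part of bcc or of this man page: it post-processes capable output in the column layout described under Fields (TIME UID PID COMM CAP NAME AUDIT INSETID) and reports, per process name, the set of capability names that were checked. The sample lines are constructed, not captured from a real system, and the helper names (parse_capable, capability_allow_list, insetid_events) are this example's own.

```python
"""Turn capable(8) output into a per-process capability allow list.

Added example, not part of bcc. It reads the documented columns
(TIME UID PID COMM CAP NAME AUDIT INSETID) and aggregates, for each
process name, the capabilities that were checked. By default only audit
events count, matching capable's default output; include_non_audit=True
mirrors what `capable -v` would have shown.
"""
import re
from collections import defaultdict

# Constructed sample in the documented column layout (not real output).
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT  INSETID
10:20:01  0      1234   ping             13   CAP_NET_RAW          1      0
10:20:01  0      1234   ping             13   CAP_NET_RAW          1      0
10:20:02  1000   1240   myserver         10   CAP_NET_BIND_SERVICE 1      0
10:20:02  1000   1240   myserver         21   CAP_SYS_ADMIN        0      0
10:20:03  0      1251   setuid-helper    7    CAP_SETUID           1      1
"""

# Header line as printed by capable; the INSETID column only exists on
# Linux >= 5.1, so it is optional here.
HEADER_PATTERN = re.compile(r"^TIME\s+UID\s+PID\s+COMM\s+CAP\s+NAME\s+AUDIT")


def parse_capable(text):
    """Yield one event dict per data line, skipping the header and blanks.

    Accepts 7 columns (older kernels, no INSETID) or 8 columns.
    """
    for line in text.splitlines():
        if not line.strip() or HEADER_PATTERN.match(line):
            continue
        parts = line.split()
        if len(parts) not in (7, 8):
            raise ValueError("unexpected capable line: %r" % line)
        yield {
            "time": parts[0],
            "uid": int(parts[1]),
            "pid": int(parts[2]),
            "comm": parts[3],
            "cap": int(parts[4]),
            "name": parts[5],
            "audit": parts[6] == "1",
            # None when the column is absent (kernel older than 5.1)
            "insetid": (parts[7] == "1") if len(parts) == 8 else None,
        }


def capability_allow_list(text, include_non_audit=False):
    """Return {comm: sorted list of capability names} seen per process.

    Non-audit checks are the ones the kernel deems not worth auditing;
    capable hides them unless -v is given, and so does this function.
    """
    needed = defaultdict(set)
    for ev in parse_capable(text):
        if ev["audit"] or include_non_audit:
            needed[ev["comm"]].add(ev["name"])
    return {comm: sorted(names) for comm, names in needed.items()}


def insetid_events(text):
    """Return the events whose INSETID bit was set (checks made during setid)."""
    return [ev for ev in parse_capable(text) if ev["insetid"]]


if __name__ == "__main__":
    # Run as: capable > caps.txt ; python3 this_script.py < caps.txt
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for comm, caps in sorted(capability_allow_list(data).items()):
        print("%-16s %s" % (comm, " ".join(caps)))
```

In the sample, myserver's CAP_SYS_ADMIN check is a non-audit event, so it is left out of the default allow list and only appears when include_non_audit is set; that mirrors the tool's own -v behaviour and is worth keeping in mind when deciding which capabilities a service may safely drop.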