bcc-capable man page
capable ā Trace security capability checks (cap_capable()).
Synopsis
Description
This traces security capability checks in the kernel, and prints details for each call. This can be useful for general debugging, and also security enforcement: determining a white list of capabilities an application needs.
Since this uses BPF, only the root user can use this tool.
Requirements
CONFIG_BPF, bcc.
Options
-h USAGE message.
- -v
Include non-audit capability checks. These are those deemed not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit.
- -K
Include kernel stack traces to the output.
- -U
Include user-space stack traces to the output.
Examples
- Trace all capability checks system-wide:
# capable
- Trace capability checks for PID 181:
# capable -p 181
Fields
- TIME(s)
Time of capability check: HH:MM:SS.
- UID
User ID.
- PID
Process ID.
- COMM
Process name. CAP Capability number. NAME Capability name. See capabilities(7) for descriptions.
- AUDIT
Whether this was an audit event. Use -v to include non-audit events. INSETID Whether the INSETID bit was set (Linux >= 5.1).
Overhead
This adds low-overhead instrumentation to capability checks, which are expected to be low frequency, however, that depends on the application. Test in a lab environment before use.
Source
This is from bcc.
https://github.com/iovisor/bcc
Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
OS
Linux
Stability
Unstable - in development.
Author
Brendan Gregg