capable man page

capable ā€” Trace security capability checks (cap_capable()).

Synopsis

capable [-h] [-v] [-p PID]

Description

This traces security capability checks in the kernel, and prints details for each call. This can be useful for general debugging, and also security enforcement: determining a white list of capabilities an application needs.

Since this uses BPF, only the root user can use this tool.

Requirements

CONFIG_BPF, bcc.

Options

-h USAGE message.

-v

Include non-audit capability checks. These are those deemed not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit.

Examples

Trace all capability checks system-wide:

# capable

Trace capability checks for PID 181:

# capable -p 181

Fields

TIME(s)

Time of capability check: HH:MM:SS.

UID

User ID.

PID

Process ID.

COMM

Process name. CAP Capability number. NAME Capability name. See capabilities(7) for descriptions.

AUDIT

Whether this was an audit event. Use -v to include non-audit events.

Overhead

This adds low-overhead instrumentation to capability checks, which are expected to be low frequency, however, that depends on the application. Test in a lab environment before use.

Source

This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS

Linux

Stability

Unstable - in development.

Author

Brendan Gregg

See Also

capabilities(7)

Info

2016-09-13 USER COMMANDS