setuids.bt - Man Page

Trace setuid family of syscalls. Uses bpftrace/eBPF.

Synopsis

setuids.bt

Description

This tool traces privilege escalation via setuid syscalls, and can be used for debugging, whitelist creation, and intrusion detection.

It works by tracing the setuid(2), setfsuid(2), and setresuid(2) syscalls using the syscall tracepoints.

Since this uses BPF, only the root user can use this tool.

Requirements

CONFIG_BPF and bpftrace.

Examples

Trace setuid syscalls:

# setuids.bt

Fields

PID

The calling process ID.

COMM

The calling process (thread) name.

UID

The UID of the caller.

SYSCALL

The syscall name.

ARGS

The arguments to the syscall.

(RET)

The return value for the syscall: 0 == success, other numbers indicate an error code.
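
The fields above can be post-processed for the whitelist creation and intrusion detection uses named in the Description. The following is an added example, not part of the bpftrace distribution: the sample lines are constructed, the column layout (optional leading TIME column, name=value arguments, return value in parentheses) is an assumption about the tool's output, and the names parse_line, ALLOWED and review are hypothetical.

```python
import re

# Constructed sample output. The layout (leading TIME column, name=value
# arguments, return value in parentheses) is an assumption about the tool.
SAMPLE = """\
TIME     PID    COMM             UID    SYSCALL   ARGS (RET)
23:39:18 23436  sudo             1000   setresuid ruid=-1 euid=0 suid=-1 (0)
23:39:24 23492  sshd             0      setuid    uid=122 (0)
23:40:02 24017  convert          33     setuid    uid=0 (-1)
23:40:05 24030  helper           33     setresuid ruid=0 euid=0 suid=0 (0)
23:40:09 24051  nginx            0      setuid    uid=33 (0)
"""

LINE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\s+)?(?P<pid>\d+)\s+(?P<comm>.+?)\s+(?P<uid>\d+)\s+"
    r"(?P<syscall>set\w*uid)\s+(?P<args>.*?)\s+\((?P<ret>-?\d+)\)\s*$"
)

# Hypothetical allowlist of (COMM, SYSCALL) pairs recorded during a known-good run.
ALLOWED = {("sudo", "setresuid"), ("sshd", "setuid")}

def parse_line(line):
    """Return a dict for one event line, or None for headers and banners."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "ret"):
        rec[key] = int(rec[key])
    # ARGS are name=value pairs; -1 in setresuid(2) means "leave unchanged".
    rec["args"] = {k: int(v) for k, v in (a.split("=") for a in rec["args"].split())}
    return rec

def review(text, allowed=ALLOWED):
    """Return (finding, record) pairs for events that are not on the allowlist."""
    findings = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if (rec["comm"], rec["syscall"]) in allowed:
            continue
        # Caller's UID column is non-zero and some argument requests uid 0.
        wants_root = rec["uid"] != 0 and 0 in rec["args"].values()
        # setfsuid(2) returns the previous fsuid, so its RET is not judged here.
        if wants_root and rec["syscall"] != "setfsuid":
            kind = "root-gained" if rec["ret"] == 0 else "root-denied"
        else:
            kind = "unlisted"
        findings.append((kind, rec))
    return findings
```

COMM is a thread name that a process can change itself, so an allowlist keyed on it reduces noise but is not a trust decision. Events reported as "unlisted" are the candidates to review when building the allowlist.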

Overhead

setuid calls are expected to be low frequency (<< 100/s), so the overhead of this tool is expected to be negligible.

Source

This tool originated from the book "BPF Performance Tools", published by Addison Wesley (2019):

http://www.brendangregg.com/bpf-performance-tools-book.html

See the book for more documentation on this tool.

This version is in the bpftrace repository:

https://github.com/iovisor/bpftrace

Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

OS

Linux

Stability

Unstable - in development.

Author

Brendan Gregg

See Also

capable.bt(8)

Info

2019-07-05 USER COMMANDS