watch_execve – FreeBSD – see processes being created
In Linux you can use the following 2 articles/methods to monitor commands as they happen on any shell on your server (good for studying systems, or monitoring for security):
- http://www.infotinks.com/monitor-commands-ran-system-remove-duplicates-without-sorting-like-uniq-sorting-ps-output/
- http://www.infotinks.com/snoopy-command-monitor-logger-ive-hoping-exists/
Here is how you monitor commands as they happen live on a FreeBSD computer:
First load dtrace kernel module (this is similar to insmod / modprobe in linux systems)
1 |
kldload dtraceall |
Sidenote: dtraceall will load dtraceall.ko and dtrace.ko. They are loaded from /boot/kernel/ (on my system thats where they are, not sure if FreeBSD allows these else where)
There is also dtrace_test.ko, but we dont need to load it.
1 2 3 4 |
[koss01]# find / -type f | grep "ko$" | grep dtrace /boot/kernel/dtraceall.ko /boot/kernel/dtrace_test.ko /boot/kernel/dtrace.ko |
Confirm that kldload dtraceall loaded with kldstat (you will see dtraceall and dtrace there):
1 2 3 4 |
[koss01]# kldstat | head -n1; kldstat | grep dtrace; Id Refs Address Size Name 20 1 0xffffffff82abd000 138f dtraceall.ko 23 8 0xffffffff82ad0000 13d0ba dtrace.ko |
kldstat -v gives more information:
1 2 3 4 5 6 7 8 9 10 |
[SA:koss01]# kldstat -v 20 1 0xffffffff82abd000 138f dtraceall.ko (/boot/kernel/dtraceall.ko) Contains modules: Id Name 309 dtraceall ...skip... 23 8 0xffffffff82ad0000 13d0ba dtrace.ko (/boot/kernel/dtrace.ko) Contains modules: Id Name 301 dtrace |
Next create the following watch_execve.d dtrace script & make it executable. It doesnt matter what directory it is in.
Thanks to dteske for this awesome dtrace script that monitors processes in parallel by attaching to execve: https://svnweb.freebsd.org/base/head/share/dtrace/watch_execve (then click view at the top next to HEAD – here is a better link: https://svnweb.freebsd.org/base/head/share/dtrace/watch_execve?view=markup)
Here is the latest revision of this dtrace script as of March 28th 2016 (for the latest check out the links above)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 |
#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org> * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering syscall::execve $ * $FreeBSD$ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ syscall::execve:entry /* probe ID 1 */ { this->caller_execname = execname; } /*********************************************************/ syscall::execve:return /execname != this->caller_execname/ /* probe ID 2 */ { /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /******************* APARENT *******************/ this->proc = this->proc->p_pptr; this->pid3 = this->proc->p_pid; this->uid3 = this->proc->p_ucred->cr_uid; this->gid3 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg3_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf("%Y %s[%d]: ", timestamp + 1406598400000000000, this->caller_execname, this->pid1); printf("%s", this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("\n"); printf(" -+= %05d %d.%d %s", this->pid3, this->uid3, this->gid3, this->arg3_0); printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); printf("%s", this->arg3_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); } |
To run simply execute it like a shell script
1 |
./watch_execve |
Notice the output shows the whole ancestry of a process (current process, its parent, and grandparent)
watch_kill – FreeBSD – see processes being killed / signaled
There are other interesting dtraces. For example here is watch_kill, which monitors all kill signals (of any kind) on your server: watch_kill.d
I found two versions of the script one that uses syscall to monitor kill, and another that uses fbt to monitor kill. They both work. The two latest scripts use syscall and they are located in the first two links (same content when I saw them). Then other script is the 3rd link (might be older; both versions of the script work on my FreeBSD 8.3 system none the less).
Latest versions: both of these links as of May 4th, 2016 have the same content
(1) https://raw.githubusercontent.com/freebsd/freebsd-base-graphics/master/share/dtrace/watch_kill
(2) https://svnweb.freebsd.org/base/head/share/dtrace/watch_kill?view=co
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 |
#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014-2016 Devin Teske <dteske@FreeBSD.org> * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering syscall::kill $ * $FreeBSD$ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ syscall::execve:entry /* probe ID 1 */ { this->caller_execname = execname; } /*********************************************************/ syscall::kill:entry /* probe ID 2 */ { this->pid_to_kill = (pid_t)arg0; this->kill_signal = (int)arg1; /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /******************* APARENT *******************/ this->proc = this->proc->p_pptr; this->pid3 = this->proc->p_pid; this->uid3 = this->proc->p_ucred->cr_uid; this->gid3 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg3_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf("%Y %s[%d]: ", timestamp + 1406598400000000000, this->caller_execname, this->pid1); printf("%s", this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf(" (sending signal %u to pid %u)", this->kill_signal, this->pid_to_kill); printf("\n"); printf(" -+= %05d %d.%d %s", this->pid3, this->uid3, this->gid3, this->arg3_0); printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); printf("%s", this->arg3_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); } |
Probably not the latest version but still works (this next version uses fbt::kill:entry for probe 2 instead of syscall::kill:entry for probe 2 – they both work on my freebsd 8.3 system)
(3) <missing link> just use below
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 |
#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014-2015 Devin Teske <dteske@FreeBSD.org> * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering syscall::kill $ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ syscall::execve:entry /* probe ID 1 */ { this->caller_execname = execname; } /*********************************************************/ fbt::kill:entry /* probe ID 2 */ { this->kill_args = (struct kill_args *)arg1; this->pid_to_kill = this->kill_args->pid; this->kill_signal = this->kill_args->signum; /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /******************* APARENT *******************/ this->proc = this->proc->p_pptr; this->pid3 = this->proc->p_pid; this->uid3 = this->proc->p_ucred->cr_uid; this->gid3 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg3_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf("%Y %s[%d]: ", timestamp + 1406598400000000000, this->caller_execname, this->pid1); printf("%s", this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf(" (sending signal %u to pid %u)", this->kill_signal, this->pid_to_kill); printf("\n"); printf(" -+= %05d %d.%d %s", this->pid3, this->uid3, this->gid3, this->arg3_0); printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); printf("%s", this->arg3_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); } |
Both variations of the script have similar output.
To run the watch_kill. Just make sure dtraceall is loaded with: kldload dtraceall (if its already loaded it will not hurt if you try to load it again, it will just automatically know not to load something thats already loaded). Then make sure the script is chmod +x watch_kill.d. Then run it like this ./watch_kill.d and watch the output
The end