capable(8)                  System Manager's Manual                 capable(8)

NAME
       capable - Trace security capability checks (cap_capable()).

SYNOPSIS
       capable [-h] [-v] [-p PID]

DESCRIPTION
       This traces security capability checks in the kernel, and prints
       details for each call. This can be useful for general debugging, and
       also security enforcement: determining a white list of capabilities an
       application needs.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF, bcc.

OPTIONS
       -h     USAGE message.

       -v     Include non-audit capability checks. These are those deemed not
              interesting and not necessary to audit, such as CAP_SYS_ADMIN
              checks on memory allocation to affect the behavior of
              overcommit.

EXAMPLES
       Trace all capability checks system-wide:
              # capable

       Trace capability checks for PID 181:
              # capable -p 181

FIELDS
       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.

       CAP    Capability number.

       NAME   Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event. Use -v to include non-audit
              events.
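
       An added example (not part of the bcc distribution): a Python script
       that reduces captured capable output to a per-command capability list,
       the white-list use case from the DESCRIPTION. The sample rows are
       constructed, and the column order is assumed to follow the field order
       listed above.

```python
import re
from collections import defaultdict

# Constructed sample of `capable -v` output. Assumption: columns appear in the
# order of the FIELDS section (TIME, UID, PID, COMM, CAP, NAME, AUDIT).
SAMPLE = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:24  0      7003   chmod            3    CAP_FOWNER           1
22:11:24  0      7005   tmux: server     21   CAP_SYS_ADMIN        0
22:11:25  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:26  114    2676   snmpd            21   CAP_SYS_ADMIN        0
"""

# COMM may contain spaces, so anchor on the fixed fields at both ends.
ROW = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<comm>.+?)\s+(?P<cap>\d+)\s+(?P<name>CAP_[A-Z_]+)\s+(?P<audit>[01])\s*$"
)

def parse(text):
    """Yield one dict per data row, skipping the header and unparsable lines."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("uid", "pid", "cap", "audit"):
                row[key] = int(row[key])
            yield row

def capability_whitelist(text, include_non_audit=False):
    """Map each COMM to the sorted capability names it was checked for."""
    seen = defaultdict(set)
    for row in parse(text):
        # Non-audit checks only appear with -v; drop them unless asked for.
        if row["audit"] or include_non_audit:
            seen[row["comm"]].add(row["name"])
    return {comm: sorted(caps) for comm, caps in seen.items()}

if __name__ == "__main__":
    for comm, caps in sorted(capability_whitelist(SAMPLE).items()):
        print(f"{comm}: {','.join(caps)}")
```

       A list built this way covers only the code paths exercised while
       tracing, so run the application through its full workload before
       treating the result as complete.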

OVERHEAD
       This adds low-overhead instrumentation to capability checks, which are
       expected to be low frequency; however, that depends on the
       application. Test in a lab environment before use.

SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Brendan Gregg

SEE ALSO
       capabilities(7)

USER COMMANDS                     2016-09-13                        capable(8)