capable(8)                  System Manager's Manual                 capable(8)

NAME
       capable - Trace security capability checks (cap_capable()).

SYNOPSIS
       capable [-h] [-v] [-p PID] [-K] [-U]

DESCRIPTION
       This traces security capability checks in the kernel, and prints
       details for each call. This can be useful for general debugging, and
       also for security enforcement: determining a whitelist of the
       capabilities an application needs.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF, bcc.

OPTIONS
       -h      USAGE message.

       -v      Include non-audit capability checks. These are those deemed
               not interesting and not necessary to audit, such as
               CAP_SYS_ADMIN checks on memory allocation to affect the
               behavior of overcommit.

       -p PID  Trace this process ID only.

       -K      Include kernel stack traces in the output.

       -U      Include user-space stack traces in the output.

EXAMPLES
       Trace all capability checks system-wide:
              # capable

       Trace capability checks for PID 181:
              # capable -p 181

FIELDS
       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.

       CAP    Capability number.

       NAME   Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event. Use -v to include non-audit
              events.

       INSETID
              Whether the INSETID bit was set (Linux >= 5.1).

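       The DESCRIPTION section suggests using this tool to derive the
       whitelist of capabilities an application needs, and the FIELDS
       section defines the output columns. The following script is an
       added example, not part of bcc or this man page: it parses lines
       in the column layout described above (TIME UID PID COMM CAP NAME
       AUDIT, with an optional trailing INSETID column) and aggregates the
       capability names checked per process name. The sample output
       embedded in it is constructed for illustration, as it would look
       when captured with -v, and is not a real trace.

```python
"""Aggregate capable(8) output into a per-program capability whitelist.

Added example (not bcc's own code). Reads capable(8) output text and maps
each COMM to the set of capability names the kernel checked for it.
"""
import re
from collections import defaultdict

# Constructed sample of capable(8) output (not a real capture). The column
# layout follows the FIELDS section: TIME UID PID COMM CAP NAME AUDIT.
# The AUDIT=0 line only appears when capable is run with -v.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:23  0      7005   chmod            4    CAP_FSETID           1
22:11:24  0      7006   sshd             21   CAP_SYS_ADMIN        0
22:11:24  0      7006   sshd             6    CAP_SETGID           1
22:11:24  0      7006   sshd             7    CAP_SETUID           1
"""

# One data line: header and stack-trace lines (from -K/-U) do not match and
# are skipped. INSETID is optional because older kernels do not print it.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<comm>\S+)\s+(?P<cap>\d+)\s+(?P<name>CAP_[A-Z_]+)\s+(?P<audit>[01])"
    r"(?:\s+(?P<insetid>[01]))?\s*$"
)


def parse_capable(text):
    """Yield one record dict per parseable data line of capable(8) output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["uid"] = int(rec["uid"])
        rec["pid"] = int(rec["pid"])
        rec["cap"] = int(rec["cap"])
        rec["audit"] = rec["audit"] == "1"
        rec["insetid"] = rec["insetid"] == "1" if rec["insetid"] else None
        yield rec


def build_whitelist(text, include_non_audit=False):
    """Map COMM -> sorted list of capability names checked for that program.

    Non-audit checks (AUDIT=0) are dropped unless include_non_audit is set,
    mirroring the tool's own -v behaviour; they are usually noise for a
    whitelist.
    """
    caps = defaultdict(set)
    for rec in parse_capable(text):
        if rec["audit"] or include_non_audit:
            caps[rec["comm"]].add(rec["name"])
    return {comm: sorted(names) for comm, names in caps.items()}


def caps_by_pid(text):
    """Map (COMM, PID) -> sorted capability names, to tell instances apart."""
    caps = defaultdict(set)
    for rec in parse_capable(text):
        if rec["audit"]:
            caps[(rec["comm"], rec["pid"])].add(rec["name"])
    return {key: sorted(names) for key, names in caps.items()}


if __name__ == "__main__":
    # Typical use: capable -v > trace.txt, then feed trace.txt to this script.
    for comm, names in sorted(build_whitelist(SAMPLE_OUTPUT).items()):
        print(f"{comm:16s} {' '.join(names)}")
```

       Run capable for a representative workload (ideally with -v, so the
       AUDIT column carries real information), pipe the output to a file,
       and feed it to build_whitelist(); the result is the minimal set of
       capabilities to grant, for example via setcap(8) or a container
       runtime's capability drop/add lists.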
OVERHEAD
       This adds low-overhead instrumentation to capability checks, which
       are expected to be low frequency; however, that depends on the
       application. Test in a lab environment before use.

SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Brendan Gregg

SEE ALSO
       capabilities(7)



USER COMMANDS                     2016-09-13                        capable(8)