capable(8)                   System Manager's Manual                  capable(8)

NAME
       capable - Trace security capability checks (cap_capable()).

SYNOPSIS
       capable [-h] [-v] [-p PID] [-K] [-U]

DESCRIPTION
       This traces security capability checks in the kernel, and prints
       details for each call. This can be useful for general debugging, and
       also for security enforcement: determining a white list of
       capabilities an application needs.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF, bcc.

OPTIONS
       -h     USAGE message.

       -v     Include non-audit capability checks. These are those deemed not
              interesting and not necessary to audit, such as CAP_SYS_ADMIN
              checks on memory allocation to affect the behavior of
              overcommit.

       -K     Include kernel stack traces to the output.

       -U     Include user-space stack traces to the output.

       -x     Show extra fields in TID and INSETID columns.

EXAMPLES
       Trace all capability checks system-wide:
              # capable

       Trace capability checks for PID 181:
              # capable -p 181

FIELDS
       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.

       CAP    Capability number.

       NAME   Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event. Use -v to include non-audit
              events.

       INSETID
              Whether the INSETID bit was set (Linux >= 5.1).
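
       DESCRIPTION suggests using this tool to determine the white list of
       capabilities an application needs; the Python script below is an added
       example (not part of bcc or this tool) of that step. It parses the
       columns described under FIELDS from saved capable output, with or
       without -x, and collects per COMM the capability names from audit
       checks, leaving the AUDIT=0 checks that -v adds out of the list. The
       sample rows and their exact column spacing are constructed, not
       captured output.

```python
"""Build a per-process capability white list from saved capable(8) output.

Added example, not bcc code. It parses the columns described under FIELDS
(header-driven, so the -x layout with TID/INSETID works too) and keeps
audit checks (AUDIT=1) apart from the non-audit ones that -v adds.
"""
from collections import defaultdict

# Constructed sample in capable's text layout (assumed, not captured output).
SAMPLE = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  114    2676   snmpd            12   CAP_NET_ADMIN        1
22:11:23  0      6990   run              24   CAP_SYS_RESOURCE     1
22:11:23  0      7003   chmod            3    CAP_FOWNER           1
22:11:23  0      7003   chmod            4    CAP_FSETID           1
22:11:24  1000   7020   my daemon        21   CAP_SYS_ADMIN        0
22:11:24  1000   7020   my daemon        12   CAP_NET_ADMIN        1
"""


def parse_capable(text):
    """Yield one dict per event row, keyed by the header column names.

    COMM may contain spaces, so each row is split from both ends around the
    COMM column instead of relying on a fixed token count.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    comm_idx = header.index("COMM")
    before, after = comm_idx, len(header) - comm_idx - 1
    for line in lines[1:]:
        tokens = line.split()
        if len(tokens) < len(header):
            continue  # truncated row, e.g. tool interrupted mid-write
        comm = " ".join(tokens[before:len(tokens) - after])
        fields = tokens[:before] + [comm] + tokens[len(tokens) - after:]
        yield dict(zip(header, fields))


def allow_list(text, audit_only=True):
    """Map COMM -> sorted capability names seen for it."""
    caps = defaultdict(set)
    for ev in parse_capable(text):
        if audit_only and ev["AUDIT"] != "1":
            continue  # skip the checks capable only shows with -v
        caps[ev["COMM"]].add(ev["NAME"])
    return {comm: sorted(names) for comm, names in caps.items()}


if __name__ == "__main__":
    for comm, names in sorted(allow_list(SAMPLE).items()):
        print(f"{comm:16s} {', '.join(names)}")
```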
56
OVERHEAD
       This adds low-overhead instrumentation to capability checks, which are
       expected to be low frequency; however, that depends on the
       application. Test in a lab environment before use.

SOURCE
       This is from bcc.

              https://github.com/iovisor/bcc

       Also look in the bcc distribution for a companion _examples.txt file
       containing example usage, output, and commentary for this tool.

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Brendan Gregg

SEE ALSO
       capabilities(7)

USER COMMANDS                    2016-09-13                        capable(8)