setuids.bt(8) System Manager's Manual setuids.bt(8)

NAME
setuids.bt - Trace setuid family of syscalls. Uses bpftrace/eBPF.

SYNOPSIS
setuids.bt

DESCRIPTION
This tool traces privilege escalation via setuid syscalls, and can be
used for debugging, whitelist creation, and intrusion detection.

It works by tracing the setuid(2), setfsuid(2), and setresuid(2)
syscalls using the syscall tracepoints.

Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
CONFIG_BPF and bpftrace.

EXAMPLES
Trace setuid syscalls:
# setuids.bt

FIELDS
PID The calling process ID.

COMM The calling process (thread) name.

UID The UID of the caller.

SYSCALL
The syscall name.

ARGS The arguments to the syscall.

(RET) The return value for the syscall: 0 == success, other numbers
indicate an error code.

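The DESCRIPTION names whitelist creation and intrusion detection as uses of this tool. The following Python is an added example (not part of bpftrace or of this man page) showing how a defender might post-process the tool's output for that purpose: it parses lines into the fields listed above and flags successful transitions to UID 0 by a process name that is not on an allow-list. It assumes the output columns appear, whitespace-separated, in the order of the FIELDS section with an optional leading HH:MM:SS timestamp; the sample lines, the process names in them and the `find_unexpected`/`target_uid` helper names are all constructed for this example.

```python
"""Parse setuids.bt-style output and flag UID-0 transitions not on an allow-list.

Added example; the column layout is assumed from the FIELDS section of the
man page, and every sample line below is constructed, not captured output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One record per traced syscall, mirroring the FIELDS section.
@dataclass(frozen=True)
class SetuidEvent:
    pid: int
    comm: str
    uid: int          # UID of the caller, as reported in the UID column
    syscall: str      # setuid, setfsuid or setresuid
    args: str         # raw argument text, e.g. "uid=0" or "ruid=-1 euid=0 suid=-1"
    ret: int          # 0 == success, other numbers indicate an error code

# Assumed layout: [TIME] PID COMM UID SYSCALL ARGS (RET)
LINE_RE = re.compile(
    r"^(?:\d\d:\d\d:\d\d\s+)?"                  # optional HH:MM:SS prefix
    r"(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<uid>\d+)\s+"
    r"(?P<syscall>set(?:fs|res)?uid)\s+"
    r"(?P<args>.*?)\s*\((?P<ret>-?\d+)\)\s*$"
)

def parse_line(line: str) -> Optional[SetuidEvent]:
    """Return a SetuidEvent, or None for banner/header/unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return SetuidEvent(int(m["pid"]), m["comm"], int(m["uid"]),
                       m["syscall"], m["args"], int(m["ret"]))

def target_uid(ev: SetuidEvent) -> Optional[int]:
    """Effective UID the call asks for; None when setresuid leaves euid unchanged (-1)."""
    kv = dict(part.split("=", 1) for part in ev.args.split())
    if ev.syscall == "setresuid":
        euid = int(kv.get("euid", "-1"))
        return None if euid == -1 else euid
    return int(kv["uid"])

def find_unexpected(lines: Iterable[str], allowlist: set) -> List[SetuidEvent]:
    """Successful changes to UID 0 by a non-root caller whose comm is not allow-listed.

    Failed calls (non-zero RET) are skipped: they never changed privilege.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.ret != 0:
            continue
        if target_uid(ev) == 0 and ev.uid != 0 and ev.comm not in allowlist:
            hits.append(ev)
    return hits

# Constructed sample output in the assumed layout (not real tool output).
SAMPLE_OUTPUT = """\
Tracing setuid(2) family syscalls. Hit Ctrl-C to end.
TIME     PID    COMM             UID    SYSCALL   ARGS (RET)
23:39:18 23436  sudo             1000   setresuid ruid=-1 euid=0 suid=-1 (0)
23:39:18 23436  sudo             1000   setresuid ruid=0 euid=0 suid=0 (0)
23:39:19 23437  su               1000   setuid    uid=0 (0)
23:39:20 23438  mystery          1000   setuid    uid=0 (-1)
23:39:21 23439  suspect          1000   setuid    uid=0 (0)
23:39:22 23440  sshd             0      setresuid ruid=1000 euid=1000 suid=1000 (0)
"""

# Allow-list of process names expected to gain root on this host (constructed).
ALLOWLIST = {"sudo", "su"}

if __name__ == "__main__":
    for ev in find_unexpected(SAMPLE_OUTPUT.splitlines(), ALLOWLIST):
        print(f"unexpected: pid={ev.pid} comm={ev.comm} uid={ev.uid} "
              f"{ev.syscall} {ev.args}")
```

Run against a live capture with `setuids.bt | python3 check_setuids.py` style piping, the same `find_unexpected` loop applies line by line; in building an allow-list, start from the set of `comm` values observed over a quiet period and review each addition rather than trusting it because it appeared.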
OVERHEAD
setuid calls are expected to be low frequency (<< 100/s), so the
overhead of this tool is expected to be negligible.

SOURCE
This tool originated from the book "BPF Performance Tools", published
by Addison-Wesley (2019):

http://www.brendangregg.com/bpf-performance-tools-book.html

See the book for more documentation on this tool.

This version is in the bpftrace repository:

https://github.com/iovisor/bpftrace

Also look in the bpftrace distribution for a companion _examples.txt
file containing example usage, output, and commentary for this tool.

OS
Linux

STABILITY
Unstable - in development.

AUTHOR
Brendan Gregg

SEE ALSO
capable.bt(8)

USER COMMANDS 2019-07-05 setuids.bt(8)