capable.bt(8)               System Manager's Manual              capable.bt(8)

NAME

       capable.bt - Trace security capability checks (cap_capable()).

SYNOPSIS

       capable.bt

DESCRIPTION

       This traces security capability checks in the kernel, and prints
       details for each call. This can be useful for general debugging, and
       also security enforcement: determining a white list of capabilities an
       application needs.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS

       CONFIG_BPF, bpftrace.

EXAMPLES

       Trace all capability checks system-wide:
              # capable.bt

FIELDS

       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.

       CAP    Capability number.

       NAME   Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event.
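       One way to turn the fields above into the per-application capability
       white list mentioned in DESCRIPTION, as an added example that is not
       part of bpftrace or of this man page. The sample rows are constructed,
       the column layout is assumed to follow the FIELDS order, and the
       function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of capable.bt output (not captured from a real system).
SAMPLE = """\
Attaching 3 probes...
Tracing cap_capable syscalls... Hit Ctrl-C to end.
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
22:11:23  0      2101   nginx            10   CAP_NET_BIND_SERVICE 1
22:11:23  0      2101   nginx            7    CAP_SETUID           1
22:11:23  0      2101   nginx            6    CAP_SETGID           1
22:11:24  1000   3344   Web Content      21   CAP_SYS_ADMIN        0
22:11:25  0      2101   nginx            10   CAP_NET_BIND_SERVICE 1
22:11:26  1000   3350   ping             13   CAP_NET_RAW          1
"""

# TIME UID PID are fixed-shape on the left; CAP NAME AUDIT on the right.
# COMM sits between them and may itself contain spaces, so it is matched
# lazily instead of splitting the whole line on whitespace.
ROW = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<comm>.+?)\s+(?P<cap>\d+)\s+(?P<name>\S*)\s+(?P<audit>\d+)\s*$"
)

def parse(text):
    """Yield one dict per data row; banner and header lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            yield {**row, "uid": int(row["uid"]), "pid": int(row["pid"]),
                   "cap": int(row["cap"]), "audit": int(row["audit"])}

def allowlist(text, audit_only=False):
    """Map COMM -> sorted capability names seen in the trace."""
    seen = defaultdict(set)
    for row in parse(text):
        if audit_only and not row["audit"]:
            continue  # keep only rows whose AUDIT column is non-zero
        # Fall back to the capability number if the NAME column is empty.
        seen[row["comm"]].add(row["name"] or f"cap#{row['cap']}")
    return {comm: sorted(caps) for comm, caps in seen.items()}

if __name__ == "__main__":
    for comm, caps in allowlist(SAMPLE).items():
        print(f"{comm}: {' '.join(caps)}")
```

       The result lists every capability that was checked for a process name
       during the trace window, so the trace has to cover the application's
       full workload before the list is used for enforcement.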

OVERHEAD

       This adds low-overhead instrumentation to capability checks, which are
       expected to be low frequency; however, that depends on the application.
       Test in a lab environment before use.

SOURCE

       This is from bpftrace.

              https://github.com/iovisor/bpftrace

       Also look in the bpftrace distribution for a companion _examples.txt
       file containing example usage, output, and commentary for this tool.

       This is a bpftrace version of the bcc tool of the same name. The bcc
       tool provides options to customize the output.

              https://github.com/iovisor/bcc

OS

       Linux

STABILITY

       Unstable - in development.

AUTHOR

       Brendan Gregg

SEE ALSO

       capabilities(7)

USER COMMANDS                     2018-09-08                     capable.bt(8)