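#!/usr/sbin/dtrace -s
/*
 * setuids.d - snoop setuid calls. This can examine user logins.
 *             Written in DTrace (Solaris 10 3/05).
 *
 * $Id: setuids.d 3 2007-08-01 10:50:08Z brendan $
 *
 * USAGE:	setuids.d
 *
 * FIELDS:
 *		UID	user ID (from)
 *		SUID	set user ID (to)
 *		PPID	parent process ID
 *		PID	process ID
 *		PCMD	parent command
 *		CMD	command (full arguments)
 *
 * NOTES:
 *	- Only the setuid(2) system call is traced. seteuid(2), setreuid(2),
 *	  privilege gained by exec'ing a set-uid binary, and other privilege
 *	  changes that do not pass through setuid(2) (e.g. setppriv(2)) are
 *	  not reported.
 *	- UID is the caller's *real* user ID (the DTrace "uid" builtin); a
 *	  process already running with euid 0 via a set-uid binary still
 *	  shows its unprivileged real UID in the "from" column.
 *	- Only successful calls (return value 0) are printed. Failed
 *	  attempts, which can be interesting from a security standpoint,
 *	  are silently discarded.
 *	- DTrace is a tracing tool, not an audit trail: it may drop records
 *	  under load and only runs while this script is attached. Use BSM
 *	  auditing for accountability.
 *	- PCMD and CMD come from strings the traced user controls; both are
 *	  printed with %S so that control characters cannot inject terminal
 *	  escape sequences or forge lines in the output.
 *
 * SEE ALSO:	BSM auditing
 *
 * COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
 *
 * CDDL HEADER START
 *
 *  The contents of this file are subject to the terms of the
 *  Common Development and Distribution License, Version 1.0 only
 *  (the "License").  You may not use this file except in compliance
 *  with the License.
 *
 *  You can obtain a copy of the license at Docs/cddl1.txt
 *  or http://www.opensolaris.org/os/licensing.
 *  See the License for the specific language governing permissions
 *  and limitations under the License.
 *
 * CDDL HEADER END
 *
 * 09-May-2004	Brendan Gregg	Created this.
 * 08-May-2005	   "      "	Used modern variable builtins.
 * 28-Jul-2005	   "      "	Last update.
 */

#pragma D option quiet

/*
 * Print header
 */
dtrace:::BEGIN
{
	printf("%5s %5s %5s %5s %-12s %s\n",
	    "UID", "SUID", "PPID", "PID", "PCMD", "CMD");
}

/*
 * Save values at entry.
 *
 * "uid" is the calling process's real UID; arg0 is the UID being
 * requested. self->ok records that this thread's return probe has a
 * matching entry: if tracing is enabled while a thread is already inside
 * setuid(2), the return probe fires with no saved values and must not
 * print zeros as if they were real.
 */
syscall::setuid:entry
{
	self->uid = uid;
	self->suid = arg0;
	self->ok = 1;
}

/*
 * Print output on success.
 *
 * arg0 of a syscall return probe is the return value; setuid(2) returns
 * 0 on success, so failed attempts (EPERM etc.) are not printed.
 *
 * u_comm (PCMD) is derived from the name of the file the parent exec'd,
 * and pr_psargs (CMD) is the process's own argument vector -- both are
 * chosen by the (possibly hostile) user being watched. %S escapes
 * non-printable characters; the previous plain %s on PCMD let a binary
 * named with ESC sequences corrupt or forge output lines.
 *
 * p_parent is dereferenced without a NULL check. DTrace does not crash
 * on an invalid address -- it reports an error and skips the clause --
 * but that event would then go unreported. NOTE(review): confirm that
 * p_parent is always set on this platform for callers of setuid(2).
 */
syscall::setuid:return
/arg0 == 0 && self->ok/
{
	printf("%5d %5d %5d %5d %-12S %S\n",
	    self->uid, self->suid, ppid, pid,
	    curthread->t_procp->p_parent->p_user.u_comm,
	    curpsinfo->pr_psargs);
}

/*
 * Cleanup
 *
 * Clauses on the same probe run in program order, so this clause must
 * stay after the printing clause above. Zeroing the thread-local
 * variables releases their storage and guarantees a later return probe
 * with no matching entry is ignored.
 */
syscall::setuid:return
{
	self->uid = 0;
	self->suid = 0;
	self->ok = 0;
}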