The following is an example of execsnoop. As processes are executed, their
details are printed out. Another user was logged in running a few commands,
which can be seen below:

  # ./execsnoop
    UID   PID  PPID ARGS
    100  3008  2656 ls
    100  3009  2656 ls -l
    100  3010  2656 cat /etc/passwd
    100  3011  2656 vi /etc/hosts
    100  3012  2656 date
    100  3013  2656 ls -l
    100  3014  2656 ls
    100  3015  2656 finger
  [...]



In this example the command "man gzip" was executed. The output lets us
see what the man command is actually doing:

  # ./execsnoop
    UID   PID  PPID ARGS
    100  3064  2656 man gzip
    100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man - 
    100  3067  3066 tbl /usr/share/man/man1/gzip.1
    100  3068  3066 nroff -u0 -Tlp -man -
    100  3066  3065 col -x
    100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2> 
    100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
    100  3071  3064 sh -c more -s /tmp/mpoMaa_f
    100  3072  3071 more -s /tmp/mpoMaa_f
  ^C



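The PID and PPID columns above can be turned back into the process tree that man spawned. The following is an added Python example (not part of execsnoop or the DTraceToolkit) that parses execsnoop output, with or without the STRTIME column that -v adds, skips the header and repeated lines, and nests each exec under its parent; its sample input is constructed from the session above.

```python
import re
from collections import defaultdict

# Constructed execsnoop output modelled on the "man gzip" session above (one
# line deliberately repeated); the STRTIME column that -v adds is optional.
SAMPLE = """\
  UID   PID  PPID ARGS
  100  3064  2656 man gzip
  100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man -
  100  3067  3066 tbl /usr/share/man/man1/gzip.1
  100  3066  3065 col -x
  100  3071  3064 sh -c more -s /tmp/mpoMaa_f
  100  3072  3071 more -s /tmp/mpoMaa_f
  100  3072  3071 more -s /tmp/mpoMaa_f
[...]
"""

LINE_RE = re.compile(
    r"^(?:(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+)?"  # optional STRTIME (-v)
    r"(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")                      # UID PID PPID ARGS

def parse_execsnoop(text):
    """One dict per exec event; headers, "[...]" and repeated lines are skipped."""
    events, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or (m.group(3), m.group(5)) in seen:   # header/noise or duplicate
            continue
        seen.add((m.group(3), m.group(5)))
        strtime, uid, pid, ppid, args = m.groups()
        events.append({"time": strtime, "uid": int(uid), "pid": int(pid),
                       "ppid": int(ppid), "args": args})
    return events

def process_tree(events):
    """Indented "PID ARGS" lines, each event under its parent by PPID, whatever order it was printed in."""
    kids, known = defaultdict(list), {e["pid"] for e in events}
    for e in events:
        kids[e["ppid"]].append(e)
    out = []
    def walk(e, depth):
        out.append("  " * depth + f"{e['pid']} {e['args']}")
        for child in kids[e["pid"]]:
            walk(child, depth + 1)
    for root in (e for e in events if e["ppid"] not in known):  # parent not traced
        walk(root, 0)
    return out

if __name__ == "__main__":
    print("\n".join(process_tree(parse_execsnoop(SAMPLE))))
```

A PID that execs twice with different ARGS yields two events, and its children are listed under both.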
Execsnoop has other options:

  # ./execsnoop -h
  USAGE: execsnoop [-a|-A|-sv] [-c command]
         execsnoop                # default output
                  -a              # print all data
                  -A              # dump all data, space delimited
                  -s              # include start time, us
                  -v              # include start time, string
                  -c command      # command name to snoop



In particular, the verbose option (-v), which prints human-readable
timestamps, is very useful:

  # ./execsnoop -v
  STRTIME                UID   PID  PPID ARGS
  2005 Jan 22 00:07:22     0 23053 20933 date
  2005 Jan 22 00:07:24     0 23054 20933 uname -a
  2005 Jan 22 00:07:25     0 23055 20933 ls -latr
  2005 Jan 22 00:07:27     0 23056 20933 df -k
  2005 Jan 22 00:07:29     0 23057 20933 ps -ef
  2005 Jan 22 00:07:29     0 23057 20933 ps -ef
  2005 Jan 22 00:07:34     0 23058 20933 uptime
  2005 Jan 22 00:07:34     0 23058 20933 uptime
  [...]



It is also possible to match particular commands. Here we watch only
executions of the vi command:

  # ./execsnoop -vc vi
  STRTIME                UID   PID  PPID ARGS
  2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
  2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
  2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
  2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
  [...]
