The following is an example of execsnoop. As processes are executed their
details are printed out. Another user was logged in running a few commands
which can be viewed below,

   # ./execsnoop
     UID   PID  PPID ARGS
     100  3008  2656 ls
     100  3009  2656 ls -l
     100  3010  2656 cat /etc/passwd
     100  3011  2656 vi /etc/hosts
     100  3012  2656 date
     100  3013  2656 ls -l
     100  3014  2656 ls
     100  3015  2656 finger
   [...]


In this example the command "man gzip" was executed. The output lets us
see what the man command is actually doing,

   # ./execsnoop
     UID   PID  PPID ARGS
     100  3064  2656 man gzip
     100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man -
     100  3067  3066 tbl /usr/share/man/man1/gzip.1
     100  3068  3066 nroff -u0 -Tlp -man -
     100  3066  3065 col -x
     100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2>
     100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
     100  3071  3064 sh -c more -s /tmp/mpoMaa_f
     100  3072  3071 more -s /tmp/mpoMaa_f
   ^C


Execsnoop has other options,

   # ./execsnoop -h
   USAGE: execsnoop [-a|-A|-sv] [-c command]
          execsnoop    # default output
                   -a  # print all data
                   -A  # dump all data, space delimited
                   -s  # include start time, us
                   -v  # include start time, string
           -c command  # command name to snoop


In particular the verbose option for human readable timestamps is
very useful,

   # ./execsnoop -v
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:07:22     0 23053 20933 date
   2005 Jan 22 00:07:24     0 23054 20933 uname -a
   2005 Jan 22 00:07:25     0 23055 20933 ls -latr
   2005 Jan 22 00:07:27     0 23056 20933 df -k
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   [...]


It is also possible to match particular commands. Here we watch
anyone using the vi command only,

   # ./execsnoop -vc vi
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
   2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
   2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
   2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
   [...]
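The "man gzip" session above is readable by eye because the PID and PPID columns link each helper back to the command that spawned it. As an added example (not part of execsnoop or the DTraceToolkit), the parser below reads both output layouts shown on this page, the default one and the -v one with its STRTIME column, and rebuilds that process tree; the sample input is a constructed excerpt of the man session, and the only assumption is that lines follow the two layouts shown above.

```python
import re
from collections import defaultdict

# Matches the default layout (UID PID PPID ARGS) and the -v layout, which
# prepends a STRTIME column such as "2005 Jan 22 00:07:22".
_LINE_RE = re.compile(
    r"^\s*(?:(?P<strtime>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+)?"
    r"(?P<uid>\d+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<args>.*?)\s*$"
)

def parse_execsnoop(text):
    """Return one dict per exec event; prompt, header, [...] and ^C lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev.update(uid=int(ev["uid"]), pid=int(ev["pid"]), ppid=int(ev["ppid"]))
            events.append(ev)
    return events

def process_tree(events, root_pid):
    """Render the events descending from root_pid as indented 'PID ARGS' lines.
    Links are resolved only after every line is read, so a child that execsnoop
    printed before its parent (3067/3068 before 3066 above) still nests correctly."""
    by_pid, children = {}, defaultdict(list)
    for ev in events:
        by_pid.setdefault(ev["pid"], ev)  # keep the first exec seen for a PID
        children[ev["ppid"]].append(ev["pid"])
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {by_pid[pid]['args']}")
        for child in children[pid]:
            walk(child, depth + 1)
    walk(root_pid, 0)
    return out

# Constructed input: an excerpt of the "man gzip" session shown on this page.
SAMPLE = """\
     UID   PID  PPID ARGS
     100  3064  2656 man gzip
     100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man -
     100  3067  3066 tbl /usr/share/man/man1/gzip.1
     100  3068  3066 nroff -u0 -Tlp -man -
     100  3066  3065 col -x
     100  3071  3064 sh -c more -s /tmp/mpoMaa_f
     100  3072  3071 more -s /tmp/mpoMaa_f
"""
```

Calling `process_tree(parse_execsnoop(SAMPLE), 3064)` returns the tree rooted at `man gzip`, with `col -x` correctly shown as the parent of `tbl` and `nroff` even though execsnoop printed it after them.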