watch_execve – FreeBSD – see processes being created
In Linux you can use the following 2 articles/methods to monitor commands as they happen on any shell on your server (good for studying systems, or monitoring for security):
- http://www.infotinks.com/monitor-commands-ran-system-remove-duplicates-without-sorting-like-uniq-sorting-ps-output/
- http://www.infotinks.com/snoopy-command-monitor-logger-ive-hoping-exists/
Here is how you monitor commands as they happen live on a FreeBSD computer:
First load dtrace kernel module (this is similar to insmod / modprobe in linux systems)
kldload dtraceall
Sidenote: dtraceall will load dtraceall.ko and dtrace.ko. They are loaded from /boot/kernel/ (on my system thats where they are, not sure if FreeBSD allows these else where)
There is also dtrace_test.ko, but we dont need to load it.
[koss01]# find / -type f | grep "ko$" | grep dtrace /boot/kernel/dtraceall.ko /boot/kernel/dtrace_test.ko /boot/kernel/dtrace.ko
Confirm that kldload dtraceall loaded with kldstat (you will see dtraceall and dtrace there):
[koss01]# kldstat | head -n1; kldstat | grep dtrace; Id Refs Address Size Name 20 1 0xffffffff82abd000 138f dtraceall.ko 23 8 0xffffffff82ad0000 13d0ba dtrace.ko
kldstat -v gives more information:
[SA:koss01]# kldstat -v 20 1 0xffffffff82abd000 138f dtraceall.ko (/boot/kernel/dtraceall.ko) Contains modules: Id Name 309 dtraceall ...skip... 23 8 0xffffffff82ad0000 13d0ba dtrace.ko (/boot/kernel/dtrace.ko) Contains modules: Id Name 301 dtrace
Next create the following watch_execve.d dtrace script & make it executable. It doesnt matter what directory it is in.
Thanks to dteske for this awesome dtrace script that monitors processes in parallel by attaching to execve: https://svnweb.freebsd.org/base/head/share/dtrace/watch_execve (then click view at the top next to HEAD – here is a better link: https://svnweb.freebsd.org/base/head/share/dtrace/watch_execve?view=markup)
Here is the latest revision of this dtrace script as of March 28th 2016 (for the latest check out the links above)
#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org> * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering syscall::execve $ * $FreeBSD$ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ syscall::execve:entry /* probe ID 1 */ { this->caller_execname = execname; } /*********************************************************/ syscall::execve:return /execname != this->caller_execname/ /* probe ID 2 */ { /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /******************* APARENT *******************/ this->proc = this->proc->p_pptr; this->pid3 = this->proc->p_pid; this->uid3 = this->proc->p_ucred->cr_uid; this->gid3 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg3_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf("%Y %s[%d]: ", timestamp + 1406598400000000000, this->caller_execname, this->pid1); printf("%s", this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("\n"); printf(" -+= %05d %d.%d %s", this->pid3, this->uid3, this->gid3, this->arg3_0); printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); printf("%s", this->arg3_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); }
To run simply execute it like a shell script
./watch_execve
Notice the output shows the whole ancestry of a process (current process, its parent, and grandparent)
watch_kill – FreeBSD – see processes being killed / signaled
There are other interesting dtraces. For example here is watch_kill, which monitors all kill signals (of any kind) on your server: watch_kill.d
I found two versions of the script one that uses syscall to monitor kill, and another that uses fbt to monitor kill. They both work. The two latest scripts use syscall and they are located in the first two links (same content when I saw them). Then other script is the 3rd link (might be older; both versions of the script work on my FreeBSD 8.3 system none the less).
Latest versions: both of these links as of May 4th, 2016 have the same content
(1) https://raw.githubusercontent.com/freebsd/freebsd-base-graphics/master/share/dtrace/watch_kill
(2) https://svnweb.freebsd.org/base/head/share/dtrace/watch_kill?view=co
#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014-2016 Devin Teske <dteske@FreeBSD.org> * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering syscall::kill $ * $FreeBSD$ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ syscall::execve:entry /* probe ID 1 */ { this->caller_execname = execname; } /*********************************************************/ syscall::kill:entry /* probe ID 2 */ { this->pid_to_kill = (pid_t)arg0; this->kill_signal = (int)arg1; /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /******************* APARENT *******************/ this->proc = this->proc->p_pptr; this->pid3 = this->proc->p_pid; this->uid3 = this->proc->p_ucred->cr_uid; this->gid3 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg3_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf("%Y %s[%d]: ", timestamp + 1406598400000000000, this->caller_execname, this->pid1); printf("%s", this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf(" (sending signal %u to pid %u)", this->kill_signal, this->pid_to_kill); printf("\n"); printf(" -+= %05d %d.%d %s", this->pid3, this->uid3, this->gid3, this->arg3_0); printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); printf("%s", this->arg3_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); }
Probably not the latest version but still works (this next version uses fbt::kill:entry for probe 2 instead of syscall::kill:entry for probe 2 – they both work on my freebsd 8.3 system)
(3) <missing link> just use below
#!/usr/sbin/dtrace -s /* - * Copyright (c) 2014-2015 Devin Teske <dteske@FreeBSD.org> * All rights reserved. * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * $Title: dtrace(1) script to log process(es) entering syscall::kill $ */ #pragma D option quiet #pragma D option dynvarsize=16m #pragma D option switchrate=10hz /*********************************************************/ syscall::execve:entry /* probe ID 1 */ { this->caller_execname = execname; } /*********************************************************/ fbt::kill:entry /* probe ID 2 */ { this->kill_args = (struct kill_args *)arg1; this->pid_to_kill = this->kill_args->pid; this->kill_signal = this->kill_args->signum; /* * Examine process, parent process, and grandparent process details */ /******************* CURPROC *******************/ this->proc = curthread->td_proc; this->pid0 = this->proc->p_pid; this->uid0 = this->proc->p_ucred->cr_uid; this->gid0 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc->p_args; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg0_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg0_4 = this->ar_length > 0 ? "..." : ""; /******************* PPARENT *******************/ this->proc = this->proc->p_pptr; this->pid1 = this->proc->p_pid; this->uid1 = this->proc->p_ucred->cr_uid; this->gid1 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg1_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg1_4 = this->ar_length > 0 ? "..." : ""; /******************* GPARENT *******************/ this->proc = this->proc->p_pptr; this->pid2 = this->proc->p_pid; this->uid2 = this->proc->p_ucred->cr_uid; this->gid2 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg2_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg2_4 = this->ar_length > 0 ? "..." : ""; /******************* APARENT *******************/ this->proc = this->proc->p_pptr; this->pid3 = this->proc->p_pid; this->uid3 = this->proc->p_ucred->cr_uid; this->gid3 = this->proc->p_ucred->cr_rgid; this->p_args = this->proc ? this->proc->p_args : 0; this->ar_length = this->p_args ? this->p_args->ar_length : 0; this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); this->arg3_0 = this->ar_length > 0 ? this->ar_args : stringof(this->proc->p_comm); this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; this->ar_args += this->len; this->ar_length -= this->len; this->arg3_4 = this->ar_length > 0 ? "..." : ""; /***********************************************/ /* * Print process, parent, and grandparent details */ printf("%Y %s[%d]: ", timestamp + 1406598400000000000, this->caller_execname, this->pid1); printf("%s", this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf(" (sending signal %u to pid %u)", this->kill_signal, this->pid_to_kill); printf("\n"); printf(" -+= %05d %d.%d %s", this->pid3, this->uid3, this->gid3, this->arg3_0); printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); printf("%s", this->arg3_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid2, this->uid2, this->gid2, this->arg2_0); printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); printf("%s", this->arg2_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid1, this->uid1, this->gid1, this->arg1_0); printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); printf("%s", this->arg1_0 != "" ? "\n" : ""); printf(" \-+= %05d %d.%d %s", this->pid0, this->uid0, this->gid0, this->arg0_0); printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); printf("%s", this->arg0_0 != "" ? "\n" : ""); }
Both variations of the script have similar output.
To run the watch_kill. Just make sure dtraceall is loaded with: kldload dtraceall (if its already loaded it will not hurt if you try to load it again, it will just automatically know not to load something thats already loaded). Then make sure the script is chmod +x watch_kill.d. Then run it like this ./watch_kill.d and watch the output
The end