Date:      Fri, 5 Dec 2014 16:39:16 -0800
From:      <dteske@FreeBSD.org>
To:        <freebsd-dtrace@freebsd.org>
Cc:        dteske@FreeBSD.org, 'Julian Elischer' <julian@freebsd.org>, 'Michael Dexter' <editor@callfortesting.org>
Subject:   DTrace script to trace process execution
Message-ID:  <064f01d010ed$11445990$33cd0cb0$@FreeBSD.org>

This is a multipart message in MIME format.

------=_NextPart_000_0650_01D010AA.032167B0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Someone asked me about having a DTrace script that displays
"ps axwww"-like info each time a process is executed.

Well, I'm actually more of a fan of a "pstree"-like layout, so I
wrote a DTrace script that produces output similar to
sysutils/pstree every time a process is executed.

Sample output of attached "watch_execve.d":

2014 Dec  5 13:31:30 bash[40851]: ls -A
 -+= 00809 0.0 /usr/sbin/sshd
  \-+= 40829 0.0 sshd: support@pts/0
    \-+= 40851 0.0 -bash
      \-+= 27188 0.0 ls -A

If you don't want the pstree style info, you can simply run:

watch_execve.d | grep -v '^[[:space:]]'
-- 
Cheers,
Devin

------=_NextPart_000_0650_01D010AA.032167B0
Content-Type: application/octet-stream;
	name="watch_execve.d"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="watch_execve.d"

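#!/usr/sbin/dtrace -s
/* -
 * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org>
 * All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Title: dtrace(1) script to log process(es) entering syscall::execve $
 */

/*
 * watch_execve.d -- log every successful execve(2) and, below it, a
 * sysutils/pstree-style view of the exec'ing process and up to three of
 * its ancestors:
 *
 *   <wall clock> <pre-exec name>[<parent pid>]: <new argv>
 *    -+= <pid> <uid>.<gid> <argv ...>        great-grandparent
 *     \-+= <pid> <uid>.<gid> <argv ...>      grandparent
 *       \-+= <pid> <uid>.<gid> <argv ...>    parent
 *         \-+= <pid> <uid>.<gid> <argv ...>  exec'ing process (new image)
 *
 * <uid>.<gid> is the effective uid and the real gid (cr_uid / cr_rgid).
 * Each <argv ...> shows at most four arguments, followed by "..." when
 * more exist, taken from the process's p_args cache -- the same data
 * ps(1) displays.  Two caveats for anyone reading this output as a
 * record of what ran:
 *   - the kernel leaves p_args NULL when the argument vector is larger
 *     than kern.ps_arg_cache_limit, so an oversized command line
 *     degrades to the short p_comm name;
 *   - a running process can replace its own p_args with setproctitle(3)
 *     (the "sshd: user@pts/0" form is such a title), so ancestor entries
 *     describe what the process chose to report, not what was exec'd.
 * The argv of the exec'ing process itself is read at execve(2) return,
 * before the new image runs.
 */

#pragma D option quiet
#pragma D option dynvarsize=16m		/* backs the self-> variable below */
#pragma D option switchrate=10hz

/*********************************************************/

/*
 * Remember, per thread, the name of the program that is calling
 * execve(2).  This must be a thread-local (self->) variable: a
 * clause-local (this->) variable is only defined within a single probe
 * firing, and :entry and :return are separate firings, so a this->
 * value written here is undefined by the time :return fires.
 */
syscall::execve:entry /* probe ID 1 */
{
	self->caller_execname = execname;
}

/*********************************************************/

/*
 * A successful execve(2) returns into the new image with errno == 0.
 * Testing errno, rather than comparing execname before and after the
 * call, also catches a process exec'ing a program of the same name
 * (e.g. a shell exec'ing another shell), which the name comparison
 * would silently skip.
 */
syscall::execve:return /errno == 0/ /* probe ID 2 */
{
	/*
	 * Examine the exec'ing process, its parent, grandparent, and
	 * great-grandparent.  Each ancestor pointer is tested before it is
	 * used: near the top of the tree p_pptr runs out, and dereferencing
	 * NULL would abort the clause with an "invalid address" error and
	 * lose the record.
	 */

	/******************* CURPROC *******************/

	this->proc = curthread->td_proc;
	this->pid0 = this->proc->p_pid;
	this->uid0 = this->proc->p_ucred->cr_uid;	/* effective uid */
	this->gid0 = this->proc->p_ucred->cr_rgid;	/* real gid */
	this->p_args = this->proc->p_args;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	/*
	 * ar_args holds the NUL-terminated argument strings back to back,
	 * ar_length bytes in all (assumed well-formed, as the kernel builds
	 * it); step through the first four and flag any remainder with
	 * "...".  With no cache, fall back to p_comm.
	 */
	this->arg0_0 = this->ar_length > 0 ?
		this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_4 = this->ar_length > 0 ? "..." : "";

	/******************* PPARENT *******************/

	this->proc = this->proc->p_pptr;
	this->have1 = this->proc ? 1 : 0;
	this->pid1 = this->proc ? this->proc->p_pid : 0;
	this->uid1 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid1 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg1_0 = this->ar_length > 0 ? this->ar_args :
		this->proc ? stringof(this->proc->p_comm) : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_4 = this->ar_length > 0 ? "..." : "";

	/******************* GPARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->have2 = this->proc ? 1 : 0;
	this->pid2 = this->proc ? this->proc->p_pid : 0;
	this->uid2 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid2 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg2_0 = this->ar_length > 0 ? this->ar_args :
		this->proc ? stringof(this->proc->p_comm) : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_4 = this->ar_length > 0 ? "..." : "";

	/******************* APARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->have3 = this->proc ? 1 : 0;
	this->pid3 = this->proc ? this->proc->p_pid : 0;
	this->uid3 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid3 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg3_0 = this->ar_length > 0 ? this->ar_args :
		this->proc ? stringof(this->proc->p_comm) : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_4 = this->ar_length > 0 ? "..." : "";

	/***********************************************/

	/*
	 * Header line: the wall-clock time (walltimestamp -- `timestamp'
	 * counts from an arbitrary origin and is not a date), then the
	 * name the exec'ing process had before the exec paired with its
	 * parent's pid (for the usual fork-then-exec this reads as
	 * "<shell>[<shell pid>]: <command>"; for an exec without a fork
	 * the pid is that of the caller's parent), then the new argv.
	 * The tree is printed by the clauses that follow.
	 */
	printf("%Y %s[%d]: ", walltimestamp,
		self->caller_execname, this->pid1);
	printf("%s", this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");
}

/*********************************************************/

/*
 * Tree lines, outermost ancestor first.  Each clause runs only when the
 * corresponding ancestor was found by probe ID 2 above; the clause-local
 * values computed there are visible here because these clauses belong to
 * the same probe firing.  A missing level (an exec close to init) is
 * simply omitted; the remaining lines keep their fixed indentation.
 */
syscall::execve:return /errno == 0 && this->have3/ /* probe ID 3 */
{
	printf(" -+= %05d %d.%d %s",
		this->pid3, this->uid3, this->gid3, this->arg3_0);
	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
	printf("\n");
}

syscall::execve:return /errno == 0 && this->have2/ /* probe ID 4 */
{
	printf("  \-+= %05d %d.%d %s",
		this->pid2, this->uid2, this->gid2, this->arg2_0);
	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
	printf("\n");
}

syscall::execve:return /errno == 0 && this->have1/ /* probe ID 5 */
{
	printf("    \-+= %05d %d.%d %s",
		this->pid1, this->uid1, this->gid1, this->arg1_0);
	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
	printf("\n");
}

/* The exec'ing process itself always exists. */
syscall::execve:return /errno == 0/ /* probe ID 6 */
{
	printf("      \-+= %05d %d.%d %s",
		this->pid0, this->uid0, this->gid0, this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");
}

/*********************************************************/

/*
 * Release the per-thread name on every return, successful or not, so
 * that failed execve(2) calls do not leave dynamic variables allocated.
 * This runs after the printing clauses above, which still need it.
 */
syscall::execve:return /* probe ID 7 */
{
	self->caller_execname = 0;
}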

------=_NextPart_000_0650_01D010AA.032167B0--



