Execsnoop cli args matching (#1115)

* adding args matching option * fixing typos * fixing merge artefacts * [execsnoop]: adding documentation on -l in man * [execsnoop][man]: fixing typo in commands name

Execsnoop cli args matching (#1115)
* adding args matching option * fixing typos * fixing merge artefacts * [execsnoop]: adding documentation on -l in man * [execsnoop][man]: fixing typo in commands name
0a01506e · Nikita V. Shirokov · Sasha Goldshtein · 9556db2f · 0a01506e · 0a01506e
Commit 0a01506e authored Apr 19, 2017 by Nikita V. Shirokov Committed by Sasha Goldshtein Apr 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 9 deletions

man/man8/execsnoop.8 man/man8/execsnoop.8 +11 -4

tools/execsnoop.py tools/execsnoop.py +10 -1

tools/execsnoop_example.txt tools/execsnoop_example.txt +23 -4

No files found.
--- a/man/man8/execsnoop.8
+++ b/man/man8/execsnoop.8
@@ -2,7 +2,7 @@
 .SH NAME
 execsnoop \- Trace new processes via exec() syscalls. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B execsnoop [\-h] [\-t] [\-x] [\-n NAME]
+.B execsnoop [\-h] [\-t] [\-x] [\-n NAME] [\-l LINE]
 .SH DESCRIPTION
 execsnoop traces new processes, showing the filename executed and argument
 list.
@@ -31,7 +31,10 @@ Include a timestamp column.
 Include failed exec()s
 .TP
 \-n NAME
-Only print command lines matching this name (regex), matched anywhere
+Only print command lines matching this name (regex)
+.TP
+\-l LINE
+Only print commands where arg contains this line (regex)
 .SH EXAMPLES
 .TP
 Trace all exec() syscalls:
@@ -46,9 +49,13 @@ Include failed exec()s:
 #
 .B execsnoop \-x
 .TP
-Only trace exec()s where the filename or arguments contain "mount":
+Only trace exec()s where the filename contains "mount":
+#
+.B execsnoop \-n mount
+.TP
+Only trace exec()s where argument's line contains "testpkg":
 #
-.B opensnoop \-n mount
+.B execsnoop \-l testpkg
 .SH FIELDS
 .TP
 TIME(s)

--- a/tools/execsnoop.py
+++ b/tools/execsnoop.py
@@ -30,6 +30,7 @@ examples = """examples:
    ./execsnoop -x        # include failed exec()s
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"
+    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg" 
 """
 parser = argparse.ArgumentParser(
    description="Trace exec() syscalls",
@@ -41,6 +42,8 @@ parser.add_argument("-x", "--fails", action="store_true",
    help="include failed exec()s")
 parser.add_argument("-n", "--name",
    help="only print commands matching this name (regex), any arg")
+parser.add_argument("-l", "--line",
+    help="only print commands where arg contains this line (regex)")
 args = parser.parse_args()

 # define BPF program
@@ -192,6 +195,9 @@ def print_event(cpu, data, size):
            skip = True
        if args.name and not re.search(args.name, event.comm):
            skip = True
+        if args.line and not re.search(args.line,
+                                       b' '.join(argv[event.pid]).decode()):
+            skip = True

        if not skip:
            if args.timestamp:
@@ -200,8 +206,11 @@ def print_event(cpu, data, size):
            print("%-16s %-6s %-6s %3s %s" % (event.comm.decode(), event.pid,
                    ppid if ppid > 0 else "?", event.retval,
                    b' '.join(argv[event.pid]).decode()))
+        try:
+            del(argv[event.pid])
+        except Exception:
+            pass

-        del(argv[event.pid])

 # loop with callback to print_event
 b["events"].open_perf_buffer(print_event)

--- a/tools/execsnoop_example.txt
+++ b/tools/execsnoop_example.txt
@@ -52,13 +52,29 @@ doesn't exist).


 A -t option can be used to include a timestamp column, and a -n option to match
-on a name or substring from the full command line (filename + args). Regular
-expressions are allowed. For example, matching commands containing "mount":
+on a name. Regular expressions are allowed. 
+For example, matching commands containing "mount":

 # ./execsnoop -tn mount
 TIME(s) PCOMM            PID    RET ARGS
-2.849   bash             18049    0 /bin/mount -p
-
+2.849   mount            18049    0 /bin/mount -p
+
+The -l option can be used to only show command where one of the arguments
+matches specified line. The limitation is that we are looking only into first 20
+arguments of the command. For example, matching all command where one of the argument
+is "testpkg":
+
+# ./execsnoop.py -l testpkg
+PCOMM            PID    PPID   RET ARGS
+service          3344535 4146419   0 /usr/sbin/service testpkg status
+systemctl        3344535 4146419   0 /bin/systemctl status testpkg.service
+yum              3344856 4146419   0 /usr/local/bin/yum remove testpkg
+python           3344856 4146419   0 /usr/local/bin/python /usr/local/bin/yum remove testpkg
+yum              3344856 4146419   0 /usr/bin/yum remove testpkg
+yum              3345086 4146419   0 /usr/local/bin/yum install testpkg
+python           3345086 4146419   0 /usr/local/bin/python /usr/local/bin/yum install testpkg
+yum              3345086 4146419   0 /usr/bin/yum install testpkg
+rpm              3345452 4146419   0 /bin/rpm -qa testpkg

 USAGE message:

@@ -73,9 +89,12 @@ optional arguments:
  -x, --fails           include failed exec()s
  -n NAME, --name NAME  only print commands matching this name (regex), any
                        arg
+  -l LINE, --line LINE  only print commands where arg contains this line
+                        (regex)

 examples:
    ./execsnoop           # trace all exec() syscalls
    ./execsnoop -x        # include failed exec()s 
    ./execsnoop -t        # include timestamps
    ./execsnoop -n main   # only print command lines containing "main"
+    ./execsnoop -l tpkg   # only print command where arguments contains "tpkg"