setuids.bt(8) | System Manager's Manual | setuids.bt(8) |
NAME
setuids.bt - Trace the setuid family of syscalls. Uses bpftrace/eBPF.
SYNOPSIS
setuids.bt
DESCRIPTION
This tool traces the setuid family of syscalls, through which a process changes its user IDs (for example, a set-user-ID program such as sudo or su acquiring, switching, or dropping privileges), and can be used for debugging, whitelist creation, and intrusion detection.
It works by tracing the setuid(2), setfsuid(2), and setresuid(2) syscalls using the syscall tracepoints. Note what is not covered: setreuid(2) and the group-ID variants (setgid(2), setresgid(2), setfsgid(2)) are not traced, and the privilege raise the kernel performs when a set-user-ID binary is executed happens inside execve(2), not through any of these syscalls, so it does not appear in the output either.
Since this uses BPF, only the root user can use this tool.
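The following bpftrace program is an added example showing the approach described above; it is not the setuids.bt script shipped in the bpftrace repository. It pairs the sys_enter and sys_exit tracepoints of the three syscalls by thread id so that each call is printed with the caller's current uid, the requested ids, and the syscall's return value, and it keeps a per-program count per syscall (the @calls map, a name chosen here) that is printed at exit as raw material for a whitelist. Only the tracepoint names and argument fields are real kernel/bpftrace interfaces; the map names and output layout are this example's own.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not the bpftrace project's own setuids.bt.
 * Trace setuid(2), setfsuid(2) and setresuid(2) via their syscall
 * tracepoints, print each completed call with its return value, and
 * summarise (comm, syscall) -> count at exit for allowlist building.
 * Needs root: bpftrace ./trace-setuids.bt
 */

BEGIN
{
    printf("Tracing setuid(2), setfsuid(2), setresuid(2). Hit Ctrl-C to end.\n");
    printf("%-8s %-6s %-16s %-6s %-9s %s\n", "TIME", "PID", "COMM", "UID",
        "SYSCALL", "ARGS (RET)");
}

/*
 * Enter probes: record the caller's current uid and the requested ids,
 * keyed by thread id, so the matching exit probe can print them together
 * with the result. @seen distinguishes which syscall is in flight.
 */
tracepoint:syscalls:sys_enter_setuid
{
    @uid[tid] = uid;
    @newuid[tid] = args->uid;
    @seen[tid] = 1;
}

tracepoint:syscalls:sys_enter_setfsuid
{
    @uid[tid] = uid;
    @newuid[tid] = args->uid;
    @seen[tid] = 2;
}

tracepoint:syscalls:sys_enter_setresuid
{
    @uid[tid] = uid;
    @ruid[tid] = args->ruid;
    @euid[tid] = args->euid;
    @suid[tid] = args->suid;
    @seen[tid] = 3;
}

/*
 * Exit probes: one line per completed call. setuid(2) and setresuid(2)
 * return 0 or -errno; setfsuid(2) returns the previous fsuid whether or
 * not the change was permitted, so its RET column is not an error code.
 */
tracepoint:syscalls:sys_exit_setuid
/@seen[tid] == 1/
{
    time("%H:%M:%S ");
    printf("%-6d %-16s %-6d setuid    uid=%d (%d)\n", pid, comm, @uid[tid],
        @newuid[tid], args->ret);
    @calls[comm, "setuid"] = count();
    delete(@seen[tid]); delete(@uid[tid]); delete(@newuid[tid]);
}

tracepoint:syscalls:sys_exit_setfsuid
/@seen[tid] == 2/
{
    time("%H:%M:%S ");
    printf("%-6d %-16s %-6d setfsuid  fsuid=%d (%d)\n", pid, comm, @uid[tid],
        @newuid[tid], args->ret);
    @calls[comm, "setfsuid"] = count();
    delete(@seen[tid]); delete(@uid[tid]); delete(@newuid[tid]);
}

tracepoint:syscalls:sys_exit_setresuid
/@seen[tid] == 3/
{
    time("%H:%M:%S ");
    printf("%-6d %-16s %-6d setresuid ruid=%d euid=%d suid=%d (%d)\n", pid,
        comm, @uid[tid], @ruid[tid], @euid[tid], @suid[tid], args->ret);
    @calls[comm, "setresuid"] = count();
    delete(@seen[tid]); delete(@uid[tid]); delete(@ruid[tid]);
    delete(@euid[tid]); delete(@suid[tid]);
}

END
{
    /* Drop the scratch maps so only @calls is printed when tracing ends. */
    clear(@seen); clear(@uid); clear(@newuid);
    clear(@ruid); clear(@euid); clear(@suid);
}
```

The enter/exit pairing is what makes the return value available: the arguments are only visible at sys_enter and the result only at sys_exit, and a lookup keyed by tid is how bpftrace carries state between the two. For intrusion detection the interesting lines are those where a non-zero UID column is followed by a request for uid 0 (or ruid/euid/suid of 0) with RET 0, from a comm that is not in the allowlist built from @calls on a known-good system. The `args->field` form is the long-standing bpftrace syntax; recent releases also accept `args.field`.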
REQUIREMENTS
CONFIG_BPF and bpftrace. The syscall tracepoints this tool attaches to also require a kernel built with CONFIG_FTRACE_SYSCALLS (check that tracepoint:syscalls:sys_enter_setuid appears in the output of bpftrace -l).
OVERHEAD
setuid calls are expected to be low frequency (<< 100/s), so the overhead of this tool is expected to be negligible.
SOURCE
This tool originated from the book "BPF Performance Tools", published by Addison Wesley (2019):
See the book for more documentation on this tool.
This version is in the bpftrace repository:
Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
OS
Linux
STABILITY
Unstable - in development.
AUTHOR
Brendan Gregg
2019-07-05 | USER COMMANDS |