other versions
- buster 0.8.0-4
- buster-backports 0.17.0-7~bpo10+2
- testing 0.18.0+ds-2
- unstable 0.18.0+ds-2
- experimental 0.21.0+ds-1
capable(8) | System Manager's Manual | capable(8) |
NAME¶
capable - Trace security capability checks (cap_capable()).SYNOPSIS¶
capable [-h] [-v] [-p PID] [-K] [-U]DESCRIPTION¶
This traces security capability checks in the kernel, and prints details for each call. This can be useful for general debugging, and also security enforcement: determining a white list of capabilities an application needs.Since this uses BPF, only the root user can use this tool.
REQUIREMENTS¶
CONFIG_BPF, bcc.OPTIONS¶
-h USAGE message.- -v
- Include non-audit capability checks. These are those deemed not interesting and not necessary to audit, such as CAP_SYS_ADMIN checks on memory allocation to affect the behavior of overcommit.
- -K
- Include kernel stack traces to the output.
- -U
- Include user-space stack traces to the output.
EXAMPLES¶
- Trace all capability checks system-wide:
- # capable
- Trace capability checks for PID 181:
- # capable -p 181
FIELDS¶
- TIME(s)
- Time of capability check: HH:MM:SS.
- UID
- User ID.
- PID
- Process ID.
- COMM
- Process name. CAP Capability number. NAME Capability name. See capabilities(7) for descriptions.
- AUDIT
- Whether this was an audit event. Use -v to include non-audit events.
OVERHEAD¶
This adds low-overhead instrumentation to capability checks, which are expected to be low frequency, however, that depends on the application. Test in a lab environment before use.SOURCE¶
This is from bcc.Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.
OS¶
LinuxSTABILITY¶
Unstable - in development.AUTHOR¶
Brendan GreggSEE ALSO¶
capabilities(7)2016-09-13 | USER COMMANDS |