bpftrace/tools/setuids.bt at master · sushink70/bpftrace · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#!/usr/bin/env bpftrace
// setuids - Trace the setuid syscalls: privilege escalation.
//
// See BPF Performance Tools, Chapter 11, for an explanation of this tool.
//
// Example of usage:
//
// # ./setuids.bt
// Attaching 7 probes...
// Tracing setuid(2) family syscalls. Hit Ctrl-C to end.
// TIME     PID    COMM             UID    SYSCALL   ARGS (RET)
// 14:28:22 21785  ssh              1000   setresuid ruid=-1 euid=1000 suid=-1 (0)
// 14:28:22 21787  sshd             0      setresuid ruid=122 euid=122 suid=122 (0)
// 14:28:22 21787  sshd             122    setuid    uid=0 (-1)
// 14:28:22 21787  sshd             122    setresuid ruid=-1 euid=0 suid=-1 (-1)
// 14:28:24 21786  sshd             0      setresuid ruid=-1 euid=1000 suid=-1 (0)
// [...]
// 14:28:24 21786  sshd             0      setfsuid  uid=0 (prevuid=0)
// 14:28:24 21851  sshd             0      setresuid ruid=1000 euid=1000 suid=1000 (0)
// 14:28:24 21851  sshd             1000   setuid    uid=0 (-1)
// 14:28:24 21851  sshd             1000   setresuid ruid=-1 euid=0 suid=-1 (-1)
//
// Why does sshd make so many calls? I don't know! Nevertheless, this shows what
// this tool can do: it shows the caller details (PID, COMM, and UID), the syscall
// (SYSCALL), and the syscall arguments (ARGS) and return value (RET). You can
// modify this tool to print user stack traces for each call, which will show the
// code path in sshd (provided it is compiled with frame pointers).
//
// Copyright (c) 2019 Brendan Gregg.
// This was originally created for the BPF Performance Tools book
// published by Addison Wesley. ISBN-13: 9780136554820
// When copying or porting, include this comment.
//
// 26-Feb-2019  Brendan Gregg   Created this.

BEGIN
{
  printf("Tracing setuid(2) family syscalls. Hit Ctrl-C to end.\n");
  printf("%-8s %-6s %-16s %-6s %-9s %s\n",
         "TIME", "PID", "COMM", "UID", "SYSCALL", "ARGS (RET)");
}

tracepoint:syscalls:sys_enter_setuid,
tracepoint:syscalls:sys_enter_setfsuid
{
  @uid[tid] = uid;
  @setuid[tid] = args.uid;
  @seen[tid] = 1;
}

tracepoint:syscalls:sys_enter_setresuid
{
  @uid[tid] = uid;
  @ruid[tid] = args.ruid;
  @euid[tid] = args.euid;
  @suid[tid] = args.suid;
  @seen[tid] = 1;
}

tracepoint:syscalls:sys_exit_setuid
/@seen[tid]/
{
  time("%H:%M:%S ");
  printf("%-6d %-16s %-6d setuid    uid=%d (%d)\n",
         pid, comm, @uid[tid], @setuid[tid], args.ret);
  delete(@seen, tid);
  delete(@uid, tid);
  delete(@setuid, tid);
}

tracepoint:syscalls:sys_exit_setfsuid
/@seen[tid]/
{
  time("%H:%M:%S ");
  printf("%-6d %-16s %-6d setfsuid  uid=%d (prevuid=%d)\n",
         pid, comm, @uid[tid], @setuid[tid], args.ret);
  delete(@seen, tid);
  delete(@uid, tid);
  delete(@setuid, tid);
}

tracepoint:syscalls:sys_exit_setresuid
/@seen[tid]/
{
  time("%H:%M:%S ");
  printf("%-6d %-16s %-6d setresuid ", pid, comm, @uid[tid]);
  printf("ruid=%d euid=%d suid=%d (%d)\n", @ruid[tid], @euid[tid], @suid[tid], args.ret);
  delete(@seen, tid);
  delete(@uid, tid);
  delete(@ruid, tid);
  delete(@euid, tid);
  delete(@suid, tid);
}