setuids.bt - Trace setuid family of syscalls. Uses bpftrace/eBPF.

       Brendan Gregg

       This  tool  traces  privilege  escalation  via  setuid syscalls, and can be used for debugging, whitelist
       creation, and intrusion detection.

       It works by tracing the setuid(2), setfsuid(2), and retresuid(2) syscalls using the syscall tracepoints.

       Since this uses BPF, only the root user can use this tool.

       Trace setuid syscalls:
              # setuids.bt

       PID    The calling process ID.

       COMM   The calling process (thread) name.

       UID    The UID of the caller.

       SYSCALL
              The syscall name.

       ARGS   The arguments to the syscall

       (RET)  The return value for the syscall: 0 == success, other numbers indicate an error code.

       setuids.bt - Trace setuid family of syscalls. Uses bpftrace/eBPF.

       Linux

       setuid calls are expected to be low frequency (<< 100/s), so the overhead of this tool is expected to  be
       negligible.

       CONFIG_BPF and bpftrace.

capable.bt(8)

USER COMMANDS                                      2019-07-05                                      setuids.bt(8)

       This tool originated from the book "BPF Performance Tools", published by Addison Wesley (2019):

              http://www.brendangregg.com/bpf-performance-tools-book.html

       See the book for more documentation on this tool.

       This version is in the bpftrace repository:

              https://github.com/bpftrace/bpftrace

       Also  look  in  the  bpftrace  distribution  for a companion _examples.txt file containing example usage,
       output, and commentary for this tool.

       Unstable - in development.

setuids.bt