capable.bt - Trace security capability checks (cap_capable()).

       Brendan Gregg

       This  traces  security  capability  checks  in  the kernel, and prints details for each call. This can be
       useful for general debugging, and also security enforcement: determining a white list of capabilities  an
       application needs.

       Since this uses BPF, only the root user can use this tool.

       Trace all capability checks system-wide:
              # capable.bt

       TIME(s)
              Time of capability check: HH:MM:SS.

       UID    User ID.

       PID    Process ID.

       COMM   Process name.  CAP Capability number.  NAME Capability name. See capabilities(7) for descriptions.

       AUDIT  Whether this was an audit event.

       capable.bt - Trace security capability checks (cap_capable()).

       Linux

       This  adds  low-overhead  instrumentation  to  capability checks, which are expected to be low frequency,
       however, that depends on the application. Test in a lab environment before use.

       CONFIG_BPF, bpftrace.

capabilities(7)

USER COMMANDS                                      2018-09-08                                      capable.bt(8)

       This is from bpftrace.

              https://github.com/bpftrace/bpftrace

       Also look in the bpftrace distribution for a  companion  _examples.txt  file  containing  example  usage,
       output, and commentary for this tool.

       This  is  a bpftrace version of the bcc tool of the same name. The bcc tool provides options to customize
       the output.

              https://github.com/iovisor/bcc

       Unstable - in development.

capable.bt