| Demonstrations of capable, the Linux eBPF/bcc version. |
| |
| |
| capable traces calls to the kernel cap_capable() function, which does security |
| capability checks, and prints details for each call. For example: |
| |
| # ./capable.py |
| TIME UID PID COMM CAP NAME AUDIT |
| 22:11:23 114 2676 snmpd 12 CAP_NET_ADMIN 1 |
| 22:11:23 0 6990 run 24 CAP_SYS_RESOURCE 1 |
| 22:11:23 0 7003 chmod 3 CAP_FOWNER 1 |
| 22:11:23 0 7003 chmod 4 CAP_FSETID 1 |
| 22:11:23 0 7005 chmod 4 CAP_FSETID 1 |
| 22:11:23 0 7005 chmod 4 CAP_FSETID 1 |
| 22:11:23 0 7006 chown 4 CAP_FSETID 1 |
| 22:11:23 0 7006 chown 4 CAP_FSETID 1 |
| 22:11:23 0 6990 setuidgid 6 CAP_SETGID 1 |
| 22:11:23 0 6990 setuidgid 6 CAP_SETGID 1 |
| 22:11:23 0 6990 setuidgid 7 CAP_SETUID 1 |
| 22:11:24 0 7013 run 24 CAP_SYS_RESOURCE 1 |
| 22:11:24 0 7026 chmod 3 CAP_FOWNER 1 |
| 22:11:24 0 7026 chmod 4 CAP_FSETID 1 |
| 22:11:24 0 7028 chmod 4 CAP_FSETID 1 |
| 22:11:24 0 7028 chmod 4 CAP_FSETID 1 |
| 22:11:24 0 7029 chown 4 CAP_FSETID 1 |
| 22:11:24 0 7029 chown 4 CAP_FSETID 1 |
| 22:11:24 0 7013 setuidgid 6 CAP_SETGID 1 |
| 22:11:24 0 7013 setuidgid 6 CAP_SETGID 1 |
| 22:11:24 0 7013 setuidgid 7 CAP_SETUID 1 |
| 22:11:25 0 7036 run 24 CAP_SYS_RESOURCE 1 |
| 22:11:25 0 7049 chmod 3 CAP_FOWNER 1 |
| 22:11:25 0 7049 chmod 4 CAP_FSETID 1 |
| 22:11:25 0 7051 chmod 4 CAP_FSETID 1 |
| 22:11:25 0 7051 chmod 4 CAP_FSETID 1 |
| |
| Checks where AUDIT is 0 are ignored by default, which can be changed |
| with -v but is more verbose. |
| |
| We can show the TID and INSETID columns with -x. |
| Since only a recent kernel version >= 5.1 reports the INSETID bit to cap_capable(), |
| the fallback value "N/A" will be displayed on older kernels. |
| |
| # ./capable.py -x |
| TIME UID PID TID COMM CAP NAME AUDIT INSETID |
| 08:22:36 0 12869 12869 chown 0 CAP_CHOWN 1 0 |
| 08:22:36 0 12869 12869 chown 0 CAP_CHOWN 1 0 |
| 08:22:36 0 12869 12869 chown 0 CAP_CHOWN 1 0 |
| 08:23:02 0 13036 13036 setuidgid 6 CAP_SETGID 1 0 |
| 08:23:02 0 13036 13036 setuidgid 6 CAP_SETGID 1 0 |
| 08:23:02 0 13036 13036 setuidgid 7 CAP_SETUID 1 1 |
| 08:23:13 0 13085 13085 chmod 3 CAP_FOWNER 1 0 |
| 08:23:13 0 13085 13085 chmod 4 CAP_FSETID 1 0 |
| 08:23:13 0 13085 13085 chmod 3 CAP_FOWNER 1 0 |
| 08:23:13 0 13085 13085 chmod 4 CAP_FSETID 1 0 |
| 08:23:13 0 13085 13085 chmod 4 CAP_FSETID 1 0 |
| 08:24:27 0 13522 13522 ping 13 CAP_NET_RAW 1 0 |
| [...] |
| |
| This can be useful for general debugging, and also security enforcement: |
| determining a whitelist of capabilities an application needs. |
| |
| The output above includes various capability checks: snmpd checking |
| CAP_NET_ADMIN, run checking CAP_SYS_RESOURCES, then some short-lived processes |
| checking CAP_FOWNER, CAP_FSETID, etc. |
| |
| To see what each of these capabilities does, check the capabilities(7) man |
| page and the kernel source. |
| |
| It is possible to include a kernel stack trace to the capable events by passing |
| -K to the command: |
| |
| # ./capable.py -K |
| TIME UID PID COMM CAP NAME AUDIT |
| 15:32:21 1000 10708 fetchmail 7 CAP_SETUID 1 |
| cap_capable+0x1 [kernel] |
| ns_capable_common+0x7a [kernel] |
| __sys_setresuid+0xc8 [kernel] |
| do_syscall_64+0x56 [kernel] |
| entry_SYSCALL_64_after_hwframe+0x49 [kernel] |
| 15:32:21 1000 30047 procmail 6 CAP_SETGID 1 |
| cap_capable+0x1 [kernel] |
| ns_capable_common+0x7a [kernel] |
| may_setgroups+0x2f [kernel] |
| __x64_sys_setgroups+0x18 [kernel] |
| do_syscall_64+0x56 [kernel] |
| entry_SYSCALL_64_after_hwframe+0x49 [kernel] |
| |
| Similarly, it is possible to include user-space stack with -U (or they can be |
| used both at the same time to include user and kernel stack). |
| |
| Some processes can do a lot of security capability checks, generating a lot of |
| ouput. In this case, the --unique option is useful to only print once the same |
| set of capability, pid (or cgroup if --cgroupmap is used) and kernel/user |
| stacks (if -K or -U are used). |
| |
| # ./capable.py -K -U --unique |
| |
| The --cgroupmap option filters based on a cgroup set. It is meant to be used |
| with an externally created map. |
| |
| # ./capable.py --cgroupmap /sys/fs/bpf/test01 |
| |
| For more details, see docs/special_filtering.md |
| |
| |
| USAGE: |
| |
| # ./capable.py -h |
| usage: capable.py [-h] [-v] [-p PID] [-K] [-U] [-x] [--cgroupmap CGROUPMAP] |
| [--mntnsmap MNTNSMAP] [--unique] |
| |
| Trace security capability checks |
| |
| optional arguments: |
| -h, --help show this help message and exit |
| -v, --verbose include non-audit checks |
| -p PID, --pid PID trace this PID only |
| -K, --kernel-stack output kernel stack trace |
| -U, --user-stack output user stack trace |
| -x, --extra show extra fields in TID and INSETID columns |
| --cgroupmap CGROUPMAP |
| trace cgroups in this BPF map only |
| --mntnsmap MNTNSMAP trace mount namespaces in this BPF map only |
| --unique don't repeat stacks for the same pid or cgroup |
| |
| examples: |
| ./capable # trace capability checks |
| ./capable -v # verbose: include non-audit checks |
| ./capable -p 181 # only trace PID 181 |
| ./capable -K # add kernel stacks to trace |
| ./capable -U # add user-space stacks to trace |
| ./capable -x # extra fields: show TID and INSETID columns |
| ./capable --unique # don't repeat stacks for the same pid or cgroup |
| ./capable --cgroupmap mappath # only trace cgroups in this BPF map |
| ./capable --mntnsmap mappath # only trace mount namespaces in the map |