Provided by: bpftrace_0.14.0-1_amd64
capable.bt - Trace security capability checks (cap_capable()).
This traces security capability checks in the kernel, and prints details for each call. This can be useful for general debugging, and also security enforcement: determining a white list of capabilities an application needs. Since this uses BPF, only the root user can use this tool.
Trace all capability checks system-wide: # capable.bt
TIME(s) Time of capability check: HH:MM:SS. UID User ID. PID Process ID. COMM Process name. CAP Capability number. NAME Capability name. See capabilities(7) for descriptions. AUDIT Whether this was an audit event.
This adds low-overhead instrumentation to capability checks, which are expected to be low frequency, however, that depends on the application. Test in a lab environment before use.
This is from bpftrace. https://github.com/iovisor/bpftrace Also look in the bpftrace distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool. This is a bpftrace version of the bcc tool of the same name. The bcc tool provides options to customize the output. https://github.com/iovisor/bcc
Unstable - in development.