#!/usr/sbin/dtrace -s
/*
 * setuids.d - snoop setuid calls. This can examine user logins.
 * Written in DTrace (Solaris 10 3/05).
 *
 * $Id: setuids.d,v 1.1.1.1 2015/09/30 22:01:09 christos Exp $
 *
 * USAGE: setuids.d
 *
 * One line is printed for every setuid(2) call that returns success,
 * showing which UID the caller held before the call and which UID it
 * asked for.
 *
 * FIELDS:
 *   UID    user ID (from)
 *   SUID   set user ID (to)
 *   PPID   parent process ID
 *   PID    process ID
 *   PCMD   parent command
 *   CMD    command (full arguments)
 *
 * NOTES:
 *   - Only the setuid syscall is probed. Credential changes made through
 *     other syscalls (e.g. setreuid) are not reported, and the libc
 *     seteuid() wrapper may not reach this probe at all; extend the probe
 *     list if full coverage of privilege transitions is required.
 *   - CMD comes from pr_psargs, which is a fixed-size buffer, so long
 *     argument lists are truncated.
 *   - This is an observation aid, not an audit trail; it only sees calls
 *     made while the script is running. For tamper-resistant records use
 *     BSM auditing.
 *
 * SEE ALSO: BSM auditing
 *
 * COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
 *
 * CDDL HEADER START
 *
 *  The contents of this file are subject to the terms of the
 *  Common Development and Distribution License, Version 1.0 only
 *  (the "License").  You may not use this file except in compliance
 *  with the License.
 *
 *  You can obtain a copy of the license at Docs/cddl1.txt
 *  or http://www.opensolaris.org/os/licensing.
 *  See the License for the specific language governing permissions
 *  and limitations under the License.
 *
 * CDDL HEADER END
 *
 * 09-May-2004  Brendan Gregg   Created this.
 * 08-May-2005     "      "     Used modern variable builtins.
 * 28-Jul-2005     "      "     Last update.
 */

#pragma D option quiet

/*
 * Column header, printed once when the script starts.
 */
dtrace:::BEGIN
{
	printf("%5s %5s %5s %5s %-12s %s\n",
	    "UID", "SUID", "PPID", "PID", "PCMD", "CMD");
}

/*
 * Entry: remember the caller's current UID and the UID it is asking
 * for (arg0). The thread-local flag marks that this thread's pending
 * return was preceded by an entry we observed, so the return clause
 * does not fire for a setuid that was already in flight at startup.
 */
syscall::setuid:entry
{
	self->from_uid = uid;
	self->to_uid = arg0;
	self->tracing = 1;
}

/*
 * Return, success path only (setuid returns 0 on success).
 *
 * PCMD is read from the parent proc's u_comm; CMD uses %S rather than
 * %s so that unprintable bytes in the traced process's argument string
 * are escaped instead of being written raw to the terminal.
 */
syscall::setuid:return
/self->tracing && arg0 == 0/
{
	printf("%5d %5d %5d %5d %-12s %S\n",
	    self->from_uid, self->to_uid, ppid, pid,
	    curthread->t_procp->p_parent->p_user.u_comm,
	    curpsinfo->pr_psargs);
}

/*
 * Return, every outcome: release the thread-local state so a failed
 * call does not leave stale values behind for the next one.
 */
syscall::setuid:return
{
	self->from_uid = 0;
	self->to_uid = 0;
	self->tracing = 0;
}