The following is an example of execsnoop. As processes are executed their
details are printed out. Another user was logged in running a few commands
which can be viewed below,

     100  3015  2656 finger

In this example the command "man gzip" was executed. The output lets us
see what the man command is actually doing,

     100  3064  2656 man gzip
     100  3068  3066 nroff -u0 -Tlp -man -
     100  3066  3065 col -x

Execsnoop has other options,

   USAGE: execsnoop [-a|-A|-sv] [-c command]
          execsnoop                # default output
                    -A             # dump all data, space delimited
                    -s             # include start time, us
                    -v             # include start time, string
                    -c command     # command name to snoop

In particular the verbose option for human readable timestamps is

   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:07:22     0 23053 20933 date
   2005 Jan 22 00:07:24     0 23054 20933 uname -a
   2005 Jan 22 00:07:25     0 23055 20933 ls -latr
   2005 Jan 22 00:07:27     0 23056 20933 df -k
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:34     0 23058 20933 uptime

It is also possible to match particular commands. Here we watch
anyone using the vi command only,

   # ./execsnoop -vc vi
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
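The "man gzip" output above shows why the PPID column matters: it is what lets you tie a chain of child execs back to the command a user typed. As an added example (not execsnoop's own code, nor part of this page), the following Python reads both the default and the -v output formats and rebuilds that parent/child tree; the sample input is constructed from the lines shown on this page, and the PID 3065 it refers to is simply absent from the capture.

```python
import re
from collections import defaultdict
# Constructed from the execsnoop output shown on this page (default and -v).
MAN_GZIP = """\
  100  3064  2656 man gzip
  100  3068  3066 nroff -u0 -Tlp -man -
  100  3066  3065 col -x
"""
VERBOSE = """\
STRTIME                UID   PID  PPID ARGS
2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
"""
# ARGS is everything after the PPID column, so it may contain spaces.
DEFAULT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
VERBOSE_RE = re.compile(
    r"^\s*(\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
def parse_line(line):
    """One exec event as a dict, or None for headers, prompts and ^C."""
    m = VERBOSE_RE.match(line)
    if m:
        strtime, uid, pid, ppid, args = m.groups()
    else:
        m = DEFAULT_RE.match(line)
        if not m:
            return None
        strtime, (uid, pid, ppid, args) = None, m.groups()
    return {"strtime": strtime, "uid": int(uid), "pid": int(pid),
            "ppid": int(ppid), "args": args.strip()}
def parse(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def build_tree(events):
    """PID -> child PIDs. execsnoop shows exec(), not fork(): a child may print
    before its parent (3068 before 3066) and a parent may be absent from the
    capture (3065); events whose parent was not seen hang off the root None."""
    seen = {e["pid"] for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"] if e["ppid"] in seen else None].append(e["pid"])
    return children

def render(events, indent="  "):
    """Indented 'PID ARGS' lines with children nested under their parent."""
    by_pid, children, out = {e["pid"]: e for e in events}, build_tree(events), []
    def walk(pid, depth):
        for child in children.get(pid, []):
            out.append(f"{indent * depth}{child} {by_pid[child]['args']}")
            walk(child, depth + 1)
    walk(None, 0)
    return out
```

Feeding a longer -v capture through render() groups each user's commands under the shell PID (20933 above) that started them, which is the view you want when reconstructing what a session did.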