Filename: ../Examples/execsnoop

The following is an example of execsnoop. As processes are executed their
 details are printed out. Another user was logged in running a few commands
 which can be viewed below,
 
   # ./execsnoop
     UID   PID  PPID ARGS
     100  3008  2656 ls
     100  3009  2656 ls -l
     100  3010  2656 cat /etc/passwd
     100  3011  2656 vi /etc/hosts
     100  3012  2656 date
     100  3013  2656 ls -l
     100  3014  2656 ls
     100  3015  2656 finger
   [...]
 
 
 
 In this example the command "man gzip" was executed. The output lets us
 see what the man command is actually doing,
 
   # ./execsnoop
     UID   PID  PPID ARGS
     100  3064  2656 man gzip
     100  3065  3064 sh -c cd /usr/share/man; tbl /usr/share/man/man1/gzip.1 |nroff -u0 -Tlp -man - 
     100  3067  3066 tbl /usr/share/man/man1/gzip.1
     100  3068  3066 nroff -u0 -Tlp -man -
     100  3066  3065 col -x
     100  3069  3064 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1 2> 
     100  3070  3069 /usr/bin/mv -f /tmp/mpoMaa_f /usr/share/man/cat1/gzip.1
     100  3071  3064 sh -c more -s /tmp/mpoMaa_f
     100  3072  3071 more -s /tmp/mpoMaa_f
   ^C
   
 
 
 Execsnoop has other options,
 
   # ./execsnoop -h
   USAGE: execsnoop [-a|-A|-sv] [-c command]
          execsnoop                # default output
                   -a              # print all data
                   -A              # dump all data, space delimited
                   -s              # include start time, us
                   -v              # include start time, string
                   -c command      # command name to snoop
 
 
 
 In particular the verbose option for human readable timestamps is 
 very useful,
 
   # ./execsnoop -v
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:07:22     0 23053 20933 date
   2005 Jan 22 00:07:24     0 23054 20933 uname -a
   2005 Jan 22 00:07:25     0 23055 20933 ls -latr
   2005 Jan 22 00:07:27     0 23056 20933 df -k
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:29     0 23057 20933 ps -ef
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   2005 Jan 22 00:07:34     0 23058 20933 uptime
   [...]
 
 
 
 It is also possible to match particular commands. Here we watch
 anyone using the vi command only,
 
   # ./execsnoop -vc vi 
   STRTIME                UID   PID  PPID ARGS
   2005 Jan 22 00:10:33     0 23063 20933 vi /etc/passwd
   2005 Jan 22 00:10:40     0 23064 20933 vi /etc/shadow
   2005 Jan 22 00:10:51     0 23065 20933 vi /etc/group
   2005 Jan 22 00:10:57     0 23066 20933 vi /.rhosts
   [...]