Demonstrations of capable, the Linux eBPF/bcc version. capable traces calls to the kernel cap_capable() function, which does security capability checks, and prints details for each call. For example: # ./capable.py TIME UID PID COMM CAP NAME AUDIT 22:11:23 114 2676 snmpd 12 CAP_NET_ADMIN 1 22:11:23 0 6990 run 24 CAP_SYS_RESOURCE 1 22:11:23 0 7003 chmod 3 CAP_FOWNER 1 22:11:23 0 7003 chmod 4 CAP_FSETID 1 22:11:23 0 7005 chmod 4 CAP_FSETID 1 22:11:23 0 7005 chmod 4 CAP_FSETID 1 22:11:23 0 7006 chown 4 CAP_FSETID 1 22:11:23 0 7006 chown 4 CAP_FSETID 1 22:11:23 0 6990 setuidgid 6 CAP_SETGID 1 22:11:23 0 6990 setuidgid 6 CAP_SETGID 1 22:11:23 0 6990 setuidgid 7 CAP_SETUID 1 22:11:24 0 7013 run 24 CAP_SYS_RESOURCE 1 22:11:24 0 7026 chmod 3 CAP_FOWNER 1 22:11:24 0 7026 chmod 4 CAP_FSETID 1 22:11:24 0 7028 chmod 4 CAP_FSETID 1 22:11:24 0 7028 chmod 4 CAP_FSETID 1 22:11:24 0 7029 chown 4 CAP_FSETID 1 22:11:24 0 7029 chown 4 CAP_FSETID 1 22:11:24 0 7013 setuidgid 6 CAP_SETGID 1 22:11:24 0 7013 setuidgid 6 CAP_SETGID 1 22:11:24 0 7013 setuidgid 7 CAP_SETUID 1 22:11:25 0 7036 run 24 CAP_SYS_RESOURCE 1 22:11:25 0 7049 chmod 3 CAP_FOWNER 1 22:11:25 0 7049 chmod 4 CAP_FSETID 1 22:11:25 0 7051 chmod 4 CAP_FSETID 1 22:11:25 0 7051 chmod 4 CAP_FSETID 1 [...] This can be useful for general debugging, and also security enforcement: determining a whitelist of capabilities an application needs. The output above includes various capability checks: snmpd checking CAP_NET_ADMIN, run checking CAP_SYS_RESOURCES, then some short-lived processes checking CAP_FOWNER, CAP_FSETID, etc. To see what each of these capabilities does, check the capabilities(7) man page and the kernel source. Sometimes capable catches itself starting up: # ./capable.py TIME UID PID COMM CAP NAME AUDIT 22:22:19 0 21949 capable.py 21 CAP_SYS_ADMIN 1 22:22:19 0 21949 capable.py 21 CAP_SYS_ADMIN 1 22:22:19 0 21949 capable.py 21 CAP_SYS_ADMIN 1 22:22:19 0 21949 capable.py 21 CAP_SYS_ADMIN 1 22:22:19 0 21949 capable.py 21 CAP_SYS_ADMIN 1 22:22:19 0 21949 capable.py 21 CAP_SYS_ADMIN 1 22:22:19 0 21952 run 24 CAP_SYS_RESOURCE 1 [...] These are capability checks from BPF and perf_events syscalls. USAGE: # ./capable.py -h usage: capable.py [-h] [-v] [-p PID] Trace security capability checks optional arguments: -h, --help show this help message and exit -v, --verbose include non-audit checks -p PID, --pid PID trace this PID only examples: ./capable # trace capability checks ./capable -v # verbose: include non-audit checks ./capable -p 181 # only trace PID 181