@yeet/execsnoop
execsnoop is a lightweight, high-performance tool that monitors and logs all exec calls on your system in real-time. It captures detailed execution data, including command details and process IDs, with minimal system overhead. Ideal for security monitoring and compliance, execsnoop provides comprehensive visibility into every process execution. Enhance your system's observability and security with seamless integration into your existing infrastructure.
Installation
Use yeet to install this package
sudo yeet install execsnoop
execsnoop is a lightweight, high-performance tool designed to monitor and log all exec system calls in real time. It efficiently captures detailed execution data such as command details and process IDs, all with minimal system overhead. Ideal for security monitoring and compliance, execsnoop provides comprehensive visibility into every process execution, enhancing system observability and security. It integrates seamlessly into your existing infrastructure.
Get Started
1. Install yeet
2. Deploy execsnoop
3. Create a collection
4. Monitor events
Data Schema
Each time an exec syscall occurs, a new row is added to the collection with the following schema:
Execsnoop Row
| Field | Type | Description |
|---|---|---|
| timestamp | Date | The time when the exec syscall occurred. |
| seq_no | Int | A sequential number for the exec event. |
| event | ExecsnoopEvent | Contains details about the exec event. |
Execsnoop Event
| Field | Type | Description |
|---|---|---|
| cgroup_id | string | The ID of the control group associated with the process. |
| cgroup_name | string | The name of the control group associated with the process. |
| comm | string | The command name of the executed process. |
| latency_ns | int | How long the exec took to complete in nanoseconds. |
| uid | int | The user who triggered the exec. |
| gid | int | The group ID of the user. |
| pid | int | The process ID of the executed command. |
| ppid | int | The parent process ID of the executed command. |
| tgid | int | The thread group ID of the executed command. |
Example query:
You can query this collection using the SQL Editor.
SELECT
timestamp,
seq_no,
event->>'$.cgroup_id' AS cgroup_id,
event->>'$.cgroup_name' AS cgroup_name,
event->>'$.comm' AS comm,
CAST(event->>'$.latency_ns' AS int) AS latency_ns,
event->>'$.gid' AS gid,
event->>'$.pid' AS pid,
event->>'$.ppid' AS ppid,
event->>'$.tgid' AS tgid
FROM <your_collection_name_here>
ORDER BY seq_no DESC
Key Details:
JSON Path Extraction
- The syntax
event->>'$.property_name'is used to extract properties from the JSON event object without enclosing them in quotes.
CAST Function
latency_nsis cast to an integer, as it is initially treated as a string. This conversion ensures it can be correctly visualized or processed numerically.