watch_execve – FreeBSD – see processes being created

On Linux you can use the following two articles/methods to monitor commands as they happen on any shell on your server (useful for studying a system, or for security monitoring):

Here is how you monitor commands as they happen live on a FreeBSD computer:

First load the dtrace kernel module with kldload dtraceall (this is similar to insmod / modprobe on Linux systems).

Sidenote: dtraceall will load dtraceall.ko and dtrace.ko. They are loaded from /boot/kernel/ (on my system that's where they are; I'm not sure whether FreeBSD allows them elsewhere).

There is also dtrace_test.ko, but we don't need to load it.

Confirm that kldload dtraceall worked with kldstat (you will see dtraceall and dtrace listed):

kldstat -v gives more information:

Next, create the following watch_execve.d dtrace script and make it executable. It doesn't matter which directory it is in.

Thanks to dteske for this awesome dtrace script, which monitors processes in parallel by attaching to execve: (then click "view" at the top next to HEAD; here is a better link:

Here is the latest revision of this dtrace script as of March 28th, 2016 (for the latest version, check the links above):

To run it, simply execute it like a shell script:

Notice that the output shows the whole ancestry of a process (the current process, its parent, and its grandparent).

watch_kill – FreeBSD – see processes being killed / signaled

There are other interesting dtrace scripts. For example, here is watch_kill, which monitors all kill signals (of any kind) on your server: watch_kill.d

I found two versions of the script: one that uses the syscall provider to monitor kill, and another that uses fbt to monitor kill. They both work. The two latest scripts use syscall and are located at the first two links (same content when I saw them). The other script is at the 3rd link (it might be older; nonetheless, both versions of the script work on my FreeBSD 8.3 system).

Latest versions: both of these links, as of May 4th, 2016, have the same content



Probably not the latest version, but it still works (this next version uses fbt::kill:entry for probe 2 instead of syscall::kill:entry; both work on my FreeBSD 8.3 system):

(3) <missing link> just use below

Both variations of the script have similar output.

To run watch_kill, first make sure dtraceall is loaded with kldload dtraceall (if it is already loaded, trying to load it again will not hurt; kldload simply knows not to load something that is already loaded). Then make sure the script is executable with chmod +x watch_kill.d. Then run it with ./watch_kill.d and watch the output.
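For both the execve and the kill monitoring described above, here is a single D script as an added example. It is my own illustration, not dteske's watch_execve.d or watch_kill.d, and it assumes FreeBSD's syscall provider, where execve's arg0 is the user pointer to the path and kill's arg0/arg1 are the target pid and signal number:

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example (not the watch_execve.d / watch_kill.d scripts from the
 * post): logs every execve() with its ancestry (process, parent,
 * grandparent) and every kill() with sender and target. Assumes the
 * FreeBSD syscall provider argument layout noted in the lead-in.
 */
#pragma D option quiet

/* Print a header once so the log is self-describing. */
BEGIN
{
    printf("%-20s %-6s %-6s %-6s %s\n",
        "TIME", "UID", "PID", "PPID", "EVENT");
}

/* Copy the path at entry: the user pointer is only safe to read here. */
syscall::execve:entry
{
    self->in = 1;
    self->path = copyinstr(arg0);
    self->from = execname;   /* image that is calling execve */
}

/* Log the exec once the kernel has switched images; errno=0 means success,
 * a non-zero errno records a failed exec attempt, which is worth seeing too. */
syscall::execve:return
/self->in/
{
    printf("%Y %-6d %-6d %-6d exec errno=%d %s <- %s <- %s (gppid %d)\n",
        walltimestamp, uid, pid, ppid, errno,
        self->path, self->from,
        stringof(curthread->td_proc->p_pptr->p_comm),
        curthread->td_proc->p_pptr->p_pptr->p_pid);
    self->in = 0;
    self->path = 0;
    self->from = 0;
}

/* Log every kill(2): who sent which signal to whom (signal 0 is a probe). */
syscall::kill:entry
{
    printf("%Y %-6d %-6d %-6d kill sig=%d target=%d by %s\n",
        walltimestamp, uid, pid, ppid, (int)arg1, (int)arg0, execname);
}
```

Run it as root after kldload dtraceall, with chmod +x and ./script.d just like the scripts above; the grandparent lookup dereferences p_pptr twice, which is safe for any process except pid 0 and pid 1.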

The end
