11.7.3.1 exec

The following example shows how you can use the exec probe to easily determine which programs are being executed, and by whom. Type the following D source code and save it in a file named whoexec.d: 

#pragma D option quiet

proc:::exec
{
  self->parent = execname;
}

proc:::exec-success
/self->parent != NULL/
{
  @[self->parent, execname] = count();
  self->parent = NULL;
}

proc:::exec-failure
/self->parent != NULL/
{
  self->parent = NULL;
}

END
{
  printf("%-20s %-20s %s\n", "WHO", "WHAT", "COUNT");
  printa("%-20s %-20s %@d\n", @);
}

Running the example script for a short period of time results in output similar to the following: 

# dtrace -s ./whoexec.d 
^C
WHO                  WHAT                 COUNT
abrtd                abrt-handle-eve      1
firefox              basename             1
firefox              mkdir                1
firefox              mozilla-plugin-      1
firefox              mozilla-xremote      1
firefox              run-mozilla.sh       1
firefox              uname                1
gnome-panel          firefox              1
kworker/u:1          modprobe             1
modprobe             modprobe.ksplic      1
mozilla-plugin-      plugin-config        1
mozilla-plugin-      uname                1
nice                 sosreport            1
run-mozilla.sh       basename             1
run-mozilla.sh       dirname              1
run-mozilla.sh       firefox              1
run-mozilla.sh       uname                1
sh                   abrt-action-sav      1
sh                   blkid                1
sh                   brctl                1
sh                   cut                  1
...

Copyright © 2013, 2019, Oracle and/or its affiliates. All rights reserved. Legal Notices