2.7.7 Solution to Exercise and Example: Counting Programs Invoked by a Specified User (countprogs.d)

#!/usr/sbin/dtrace -qs

/* countprogs.d -- Count programs invoked by a specified user */

proc::do_execveat_common:exec
/uid == $1/
{
  @num[execname] = count();
}

The predicate /uid == $1/ compares the effective UID for each program that is run against the argument specified on the command line. To find the numeric ID of a user account, use the id -u user command. The following example traces the guest account:

# chmod +x countprogs.d
# ./countprogs.d $(id -u guest)
^C

less 1
lesspipe.sh 1
sh 1
bash 9

You can use the same command for the root user, which is typically user 0. For testing purposes, log in as the test user in another window and run a few ordinary programs while the script is tracing.
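
If the account name is mistyped or does not exist, the $(id -u user) substitution expands to nothing and the script is started without the argument that its predicate needs. The following wrapper is an added example, not part of the original guide, that resolves a login name or numeric UID and starts countprogs.d only when the lookup succeeds. The function names resolve_uid and trace_user are hypothetical.

```shell
#!/bin/sh
# Added example: validate the UID before it reaches countprogs.d as $1.
# resolve_uid and trace_user are hypothetical helper names.

# resolve_uid NAME_OR_UID
# Prints a numeric UID on stdout; returns non-zero if it cannot be resolved.
resolve_uid() {
    target=$1
    case $target in
        '')         # empty input would leave $1 undefined in the D script
            return 1 ;;
        -*)         # would be parsed by id as an option, not as a name
            return 1 ;;
        *[!0-9]*)   # contains a non-digit: treat it as a login name
            uid=$(id -u "$target" 2>/dev/null) || return 1 ;;
        *)          # digits only: already a UID, pass it through
            uid=$target ;;
    esac
    printf '%s\n' "$uid"
}

# trace_user NAME_OR_UID [SCRIPT]
# Runs the D script (default ./countprogs.d) with the resolved UID.
# Returns 2 for an unknown user and 3 if the script cannot be executed.
trace_user() {
    script=${2:-./countprogs.d}
    uid=$(resolve_uid "$1") || {
        echo "countprogs: cannot resolve user: $1" >&2
        return 2
    }
    [ -x "$script" ] || {
        echo "countprogs: $script is not executable" >&2
        return 3
    }
    echo "Tracing UID $uid; press Ctrl-C to print the counts" >&2
    "$script" "$uid"
}

# Usage, as root, after sourcing this file:  trace_user guest
```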