
capmon-1.0

@cappe987 cappe987 released this 27 Jul 13:33
· 108 commits to main since this release

capmon 1.0

Start monitoring capability checks.

capmon

Filter by process name

capmon tcpdump trafgen

Filter by process ID

capmon -p 13424

Filter by capability

capmon -c CAP_NET_RAW

Summary mode. On exit, output a summary of which capabilities each process has
accessed, grouped either by process name or by pid.

capmon -s pid
capmon -s name

Listen to ALL capability checks. By default capmon only listens to the functions
ns_capable and capable_wrt_inode_uidgid; with -a it listens directly to the
cap_capable function instead.

capmon -a

All the above arguments can be combined freely. Multiple filters can be used.
Filters of the same type are treated as OR operations. Filters of different
types are treated as AND operations. For example, the command

capmon -n tcpdump -n trafgen -c CAP_NET_RAW

is interpreted as

(name:tcpdump OR name:trafgen) AND (capability:CAP_NET_RAW)

Example: combining arguments

The example below listens only to the tcpdump and trafgen commands, listens to
ALL capability checks (-a), prints a summary at the end grouped by name (which
will only contain tcpdump and trafgen), and only reports a check if the
capability being checked is CAP_NET_RAW or CAP_NET_ADMIN. So an event has to
belong to one of those names AND be one of those two capabilities.

capmon tcpdump trafgen -a -s name -c CAP_NET_RAW -c CAP_NET_ADMIN

This particular combination may not be very useful, but it shows how you can
combine the arguments.
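The filter semantics described above (filters of one type OR-ed, different types AND-ed) and the -s summary grouping, modelled as an added Python illustration rather than capmon's own code. The event tuples are constructed sample data and the summary layout is an assumption; the -a switch only changes which kernel function is traced, so it is not modelled here.

```python
from collections import defaultdict

# Constructed sample of capability-check events (process name, pid,
# capability). Not real capmon output.
EVENTS = [
    ("tcpdump", 13424, "CAP_NET_RAW"),
    ("tcpdump", 13424, "CAP_NET_ADMIN"),
    ("trafgen", 13500, "CAP_NET_RAW"),
    ("trafgen", 13500, "CAP_SYS_ADMIN"),   # right name, wrong capability
    ("sshd",    900,   "CAP_NET_ADMIN"),   # right capability, wrong name
    ("ping",    14001, "CAP_NET_RAW"),     # right capability, wrong name
]


def matches(event, names=(), pids=(), caps=()):
    """Same-type filters are OR-ed (any listed value matches); filters of
    different types are AND-ed. A filter type with no values imposes no
    constraint, mirroring a capmon invocation that omits that option."""
    name, pid, cap = event
    return ((not names or name in names)
            and (not pids or pid in pids)
            and (not caps or cap in caps))


def filter_events(events, names=(), pids=(), caps=()):
    """Events that would be printed for the given name/pid/cap filters."""
    return [e for e in events if matches(e, names, pids, caps)]


def summarize(events, by="name"):
    """Summary mode (-s name / -s pid): the distinct capabilities each
    process accessed, keyed by process name or by pid."""
    key = (lambda e: e[0]) if by == "name" else (lambda e: e[1])
    summary = defaultdict(set)
    for event in events:
        summary[key(event)].add(event[2])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    # capmon tcpdump trafgen -a -s name -c CAP_NET_RAW -c CAP_NET_ADMIN
    hits = filter_events(EVENTS, names={"tcpdump", "trafgen"},
                         caps={"CAP_NET_RAW", "CAP_NET_ADMIN"})
    for name, pid, cap in hits:
        print(f"{name:<8} {pid:<6} {cap}")
    print(summarize(hits, by="name"))
```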

Running in background

Start or stop monitoring in the background. This can only be combined with -a.
After enabling it you can view and filter the output by running capmon as
shown above.

capmon --enable
capmon --disable