iovisor · skipmcgee · Mar 4, 2025 · Mar 4, 2025 · Mar 4, 2025 · Mar 14, 2025
@@ -1,9 +1,9 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
-# bashreadline  Print entered bash commands from all running shells.
+# bashreadline Print entered bash commands from all running shells.
 #               For Linux, uses BCC, eBPF. Embedded C.
 #
-# USAGE: bashreadline [-s SHARED]
+# USAGE: bashreadline [-h] [-s [SHARED]] [-j] [-f [FILENAME]]
 # This works by tracing the readline() function using a uretprobe (uprobes).
 # When you failed to run the script directly with error:
 # `Exception: could not determine address of symbol b'readline'`,
@@ -15,27 +15,50 @@
 #
 # 28-Jan-2016    Brendan Gregg   Created this.
 # 12-Feb-2016    Allan McAleavy migrated to BPF_PERF_OUTPUT
+# 25-Feb-2025    Skip McGee added args, output and uid
 
 from __future__ import print_function
 from elftools.elf.elffile import ELFFile
 from bcc import BPF
 from time import strftime
+import os
 import argparse
+import json
 
 parser = argparse.ArgumentParser(
-        description="Print entered bash commands from all running shells",
-        formatter_class=argparse.RawDescriptionHelpFormatter)
-parser.add_argument("-s", "--shared", nargs="?",
-        const="/lib/libreadline.so", type=str,
-        help="specify the location of libreadline.so library.\
-              Default is /lib/libreadline.so")
+    description="Print entered bash commands from all running shells",
+    formatter_class=argparse.RawDescriptionHelpFormatter,
+)
+parser.add_argument(
+    "-f",
+    "--file",
+    nargs="?",
+    type=argparse.FileType("a"),
+    help="specify an output file for results.",
+)
+parser.add_argument(
+    "-j",
+    "--json",
+    action="store_true",
+    help="return each result as a JSON string.",
+)
+parser.add_argument(
+    "-s",
+    "--shared",
+    nargs="?",
+    const="/lib/libreadline.so",
+    type=str,
+    help="specify the location of libreadline.so library.\
+              Default is /lib/libreadline.so",
+)
+
 args = parser.parse_args()
 
 name = args.shared if args.shared else "/bin/bash"
 
 
 def get_sym(filename):
-    with open(filename, 'rb') as f:
+    with open(filename, "rb") as f:
         elf = ELFFile(f)
         symbol_table = elf.get_section_by_name(".dynsym")
         for symbol in symbol_table.iter_symbols():
@@ -52,10 +75,10 @@ def get_sym(filename):
 #include <linux/sched.h>
 
 struct str_t {
+    u32 uid;
     u32 pid;
-    char str[80];
+    char str[400];
 };
-
 BPF_PERF_OUTPUT(events);
 
 int printret(struct pt_regs *ctx) {
@@ -64,6 +87,7 @@ def get_sym(filename):
     if (!PT_REGS_RC(ctx))
         return 0;
     data.pid = bpf_get_current_pid_tgid() >> 32;
+    data.uid = bpf_get_current_uid_gid();
     bpf_probe_read_user(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
 
     bpf_get_current_comm(&comm, sizeof(comm));
@@ -80,16 +104,63 @@ def get_sym(filename):
 b.attach_uretprobe(name=name, sym=sym, fn_name="printret")
 
 # header
-print("%-9s %-7s %s" % ("TIME", "PID", "COMMAND"))
+if not args.json:
+    banner = "%-20s %-7s %-6s %s" % ("TIME", "PID", "UID", "COMMAND")
+    if args.file:
+        if os.path.exists(args.file.name):
+            file_size = os.stat(args.file.name).st_size
+            if file_size == 0:
+                with open(args.file.name, "w") as output_file:
+                    output_file.write(banner + "\n")
+        else:
+            with open(args.file.name, "w") as output_file:
+                output_file.write(banner + "\n")
+    else:
+        print(banner)
 
 
 def print_event(cpu, data, size):
     event = b["events"].event(data)
-    print("%-9s %-7d %s" % (strftime("%H:%M:%S"), event.pid,
-                            event.str.decode('utf-8', 'replace')))
-
-
-b["events"].open_perf_buffer(print_event)
+    event_time = strftime("%Y/%m/%d-%H:%M:%S")
+    if args.file:
+        event_output = "%-20s %-7s %-6s %s" % (
+            event_time,
+            event.pid,
+            event.uid,
+            event.str.decode("utf-8", "replace").strip(),
+        )
+        with open(args.file.name, "a") as output_file:
+            output_file.write(event_output + "\n")
+    else:
+        print(
+            "%-20s %-7d %-6d %s"
+            % (
+                event_time,
+                event.pid,
+                event.uid,
+                event.str.decode("utf-8", "replace").strip(),
+            )
+        )
+
+
+def json_event(cpu, data, size):
+    event = b["events"].event(data)
+    json_data = dict()
+    json_data["TIME"] = strftime("%Y/%m/%d-%H:%M:%S")
+    json_data["PID"] = event.pid
+    json_data["UID"] = event.uid
+    json_data["COMMAND"] = event.str.decode("utf-8", "replace").strip()
+    if args.file:
+        with open(args.file.name, "a") as output_file:
+            output_file.write(f"{json.dumps(json_data)}\n")
+    else:
+        print(str(json_data))
+
+
+if args.json:
+    b["events"].open_perf_buffer(json_event)
+else:
+    b["events"].open_perf_buffer(print_event)
 while 1:
     try:
         b.perf_buffer_poll()

@@ -5,27 +5,36 @@ This prints bash commands from all running bash shells on the system. For
 example:
 
 # ./bashreadline
-TIME      PID    COMMAND
-05:28:25  21176  ls -l
-05:28:28  21176  date
-05:28:35  21176  echo hello world
-05:28:43  21176  foo this command failed
-05:28:45  21176  df -h
-05:29:04  3059   echo another shell
-05:29:13  21176  echo first shell again
+TIME                 PID     UID    COMMAND
+02/25/2025-05:28:25  21176   56782  ls -l
+02/25/2025-05:28:28  21176   56783  date
+02/25/2025-05:28:35  21176   56782  echo hello world
+02/25/2025-05:28:43  21176   56784  foo this command failed
+02/25/2025-05:28:45  21176   56784  df -h
+02/25/2025-05:29:04  3059    56779  echo another shell
+02/25/2025-05:29:13  21176   56784  echo first shell again
 
 When running the script on Arch Linux, you may need to specify the location
 of libreadline.so library:
 
 # ./bashreadline -s /lib/libreadline.so
-TIME      PID    COMMAND
-11:17:34  28796  whoami
-11:17:41  28796  ps -ef
-11:17:51  28796  echo "Hello eBPF!"
+TIME                 PID     UID    COMMAND
+02/25/2025-11:17:34  28796   56782  whoami
+02/25/2025-11:17:41  28796   56782  ps -ef
+02/25/2025-11:17:51  28796   56782  echo "Hello eBPF!"
 
+There is a -j or --json argument that converts the output to json:
+# ./bashreadline -j
+{'TIME': '02/25/2025-11:14:21', 'PID': 818095, 'UID': 78912, 'COMMAND': 'whoami'}
+{'TIME': '02/25/2025-11:14:28', 'PID': 818095, 'UID': 43592, 'COMMAND': 'oranges'}
+
+There is also a -f or --file argument that logs all output to a file instead of to stdout:
+# ./bashreadline -f /var/log/test.log
+if the file logging is desired in json, combine the arguments to produce the desired result:
+# ./bashreadline -jf /var/log/test.log
 
 The entered command may fail. This is just showing what command lines were
 entered interactively for bash to process.
 
 It works by tracing the return of the readline() function using uprobes
-(specifically a uretprobe).
+(specifically a uretprobe).