Project 3: Process Execution Logger (execsnoop Clone)

A tool that logs every process execution on the system—showing the command, arguments, parent process, return code, and timing. This is your own version of execsnoop from BCC.

Quick Reference

Attribute              Value
Primary Language       C (libbpf)
Alternative Languages  Go (cilium/ebpf), Rust (aya)
Difficulty             Level 2: Intermediate
Time Estimate          1-2 weeks
Knowledge Area         Process Tracing / Security Auditing
Tooling                libbpf, perf_buffer/ring_buffer
Prerequisites          Project 2 completed, understanding of fork/exec

What You Will Build

A command-line tool, modelled on execsnoop from BCC, that attaches to the kernel and prints one line per process execution: the time, PID, PPID, return code, command name and full argument list, with filters for PID, parent PID, command pattern and failed executions only.

Why It Matters

This project introduces event streaming from kernel to userspace using perf buffers or ring buffers. You’ll also learn to capture variable-length data (command arguments) and correlate entry/exit events.

Core Challenges

  • Capturing variable-length arguments → maps to reading from userspace memory
  • Streaming events to userspace → maps to perf_buffer vs ring_buffer
  • Correlating entry and exit → maps to storing state between probes
  • Handling high event rates → maps to performance optimization

Key Concepts

Real-World Outcome

$ sudo ./execsnoop
TIME      PID    PPID   RET  COMM             ARGS
14:23:01  12345  1234     0  bash             bash -c echo hello
14:23:01  12346  12345    0  echo             echo hello
14:23:02  12347  1234     0  curl             curl -s https://api.example.com
14:23:03  12348  12347    0  sh               sh -c date
14:23:03  12349  12348    0  date             date
14:23:05  12350  1        -2  badcmd           badcmd --flag  # ENOENT

[Filters: PID, PPID, command pattern, failed-only]

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_BPF_EBPF_LINUX.md
  • “BPF Performance Tools” by Brendan Gregg