By Darren Moffat-Oracle on Apr 04, 2013
As a very quick example of how powerful it can be, here is a short one-liner that finds all the processes running with a real uid that differs from their effective uid:
> ::ptree | ::if proc_t p_cred->cr_ruid <> p_cred->cr_uid | ::print proc_t p_user.u_comm
Or a similar one to find out all the priv aware processes, this time showing some output:
> ::ptree | ::if proc_t p_cred->cr_priv.crpriv_flags & 0x0002 | ::print proc_t p_user.u_comm
p_user.u_comm = [ "su" ]
p_user.u_comm = [ "nfs4cbd" ]
p_user.u_comm = [ "lockd" ]
p_user.u_comm = [ "nfsmapid" ]
p_user.u_comm = [ "statd" ]
p_user.u_comm = [ "nfs4cbd" ]
...
The new ::if is very powerful and can do much more advanced things than my simple examples, such as substring comparison, but I chose examples that are useful to me and relevant to security.
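As an added example that is not from the original post, the pipeline below chains two ::if filters to list only the processes whose effective uid is root while their real uid is not, i.e. the processes that reached root through a setuid or similar mechanism, and prints the pid alongside the command name so each hit can be tied back to a process. It assumes that ::if accepts == in addition to the <> and & operators shown above, and that proc_t exposes the pid via p_pidp->pid_id; the output lines are constructed for illustration.

```mdb
// Constructed mdb session against a live kernel (mdb -k) or a crash dump.
// Filter 1: effective uid is root (cr_uid == 0); assumes ::if supports ==.
// Filter 2: real uid is not root (cr_ruid <> 0), so plain root daemons drop out.
// ::print then shows the pid (assumed member p_pidp->pid_id), the command and the real uid.
> ::ptree | ::if proc_t p_cred->cr_uid == 0 | ::if proc_t p_cred->cr_ruid <> 0 | ::print proc_t p_pidp->pid_id p_user.u_comm p_cred->cr_ruid
p_pidp->pid_id = 0t1234        // constructed sample output
p_user.u_comm = [ "su" ]
p_cred->cr_ruid = 0t100
...

// Same idea for the privilege-aware set: keep the PRIV_AWARE-flagged processes from the
// post's example, but also print the flag word so the reason each one matched is visible.
> ::ptree | ::if proc_t p_cred->cr_priv.crpriv_flags & 0x0002 | ::print proc_t p_pidp->pid_id p_user.u_comm p_cred->cr_priv.crpriv_flags
```

Comparing the first list against the set of setuid binaries you expect on the host is a quick way to spot a process that should not be holding root.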