I’ve been hacking around with dtrace for a few months now. Whenever I need to use dtrace, I start by going over to Brendan Gregg’s site and looking for something close to what I need, then modify it as necessary.
1) Who’s signaling who.
Here’s a dtrace one-liner I wrote when I needed to figure out why a certain process was dying off. I wanted a list of all signals being sent and received by all processes on my system. It tells you which process sent a signal, which signal was sent, and to which process it was sent. It also reports every process that handles a signal and which signal it got.
# dtrace -qn 'proc:::signal-send { printf("%s (PID=%d) sent signal %d to PID %d\n", execname, pid, args[2], args[1]->pr_pid) }
proc:::signal-handle { printf("%s (PID=%d) was sent signal %d\n", execname, pid, arg0)}'
2) UID of new processes.
I used this to troubleshoot an RBAC problem, to verify the UIDs that processes are started with.
# dtrace -qn 'proc:::exec {printf("UID=%d ",uid); }
proc:::exec-success {printf("Process=%s\n",execname);}'
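
A script form of the UID check, added here as an example and not part of the original post. It saves the UID and effective UID when exec is entered, prints them next to the values seen at exec-success on a single line per process, and reports failed execs through exec-failure so they do not leave a dangling "UID=" in the output. It assumes the Solaris/illumos proc provider and the pr_euid member of curpsinfo; the thread-local variable names are illustrative.

```dtrace
#!/usr/sbin/dtrace -qs
/*
 * Added example: per-exec credential report.
 * Assumes the Solaris/illumos proc provider and psinfo_t (curpsinfo->pr_euid).
 */

/* exec entered: save the caller's name and credentials per thread. */
proc:::exec
{
	self->inexec = 1;
	self->caller = execname;
	self->uid = uid;
	self->euid = curpsinfo->pr_euid;
}

/* New image loaded: print the identity before and after on one line. */
proc:::exec-success
/self->inexec/
{
	printf("%Y PID=%d PPID=%d %s -> %s UID=%d->%d EUID=%d->%d\n",
	    walltimestamp, pid, ppid, self->caller, execname,
	    self->uid, uid, self->euid, curpsinfo->pr_euid);
}

/* exec failed: args[0] carries the errno value. */
proc:::exec-failure
/self->inexec/
{
	printf("%Y PID=%d %s exec failed errno=%d (UID=%d EUID=%d)\n",
	    walltimestamp, pid, execname, args[0], self->uid, self->euid);
}

/* Runs after the clauses above for either outcome: free thread-local storage. */
proc:::exec-success,
proc:::exec-failure
/self->inexec/
{
	self->inexec = 0;
	self->caller = NULL;
	self->uid = 0;
	self->euid = 0;
}
```

A line where the UID or EUID differs across the arrow is an exec that changed credentials, which is the case to compare against the RBAC profile being debugged.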