3

I'm running Slackware 13.37, and I was wondering if there was a way to tell which script executed a command. I tracked the process and its arguments, but I would like to know where the command originated from.

1
  • In what type of scenario: is the command running at the time of your investigation? Do you want to investigate all executions of the command or just some? Can you set up a monitoring method beforehand or is this strictly forensic? Can you control all the ways the command is run? Can you modify the command's executable? Browsing process+monitoring might provide inspiration. Commented May 27, 2011 at 10:08

1 Answer

4

There is no guaranteed generic way to do that apart from walking the process tree (by looking at the command's PPID, then that process's PPID, etc...).

There's a good utility for that though, if you're not trying to script something: pstree. It will give you a "graphical" view of the process hierarchy. Something like:

$ pstree -a
 ...
  ├─udevd --daemon
  │   ├─udevd --daemon
  │   └─udevd --daemon
  ├─urxvt
  │   └─bash
  │       └─pstree -ah
  └─xdm
      ├─X :0 vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-g8w3zk
      └─xdm
          └─awesome
              ├─chrome
              │   ├─chrome
              │   └─21*[{chrome}]
              └─qmpdclient
                  └─{qmpdclient}

There are options to show the PIDs, show or hide the command lines, etc...

1
  • 1
    You can also use ps -axf. The f is for forest, but it looks like a tree. ;-) Commented May 27, 2011 at 5:25
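
The PPID walk described in the answer above, as an added example that is not part of the original answer: a POSIX shell function that follows the PPid field of /proc/PID/status upward and prints each ancestor with its command line. It assumes a Linux /proc; the function names (ppid_of, cmdline_of, ancestry) are made up for this example.

```shell
#!/bin/sh
# Added example: walk a process's ancestry through /proc (Linux only).
# ancestry PID prints one line per process: "PID PPID COMMAND LINE".
# Caveat: if an intermediate parent has already exited, its child is
# reparented (usually to PID 1), so the launching script drops out of the chain.

ppid_of() {
    # Parent PID from /proc/PID/status; fails if the process is gone.
    awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

cmdline_of() {
    # /proc/PID/cmdline is NUL-separated. Kernel threads have an empty
    # cmdline, so fall back to the short name from /proc/PID/comm.
    c=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline") || c=""
    c=${c% }
    [ -n "$c" ] || c="[$(cat "/proc/$1/comm" 2>/dev/null)]"
    printf '%s' "$c"
}

ancestry() {
    pid=$1
    # Stop at PPID 0 (parent of init, or a parent outside the PID namespace),
    # on non-numeric input, or when the process no longer exists.
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -d "/proc/$pid" ]; do
        ppid=$(ppid_of "$pid") || break
        [ -n "$ppid" ] || break
        printf '%s %s %s\n' "$pid" "$ppid" "$(cmdline_of "$pid")"
        pid=$ppid
    done
}

# When run as a script with a PID argument, print that process's chain.
if [ $# -gt 0 ]; then
    ancestry "$1"
fi
```

The walk only sees processes that are still alive, so it has to run while the command of interest is executing.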
