Recording Process Startup (forks/exec etc) in Unix

[The Boss]

Hi All,

I am trying to find a way to record when processes on a Unix/Linux system
are started and when (i.e. new process ID, parent process ID, spawning
user,time) as a way of modeling user behavior in order to allow intrusion
detection. I was thinking of perhaps catching the SIGCHILD signal or
recording exec system calls. I could probably run this as root, so this
would probably be a daemon and record these to a logfile for a separate
analysis routine.

I am not opposed to roundabout programming, but I would like to do this
fairly efficiently. I could probably parse out the "/proc" filesystem or
the output of "/bin/ps", but I think that would make this method of
collection cause a performance hit in the system.

Does anyone know of any resources related to this or have any idea of how
to begin? I'd like to keep it in C if possible.

I appreciate your help!

Thanks,

Craig

 

[Jack Klein]

Hi All,

I am trying to find a way to record when processes on a Unix/Linux system

Cross posting to this many newsgroups is rude. Especially when it is
off-topic in at least one of them, as it is in comp.lang.c. There are
no processes nor is there a UNIX or Linux in the C language.

Go to and read some articles on proper
posting manners. Scattering a question to every group with a name
that happens to make you think it might be relevant is just plain bad
manners.

[posted and mailed]

--
Jack Klein
Home: http://JK-Technology.Com
FAQs for
comp.lang.c http://www.eskimo.com/~scs/C-faq/top.html
comp.lang.c++ http://www.parashift.com/c++-faq-lite/
alt.comp.lang.learn.c-c++ ftp://snurse-l.org/pub/acllc-c++/faq