inotify

Can Linux provide an execve user-space callback?


In the past I've employed inotify for logging as well as for system functions. Now I'm in a position where I need to know each time an executable has been called, and the complete set of command line arguments passed in.

Short of setting up an auditd rule, is there any method to trigger on a particular executable being called, and return its command line arguments from user-space? I know the audit daemon can do this, so perhaps that's where I should look.


Solution

  • Monitoring process creation and termination events is a useful skill to have in your toolbox. This article consists of two parts. The first introduces existing tools for different platforms. The second explains how these tools work internally. [1]

    [1] describes many tools; one tool, forkstat, uses netlink [2]. Its source code is at https://github.com/ColinIanKing/forkstat.

    Here are commands I used:

    git clone https://github.com/ColinIanKing/forkstat.git
    cd forkstat
    make
    sudo ./forkstat
    

    In a separate ssh session I ran an ls command and observed this output:

    Time     Event   PID Info   Duration Process
    09:43:49 fork  10362 parent          -bash
    09:43:49 fork  10433 child           -bash
    09:43:49 exec  10433                 ls --color=auto
    09:43:49 exit  10433      0   0.004s ls --color=auto
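What forkstat does underneath is subscribe to the kernel's proc connector over a netlink socket and, on each exec event, read the new process's argv from /proc. The following is an added, stand-alone example (not forkstat's code and not from the original answer) that does the same thing in Python with no third-party modules: it builds the subscription message, decodes fork/exec/exit events from the raw datagrams, and resolves the command line for exec events. The struct layouts and constants are taken from the kernel's <linux/netlink.h>, <linux/connector.h> and <linux/cn_proc.h>; the function names, the optional executable-name filter and the `encode_event` helper (used only to build test packets offline) are this example's own. Listening on the proc connector requires root (CAP_NET_ADMIN), so the live `watch()` loop must be run with sudo; the parsing functions run anywhere.

```python
"""Minimal Linux proc-connector (netlink) listener that reports exec events with argv."""
import os
import socket
import struct
import sys

# Constants from <linux/netlink.h>, <linux/connector.h>, <linux/cn_proc.h>
NETLINK_CONNECTOR = 11
NLMSG_DONE = 0x3
CN_IDX_PROC = 0x1
CN_VAL_PROC = 0x1
PROC_CN_MCAST_LISTEN = 1
PROC_EVENT_FORK = 0x00000001
PROC_EVENT_EXEC = 0x00000002
PROC_EVENT_EXIT = 0x80000000

# Wire layouts (native byte order, standard sizes, no padding between them):
# struct nlmsghdr   { u32 len; u16 type; u16 flags; u32 seq; u32 pid; }         -> 16 bytes
# struct cn_msg     { u32 idx; u32 val; u32 seq; u32 ack; u16 len; u16 flags; }  -> 20 bytes
# struct proc_event { u32 what; u32 cpu; u64 timestamp_ns; union event_data; }   -> 16-byte header
NLMSGHDR = struct.Struct("=IHHII")
CN_MSG = struct.Struct("=IIIIHH")
PROC_EVENT_HDR = struct.Struct("=IIQ")


def build_subscribe_message(pid):
    """cn_msg carrying PROC_CN_MCAST_LISTEN: asks the kernel to start sending proc events."""
    payload = struct.pack("=I", PROC_CN_MCAST_LISTEN)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(payload), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + len(cn) + len(payload), NLMSG_DONE, 0, 0, pid)
    return nl + cn + payload


def encode_event(what, *fields, cpu=0, ts_ns=0):
    """Build a datagram in the layout the kernel emits (helper for offline testing only)."""
    body = PROC_EVENT_HDR.pack(what, cpu, ts_ns) + struct.pack("=%di" % len(fields), *fields)
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(body), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + len(cn) + len(body), NLMSG_DONE, 0, 0, 0)
    return nl + cn + body


def parse_proc_event(packet):
    """Decode one proc-connector datagram into a dict; None for anything we don't handle."""
    if len(packet) < NLMSGHDR.size + CN_MSG.size + PROC_EVENT_HDR.size:
        return None  # truncated or not a proc event
    _len, nl_type, _flags, _seq, _pid = NLMSGHDR.unpack_from(packet, 0)
    if nl_type != NLMSG_DONE:
        return None
    idx, val, _s, _a, _l, _f = CN_MSG.unpack_from(packet, NLMSGHDR.size)
    if (idx, val) != (CN_IDX_PROC, CN_VAL_PROC):
        return None
    off = NLMSGHDR.size + CN_MSG.size
    what, cpu, ts_ns = PROC_EVENT_HDR.unpack_from(packet, off)
    off += PROC_EVENT_HDR.size
    if what == PROC_EVENT_EXEC:
        pid, tgid = struct.unpack_from("=ii", packet, off)
        return {"what": "exec", "pid": pid, "tgid": tgid, "cpu": cpu, "ts_ns": ts_ns}
    if what == PROC_EVENT_FORK:
        ppid, ptgid, cpid, ctgid = struct.unpack_from("=iiii", packet, off)
        return {"what": "fork", "parent_pid": ppid, "pid": cpid, "tgid": ctgid, "cpu": cpu, "ts_ns": ts_ns}
    if what == PROC_EVENT_EXIT:
        pid, tgid, code, sig = struct.unpack_from("=iiII", packet, off)
        return {"what": "exit", "pid": pid, "tgid": tgid, "exit_code": code, "exit_signal": sig, "cpu": cpu, "ts_ns": ts_ns}
    return None


def split_cmdline(raw):
    """Turn the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def read_cmdline(pid):
    """argv of a live process, or None if it already exited (the event is asynchronous)."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return split_cmdline(f.read())
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None


def watch(exe_name=None):
    """Print every exec event (optionally only those whose argv[0] basename matches)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    sock.bind((os.getpid(), CN_IDX_PROC))          # join the proc-connector multicast group
    sock.send(build_subscribe_message(os.getpid()))
    while True:
        ev = parse_proc_event(sock.recv(4096))
        if not ev or ev["what"] != "exec":
            continue
        argv = read_cmdline(ev["pid"])
        if not argv:
            print("exec pid=%d (process already gone before /proc could be read)" % ev["pid"])
            continue
        if exe_name and os.path.basename(argv[0]) != exe_name:
            continue
        print("exec pid=%d argv=%r" % (ev["pid"], argv))


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else None)   # e.g. sudo python3 procwatch.py ls
```

Two properties of this approach matter for the question as asked. First, it is a notification, not a callback: the kernel sends the event after execve has completed, so the listener can observe but never block or veto the exec. Second, argv is not carried in the event; it is re-read from /proc/<pid>/cmdline afterwards, so a process that exits quickly may be gone before it is read (handled above by returning None), and a process can rewrite its own argv memory after start, so the value is not tamper-proof. If the complete, as-entered argument list must be recorded reliably, that is exactly what an auditd execve rule gives you, since audit captures the arguments at syscall time.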