Is <i>process accounting</i> so obviously unsuitable to the article author's requirements, that it needs no mention at all?<p><a href="https://unix.stackexchange.com/questions/468909/what-does-process-accounting-mean-in-linux" rel="nofollow">https://unix.stackexchange.com/questions/468909/what-does-pr...</a>
To really capture any new process, on an x86 chip at least, you'd need to implement some kind of hardware callback to the OS whenever a new Task State Segment (TSS) was created in the GDT.<p>Note, however, that this wouldn't capture new threads that are created inside of existing tasks/processes, nor those inside of software-emulated virtual machines, and the capture of those, additionally, for logging purposes, might be desirable...<p>But, for future hardware designers out there -- if you're going to create a new CPU, then I think a hardware callback for any time a new task is created would be a great addition for your new CPU...<p>Perhaps such a callback could be done in microcode...<p>Also, this callback should work in all nested VM/protection levels, from the highest-level hypervisor down to the lowest-level OS...<p>Anyway, just thinking aloud...
Worth mentioning the Microsoft(!) Process Monitor for Linux, as well. <a href="https://github.com/microsoft/ProcMon-for-Linux" rel="nofollow">https://github.com/microsoft/ProcMon-for-Linux</a><p>The Windows Procmon is very powerful, but the Linux one is still in preview, so YMMV.
I wrote an eBPF security monitoring tool for an endpoint protection solution that is surprisingly similar to your proposed solution of walking the dentry tree for obtaining the command path.<p>It basically takes a block of memory, and splits it in a static array of arrays, and then walks the dentry tree, copying each portion of the path into it.<p>It then follows and decodes the mount path in a similar way, and it's fully recomposed in user space into a single path.<p>I could have done the mount path in userspace too probably by just passing some identifier.
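The dentry walk described in the comment above, as an added example that is not the commenter's tool and not real BPF code: a plain userspace C model of the same design. The "kernel side" walks leaf to root under a hard iteration bound (as a BPF program must), copies each `d_name` into its own fixed-size slot of a static array of arrays, and hops from a filesystem root to the mount point beneath it so the path survives crossing mounts; the "user space side" stitches the slots back into one path. The `struct dentry`/`struct mount` stand-ins, `collect_path`, `recompose_path`, `MAX_DEPTH`, `NAME_SLOT` and the `/usr/bin/python3` tree in `demo_path` are all assumptions made for the example (the real kernel structs carry far more fields), and the mount crossing is folded into the same loop rather than done as the separate second walk the comment describes.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model of a bounded dentry walk (added example, not BPF code).
 * Field names mirror the kernel's, but these structs are stand-ins. */
#define MAX_DEPTH 8       /* hard bound: a BPF loop must have a fixed upper limit */
#define NAME_SLOT 32      /* bytes per path-component slot, including the NUL */

struct dentry {
    const struct dentry *d_parent;       /* root of a filesystem points to itself */
    const char *d_name;
};

struct mount {
    const struct mount  *mnt_parent;     /* the global root mount points to itself */
    const struct dentry *mnt_mountpoint; /* dentry in the parent mount we are mounted on */
    const struct dentry *mnt_root;       /* root dentry of this mount's filesystem */
};

/* What the kernel side emits: the "block of memory split into a static array
 * of arrays". Slot 0 is the leaf; slot depth-1 is the component nearest root. */
struct path_event {
    unsigned int depth;
    char comp[MAX_DEPTH][NAME_SLOT];
};

/* When d is the root of its filesystem, hop to the mount point in the parent
 * mount (repeatedly, for mounts stacked on mounts). Returns 1 at the global root. */
static int cross_mounts(const struct dentry **d, const struct mount **mnt)
{
    while (*d == (*mnt)->mnt_root || (*d)->d_parent == *d) {
        if ((*mnt)->mnt_parent == *mnt)
            return 1;
        *d = (*mnt)->mnt_mountpoint;
        *mnt = (*mnt)->mnt_parent;
    }
    return 0;
}

/* "Kernel side": copy one d_name per slot walking leaf -> root.
 * Returns 0 if the global root was reached, -1 if MAX_DEPTH slots were not enough. */
int collect_path(const struct dentry *d, const struct mount *mnt, struct path_event *ev)
{
    memset(ev, 0, sizeof(*ev));
    for (unsigned int i = 0; i < MAX_DEPTH; i++) {
        if (cross_mounts(&d, &mnt))
            return 0;
        strncpy(ev->comp[i], d->d_name, NAME_SLOT - 1);
        ev->comp[i][NAME_SLOT - 1] = '\0';   /* strncpy does not guarantee a NUL */
        ev->depth = i + 1;
        d = d->d_parent;
    }
    /* slots exhausted: only a success if we are now exactly at the global root */
    return cross_mounts(&d, &mnt) ? 0 : -1;
}

/* "User space side": slots arrive leaf-first, so join them in reverse with '/'.
 * Returns the length written, or 0 if out is too small (never a partial path). */
size_t recompose_path(const struct path_event *ev, char *out, size_t outlen)
{
    size_t pos = 0;
    if (ev->depth == 0)
        return outlen >= 2 ? (size_t)snprintf(out, outlen, "/") : 0;
    for (unsigned int i = ev->depth; i > 0; i--) {
        int n = snprintf(out + pos, outlen - pos, "/%s", ev->comp[i - 1]);
        if (n < 0 || (size_t)n >= outlen - pos)
            return 0;
        pos += (size_t)n;
    }
    return pos;
}

/* Constructed tree: "/usr" is its own mount holding "bin/python3". */
size_t demo_path(char *out, size_t outlen)
{
    static const struct dentry root_fs_root = { &root_fs_root, "" };
    static const struct dentry usr_mp       = { &root_fs_root, "usr" };
    static const struct mount  root_mnt     = { &root_mnt, &root_fs_root, &root_fs_root };
    static const struct dentry usr_fs_root  = { &usr_fs_root, "" };
    static const struct dentry bin          = { &usr_fs_root, "bin" };
    static const struct dentry python3      = { &bin, "python3" };
    static const struct mount  usr_mnt      = { &root_mnt, &usr_mp, &usr_fs_root };

    struct path_event ev;
    if (collect_path(&python3, &usr_mnt, &ev) != 0)
        return 0;
    return recompose_path(&ev, out, outlen);
}

int main(void)
{
    char buf[256];
    if (demo_path(buf, sizeof buf))
        printf("%s\n", buf);    /* /usr/bin/python3 */
    return 0;
}
```

The two things worth carrying over to a real BPF program are the fixed iteration bound (the verifier rejects unbounded loops, so a path deeper than `MAX_DEPTH` must be reported as truncated rather than silently cut) and keeping the components in separate fixed slots so the kernel side never does variable-offset string concatenation, which is what makes the verifier unhappy in the first place.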
Nice!<p>I find it way more difficult debugging networking on Linux. It's easy to see which ports are in use, but finding out which process is using a port is a nightmare to me.