OS-wide monitoring (in Linux)

file changes

man inotifywait

Wikipedia 'inotify'

process creation

• forkstat
  • based on netlink, which should be available in kernels v2.0 and v2.2+
    • Note, however, that netlink is considered an unreliable communication channel, and that events may be dropped in two situations: 1) global memory exhaustion, or 2) receiver queue buffer overrun.
  • man forkstat
  • forkstat source code
  • forkstat has almost no filtering options, so it may be best to pipe its output to | grep --line-buffered <pattern>
• bpftrace ... sys_enter_exec
  • based on eBPF, which should be available in kernels v3.18+
  • bpftrace source code
• auditctl
  • based on auditd, which is commonly available on RHEL
  • man auditctl
  • man autrace
  • for example, try something like auditctl -a always,entry -S execve then tail -f /var/log/audit/audit.log (NOTE — I haven't gotten this working yet)
• (TODO — continue looking through this list of suggestions)