Hi All,
I am trying to find a way to record when processes on a Unix/Linux system
are started (i.e. new process ID, parent process ID, spawning
user, time) as a way of modeling user behavior in order to allow intrusion
detection. I was thinking of perhaps catching the SIGCHLD signal or
recording exec system calls. I could probably run this as root, so this
would probably be a daemon and record these to a logfile for a separate
analysis routine.
I am not opposed to roundabout programming, but I would like to do this
fairly efficiently. I could probably parse out the "/proc" filesystem or
the output of "/bin/ps", but I think that would make this method of
collection cause a performance hit in the system.
Does anyone know of any resources related to this or have any idea of how
to begin? I'd like to keep it in C if possible.
I appreciate your help!
Thanks,
Craig