How to log processes created?

Support for security such as firewalls and securing Linux
Suaroman
Posts: 3
Joined: 2014/07/30 15:29:03

How to log processes created?

Post by Suaroman » 2014/07/30 15:43:26

I'm running Centos 6.5

I need to track whether a certain program is getting spawned, but I'm not sure how to do this.

For example :

1. A program called FooProgram might get spawned by another application
2. If FooProgram does indeed get spawned, it will run for a very short amount of time (< 1 second), then it goes away.
3. I'd like to 'record' or track when FooProgram gets spawned and capture (of course) the name of the program and the command line process info that was used at the time it was spawned.


Applications like System Monitor and htop/top don't seem quick enough, and even if they were, I wouldn't have time to look at the command line property (it's very large) before the process exits.

Is there something I can turn on that would capture / log all processes started (and associated process attributes like command line) ? I would only need to do this type of capturing within a very short time window. I'm not concerned about system performance or overhead during the collection process.

Thanks for any tips,
Suaroman

TrevorH
Forum Moderator
Posts: 28074
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to log processes created?

Post by TrevorH » 2014/07/30 16:07:14

Moved to the Security forum as I suspect that you'll get better answers here from someone familiar with audit rules.
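What the "audit rules" TrevorH refers to look like in practice, as an added example that is not part of the thread: auditd on CentOS 6 can record every execve() system call, including the full argument vector, no matter how briefly the process lives, and the raw records can then be filtered for one program after the fact. The key name "procmon" and the sample audit.log records inside sample_log() are made up for this demonstration; the record layout follows the raw /var/log/audit/audit.log format, where the SYSCALL, EXECVE and CWD records of one event share a serial number.

```shell
#!/bin/bash
# Added example, not from the thread: record every execve() with auditd and
# pull the command lines for one program back out of the raw audit log.
# Assumptions: the key name "procmon" and the records written by sample_log()
# are constructed for this demonstration.

# Rules for /etc/audit/audit.rules (then "service auditd restart"), or feed
# them to auditctl with install_audit_rules. Both ABIs are listed because a
# 32-bit FooProgram on a 64-bit kernel only matches arch=b32.
audit_rules() {
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S execve -k procmon' \
        '-a always,exit -F arch=b32 -S execve -k procmon'
}

# Load the rules live (root only; confirm with "auditctl -l"). Not called below.
install_audit_rules() {
    audit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # the rule line is meant to be word-split
        auditctl $rule || exit 1
    done
}

# execve_report LOG [FILTER]: print "epoch pid=.. ppid=.. exe argv" for each
# execve event whose exe or argv contains FILTER (all events if FILTER is empty).
execve_report() {
    awk -v want="${2:-}" '
    {
        # every record carries msg=audit(EPOCH.MS:SERIAL); SERIAL ties the
        # SYSCALL, EXECVE and CWD records of one event together
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        split(substr($0, RSTART + 10, RLENGTH - 11), p, ":")
        ts = p[1]; id = p[2]
    }
    $1 == "type=SYSCALL" {
        when[id] = ts
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "pid") pid[id] = kv[2]
            else if (kv[1] == "ppid") ppid[id] = kv[2]
            else if (kv[1] == "exe") { exe[id] = kv[2]; gsub(/"/, "", exe[id]) }
        }
    }
    $1 == "type=EXECVE" {
        line = ""
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^a[0-9]+=/) continue
            v = substr($i, index($i, "=") + 1)
            # a quoted value is literal; an unquoted one is hex-encoded by auditd
            # (the argument held a space or control char) and is left as-is here
            gsub(/^"|"$/, "", v)
            line = (line == "" ? v : line " " v)
        }
        argv[id] = line
    }
    END {
        for (id in when)
            if (want == "" || index(exe[id], want) || index(argv[id], want))
                printf "%s pid=%s ppid=%s %s %s\n", when[id], pid[id], ppid[id], exe[id], argv[id]
    }' "$1" | sort
}

# Constructed sample of what auditd writes for two execve events.
sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1406736206.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=1f2a3c0 a1=1f2b8e0 a2=1f1f0a0 a3=7fff3c6e0f40 items=2 ppid=2001 pid=2002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm="FooProgram" exe="/usr/local/bin/FooProgram" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="procmon"
type=EXECVE msg=audit(1406736206.123:456): argc=3 a0="FooProgram" a1="--config" a2="/etc/foo.conf"
type=CWD msg=audit(1406736206.123:456):  cwd="/home/user"
type=SYSCALL msg=audit(1406736207.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=22b0a40 a1=22b0c60 a2=22a9f70 a3=7fffd2a4bfd0 items=2 ppid=1999 pid=2003 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="procmon"
type=EXECVE msg=audit(1406736207.500:457): argc=2 a0="ls" a1="-l"
EOF
}

# Stand-alone demo: parse the constructed sample and show only the FooProgram launch.
tmp=$(mktemp)
sample_log "$tmp"
execve_report "$tmp" FooProgram
rm -f "$tmp"
```

On a real box you would normally skip the awk and run `ausearch -k procmon -c FooProgram -i`, which decodes the hex-encoded arguments and timestamps for you; the parser above is there to show what is actually on disk and how the records of one event are joined. Two things the parser deliberately leaves alone: arguments that contain spaces or control characters arrive hex-encoded without quotes, and very long arguments are split into `a1[0]=`, `a1[1]=` pieces, which this simple field match skips. Logging every execve system-wide is noisy but, as the question says, that is fine for a short collection window; delete the rules again with `auditctl -D` or by removing them from audit.rules afterwards.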

Don
Posts: 13
Joined: 2014/07/16 02:00:48
Location: West Lafayette, IN, USA

Re: How to log processes created?

Post by Don » 2014/07/30 21:06:33

Would the following work for you?

1. move FooProgram (temporarily) to FooProgram.orig
2. create a script FooProgram containing something like the following:

#!/bin/bash
# Append the path the caller used ($0) and the exact arguments to the log,
# then replace this shell with the real binary so the PID and exit status
# seen by the parent are those of the original program.
echo "$0" "$@" >> /tmp/FooProgram.log
exec "$0.orig" "$@"
--Don
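The wrapper approach above, carried a little further as an added example that is not part of Don's post: an installer that swaps the wrapper in and out, a log line that also records a timestamp, the PID (unchanged across the exec, so it is the real program's PID), the parent PID and the working directory, shell-quoted arguments so a value with spaces stays unambiguous, and a check that the wrapped program's exit status reaches the parent untouched. The log path and the stand-in FooProgram built in demo() are made up for this demonstration. One limit worth knowing before relying on this: the wrapped file must be a plain executable, because the kernel ignores setuid/setgid bits on interpreted scripts, so a setuid FooProgram cannot be wrapped this way.

```shell
#!/bin/bash
# Added example, not from the thread: Don's wrapper idea packaged as an
# installer with a richer log line and a check of exit-status passthrough.
# Assumptions: the log path and the stand-in FooProgram in demo() are
# constructed for this demonstration; the target is a plain (non-setuid) binary.

# install_wrapper PATH LOGFILE: move PATH to PATH.orig and put the wrapper in
# its place. Refuses to wrap twice, which would otherwise clobber the original.
install_wrapper() {
    bin=$1; log=$2
    if [ -e "$bin.orig" ]; then
        echo "$bin.orig exists; refusing to wrap twice" >&2
        return 1
    fi
    mv "$bin" "$bin.orig" || return 1
    # Unquoted EOF so $log is baked in; everything else is escaped so that it
    # is evaluated when the wrapper runs, not when it is written.
    cat > "$bin" <<EOF
#!/bin/bash
# \$0 is the path the parent used to start us, so \$0.orig is the real binary.
printf '%s pid=%s ppid=%s cwd=%s' "\$(date +%Y-%m-%dT%H:%M:%S)" "\$\$" "\$PPID" "\$PWD" >> "$log"
printf ' %q' "\$0" "\$@" >> "$log"   # %q keeps args with spaces unambiguous
printf '\n' >> "$log"
exec "\$0.orig" "\$@"
EOF
    chmod --reference="$bin.orig" "$bin" 2>/dev/null || chmod 755 "$bin"
}

# remove_wrapper PATH: put the original back.
remove_wrapper() {
    mv "$1.orig" "$1"
}

# demo: wrap a constructed stand-in for FooProgram in a temp dir, run it once
# with an argument containing a space, print the log line and return the
# stand-in's exit status (3) to show the wrapper does not mask it.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "real program got: $*"\nexit 3\n' > "$dir/FooProgram"
    chmod 755 "$dir/FooProgram"
    install_wrapper "$dir/FooProgram" "$dir/spawn.log" || return 1
    "$dir/FooProgram" --config "/etc/foo dir/foo.conf" >/dev/null && status=0 || status=$?
    remove_wrapper "$dir/FooProgram"
    cat "$dir/spawn.log"
    rm -rf "$dir"
    return "$status"
}

demo || echo "wrapped program exited with status $?"
```

Because the wrapper is a bash script, `$0` is whatever path the parent passed to execve (the absolute path from a PATH lookup, or a relative one if the parent used `./FooProgram`), so `"$0.orig"` resolves to the original in either case as long as the wrapper does not change directory first. The log file is appended to by every invocation, so pick a location the spawning user can write but others cannot, rather than a fixed name in a world-writable /tmp.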

Suaroman
Posts: 3
Joined: 2014/07/30 15:29:03

Re: How to log processes created?

Post by Suaroman » 2014/07/31 00:23:30

Thanks Don. I'll give something like this a try. I think this will work fine.

Suaroman
Posts: 3
Joined: 2014/07/30 15:29:03

Re: How to log processes created?

Post by Suaroman » 2014/07/31 00:42:01

This worked perfectly and exactly what I needed. You are a life saver! :)
