Monitor process creation in FreeBSD

I'm looking to monitor all the commands that are executed on a FreeBSD system. I already looked at lastcomm which uses process accounting facilities in BSD. Unfortunately, it stores only the first ten characters of each command that is executed. I would ideally want the whole command including the CLI parameters.

Also, for reasons that I would not like to get into, I am working on a FreeBSD 4.x system here so I don't think I will have access to "auditd" or such facilities.

/proc has all the info I require but I am not able to find a good way to monitor procfs for creation and deletion of new nodes.

Edit: Thanks for the input. Unfortunately dtrace isn't an option as I mentioned these are FreeBSD 4.x systems. Next - I did look at the modification time in /proc. It's just that the kqueue doesn't specifically say what file was modified.

There are 2 best solutions below

Explore the dtrace facility. I think, it has the capabilities you require, although you should be aware, logging everything you wish to log may slow your system down quite a bit.

Check if the modification time of /proc changes if a new process is created?


Alternatively, run a loop doing the following. You'll need a list or array to store PIDs.

  • Call kvm_getprocs (with the op argument of KERN_PROC_PROC) to get information about all running processes.
  • Skip all the PIDs that you already know about.
  • Add all the new PIDs to the list or array of PIDs. Use whatever info you need from the new process.
  • Purge all processes that have ended from your list.
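The polling loop above, as an added example that is not the answer author's code: the snapshot-diff logic is portable C, and the FreeBSD-specific snapshot (libkvm, KERN_PROC_PROC as suggested, kvm_getargv for the full command line the question asks for) is compiled only on FreeBSD. It assumes the FreeBSD 5+ field name ki_pid (on 4.x the PID lives in kp_proc.p_pid) and that KERN_PROC_PROC exists in the 4.x headers, which should be checked against that release.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int cmp_pid(const void *a, const void *b) {
    int x = *(const int *)a, y = *(const int *)b; return (x > y) - (x < y);
}
/* Sort both arrays, then merge-walk them: every PID in cur[] absent from prev[] is copied
 * to out[]; returns how many. Ended PIDs are purged by making cur[] the next round's prev[]. */
int diff_pids(int *prev, int nprev, int *cur, int ncur, int *out) {
    int i = 0, j = 0, n = 0;
    qsort(prev, nprev, sizeof *prev, cmp_pid);
    qsort(cur, ncur, sizeof *cur, cmp_pid);
    while (j < ncur) {
        if (i < nprev && prev[i] < cur[j]) i++;
        else if (i < nprev && prev[i] == cur[j]) { i++; j++; }
        else out[n++] = cur[j++];
    }
    return n;
}
#ifdef __FreeBSD__ /* live snapshot via libkvm; this part only compiles on FreeBSD */
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/user.h>
#include <fcntl.h>
#include <kvm.h>
#include <unistd.h>
#define MAXP 4096
int main(void) {
    char err[2048];
    int prev[MAXP], cur[MAXP], fresh[MAXP], nprev = 0, ncur, nfresh, i, j;
    /* NULL core file = the running kernel; reading it needs root or the kmem group */
    kvm_t *kd = kvm_openfiles(NULL, NULL, NULL, O_RDONLY, err);
    if (kd == NULL) { fprintf(stderr, "kvm_openfiles: %s\n", err); return 1; }
    for (;;) { /* poll once per second with KERN_PROC_PROC, as the answer suggests */
        struct kinfo_proc *kp = kvm_getprocs(kd, KERN_PROC_PROC, 0, &ncur);
        if (kp == NULL) { fprintf(stderr, "kvm_getprocs: %s\n", kvm_geterr(kd)); return 1; }
        if (ncur > MAXP) ncur = MAXP;
        for (i = 0; i < ncur; i++) cur[i] = kp[i].ki_pid; /* FreeBSD 4.x: kp[i].kp_proc.p_pid */
        nfresh = diff_pids(prev, nprev, cur, ncur, fresh);
        for (i = 0; i < nfresh; i++) { /* report the full argv of each newly seen process */
            for (j = 0; j < ncur && kp[j].ki_pid != fresh[i]; j++) ;
            char **av = kvm_getargv(kd, &kp[j], 0);
            printf("pid %d:", fresh[i]); for (; av && *av; av++) printf(" %s", *av); putchar('\n');
        }
        memcpy(prev, cur, ncur * sizeof *cur); nprev = ncur;
        sleep(1);
    }
}
#endif
```

A process that starts and exits between two polls is missed, so the one-second interval is a trade-off against the load of walking the whole table each round.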