[akikoo]

You can accomplish the same with bpftrace:

  bpftrace -e 'tracepoint:sched:sched_process_exec { time("%H:%M:%S"); printf("   uid = %d   pid = %d   cmd = %s \n", uid, pid, comm); } tracepoint:syscalls:sys_enter_execve { time("%H:%M:%S"); printf("   uid = %d   pid = %d   cmd_with_args = ", uid, pid); join(args->argv); }'

[westurner]

From https://news.ycombinator.com/item?id=37442312 re why not ptrace for tracing all exec() syscalls:

> The Falco docs list 3 syscall event drivers: Kernel module, Classic eBPF probe, and Modern eBPF probe: https://falco.org/docs/event-sources/kernel/

[T3OU-736]

Consider adding ppid to the mix - cometimes _what_ started a process is also quite valuable (if firefox starts bash, worry more than, say, sshd)

[westurner]

It looks like the falco rules mention proc.ppid.duration, but there's not yet a rule that matches on ppid: rules/falco_rules.yaml https://github.com/falcosecurity/rules/blob/main/rules/falco... :

> Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust.