Re: monitoring user processes



Ole Laursen <olau hardworking dk> writes:
> A hack that might work would be to use inotify to monitor /usr/bin and
> other directories with binaries.
> 
> BTW, does your project have a web page? It sounds interesting, I have
> read a couple of papers with similar ideas.

Hi, thanks for your input. I'm afraid I don't have a website for it at
the moment, at least not on a page viewable outside my university's
network. I'm basically trying to figure out exactly what information it
is possible for me to collect at the moment, so that I can start to get
some idea of what approaches I can use algorithmically. When I have
something a little more concrete to show I'll let you know.

re your suggestion: If I use inotify on the /usr/bin directories, is
this not similar to the way top monitors the /proc filesystem to provide
its information? Also, how would I be able to determine who (user-wise)
executed the binary with that method? One of my big problems is that I
only want to record applications that were explicitly invoked by the
user, not system processes etc. I don't think it would be much use
having an 'intelligent' suggestion recommending the d-bus message daemon
for instance.

On this note, is there a better way to tell a user invoked process from
a system one or daemon than the uid or effective uid? Can I use
information about when it was started etc?
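The questions above (what /proc exposes per process, whether the uid is the only signal for "user-invoked vs. daemon", and what start time gives you) are best answered by looking at the fields directly. The script below is an added example, not code from either poster: it parses constructed /proc/<pid>/status and /proc/<pid>/stat text (the samples are made up, not captured from a real machine), pulls out the real uid, controlling tty, session id and start time, and applies a small heuristic. The 1000 cutoff for "human" uids mirrors the common UID_MIN default but is an assumption. One fact worth keeping in mind for the inotify idea: an inotify event carries only the watch descriptor, event mask and file name, not the pid or uid of the process that opened the binary, so the "who" has to come from /proc (or fanotify) anyway.

```python
"""Added example: per-process signals available from /proc (Linux).
Not part of the original thread; heuristics and UID cutoff are assumptions."""
import os

# Constructed /proc/<pid>/status and /proc/<pid>/stat samples, NOT from a real
# system.  stat layout (proc(5)): pid (comm) state ppid pgrp session tty_nr
# tpgid flags minflt cminflt majflt cmajflt utime stime cutime cstime priority
# nice num_threads itrealvalue starttime vsize rss rsslim ...
SAMPLES = {
    "systemd": (      # root, pid 1, session leader, no tty -> system
        "Name:\tsystemd\nPid:\t1\nPPid:\t0\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
        "1 (systemd) S 0 1 1 0 -1 4194560 90000 3000000 120 500 250 900 40000 "
        "20000 20 0 1 0 5 170000000 3500 18446744073709551615",
    ),
    "vim": (          # uid 1000 with controlling tty pts/0 (34816) -> interactive
        "Name:\tvim\nPid:\t5120\nPPid:\t5010\nUid:\t1000\t1000\t1000\t1000\n",
        "5120 (vim) S 5010 5120 5010 34816 5120 4194304 1200 0 0 0 15 3 0 0 "
        "20 0 1 0 81000 12000000 2800 18446744073709551615",
    ),
    "dbus_daemon": (  # uid 1000 but its own session leader, no tty -> daemon
        "Name:\tdbus-daemon\nPid:\t1187\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\n",
        "1187 (dbus-daemon) S 1 1187 1187 0 -1 4194624 600 0 0 0 12 8 0 0 "
        "20 0 1 0 1100 9000000 1100 18446744073709551615",
    ),
    "web_content": (  # uid 1000, no tty, inside session 1200 -> user-other
        "Name:\tWeb Content\nPid:\t4300\nPPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n",
        "4300 (Web Content) S 4242 4242 1200 0 -1 4194560 15000 0 12 0 350 120 "
        "0 0 20 0 64 0 900 2500000000 75000 18446744073709551615",
    ),
}


def parse_status(text):
    """Return name, real uid and effective uid from /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    real, effective, _saved, _fs = (int(x) for x in fields["Uid"].split())
    return {"name": fields["Name"], "uid": real, "euid": effective}


def parse_stat(text):
    """Parse /proc/<pid>/stat.  comm may contain spaces and parentheses
    (e.g. 'Web Content'), so split around the LAST ')' not on whitespace."""
    lpar, rpar = text.index("("), text.rindex(")")
    rest = text[rpar + 1:].split()       # rest[i] is field i+3 in proc(5)
    return {
        "pid": int(text[:lpar]),
        "comm": text[lpar + 1:rpar],
        "state": rest[0],
        "ppid": int(rest[1]),
        "pgrp": int(rest[2]),
        "session": int(rest[3]),
        "tty_nr": int(rest[4]),
        "starttime": int(rest[19]),      # clock ticks after boot (field 22)
    }


def start_epoch(starttime_ticks, btime, clk_tck):
    """Absolute start time: /proc/stat 'btime' plus starttime / CLK_TCK."""
    return btime + starttime_ticks / clk_tck


def classify(status_text, stat_text, min_user_uid=1000):
    """Heuristic label.  uid alone is not enough: the user's own dbus-daemon
    runs under their uid, so session leadership and tty are checked too."""
    st, pr = parse_status(status_text), parse_stat(stat_text)
    if st["uid"] < min_user_uid:
        return "system"        # root or a system account
    if pr["tty_nr"] != 0:
        return "interactive"   # controlling terminal: typed by someone
    if pr["session"] == pr["pid"]:
        return "daemon"        # setsid() and no tty: classic daemon shape
    return "user-other"        # user's uid, no tty, inside another session


def scan_proc(min_user_uid=1000):
    """Classify every live process (Linux only); tolerate races with exit."""
    clk_tck = os.sysconf("SC_CLK_TCK")
    with open("/proc/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime"))
    results = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as f:
                status = f.read()
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:
            continue           # process exited between listdir and open
        pr = parse_stat(stat)
        results.append((int(pid), pr["comm"], classify(status, stat, min_user_uid),
                        start_epoch(pr["starttime"], btime, clk_tck)))
    return results


if __name__ == "__main__":
    for name, (status, stat) in SAMPLES.items():
        print(f"{name:12s} -> {classify(status, stat)}")
    if os.path.isdir("/proc"):
        for pid, comm, label, started in sorted(scan_proc()):
            print(pid, comm, label, int(started))
```

The split is what the uid question is really asking for: a system daemon and the user's own session daemon look alike on everything except uid, and a GUI application and a session daemon look alike on everything except session leadership, so no single field does the job. Start time is only usable once converted with btime and CLK_TCK as shown; comparing it against the user's login time (from utmp or the session leader's own start) is the natural next step.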



