How can I monitor every newly created process of an entire Linux system?

Question

I am on a gentoo Linux system and I want to monitor the time and name of every created and deleted process on an entire Linux system. How can I do that?

If possible, I do not want to install new software to do this, but just the tools Linux comes with.

Answer 1

As suggested by the comments, process accounting psacct is one potential solution. The functionality itself is in the kernel, the tooling just enables it and captures the output.

# apt-get install -y acct
... (installed & auto-started on most systems)
# lastcomm |head
nrpe              F    nagios   __         0.02 secs Mon Mar 29 04:39
check_nrpe             nagios   __         0.03 secs Mon Mar 29 04:39
nrpe              F    nagios   __         0.00 secs Mon Mar 29 04:39
sh                     nagios   __         0.00 secs Mon Mar 29 04:39
check_procs            nagios   __         0.00 secs Mon Mar 29 04:39
ps                     nagios   __         0.01 secs Mon Mar 29 04:39
nrpe              F    nagios   __         0.00 secs Mon Mar 29 04:39
nrpe              F    nagios   __         0.02 secs Mon Mar 29 04:39
check_nrpe             nagios   __         0.03 secs Mon Mar 29 04:39
nrpe              F    nagios   __         0.00 secs Mon Mar 29 04:39

On this system you can see that nagios checks are extremely common.

audit can also do what you want, and it likely more flexible for your purposes, but it's certainly not as drop-in as using psacct.