Old 11-06-2020, 01:46 AM   #1
Wallboy
LQ Newbie
 
Registered: Nov 2020
Posts: 2

Rep: Reputation: Disabled
Using auditd to trace every boot process


Hey all,


I'm trying to figure out how to view every single process that gets run since boot, everything from PID 1 and onwards; even short-lived transient processes. After googling around, I discovered auditd would be the tool for the job.

I have the following line in my auditd rules file:

Code:
-a exit,always -S execve
I've also added the audit=1 kernel parameter to get early audit support before the auditd daemon has started.

However, after looking at the audit.log file, I can only see all processes that have launched AFTER the auditd daemon has started. I was under the impression the point of the audit=1 kernel parameter was to be able to capture the SYSCALLs before the userspace daemon is run.

Anyone have any ideas what I'm doing wrong, or if there is another way to go about seeing every single process (and the arguments passed to it) that was run during the entire boot sequence?
 
Old 11-06-2020, 03:58 AM   #2
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,129

Rep: Reputation: 4121
By any definition (and there are several), boot has well and truly finished by the time init has been scheduled - let alone later tasks like auditd. Everything prior to init is in kernel-space - none of it issues syscalls, let alone attempting things like trying to open files which might leave audit records. Be satisfied with what you have would be my perspective.
 
Old 11-06-2020, 05:21 AM   #3
Wallboy
LQ Newbie
 
Registered: Nov 2020
Posts: 2

Original Poster
Rep: Reputation: Disabled
Yeah, I know about the kernel itself being finished by the time it has to call the userspace init. I'm not so much interested in the kernel initialization stuff itself, but everything from userspace init and onwards like I mentioned. Obviously there must be a way to do this, since how would you debug/trace a potentially slow process (that's supposed to be short-lived/transient) that boots between init (the actual systemd process) and the last process to load before user input (agetty, for the sake of an example)? systemd-analyze doesn't go deep enough, as that only shows you processes that systemd kicks off, but not potentially what THOSE processes themselves end up executing. I'm just interested in seeing the process called, its arguments, and potentially the CPU time it used. auditd works fantastically for this, but ONLY after the daemon has already started.

On the Windows side of things you have WPR w/ boot tracing and WPA, which gives you the entire picture of all processes (whether permanent or transient) during the boot. From everything I've read, I should be able to see these processes with auditd and the audit=1 kernel flag.

EDIT: I figured out that what I'll probably need to do is call auditctl in the initramfs. Though feel free to chime in on any additional ways or other tools that accomplish what I'm trying to do.

EDIT2: This was indeed the fix. I just edited my initramfs to include auditctl and have it start capturing the execve SYSCALL just prior to the call to switch_root. I can see all process calls now that I want.

Last edited by Wallboy; 11-06-2020 at 07:22 PM. Reason: Solved.
 
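Once the execve rule is loaded from the initramfs as described in the edits above, audit.log holds the whole boot as pairs of SYSCALL and EXECVE records that share one audit(timestamp:serial) id, and auditd writes any argv entry containing a space, quote or control byte as an unquoted hex string rather than plain text. The reader below is an added example, not code from the thread: it joins the two records of each execve by serial and decodes both argv forms, using constructed sample log lines (the key name "boot-exec" is assumed).

```python
import re

# Constructed sample in auditd's raw log format (not from the thread): each
# execve is a SYSCALL record plus an EXECVE record sharing one audit(ts:serial).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1604649600.101:12): arch=c000003e syscall=59 success=yes exit=0 ppid=0 pid=1 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="boot-exec"
type=EXECVE msg=audit(1604649600.101:12): argc=2 a0="/usr/lib/systemd/systemd" a1="--switched-root"
type=SYSCALL msg=audit(1604649600.250:13): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=230 uid=0 comm="sh" exe="/usr/bin/dash" key="boot-exec"
type=EXECVE msg=audit(1604649600.250:13): argc=3 a0="/bin/sh" a1="-c" a2=6563686F2068656C6C6F
type=SYSCALL msg=audit(1604649600.300:14): arch=c000003e syscall=59 success=no exit=-2 ppid=230 pid=231 uid=0 comm="sh" exe="/usr/bin/dash" key="boot-exec"
type=EXECVE msg=audit(1604649600.300:14): argc=1 a0="/nonexistent"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def decode_value(raw):
    """auditd quotes plain strings; one containing a space, quote or control
    byte is written unquoted as hex (a2=6563686F... above). Decode both."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    except ValueError:
        return raw

def reconstruct_execs(log_text):
    """Join SYSCALL and EXECVE records by serial; return one dict per execve
    in serial order, argv rebuilt even when split over several EXECVE lines."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events.setdefault(int(serial), {'time': float(ts), 'args': {}})
        if rtype == 'SYSCALL':
            ev.update(pid=int(fields['pid']), ppid=int(fields['ppid']),
                      exe=decode_value(fields['exe']), success=fields['success'] == 'yes')
        elif rtype == 'EXECVE':
            for k, v in fields.items():
                if k[0] == 'a' and k[1:].isdigit():
                    ev['args'][int(k[1:])] = decode_value(v)
    result = []
    for ev in (events[s] for s in sorted(events)):
        if ev['args'] and 'pid' in ev:
            ev['argv'] = [ev['args'][i] for i in sorted(ev['args'])]
            result.append(ev)
    return result
```

Feed it the real file with `reconstruct_execs(open('/var/log/audit/audit.log').read())` and print time, pid, ppid and argv per entry; a `success` of False marks an execve that never replaced its caller, which is worth keeping in a boot trace rather than dropping.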
Old 11-06-2020, 11:38 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,129

Rep: Reputation: 4121
Excellent - thanks for the updates. Never a day goes by there isn't something to learn.
 
  

