You can accomplish the same with bpftrace:
bpftrace -e 'tracepoint:sched:sched_process_exec { time("%H:%M:%S"); printf(" uid = %d pid = %d cmd = %s \n", uid, pid, comm); } tracepoint:syscalls:sys_enter_execve { time("%H:%M:%S"); printf(" uid = %d pid = %d cmd_with_args = ", uid, pid); join(args->argv); }'
From https://news.ycombinator.com/item?id=37442312 re why not ptrace for tracing all exec() syscalls:
> The Falco docs list 3 syscall event drivers: Kernel module, Classic eBPF probe, and Modern eBPF probe: https://falco.org/docs/event-sources/kernel/
Consider adding ppid to the mix - cometimes _what_ started a process is also quite valuable (if firefox starts bash, worry more than, say, sshd)
It looks like the falco rules mention proc.ppid.duration, but there's not yet a rule that matches on ppid: rules/falco_rules.yaml https://github.com/falcosecurity/rules/blob/main/rules/falco... :
> Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust.