Forum Topic - TraceEvent: detecting fork/exec and spawn idiomatic sequences: (1 Item)
   
TraceEvent: detecting fork/exec and spawn idiomatic sequences  
Hi all,

I am trying to detect process creation and process "renames", in particular looking at the fork/exec and spawn sequences from a POSIX perspective.

When looking at the PROCESS class of events I am seeing the following when running a command on the shell (in this case 
the command "cat"):

t:0x54f21c6ce18  CPU:01 PROCESS        :PROCCREATE                 ppid:483347  pid:1064985
t:0x54f21d07a5b CPU:01 PROCESS         :PROCCREATE_NAME   ppid:483347  pid:1064985 name:bin/sh
t:0x54f21dc5a56  CPU:01 PROCESS        :PROCCREATE                 ppid:1064985 pid:1064986
t:0x54f21f2d4ca  CPU:01 PROCESS         :PROCCREATE_NAME    ppid:483347  pid:1064985 name:proc/boot/cat
t:0x54f21f2ed36  CPU:01 PROCESS         :PROCDESTROY              ppid:1064985 pid:1064986

Can I rely on this sequence to represent the usual fork()/exec() pattern? Is it the same in the case of spawn()?

I noticed in particular that the first PROCCREATE_NAME seems to correspond to a fork(), as the name of the new process matches the parent shell bin/sh, which is shown in the "initial state" sequence of pseudo-PROCCREATE_NAME events as bin/sh.

The second PROCCREATE_NAME differs from the preceding PROCCREATE in pid and ppid.
The second PROCCREATE seems to refer to a "dummy" process, which is destroyed just after its creation, while the second 
PROCCREATE_NAME seems to refer to the first pid, and thus I map this to "exec()".

Am I looking at this correctly? Is this always the case that this sequence is followed for the creation of new processes?

Thank you as always for your helpful comments,

Claudio
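
The reading proposed in the post above, written out as a small classifier over the quoted trace lines. This is an added example, not part of the original post and not TraceEvent code; the function name, labels and regular expression are assumptions made here, and the fork/exec mapping is the poster's hypothesis, which the page does not confirm.

```python
import re

# Trace lines copied from the post; the initial-state table passed to
# classify() is constructed from the post's remark that the parent is bin/sh.
SAMPLE = """\
t:0x54f21c6ce18  CPU:01 PROCESS        :PROCCREATE                 ppid:483347  pid:1064985
t:0x54f21d07a5b CPU:01 PROCESS         :PROCCREATE_NAME   ppid:483347  pid:1064985 name:bin/sh
t:0x54f21dc5a56  CPU:01 PROCESS        :PROCCREATE                 ppid:1064985 pid:1064986
t:0x54f21f2d4ca  CPU:01 PROCESS         :PROCCREATE_NAME    ppid:483347  pid:1064985 name:proc/boot/cat
t:0x54f21f2ed36  CPU:01 PROCESS         :PROCDESTROY              ppid:1064985 pid:1064986
"""

LINE_RE = re.compile(
    r"PROCESS\s*:(?P<event>PROC\w+)\s+ppid:(?P<ppid>\d+)\s+pid:(?P<pid>\d+)"
    r"(?:\s+name:(?P<name>\S+))?"
)

def classify(trace, known_names):
    """Label PROCESS events using the post's (unconfirmed) interpretation.

    known_names: pid -> image name from the "initial state" events.
    Returns a list of (label, pid, name) tuples in trace order.
    """
    names = dict(known_names)   # pid -> most recent image name
    unnamed = set()             # pids created but never given a name
    out = []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # not a PROCESS-class line
        event, name = m["event"], m["name"]
        ppid, pid = int(m["ppid"]), int(m["pid"])
        if event == "PROCCREATE":
            unnamed.add(pid)
        elif event == "PROCCREATE_NAME":
            if pid in names and names[pid] != name:
                label = "exec"          # same pid, new image name
            elif names.get(ppid) == name:
                label = "fork"          # child starts with the parent's name
            else:
                label = "unclassified"  # no basis on the page to decide
            out.append((label, pid, name))
            names[pid] = name
            unnamed.discard(pid)
        elif event == "PROCDESTROY":
            # A pid destroyed before any name event is the post's "dummy" process.
            label = "transient" if pid in unnamed else "exit"
            out.append((label, pid, names.pop(pid, None)))
            unnamed.discard(pid)
    return out
```

Without the initial-state names the first name event cannot be tied to the parent and comes back as "unclassified", so a detector built this way has to consume the pseudo-PROCCREATE_NAME events at the start of the trace.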