Log every process that runs with root privileges, recording its environment variables, command-line flags, and parent process. Don't forget processes that become root through setuid.
Maybe auditd can do this.
This idea is inspired by auth.log, which records all invocations of sudo.
Logs will become voluminous, but if you have root processes starting multiple times per second, maybe things should be rearchitected.
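
As an added example (not code from the original note), the sketch below joins the raw SYSCALL and EXECVE records auditd writes for an exec and reports each root execution with its parent PID, argv, and whether root came from a setuid binary. The rules in the comment, the `root_exec` key, and the sample records are assumptions constructed for illustration; note that the EXECVE record carries argv but not the environment, so the environment-variable requirement needs another source.

```python
# Assumed audit rules that would produce such records (not from the page):
#   -a always,exit -F arch=b64 -S execve -S execveat -F euid=0 -k root_exec
#   -a always,exit -F arch=b32 -S execve -S execveat -F euid=0 -k root_exec
import re

# Constructed sample in raw audit.log format (some fields trimmed for brevity).
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 auid=1000 uid=1000 euid=0 comm="passwd" exe="/usr/bin/passwd" key="root_exec"
type=EXECVE msg=audit(1700000000.123:101): argc=1 a0="passwd"
type=SYSCALL msg=audit(1700000005.456:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1410 auid=4294967295 uid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="root_exec"
type=EXECVE msg=audit(1700000005.456:102): argc=3 a0="sh" a1="-c" a2=6C6F67726F74617465202D66
"""

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode(value):
    """Quoted values are literal; unquoted strings are hex-encoded by auditd."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def root_execs(log_text):
    """Join SYSCALL and EXECVE records per event; return the euid=0 execs."""
    events = {}
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        kv = dict(FIELD.findall(body))
        ev = events.setdefault((ts, serial), {})
        if rtype == "SYSCALL":
            ev.update(time=float(ts), pid=int(kv["pid"]), ppid=int(kv["ppid"]),
                      uid=int(kv["uid"]), euid=int(kv["euid"]), exe=decode(kv["exe"]))
            # Real uid non-root but effective uid root: a setuid-root program.
            ev["setuid"] = ev["uid"] != 0 and ev["euid"] == 0
        elif rtype == "EXECVE":
            # Very long arguments are split as aN[i]=...; not handled here.
            ev["argv"] = [decode(kv.get(f"a{i}", "")) for i in range(int(kv["argc"]))]
    return [e for e in events.values() if e.get("euid") == 0 and "argv" in e]


if __name__ == "__main__":
    for e in root_execs(SAMPLE):
        print(e["time"], e["ppid"], e["pid"], e["exe"], e["argv"], e["setuid"])
```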