mserdukoff/procmon
procmon

procmon is a Linux host telemetry and process-monitoring tool written in C++17 with ncurses. It provides a real-time terminal dashboard powered directly by /proc, with process-level CPU and memory analytics, fast filtering, and lightweight suspicious-process tagging for defensive workflows.

Why this project matters

This project demonstrates systems programming and host visibility fundamentals used in security, incident response, and endpoint defense:

  • Parsing live telemetry from Linux kernel-exposed interfaces (/proc/stat, /proc/meminfo, /proc/<pid>/*)
  • Building a responsive low-level TUI in C++ with no heavy framework
  • Implementing resource accounting and process triage heuristics
  • Designing for operational usage (sorting, filtering, rapid scanning, low overhead)

Core capabilities

  • Real-time host metrics:
    • total CPU utilization
    • total memory utilization
  • Real-time process table:
    • PID
    • state
    • CPU %
    • memory %
    • suspicious tag
    • command
  • Interactive controls:
    • q quit
    • c sort by CPU %
    • m sort by memory %
    • p sort by PID
    • typing applies a live substring filter on PID/command
    • backspace edits filter
  • Defensive tagging heuristics:
    • TMP_EXEC for commands launched from temp/shared-memory paths
    • LOLBIN for common command-line patterns associated with living-off-the-land behavior
    • SPIKE for very high CPU processes

Architecture

src/process.*

  • Collects per-process telemetry from /proc/<pid>/stat, /proc/<pid>/status, /proc/<pid>/cmdline, and /proc/<pid>/comm
  • Computes:
    • process CPU% (normalized against elapsed process lifetime and logical CPU count)
    • process memory% (RSS relative to host MemTotal)
  • Exposes process state and suspicion tag for UI rendering
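As an added illustration of the src/process.* pipeline and the tagging heuristics listed under core capabilities (example code written for this page, not the project's own sources): it parses one /proc/<pid>/stat line, derives the lifetime-normalized CPU% and RSS-based memory% described above, and applies the TMP_EXEC and SPIKE tags. The temp-path list, the 80% spike threshold, the field layout taken from proc(5), and the sample stat line are assumptions; the LOLBIN heuristic is omitted because the README does not list its patterns.

```cpp
#include <sstream>
#include <string>

struct StatFields {                                  // field numbers as in proc(5)
    int pid; std::string comm; char state;           // fields 1, 2, 3
    unsigned long utime, stime;                      // fields 14, 15 (clock ticks)
    unsigned long long starttime; long rss_pages;    // field 22 (ticks since boot), field 24 (pages)
};

// comm is wrapped in parentheses and may itself contain spaces or ')', so split on the
// LAST ')' instead of tokenizing the whole line on whitespace.
bool parse_stat(const std::string& line, StatFields& out) {
    std::size_t open = line.find('('), close = line.rfind(')');
    if (open == std::string::npos || close == std::string::npos || close < open) return false;
    out.pid = std::stoi(line.substr(0, open));
    out.comm = line.substr(open + 1, close - open - 1);
    std::istringstream rest(line.substr(close + 1));
    std::string tok;
    rest >> tok; out.state = tok.empty() ? '?' : tok[0];  // field 3
    for (int i = 4; i <= 13; ++i) rest >> tok;             // skip fields 4..13
    rest >> out.utime >> out.stime;                        // fields 14, 15
    for (int i = 16; i <= 21; ++i) rest >> tok;            // skip fields 16..21
    rest >> out.starttime >> tok >> out.rss_pages;         // fields 22, 23 (vsize, unused), 24
    return static_cast<bool>(rest);
}

// Lifetime CPU%: ticks consumed since start, over wall time alive, per logical CPU.
double lifetime_cpu_pct(const StatFields& s, double uptime_sec, long clk_tck, int ncpu) {
    double elapsed = uptime_sec - double(s.starttime) / clk_tck;
    if (elapsed <= 0 || ncpu <= 0) return 0.0;
    return 100.0 * (double(s.utime + s.stime) / clk_tck) / elapsed / ncpu;
}

// Memory%: RSS in KiB relative to MemTotal (KiB, as read from /proc/meminfo).
double mem_pct(const StatFields& s, long page_size, unsigned long long memtotal_kb) {
    if (memtotal_kb == 0) return 0.0;
    return 100.0 * (double(s.rss_pages) * page_size / 1024.0) / memtotal_kb;
}

// TMP_EXEC / SPIKE tagging on the resolved /proc/<pid>/exe path and the CPU% above.
// The 80% SPIKE threshold is an assumed value, not one taken from the project.
std::string suspicion_tag(const std::string& exe_path, double cpu_pct, double spike_pct = 80.0) {
    for (const char* d : {"/tmp/", "/var/tmp/", "/dev/shm/"})
        if (exe_path.rfind(d, 0) == 0) return "TMP_EXEC";
    return cpu_pct >= spike_pct ? "SPIKE" : "";
}

// Constructed sample line (not captured from a real host); comm contains a space and ')'.
const std::string kSampleStat = "4242 (sh (x)) R 1 4242 4242 0 -1 4194560 120 0 0 0 3000 1000 "
                                "0 0 20 0 1 0 100000 10485760 2560 18446744073709551615";
```

With CLK_TCK 100, uptime 1100 s and two logical CPUs, the sample process has used 40 s of CPU over a 100 s lifetime, so it reports 20% CPU; a truncated stat line makes parse_stat return false instead of leaving fields half-filled.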

src/system.*

  • Enumerates numeric process directories under /proc
  • Produces process objects for the UI pipeline
  • Computes host CPU% using delta sampling of /proc/stat
  • Computes host memory% from /proc/meminfo

src/ui.*

  • Renders a high-frequency ncurses dashboard
  • Applies interactive sort/filter operations
  • Supports immediate keyboard control with non-blocking input

Build and run

Requirements

  • Linux
  • g++ with C++17 support
  • make
  • ncurses development headers

Dependency install examples

Arch:

sudo pacman -S base-devel ncurses

Debian/Ubuntu:

sudo apt update
sudo apt install build-essential libncurses5-dev

Fedora:

sudo dnf install gcc-c++ make ncurses-devel

Compile

make

Run

./procmon

Defensive use cases

  • Rapid endpoint triage during suspicious host activity
  • Identifying outlier CPU/memory consumers
  • Spotting potentially risky execution locations (for example /tmp and /dev/shm)
  • Quick first-look process review before deeper tooling (EDR, audit logs, memory forensics)

Limitations and future roadmap

The current version is intentionally lightweight and local-only. Candidate next steps:

  • Parent/child process tree view
  • User/UID display and privilege-awareness indicators
  • Signal actions from UI (SIGTERM, SIGKILL) with confirmations
  • Export snapshots (JSON/CSV) for incident documentation
  • Unit tests around parser logic with fixture-based /proc samples
  • CI and packaging

Resume highlights (suggested wording)

  • Built a Linux host telemetry monitor in C++17 that parses live /proc data and renders a responsive ncurses dashboard.
  • Implemented process and host resource analytics (CPU/memory), interactive sort/filter controls, and suspicious process tagging heuristics for defensive triage.
  • Designed a low-overhead, terminal-native monitoring workflow aligned with SOC/IR-style endpoint analysis.

Project structure

procmon/
├── src/
│   ├── main.cpp
│   ├── process.cpp
│   ├── process.h
│   ├── system.cpp
│   ├── system.h
│   ├── ui.cpp
│   └── ui.h
├── Makefile
└── README.md

License

MIT (see LICENSE).

About

Simple Linux process monitor like htop
