I'm a Linux server administrator (Debian) and my colleagues use PHP. I'd like to log any use of some PHP functions like mkdir or unlink, so I can trace any penetration of our site, for example by shell code.
You can override those functions and log whatever you want before calling them.
http://php.net/manual/es/function.override-function.php#50821
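<?php
// Requires the APD extension, which provides rename_function() and override_function()
// Rename function to call old function later
rename_function('mkdir', 'old_mkdir');
// Override function mkdir, forwarding every argument to the wrapper
override_function('mkdir', '$pathname, $mode = 0777, $recursive = false, $context = null', 'return override_mkdir($pathname, $mode, $recursive, $context);');
// New mkdir function
function override_mkdir($pathname, $mode = 0777, $recursive = false, $context = null){
    // Log the call before executing it
    error_log('mkdir called: ' . $pathname);
    // Call original mkdir function (pass the context only when one was given)
    if ($context === null) {
        return old_mkdir($pathname, $mode, $recursive);
    }
    return old_mkdir($pathname, $mode, $recursive, $context);
}
?>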
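
The same approach applied to unlink, with a log line that records who made the call. This is an added example, not code from the answer or from the PHP manual; audit_format(), audit_call() and override_unlink() are hypothetical names, and the sample paths and IP address are constructed.

```php
<?php
// Added example (not from the answer): audit logging for overridden functions.
// audit_format(), audit_call() and override_unlink() are hypothetical names.

// Build one log line: function, arguments, call chain, script and client IP.
function audit_format($function, array $args, array $trace, array $server)
{
    $chain = array();
    foreach ($trace as $frame) {
        if (isset($frame['file'], $frame['line'])) {
            $chain[] = $frame['file'] . ':' . $frame['line'];
        }
    }
    $script = isset($server['SCRIPT_FILENAME']) ? $server['SCRIPT_FILENAME'] : '-';
    $client = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : 'cli';
    // json_encode() escapes newlines and control characters, so a crafted
    // path cannot inject a forged second line into the log.
    return sprintf('php-audit func=%s args=%s chain=%s script=%s client=%s',
        $function, json_encode($args), json_encode($chain), json_encode($script), $client);
}

// Send the line to the system log rather than to a file under the web root.
function audit_call($function, array $args)
{
    syslog(LOG_NOTICE, audit_format($function, $args, debug_backtrace(), $_SERVER));
}

// Wrapper for unlink(): log first, then call the renamed original.
function override_unlink($filename, $context = null)
{
    audit_call('unlink', array($filename));
    return $context === null ? old_unlink($filename) : old_unlink($filename, $context);
}

if (function_exists('override_function')) {
    // APD is loaded: install the wrapper the same way as for mkdir.
    rename_function('unlink', 'old_unlink');
    override_function('unlink', '$filename, $context = null',
        'return override_unlink($filename, $context);');
} else {
    // No APD: print the line produced for constructed sample input.
    echo audit_format(
        'unlink',
        array("/var/www/uploads/a.php\nforged entry"),
        array(array('file' => '/var/www/site/upload.php', 'line' => 42)),
        array('SCRIPT_FILENAME' => '/var/www/site/index.php', 'REMOTE_ADDR' => '192.0.2.10')
    ), "\n";
}
```

To cover every request, load the file through auto_prepend_file in php.ini so the wrappers are installed before any application code runs.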