System call interception can help you here. Caveat: it will let you log the fact that a process communicated with a daemon/service, but if the daemon/service is not subject to logging then it will not transitively log actions that the daemon/service performs, so it cannot expose all confused deputy problems.
From the strace man page:
In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
Since file-system access and network socket creation are done via syscalls, logging those calls will let you reconstruct which file and network resources your program is accessing.
If you want to understand which resources are being accessed, and then make sure that the process never accesses more than that even if subverted, look into systrace.
For complicated applications, it is difficult to know the correct policy before running them. Initially, Systrace notifies the user about all system calls that an application tries to execute. The user configures a policy for the specific system call that caused the warning. After a few minutes, a policy is generated that allows the application to run without any warnings. However, events that are not covered still generate a warning. Normally, that is an indication of a security problem. Systrace improves cyber security by providing intrusion prevention.
Alternatively, policies can be learned automatically. In many instances, the automatically learned policies can be used for sandboxing immediately. Sometimes, minimal manual post-processing is necessary.
Caveat: strace was not designed for security the way systrace was, so it is prone to exploitable race conditions around syscall parameters. See D.W.'s comment for pointers on how to harden strace.
I don't know much about syscall interception on Windows, but StraceNT and VTrace look like good starting points.
StraceNT is a System Call Tracer for Windows. It provides similar functionality to that of strace on Linux. It can trace all the calls made by a process to the imported functions from a DLL. StraceNT can be very useful in debugging and analyzing the internal working of a program.
VTrace collects data about processes, threads, messages, disk operations, network operations, and devices. The technique uses a DLL loaded into the address space of every process to intercept Win32 system calls; establishes hook functions for Windows NT kernel system calls; modifies the context switch code in memory to log context switches; and uses device filters to log accesses to devices.
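The reconstruction step described above (recovering the files and network endpoints a program touched from the syscall log) is easy to get subtly wrong on real strace output because of pid prefixes, failed calls, and calls that `-f` splits across `<unfinished ...>` / `<... resumed>` lines. The following is an added example, not code from the original answer or from the strace project; it assumes a trace produced by something like `strace -f -o trace.log -e trace=file,network,process ./program`, and the sample trace it parses is constructed by hand to exercise those cases.

```python
"""Reconstruct the file and network resources touched by a traced program from
strace text output. Added example (not part of the original answer); it assumes
strace's default text format with -f pid prefixes, e.g. from
    strace -f -o trace.log -e trace=file,network,process ./program
"""
import re
from collections import defaultdict

# "4242  openat(...)" (from -f -o file) or "[pid  4242] openat(...)" (on stderr)
PREFIX = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(.*)$')
# name(args) = retval [ERRNO (description)]
CALL = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+|\?)\s*(.*)$')
# With -f, a blocking call is split over two lines; re-join them per pid.
UNFINISHED = re.compile(r'^(\w+)\((.*)<unfinished \.\.\.>$')
RESUMED = re.compile(r'^<\.\.\. (\w+) resumed>\s*(.*)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
FAMILY = re.compile(r'sa_family=(AF_\w+)')
PORT = re.compile(r'sin6?_port=htons\((\d+)\)')
ADDR = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6,\s*"([^"]+)"|sun_path="([^"]+)"')

FILE_CALLS = {'open', 'openat', 'creat', 'stat', 'lstat', 'newfstatat', 'statx',
              'access', 'faccessat', 'readlink', 'execve', 'unlink', 'unlinkat',
              'rename', 'renameat', 'mkdir', 'chdir', 'chmod', 'chown'}
NET_CALLS = {'connect', 'bind', 'sendto'}


def iter_calls(lines):
    """Yield (pid, syscall, args, retval, tail) for every completed call."""
    pending = {}  # pid -> first half of an unfinished call
    for line in lines:
        m = PREFIX.match(line.rstrip('\n'))
        pid, body = (m.group(1) or m.group(2) or '0'), m.group(3)
        u = UNFINISHED.match(body)
        if u:
            pending[pid] = u.group(1) + '(' + u.group(2)
            continue
        r = RESUMED.match(body)
        if r:
            head = pending.pop(pid, None)
            if head is None or not head.startswith(r.group(1) + '('):
                continue  # resumed line without a matching head: ignore it
            body = head + r.group(2)
        c = CALL.match(body)
        if c:
            name, args, ret, tail = c.groups()
            yield pid, name, args, ret, tail.strip()


def summarize(lines):
    """Map each path / endpoint to the set of 'syscall:outcome' strings seen."""
    files, net = defaultdict(set), defaultdict(set)
    for _pid, name, args, ret, tail in iter_calls(lines):
        if ret == '?':  # process died mid-call; no outcome to record
            continue
        outcome = 'ok' if ret != '-1' else tail.split()[0]  # e.g. ENOENT
        if name in FILE_CALLS:
            paths = QUOTED.findall(args)
            # rename-style calls name two paths; for the rest (including
            # execve, whose argv is also quoted) only the first string is a path
            for p in (paths if name.startswith('rename') else paths[:1]):
                files[p].add(f'{name}:{outcome}')
        elif name in NET_CALLS:
            fam = FAMILY.search(args)
            if not fam:  # e.g. sendto() on a connected socket: no sockaddr
                continue
            a = ADDR.search(args)
            addr = next((g for g in a.groups() if g), '?') if a else '?'
            port = PORT.search(args)
            endpoint = f'{fam.group(1)} {addr}' + (f':{port.group(1)}' if port else '')
            net[endpoint].add(f'{name}:{outcome}')
    return dict(files), dict(net)


# Constructed sample trace (not a real capture) covering a pid prefix, a failed
# openat, a UNIX-socket connect, a DNS sendto and an unfinished/resumed connect
# interleaved with a child process.
SAMPLE_TRACE = r"""4242  execve("/usr/bin/curl", ["curl", "https://example.com"], 0x7ffd4c3a1e20 /* 20 vars */) = 0
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 4
4242  openat(AT_FDCWD, "/root/.curlrc", O_RDONLY) = -1 ENOENT (No such file or directory)
4242  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 5
4242  connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4242  socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 5
4242  sendto(5, "\35\271\1\0\0\1\0\0\0\0\0\0\7example\3com\0\0\1\0\1", 29, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 29
4242  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
4242  connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("93.184.216.34")}, 16 <unfinished ...>
4243  openat(AT_FDCWD, "/tmp/scratch", O_WRONLY|O_CREAT, 0600) = 3
4242  <... connect resumed>) = 0
4242  +++ exited with 0 +++
"""

if __name__ == '__main__':
    files, net = summarize(SAMPLE_TRACE.splitlines())
    for resource, outcomes in sorted({**files, **net}.items()):
        print(f'{resource:45} {", ".join(sorted(outcomes))}')
```

Failed calls are kept rather than dropped: a program probing for `/root/.curlrc` or a nscd socket that does not exist on the tracing host is still a resource it will use when one is present, so the resulting allow-list (for systrace or any other sandbox) should include those paths too. Note that this only ever reflects the inputs the program was exercised with; a code path not taken during tracing leaves no syscalls to learn from.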