Monitor your system using kernel auditing and auditctl

Watchful

© Image © tetola, 123RF.com

© Image © tetola, 123RF.com

Article from Issue 299/2025
Author(s):

Use the kernel auditing system to set watches on critical files and system calls and log the activity for later anaylsis.

Back in the olden days of computing, long before the widespread adoption of personal computers, there was a phenomenon called a "wheel war": That is, a conflict between administrators given the highest privilege (named the wheel group in classic operating environments like TENEX or TOPS-10). Disagreement from administrators would lead to one user from the wheel group taking action, and another one reversing that action – without much communication or documentation regarding the events. In some cases, administrators would go as far as to block other users or rivaling labs from accessing the system. And when a conflict arose, it was often difficult to unravel who did what when because the system lacked the tools for sorting out the history.

This type of incident would have been significantly less prevalent if operating systems had better ways for auditing and monitoring changes in critical files. In today's world, the "war" isn't between competing administrators but is about potential intruders lurking on the Internet, looking for a way onto your system. A kernel auditing system that tracks access to critical files and system calls is a key ingredient for maintaining a safe environment.

General auditing and system monitoring on Unix-like systems saw its introduction with "trusted" variants of operating systems like Trusted Solaris or TRUSIX. Linux systems with modified kernels allowed for things like Access Control Lists and role-based access control. These systems were often configured to achieve a particular Evaluation Assurance Level certification [1] against multiple protection profiles like CAPP, LSPP, and RBACPP.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Core Technologies

    Look for intruders and study the health of your system with Linux auditing tools.

  • Security Lessons: auditd

    The auditd tool can provide system logging capabilities to satisfy even the most paranoid users.

  • Integrity Measurement Architecture

    The Integrity Measurement Architecture adds important details to your audit logs, making it easier to track an intruder's footprints.

  • Kernel News

    Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.

  • SELinux

    SELinux provides a comprehensive Mandatory Access Control system for Linux, if you are ready for all the details.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News