Back in the olden days of computing, long before the widespread adoption of personal computers, there was a phenomenon called a "wheel war": That is, a conflict between administrators given the highest privilege (named the wheel group in classic operating environments like TENEX or TOPS-10). Disagreement from administrators would lead to one user from the wheel group taking action, and another one reversing that action – without much communication or documentation regarding the events. In some cases, administrators would go as far as to block other users or rivaling labs from accessing the system. And when a conflict arose, it was often difficult to unravel who did what when because the system lacked the tools for sorting out the history.

This type of incident would have been significantly less prevalent if operating systems had better ways for auditing and monitoring changes in critical files. In today's world, the "war" isn't between competing administrators but is about potential intruders lurking on the Internet, looking for a way onto your system. A kernel auditing system that tracks access to critical files and system calls is a key ingredient for maintaining a safe environment.

General auditing and system monitoring on Unix-like systems saw its introduction with "trusted" variants of operating systems like Trusted Solaris or TRUSIX. Linux systems with modified kernels allowed for things like Access Control Lists and role-based access control. These systems were often configured to achieve a particular Evaluation Assurance Level certification [1] against multiple protection profiles like CAPP, LSPP, and RBACPP.

[...]