Monitor your system using kernel auditing and auditctl
Watchful

© Image © tetola, 123RF.com
Use the kernel auditing system to set watches on critical files and system calls and log the activity for later anaylsis.
Back in the olden days of computing, long before the widespread adoption of personal computers, there was a phenomenon called a "wheel war": That is, a conflict between administrators given the highest privilege (named the wheel
group in classic operating environments like TENEX or TOPS-10). Disagreement from administrators would lead to one user from the wheel
group taking action, and another one reversing that action – without much communication or documentation regarding the events. In some cases, administrators would go as far as to block other users or rivaling labs from accessing the system. And when a conflict arose, it was often difficult to unravel who did what when because the system lacked the tools for sorting out the history.
This type of incident would have been significantly less prevalent if operating systems had better ways for auditing and monitoring changes in critical files. In today's world, the "war" isn't between competing administrators but is about potential intruders lurking on the Internet, looking for a way onto your system. A kernel auditing system that tracks access to critical files and system calls is a key ingredient for maintaining a safe environment.
General auditing and system monitoring on Unix-like systems saw its introduction with "trusted" variants of operating systems like Trusted Solaris or TRUSIX. Linux systems with modified kernels allowed for things like Access Control Lists and role-based access control. These systems were often configured to achieve a particular Evaluation Assurance Level certification [1] against multiple protection profiles like CAPP, LSPP, and RBACPP.
[...]
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

News
-
AerynOS Alpha Release Available
With a choice of several desktop environments, AerynOS 2025.08 is almost ready to be your next operating system.
-
AUR Repository Still Under DDoS Attack
Arch User Repository continues to be under a DDoS attack that has been going on for more than two weeks.
-
RingReaper Malware Poses Danger to Linux Systems
A new kind of malware exploits modern Linux kernels for I/O operations.
-
Happy Birthday, Linux
On August 25, Linux officially turns 34.
-
VirtualBox 7.2 Has Arrived
With early support for Linux kernel 6.17 and other new additions, VirtualBox 7.2 is a must-update for users.
-
Linux Mint 22.2 Beta Available for Testing
Some interesting new additions and improvements are coming to Linux Mint. Check out the Linux Mint 22.2 Beta to give it a test run.
-
Debian 13.0 Officially Released
After two years of development, the latest iteration of Debian is now available with plenty of under-the-hood improvements.
-
Upcoming Changes for MXLinux
MXLinux 25 has plenty in store to please all types of users.
-
A New Linux AI Assistant in Town
Newelle, a Linux AI assistant, works with different LLMs and includes document parsing and profiles.
-
Linux Kernel 6.16 Released with Minor Fixes
The latest Linux kernel doesn't really include any big-ticket features, just a lot of lines of code.