I've been working on a design for auditing system calls within the kernel. Basic idea is that details of every system call are communicated to a listening daemon in userland using, for example, netlink sockets. Every process will have an audit mask that determines which calls are audited for that process. Control via ioctl() on fake character device. Design is still fluid, partly influenced by Digital Unix's kernel auditing. I haven't yet started coding in earnest and will look into LinuxBSM (mentioned elsewhere in this thread) before deciding whether or not my efforts are worthwhile.
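The design described above, modelled in userland as an added example (it is not the poster's code, and the syscall numbers, the record layout and the table size are assumptions): a per-process audit mask selects which system calls produce records, and each record is framed with a length-prefixed header the way a message handed to a listening daemon over a socket would be, with the daemon side validating the length field before trusting the rest of the message.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the poster's code. Syscall numbers, NR_SYSCALLS and
 * the record layout are illustrative assumptions. */

#define NR_SYSCALLS 64                         /* assumed table size */
#define AUDIT_MASK_WORDS ((NR_SYSCALLS + 63) / 64)

/* One bit per system call number: set means "audit this call". */
struct audit_mask { uint64_t bits[AUDIT_MASK_WORDS]; };

/* Fixed-size record handed to the userland daemon; len is checked by the
 * receiver so a truncated or oversized message is rejected, not parsed. */
struct audit_record {
    uint32_t len;       /* total bytes including this header */
    uint32_t pid;
    uint32_t nr;        /* system call number */
    uint32_t nargs;
    uint64_t args[6];
    int64_t  ret;
};

void audit_mask_clear(struct audit_mask *m) { memset(m, 0, sizeof *m); }

/* Returns 0 on success, -1 if nr is outside the assumed syscall table. */
int audit_mask_set(struct audit_mask *m, unsigned nr) {
    if (nr >= NR_SYSCALLS) return -1;
    m->bits[nr / 64] |= (uint64_t)1 << (nr % 64);
    return 0;
}

int audit_mask_test(const struct audit_mask *m, unsigned nr) {
    if (nr >= NR_SYSCALLS) return 0;
    return (int)((m->bits[nr / 64] >> (nr % 64)) & 1);
}

/* Kernel side (modelled): serialize a record into buf if the process's mask
 * selects this syscall. Returns bytes written, 0 if the call is not audited,
 * -1 if buf is too small. */
int audit_emit(const struct audit_mask *m, uint32_t pid, uint32_t nr,
               const uint64_t *args, uint32_t nargs, int64_t ret,
               unsigned char *buf, size_t buflen) {
    struct audit_record rec;
    if (!audit_mask_test(m, nr)) return 0;
    if (buflen < sizeof rec) return -1;
    if (nargs > 6) nargs = 6;
    memset(&rec, 0, sizeof rec);
    rec.len = (uint32_t)sizeof rec;
    rec.pid = pid;
    rec.nr = nr;
    rec.nargs = nargs;
    rec.ret = ret;
    memcpy(rec.args, args, nargs * sizeof(uint64_t));
    memcpy(buf, &rec, sizeof rec);
    return (int)sizeof rec;
}

/* Daemon side: parse one framed record. The length field is validated
 * against both the expected record size and the bytes actually received. */
int audit_parse(const unsigned char *buf, size_t buflen, struct audit_record *out) {
    uint32_t len;
    if (buflen < sizeof len) return -1;
    memcpy(&len, buf, sizeof len);
    if (len != sizeof *out || len > buflen) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

int main(void) {
    struct audit_mask m;
    struct audit_record r;
    unsigned char buf[128];
    uint64_t args[3] = {1, 2, 3};         /* constructed sample arguments */
    int n;

    audit_mask_clear(&m);
    audit_mask_set(&m, 2);                /* assumed: audit syscall number 2 */
    n = audit_emit(&m, 1234, 2, args, 3, 5, buf, sizeof buf);
    if (n > 0 && audit_parse(buf, (size_t)n, &r) == 0)
        printf("pid=%u nr=%u nargs=%u ret=%lld\n",
               r.pid, r.nr, r.nargs, (long long)r.ret);
    return 0;
}
```

The mask check happens before any record is built, so unaudited calls cost one bit test; the parser rejects any message whose declared length disagrees with the bytes it received, which is the check a daemon reading from a socket needs before it indexes into the record.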
You might like to take a look at KASH (Computational Algebraic Number Theory Shell) which is freely available, but I'm not sure that it's open source. Check out their web site for more information.