Developers working on the kernel often have a natural interest to watch and inspect what is going on inside the code. But they are not the only ones who would like to know what the kernel does. System administrators, for instance, might want to observe which decisions the kernel has taken and which actions were performed. This can be beneficial for a number of reasons, ranging from increased security to postmortem forensic investigation of things that went wrong. It could, for instance, be very interesting to not only observe that a wrong security decision caused by some misconfiguration was made by the kernel, but also to know which process or users took advantage of this. This chapter describes the methods provided by the kernel for this purpose.
Obviously, the surveillance needs of administrators differ considerably from those of developers. While programmers are usually interested in comparatively low-level information, administrators will tend to need a higher-level view: Which processes have opened network connections? Which users have started programs? When did the kernel grant or refuse certain privileges? To answer such questions, the kernel provides the audit subsystem.
While programmers will run their experiments on machines solely devoted to development, administrators face a different problem: The machines they have to monitor usually serve as production machines. This places two crucial constraints on the audit mechanism:
It must be possible ...