Syscall auditing comes to Linux
Something that had been on my wishlist for a while is now available as part of the Linux 2.6.6 kernel release: Syscall Auditing. Syscall auditing allows for the selective logging of syscalls.
This means you can define logging rules that let you more easily do things like track down what program is spewing crap files all over /tmp, watch suspicious users and see what files they are editing and what they are running, find out what exactly that temperamental long-running process does when it seems to die randomly at 4:32am, etc. Of course the given examples could be done with other tools, but syscall auditing makes things significantly easier.
Unfortunately the userspace tools are still rather raw and the auditing output isn't very human friendly. I figure it is only a matter of time before more friendly parsing tools start popping up. The existing tools can be found here and the needed kernel support is already in recent Fedora 2.6.x kernel releases.
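As an added example (not code from the original post, nor one of the audit tools it links to), here is a small Python parser for the kind of raw audit output the post complains about: it joins SYSCALL and PATH records by their audit serial number and answers the first question above, which program is creating files under /tmp. It assumes the record format written by the later auditd daemon (`type=... msg=audit(ts:serial): k=v ...`), a rule tagged with key `tmp-writes`, and constructed log lines.

```python
import re
from collections import defaultdict

# Constructed sample in auditd's audit.log format (not output from the original
# post). One syscall event = one SYSCALL record plus its PATH records, all
# sharing the same msg=audit(timestamp:serial) id. Rule key assumed: tmp-writes.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581 a2=241 a3=1b6 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="spewer" exe="/usr/local/bin/spewer" key="tmp-writes"
type=PATH msg=audit(1700000000.101:41): item=0 name="/tmp/" inode=2 dev=00:21 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:41): item=1 name="/tmp/junk.0001" inode=17 dev=00:21 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.102:42): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5582 a2=241 a3=1b6 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="spewer" exe="/usr/local/bin/spewer" key="tmp-writes"
type=PATH msg=audit(1700000000.102:42): item=0 name="/tmp/" inode=2 dev=00:21 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.102:42): item=1 name="/tmp/junk.0002" inode=18 dev=00:21 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.250:43): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=6000 a2=2 a3=0 items=1 ppid=700 pid=702 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" key="tmp-writes"
type=PATH msg=audit(1700000000.250:43): item=0 name="/tmp/notes.txt" inode=9 dev=00:21 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:44): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=6100 a2=241 a3=1b6 items=1 ppid=700 pid=710 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=3 comm="dropper" exe="/home/bob/dropper" key="tmp-writes"
type=PATH msg=audit(1700000000.300:44): item=0 name="/tmp/locked" inode=3 dev=00:21 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_records(log_text):
    """Group raw records into events keyed by audit serial number."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank or truncated line, not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        fields['type'] = rtype
        events[int(serial)].append(fields)
    return events

def tmp_file_creators(log_text, key='tmp-writes'):
    """Map exe -> (auid, [paths]) for successful file creations tagged with `key`."""
    result = {}
    for _serial, records in sorted(parse_records(log_text).items()):
        syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
        if not syscall or syscall.get('key') != key or syscall.get('success') != 'yes':
            continue  # untagged event, or a failed attempt that wrote nothing
        created = [r['name'] for r in records
                   if r['type'] == 'PATH' and r.get('nametype') == 'CREATE']
        if created:  # opening an existing file (nametype=NORMAL) is not a creation
            entry = result.setdefault(syscall['exe'], (syscall['auid'], []))
            entry[1].extend(created)
    return result
```

Running `tmp_file_creators(SAMPLE_LOG)` reports only `/usr/local/bin/spewer` (login uid 1000) with both junk files; vim's edit of an existing file and the failed create are filtered out.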
