
5 Related works

Anderson [3] first proposed using audit trails to monitor system activity. The use of existing audit records suggested the development of simple tools to check for unauthorized access to systems and files.

Bonyun [4] argued that a single, well-unified logging process was an essential component of computer security mechanisms.

Picciotto [5] presented a sophisticated audit capability for a Compartmented Mode Workstation.

Intrusion detection systems that focus on anomalous behavior have also driven research in auditing and logging. Axent Technologies [7] has presented IDSs for Unix and NT platforms, but nothing for Linux.

The Tripwire facility from the COAST [8] project at Purdue University can take care of the file system, but it can only report problems: it does not take any action to terminate the dangerous event.



2000-08-07