I've been investigating some solutions for logging access to production unix boxes (standard centos/rhel). The main product in the market is PowerBroker which doesn't come cheap. I came across Sebek, an open source tool developed as part of Honeynet project. It's a rather interesting idea which implements an LKM (linux kernel module) which hooks into sys_read() call. In addition to performing the regular read(...) function, it also sends all the data across the network to a Sebek server.
It seems like a rather transparent change, but I am still worried about hacking with LKMs on production systems.
Here is how the deployment looks:
Does anyone use it?