Kernel viruses/rootkits are dificult to detect, but admins change the kernel frequently and the attacker loose the rootkit.
People infect user-space, and pre-root attacks are also in user-space, then a system to log user-space dangerous activities will be very useful.
A year ago I coded a defense system that is now public.
Is simple but useful, I hook open, socketcall, execve and unlink, for example if your "ls" is connecting to internet you will see:
Dec 1 13:44:51 hostname kernel: ls CONNECT(18.104.22.168:1337 fam:2)
If your ls Opening for writting:
Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)
try the Defense System here