Chapter 16 Security Event Auditing

Table of Contents
16.1 Synopsis
16.2 Key Terms - Words to Know
16.3 Installing Audit Support
16.4 Audit Configuration
16.5 Event Audit Administration
Written by Tom Rhodes.

16.1 Synopsis

The FreeBSD 7-CURRENT development branch includes support for Event Auditing based on the POSIX®.1e draft and Sun's published BSM API and file format. Event auditing permits the selective logging of security-relevant system events for the purposes of post-mortem analysis, system monitoring, and intrusion detection. After some settling time in FreeBSD 7-CURRENT, this support will be merged to FreeBSD 6-STABLE and appear in subsequent releases.

Warning: The audit facility in FreeBSD is considered experimental, and production deployment should occur only after careful consideration of the risks of deploying experimental software.

This chapter will focus mainly on the installation and configuration of Event Auditing. Explanation of audit policies, and an example configuration will be provided for the convenience of the reader.

After reading this chapter, you will know:

Before reading this chapter, you should:

Warning: Event auditing can generate a great deal of log file data, exceeding gigabytes a week in some configurations. An administrator should read this chapter in its entirety to avoid possible self-inflicted DoS attacks due to improper configuration.

The implementation of Event Auditing in FreeBSD is similar to that of the Sun™ Basic Security Module, or BSM library. Thus, the configuration is almost completely interchangeable with Solaris™ and Mac OS X/Darwin operating systems.

This, and other documents, can be downloaded from

For questions about FreeBSD, read the documentation before contacting <>.
For questions about this documentation, e-mail <>.