The FreeBSD 7-CURRENT development branch includes support for Event Auditing based on the POSIX®.1e draft and Sun's published BSM API and file format. Event auditing permits the selective logging of security-relevant system events for the purposes of post-mortem analysis, system monitoring, and intrusion detection. After some settling time in FreeBSD 7-CURRENT, this support will be merged to FreeBSD 6-STABLE and appear in subsequent releases.
Warning: The audit facility in FreeBSD is considered experimental, and production deployment should occur only after careful consideration of the risks of deploying experimental software.
This chapter will focus mainly on the installation and configuration of Event Auditing. Explanation of audit policies, and an example configuration will be provided for the convenience of the reader.
After reading this chapter, you will know:
What Event Auditing is and how it works.
How to configure Event Auditing on FreeBSD for users and processes.
Before reading this chapter, you should:
Understand UNIX® and FreeBSD basics (Chapter 3).
Be familiar with the basics of kernel configuration/compilation (Chapter 8).
Have some familiarity with security and how it pertains to FreeBSD (Chapter 14).
Warning: Event auditing can generate a great deal of log file data, exceeding gigabytes a week in some configurations. An administrator should read this chapter in its entirety to avoid possible self-inflicted DoS attacks due to improper configuration.
The implementation of Event Auditing in FreeBSD is similar to that of the Sun™ Basic Security Module, or BSM library. Thus, the configuration is almost completely interchangeable with Solaris™ and Mac OS X/Darwin operating systems.
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.