October 15, 2018

How to Install Audit Support on FreeBSD


With FreeBSD's Security Event Auditing you can monitor system events such as logins, file changes and network access. You can even monitor these events per user and per directory, which makes it a good tool for tracking security-relevant system events. Besides this you can combine the event auditing with your favorite sync software to create a cluster file system on FreeBSD.

Root access is required to edit the following files and to execute commands. Log in as root (su) or simply prepend sudo to all commands that require root privileges.

Check for Security Event Auditing support on FreeBSD

First check whether audit support is already built into your kernel by trying to start the audit daemon:

/etc/rc.d/auditd start

If audit support is already built in (the daemon starts without complaining about missing kernel support), you can skip the next step and continue with the configuration step.

Installing the Security Event Auditing on FreeBSD

First we need to download the complete src distribution:

sysinstall -> configure -> distributions -> src -> all -> ok

Now we can build and install a custom kernel. For this we simply copy the GENERIC kernel config file to a new file named AUDITKERNEL. Replace amd64 with your system's architecture:

cd /usr/src/sys/amd64/conf
cp GENERIC AUDITKERNEL

Add the following lines to the new kernel config file AUDITKERNEL:

ident      AUDITKERNEL
options    AUDIT

Navigate to the src directory, then build and install the new kernel. It is not a bad idea to back up your existing kernel under /boot/kernel to something like /boot/kernel.old first.

cd /usr/src
make buildkernel KERNCONF=AUDITKERNEL
make installkernel KERNCONF=AUDITKERNEL

Once the kernel is installed you can reboot your system and continue with the configuration step.

Configure the Security Event Auditing on FreeBSD

With audit support installed and active we can start configuring the system. Add the following line to your /etc/rc.conf so that the audit daemon is started at boot:

auditd_enable="YES"

Now manually start the audit daemon:

/etc/rc.d/auditd start

The audit_control and audit_user files are the main configuration files:

vi /etc/security/audit_control
vi /etc/security/audit_user

Detailed documentation is in the audit_control(5) and audit_user(5) manual pages.
You can watch the audit pipe with the following command:

praudit /dev/auditpipe
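The post does not show what goes into audit_control or audit_user, so here is an added example (not from the original post) that writes a conservative audit_control, a per-user override, and checks a kernel config file for the AUDIT option. Paths are passed in as parameters so it can be tried in a scratch directory before touching /etc/security; the class names and keys are the standard ones from audit_control(5) and audit_class(5), but the chosen flag set is this example's assumption, not a recommendation from the page.

```shell
#!/bin/sh
# Added example (not part of the original post).
# Assumes POSIX sh; every path is a parameter so nothing here touches
# /etc/security or /usr/src unless you point it there.

# Return 0 if the given kernel config file enables the AUDIT option
# (i.e. contains a line like "options    AUDIT").
kernel_config_has_audit() {
    grep -Eq '^[[:space:]]*options[[:space:]]+AUDIT([[:space:]]|$)' "$1"
}

# Write an audit_control file into directory $1.
# Audit classes (audit_class(5)): lo = login/logout, aa = authentication
# and authorization, ad = administrative, ex = program execution,
# fc/fd/fm = file create/delete/attribute modify, nt = network, pc = process.
# flags   = classes audited for attributable (logged-in user) events
# naflags = classes audited for non-attributable events (e.g. failed logins)
# policy  = cnt keeps the system running if the trail cannot be written,
#           argv records exec arguments, which is what makes ex useful.
write_audit_control() {
    dir="$1"
    cat > "$dir/audit_control" <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa,ad,ex,fc,fd,fm,nt,pc
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
}

# Print the value of key $2 from the audit_control file $1.
audit_control_get() {
    sed -n "s/^$2:\(.*\)$/\1/p" "$1"
}

# Per-user override in audit_user(5) format "user:always-audit:never-audit":
# audit every class for account $2 and never suppress any class.
write_audit_user() {
    printf '%s:all:no\n' "$2" > "$1/audit_user"
}

# Stand-alone demo: write the files into a scratch directory and show them.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    write_audit_control "$scratch"
    write_audit_user "$scratch" root
    printf 'audited classes: %s\n' "$(audit_control_get "$scratch/audit_control" flags)"
    cat "$scratch/audit_user"
    rm -rf "$scratch"
fi
```

After copying the generated files to /etc/security, run `service auditd restart` (or `/etc/rc.d/auditd restart`) so the new flags take effect; new logins pick up the per-user settings, existing sessions keep the mask they started with.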
