Rozdział 16. Security Event Auditing

Written by Tom Rhodes.
Spis treści
16.1. Synopsis
16.2. Key Terms - Words to Know
16.3. Installing Audit Support
16.4. Audit Configuration
16.5. Event Audit Administration

16.1. Synopsis

The FreeBSD 7-CURRENT development branch includes support for Event Auditing based on the POSIX(R).1e draft and Sun's published BSM API and file format. Event auditing permits the selective logging of security-relevant system events for the purposes of post-mortem analysis, system monitoring, and intrusion detection. After some settling time in FreeBSD 7-CURRENT, this support will be merged to FreeBSD 6-STABLE and appear in subsequent releases.


The audit facility in FreeBSD is considered experimental, and production deployment should occur only after careful consideration of the risks of deploying experimental software.

This chapter will focus mainly on the installation and configuration of Event Auditing. Explanation of audit policies, and an example configuration will be provided for the convenience of the reader.

After reading this chapter, you will know:

  • What Event Auditing is and how it works.

  • How to configure Event Auditing on FreeBSD for users and processes.

Before reading this chapter, you should:


Event auditing can generate a great deal of log file data, exceeding gigabytes a week in some configurations. An administrator should read this chapter in its entirety to avoid possible self-inflicted DoS attacks due to improper configuration.

The implementation of Event Auditing in FreeBSD is similar to that of the SunTM Basic Security Module, or BSM library. Thus, the configuration is almost completely interchangeable with SolarisTM and Mac OS X/Darwin operating systems.

All FreeBSD documents are available for download at

Questions that are not answered by the documentation may be sent to <>.
Send questions about this document to <>.