User space support for Event Auditing is installed as part of the base FreeBSD
operating system. In FreeBSD 7.0 and later, kernel support for Event Auditing is compiled
in by default. In FreeBSD 6.X, support must be
explicitly compiled into the kernel by adding the following lines to the kernel
configuration file:
options AUDIT
Rebuild and reinstall the kernel via the normal process explained in Chapter 8.
Once an audit-enabled kernel is built, installed, and the system has been rebooted,
enable the audit daemon by adding the following line to rc.conf(5):
auditd_enable="YES"
Audit support must then be started by a reboot, or by manually starting the audit
daemon:
/etc/rc.d/auditd start