Chapter 17 Security Event Auditing

Written by Tom Rhodes and Robert Watson.

17.1 Synopsis

FreeBSD 6.2 and later include support for fine-grained security event auditing. Event auditing allows the reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. FreeBSD implements Sun™'s published BSM API and file format, and is interoperable with both Sun's Solaris™ and Apple®'s Mac OS® X audit implementations.

This chapter focuses on the installation and configuration of Event Auditing. It explains audit policies, and provides an example audit configuration.

After reading this chapter, you will know:

  • What Event Auditing is and how it works.

  • How to configure Event Auditing on FreeBSD for users and processes.

  • How to review the audit trail using the audit reduction and review tools.

Before reading this chapter, you should:

  • Understand UNIX® and FreeBSD basics (Chapter 3).

  • Be familiar with the basics of kernel configuration/compilation (Chapter 8).

  • Have some familiarity with security and how it pertains to FreeBSD (Chapter 14).

Warning: The audit facility in FreeBSD 6.X is experimental, and production deployment should occur only after careful consideration of the risks of deploying experimental software. Known limitations include that not all security-relevant system events are currently auditable, and that some login mechanisms, such as X11-based display managers and third party daemons, do not properly configure auditing for user login sessions.

Warning: The security event auditing facility is able to generate very detailed logs of system activity: on a busy system, trail file data can be very large when configured for high detail, exceeding gigabytes a week in some configurations. Administrators should take into account disk space requirements associated with high volume audit configurations. For example, it may be desirable to dedicate a file system to the /var/audit tree so that other file systems are not affected if the audit file system becomes full.

  Published under the terms of the FreeBSD Document Project