OpenBSM: Open Source Basic Security Module (BSM) Audit
OpenBSM is a portable, open source implementation of Sun's Basic
Security Module (BSM) security audit API and file format.
BSM, the de facto industry standard for audit, describes a set of
system call and library interfaces for managing audit records, as
well as a token stream file format that permits extensible and
generalized audit trail processing.
Records may describe both kernel events, such as system calls, and
application events, such as login, password changes,
OpenBSM extends the BSM API and file format in a number of ways to
support features present in the Mac OS X and FreeBSD operating
systems, such as Mach task interfaces, sendfile(), and Linux system
calls present in the FreeBSD Linux emulation layer, as well as
focusing on portability through an endian-independent version of the
The OpenBSM distribution provides system include files, the libbsm
library, command-line tools such as praudit and auditreduce, sample
/etc configuration files, an audit daemon for use on systems with
kernel support, and an audit trail distribution daemon to allow
trails to be securely submitted by end hosts to a central audit trail
server (to appear in OpenBSM 1.2).
It is appropriate for use stand-alone in processing trails generated
by BSM-enabled systems, as well as for use as the foundation of OS
audit implementations requiring libraries, command-line tools,
OpenBSM is built and tested on several versions of FreeBSD, Mac OS
X, and Linux; some components, such as the audit daemon, require
kernel audit support (present in FreeBSD and Mac OS X, and in fact
derived from OpenBSM), but the basic library and audit trail tools
run on all three platforms regardless of OS kernel support.
Written in portable C and built using autoconf/automake, it is easy
to adapt OpenBSM for use on new platforms.
History and Vendors
OpenBSM is derived from the BSM audit implementation found in
Apple's open source Darwin operating system, generously released by
Apple under a BSD license.
The Darwin BSM implementation was created by McAfee Research under
contract to Apple Computer, and has since been maintained and
extended by the volunteer TrustedBSD team.
The FreeBSD Foundation sponsored the development of auditdistd, a
distributed audit trail daemon.
OpenBSM is the core user space component of the TrustedBSD Audit Implementation for
FreeBSD, providing tools, libraries, and include files.
OpenBSM ships with FreeBSD 6.2 and later, with the first full
release of OpenBSM (1.0) in FreeBSD 6.3 and FreeBSD 7.0.
BSMtrace is an independently
distributed BSM-based host intrusion detection system that relies
on OpenBSM audit trails.
Discussion of the TrustedBSD Audit implementation, as well as the
OpenBSM package, takes place on the trustedbsd-audit mailing list.
OpenBSM source code is available for download via occasional
snapshot and release tarballs, vendor integrated source code (such as
the FreeBSD source tree), and the
OpenBSM GitHub repository.
The current release is OpenBSM 1.1p2, released on 2 August, 2009.
Please see the file README present in the OpenBSM distribution for
build and installation instructions.
OpenBSM 1.1p2 is a minor patch release of the OpenBSM code base.
There are no significant changes from OpenBSM 1.1p1, but there
are several bug fixes relating to /etc/security/audit_event
entries for the openat(2) system call, build fixes for Linux, and
the printing of class masks by the audump tool.
OpenBSM 1.1p1 is a minor patch release of the OpenBSM code base.
There are no significant changes from OpenBSM 1.1, but there are
a number of bug fixes in token parsing and generation, and
tolerance for whitespace variation in OpenBSM configuration
files is improved.
OpenBSM 1.1 is the second production release of the OpenBSM
code base. Major changes since OpenBSM 1.0 include:
- Trail files now include the host where the trail is
generated. Crash recovery has been improved. Trail
expiration based on size and date is now supported; by
default trail files will be expired after 10MB of trails.
The default individual trail limit is now 2MB.
- Mac OS X Snow Leopard is now a fully supported platform;
launchd(8) can now be used to launch auditd(8). Command
line tools and libraries are now supported on Mac OS X
- Extended header tokens are now supported, allowing audit
trails to be tagged with a host identifier. IPv6 addresses
are now supported in subject tokens.
- BSM token and record types have been further synchronized
to OpenSolaris; support for many new system calls has been
added. Local errors and socket types are mapped to and from
Since the last test release, OpenBSM 1.1 beta 1, 32/64-bit
compatibility has been fixed for the auditon(2) system call.
A default "expire-after" of 10MB is now set in
audit_control(5). Local fcntl(2) arguments are now mapped to
wire BSM versions using new APIs. The audit_submit(3) man
page has been fixed. A new audit event class has been added
for post-login authentication and access control events.
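An added illustration, not a file shipped with OpenBSM: an audit_control(5) file that uses the trail-size, expiration, host and execve(2)-argument settings described above. The dir, flags, naflags, minfree and policy values are assumed for illustration, and the host name is a placeholder.

```text
# /etc/security/audit_control (added example; values are illustrative)
dir:/var/audit
# Preselection classes for attributable and non-attributable events:
# lo = login/logout, aa = the post-login authentication and access control
# class added in OpenBSM 1.1 (assumed class names, as used on FreeBSD).
flags:lo,aa
naflags:lo,aa
# Stop auditing when free space in dir falls below this percentage.
minfree:5
# argv: record execve(2) arguments (enabled by default since 1.1 beta 1).
policy:cnt,argv
# Rotate the active trail once it reaches this size (1.1 default: 2MB).
filesz:2M
# Expire old trails once their aggregate size exceeds this (1.1 default: 10MB).
expire-after:10M
# Host identifier carried in extended header tokens (placeholder value).
host:audit-host.example.invalid
```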
OpenBSM 1.0 is the first production release of the OpenBSM
Since the last test release, OpenBSM 1.0 alpha 15, a bug
leading to a crash in auditreduce(8) has been resolved, and all
AU_ constants have been removed.
The versions of autoconf and automake used to build OpenBSM
have been updated.
Current Development Snapshot
Development snapshots reflect work-in-progress snapshots of the
OpenBSM development branch on GitHub.
They are appropriate for use in production systems, but consumers of
these snapshots should be aware that APIs, file formats, and tools
are under active development, and may change at any time.
Please see the file README present in the OpenBSM distribution for
build and installation instructions.
OpenBSM 1.2-alpha5 is the fifth test release of the OpenBSM 1.2
In this revision several new features were added, among them: support for
setting the kernel's maximum audit queue length; the ability to push a
mapping between audit event names and event numbers into a kernel supporting
this feature; sandboxing support for auditreduce(1) and praudit(1) on systems
supporting Capsicum; and the ability to leave the flags and naflags parameters
empty. Additionally, event definitions for several FreeBSD subsystems were
Historical Development Snapshots
This is an archive of past OpenBSM test snapshots; use of these
versions is not recommended.
These snapshots are from the development of OpenBSM 1.1:
OpenBSM 1.2-alpha4 is the fourth test release of the OpenBSM 1.2
In this revision, a number of bugs have been fixed in auditdistd.
A bug in praudit has been fixed that caused it to emit invalid XML
output. Manpage links, broken since the switch to autotools, are
installed once again. Additionally, event definitions were updated,
and the documentation has been improved.
In this revision, a number of (largely minor) refinements are
made to auditdistd; perhaps most importantly, header files and
build elements are cleaned up to support better integration into
the FreeBSD 10-CURRENT source tree.
In this revision, OpenBSM grows a new daemon, auditdistd, which
provides secure audit trail distribution over the network.
Implemented by Pawel Jakub Dawidek and sponsored by the FreeBSD
Foundation, auditdistd provides a client to run on hosts
generating audit trails, and a server to run on a central secure
audit host. auditdistd uses TLS to encrypt trails on the wire,
and operates append-only, so that audit trails leading up to a
compromise on the client are tamper-proof on the client. This
feature is considered experimental.
In this revision, OpenBSM grows support for Capsicum system calls
and events, addresses warnings from the Clang static analyser,
fixes trail expiration when the host parameter is used, adds
support for privilege tokens, fixes a directory descriptor leak
that arose in low disk space conditions, adds build support for
more recent Linux versions, fixes bugs in XML rendering of BSM,
and improves the documentation.
1.1 beta 1
In this revision, OpenBSM's auditd(8) grows support for audit
trail expiration based on age and trail size, various defaults
in audit_control(5) are modernized (such as smaller percent
free default, and enabling execve(2) argument auditing by
default), socket types and domains are converted to BSM format
when written out, and bugs are fixed in IPC permission token
1.1 alpha 5
In this revision, OpenBSM is modified to map local protocol
family constants and socket types to wire versions, as the
specific constant values vary by OS; a stub libauditd(3) man
page is added, errno constants are renamed, full error string
text is not compiled into kernels when OpenBSM code is used
there, warnings are fixed on many platforms, and the launchd
label for audit is changed on Mac OS X.
1.1 alpha 4
In this revision, most functional components of auditd(8) are
moved to a new libauditd(3), so that they can be shared by
auditd(8) on FreeBSD and launchd(8) on Mac OS X. In addition,
audit_submit(3) is taught to accept local errno values (as it
did before the addition of a BSM error number space), further
cleanup of the user audit event ID space is performed in order
to avoid collisions with other systems, au_strerror(3) is added
to allow printing of error numbers without converting to local
numbers (which may lose fidelity), and audit crash recovery is
improved as auditd now maintains a current trail link and
cleans up if it discovers auditd failed during the last
rotation. In Mac OS X, ASL(3) is used instead of syslog(3) for
1.1 alpha 3
In this revision, OpenBSM maps between local and wire values
for the errno error space, bugs are fixed in the encoding of
execve arguments and environmental variables, support for the
portable AUT_SOCKET_EX token type is added, and the BSM header
version is bumped to give OpenBSM 1.1 its own file format
version due to non-trivial changes in tokens.
1.1 alpha 2
In this revision, BSM include files required by OS vendors for
use in kernels are broken out into a separate include
directory, a configure option is added to force use of native
rather than OpenBSM sys includes if desired, strlcpy() and
strlcat() are used in preference to less robust APIs,
compatibility defines for old Darwin event identifiers are
removed, support for extended header tokens (containing host
information) is added to the BSM library and auditd(8), and can
be set in audit_control(5).
1.1 alpha 1
In this revision, support for Mac OS X 10.5 is introduced,
including new events specific to Leopard, and support for the
Mach IPC audit trigger method.
auditreduce(1) grows an invert flag, and allows selecting of
more than one event.
A number of bugs are fixed, including in XML trail conversion,
BSM record writing, and audit_control file access.
These snapshots are from the development of OpenBSM 1.0:
1.0 alpha 15
Bugs fixed in the handling of IPv6 addresses, auditreduce, and
additional audit event identifiers added for new system
1.0 alpha 14
Support for the zonename token type added, a variety of
endian-related bugs in IPv6 addresses fixed, OpenBSM becomes
warning clean for gcc1, and various man pages updated.
1.0 alpha 13
Man page documentation substantially improved, XML printing
support added to praudit(8), and support for more 64-bit token
1.0 alpha 12
audit_control(5) filesz configuration added in order to
support automated rotation of audit trails based on file size,
regular expression matching for paths added to auditreduce, an
audit_warn event is generated on rotation, and a number of
other bugs fixed and documentation improved.
1.0 alpha 11
audit_control(5) control of audit policy is introduced, and
a significant number of bugs relating to execve(2) argument
auditing and trail rotation are fixed.
1.0 alpha 10
auditd(8) now submits complete audit records, including full
return information, as part of its operation.
1.0 alpha 9
Many BSM_/bsm_ constants are renamed to AUDIT_/audit_, the
audit filter module API has been refined, and a number of bugs
have been fixed.
1.0 alpha 8
Non-Solaris audit events have been renumbered to avoid future
collisions, and a unique OpenBSM header token version number
has been adopted.
A variety of other bugs have been fixed, and cleanups made.
1.0 alpha 7
Improvements in the creation of subject tokens and in code
1.0 alpha 6
An experimental audit filter API is introduced, APIs for
application-submitted audit records are improved, and bugs are
1.0 alpha 5
OpenBSM now uses autoconf/automake, allowing it to build on
Mac OS X and Linux.
1.0 alpha 4
This is the first version of OpenBSM and incorporates the
OpenBSM code as present on FreeBSD CVS at this date.