TrustedBSD Security Event Auditing
Security event auditing permits the selective and fine-grained
logging of security-relevant system events for the purposes of
post-mortem analysis, intrusion detection, and run-time monitoring.
This includes the logging of authentication events, user management
events, and detailed logging of access control events, including the
ability to log system calls based on user and event class.
The TrustedBSD audit implementation appeared in FreeBSD 6.2, and
is also present in Mac OS X. The current implementation is derived
from the Mac OS X audit implementation created by McAfee Research
under contract to Apple, Inc, in support of the Mac OS X CAPP
evaluation. The TrustedBSD implementation has been substantially
enhanced to add new features, such as audit pipes allowing
intrusion detection and monitoring applications to attach to and
tailor the live event stream.
The audit implementation includes a kernel audit event engine,
auditing of system calls across all native and emulated ABIs,
modifications to several user space components, including
login-related programs such as login and sshd, audit print and
reduction tools, audit management daemon, "audit pipes" for live
application monitoring of system events, and an audit support
The file format and API are based on Sun's published Basic Security
Module (BSM), the de facto industry standard, and are provided via a
BSD-licensed OpenBSM user space package.
This package is portable to other operating systems, including
Apple's Mac OS X, Solaris, and Linux, and permits the writing of
portable audit-related applications.
OpenBSM is maintained by the TrustedBSD Project, and new versions
are imported into the FreeBSD CVS repository intermittently.
Security event auditing user documentation and an implementation
paper may be found on the documentation
BSMtrace is an audit-based host
intrusion detection system.
Discussion of the TrustedBSD Audit implementation, as well as the
OpenBSM package, takes place on the trustedbsd-audit mailing list.
The TrustedBSD Project greatfully acknowledges Apple Computer, Inc.,
for its generous donation of the Darwin audit implementation under a
The FreeBSD Foundation sponsored development of auditdistd, a
distributed audit trail daemon.