www.TrustedBSD.org
Home Developers Documentation Source code ACLs Audit BSMtrace ExtAttr + UFS2 GEOM + GBDE
Mailing Lists News Legal MAC Framework OpenBSM OpenPAM Privileges SEBSD SEDarwin
Trusty

TrustedBSD Security Event Auditing

Security event auditing permits the selective and fine-grained logging of security-relevant system events for the purposes of post-mortem analysis, intrusion detection, and run-time monitoring. This includes the logging of authentication events, user management events, and detailed logging of access control events, including the ability to log system calls based on user and event class.

The TrustedBSD audit implementation appeared in FreeBSD 6.2, and is also present in Mac OS X. The current implementation is derived from the Mac OS X audit implementation created by McAfee Research under contract to Apple, Inc, in support of the Mac OS X CAPP evaluation. The TrustedBSD implementation has been substantially enhanced to add new features, such as audit pipes allowing intrusion detection and monitoring applications to attach to and tailor the live event stream.

The audit implementation includes a kernel audit event engine, auditing of system calls across all native and emulated ABIs, modifications to several user space components, including login-related programs such as login and sshd, audit print and reduction tools, audit management daemon, "audit pipes" for live application monitoring of system events, and an audit support library.

The file format and API are based on Sun's published Basic Security Module (BSM), the de facto industry standard, and are provided via a BSD-licensed OpenBSM user space package. This package is portable to other operating systems, including Apple's Mac OS X, Solaris, and Linux, and permits the writing of portable audit-related applications. OpenBSM is maintained by the TrustedBSD Project, and new versions are imported into the FreeBSD CVS repository intermittently.

Security event auditing user documentation and an implementation paper may be found on the documentation page.

BSMtrace is an audit-based host intrusion detection system.

Discussion of the TrustedBSD Audit implementation, as well as the OpenBSM package, takes place on the trustedbsd-audit mailing list.

The TrustedBSD Project greatfully acknowledges Apple Computer, Inc., for its generous donation of the Darwin audit implementation under a BSD license. The FreeBSD Foundation sponsored development of auditdistd, a distributed audit trail daemon.


    Copyright 2000-2012 Robert N. M. Watson. All rights reserved.
    Copyright 2005 SPARTA, Inc. All rights reserved.
    Copyright 2002, Leigh T. Denault. All rights reserved.
    Copyright 2002, 2003 Networks Associates, Inc. All rights reserved.
    $P4: //depot/projects/trustedbsd/www/audit.page#11 $