TrustedBSD Security Event Audit

Perforce: //depot/projects/trustedbsd/audit3/...
Collection: p4-cvs-trustedbsd-audit3

Event auditing permits the selective and fine-grained logging of security-relevant system events for the purposes of post-mortem analysis, intrusion detection, and run-time monitoring and analysis. This includes the logging of authentication events, user management events, and detailed logging of access control events, including the ability to log system calls based on user and event class.

The trustedbsd_audit3 implementation is the third-generation security audit implementation produced by the TrustedBSD Project, and is derived from work performed by members of the TrustedBSD team working at McAfee Research under contract to Apple Computer, Inc., in support of the Mac OS X CAPP evaluation. The audit3 code base includes a kernel audit event engine, auditing of system calls across all native and emulated ABIs, modifications to several user space components (including login-related programs such as login and sshd), audit print and reduction tools, an audit management daemon, "audit pipes" for live application monitoring of system events, and an audit support library. As of FreeBSD 6.2-RELEASE, audit support is included in the base FreeBSD distribution, and further development of the kernel implementation will take place in the FreeBSD CVS repository rather than Perforce.

The file format and API are based on Sun's published Basic Security Module (BSM), the de facto industry standard, and are provided via a BSD-licensed OpenBSM user space package. This package is portable to other operating systems, including Apple's Mac OS X, Solaris, and Linux, and permits the writing of portable audit-related applications. OpenBSM is maintained by the TrustedBSD Project, and new versions are imported into the FreeBSD CVS repository intermittently.

BSMtrace is an audit-based host intrusion detection system.
Discussion of the TrustedBSD Audit implementation, as well as the OpenBSM package, takes place on the trustedbsd-audit mailing list. The TrustedBSD Project gratefully acknowledges Apple Computer, Inc., for its generous donation of the Darwin audit implementation under a BSD license.