Home Developers Documentation Source code ACLs Audit BSMtrace ExtAttr + UFS2 GEOM + GBDE
Mailing Lists News Legal MAC Framework OpenBSM OpenPAM Privileges SEBSD SEDarwin

OpenBSM: Open Source Basic Security Module (BSM) Audit Implementation

GitHub: https://github.com/openbsm/openbsm

OpenBSM is a portable, open source implementation of Sun's Basic Security Module (BSM) security audit API and file format. BSM, the de facto industry standard for audit, describes a set of system call and library interfaces for managing audit records, as well as a token stream file format that permits extensible and generalized audit trail processing. Records may describe both kernel events, such as system calls, as well as application events, such as login, password changes, etc.

OpenBSM extends the BSM API and file format in a number of ways to support features present in the Mac OS X and FreeBSD operating systems, such as Mach task interfaces, sendfile(), and Linux system calls present in the FreeBSD Linux emulation layer, as well as focusing on portability through an endian-independent version of the trail format.

The OpenBSM distribution provides system include files, the libbsm library, command-line tools such as praudit and auditreduce, sample /etc configuration files, an audit daemon for use on systems with kernel support, and an audit trail distribution daemon to allow trails to be securely submitted by end hosts to a central audit trail server (to appear in OpenBSM 1.2). It is appropriate for use stand-alone in processing trails generated by BSM-enabled systems, as well as for use as the foundation of OS audit implementations requiring libraries, command-line tools, etc.

OpenBSM is built and tested on several versions of FreeBSD, Mac OS X, and Linux; some components, such as the audit daemon, require kernel audit support (present in FreeBSD and Mac OS X, and in fact derived from OpenBSM), but the basic library and audit trail tools run on all three platforms regardless of OS kernel support. Written in portable C and built using autoconf/automake, it is easy to adapt OpenBSM for use on new platforms.

History and Vendors

OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, generously released by Apple under a BSD license. The Darwin BSM implementation was created by McAfee Research under contract to Apple Computer, and has since been maintained and extended by the volunteer TrustedBSD team. The FreeBSD Foundation sponsored the development of auditdistd, a distributed audit trail daemon.

OpenBSM is the core user space component of the TrustedBSD Audit Implementation for FreeBSD, providing tools, libraries, and include files. OpenBSM ships with FreeBSD 6.2 and later, with the first full release of OpenBSM (1.0) in FreeBSD 6.3 and FreeBSD 7.0.

BSMtrace is an independently distributed BSM-based host intrusion detection system that relies on OpenBSM audit trails.

Mailing List

Discussion of the TrustedBSD Audit implementation, as well as the OpenBSM package, takes place on the trustedbsd-audit mailing list.


OpenBSM source code is available for download via occasional snapshot and release tarballs, vendor integrated source code (such as the FreeBSD source tree), and the OpenBSM GitHub repository. The current release is OpenBSM 1.1p2, released on 2 August, 2009. Please see the file README present in the OpenBSM distribution for build and installation instructions.

Version Download Size Date Description
1.1p2 openbsm-1.1-p2.tgz 560K 2009-08-02

OpenBSM 1.1p2 is a minor patch release of the OpenBSM code base. There are no significant changes from OpenBSM 1.1p1, but there are several bug fixes relating to /etc/security/audit_event entries for the openat(2) system call, build fixes for Linux, and the printing of class masks by the audump tool.

1.1p1 openbsm-1.1-p1.tgz 560K 2009-07-17

OpenBSM 1.1p1 is a minor patch release of the OpenBSM code base. There are no significant changes from OpenBSM 1.1, but there are a number of bug fixes in token parsing and generation, and tolerance for whitespace variation in OpenBSM configuration files is improved.

1.1 openbsm-1.1.tgz 560K 2009-04-16

OpenBSM 1.1 is the second production release of the OpenBSM code base. Major changes since OpenBSM 1.0 include:

  • Trail files now include the host where the trail is generated. Crash recovery has been improved. Trail expiration based on size and date is now supported; by default trail files will be expired after 10MB of trails. The default individual trail limit is now 2MB.
  • Mac OS X Snow Leopard is now a fully supported platform; launchd(8) can now be used to launchd auditd(8). Command line tools and libraries are now supported on Mac OS X Leopard.
  • Extended header tokens are now supported, allowing audit trails to be tagged with a host identifier. IPv6 addresses are now supported in subject tokens.
  • BSM token and record types have been further synchronized to OpenSolaris; support for many new system calls has been added. Local errors and socket types are mapped to and from BSM values.

Since the last test release, OpenBSM 1.1 beta 1, 32/64-bit compatibility has been fixed for the auditon(2) system call. A default "expire-after" of 10MB is now set in audit_control(5). Local fcntl(2) arguments are now mapped to wire BSM versions using new APIs. The audit_submit(3) man page has been fixed. A new audit event class has been added for post-login authentication and access control events.

1.0 openbsm-1.0.tgz 496K 2007-10-28

OpenBSM 1.0 is the first production release of the OpenBSM code base. Since the last test release, OpenBSM 1.0 alpha 15, a bug leading to a crash in auditreduce(8) has been resolved, and all AU_ constants have been removed. The versions of autoconf and automake used to build OpenBSM have been updated.

Current Development Snapshot

Development snapshots reflect work-in-progress snapshots of the OpenBSM development branch on GitHub. They are appropriate for use in production systems, but consumers of these snapshots should be aware that APIs, file formats, and tools are under active development, and may change at any time. Please see the file README present in the OpenBSM distribution for build and installation instructions.

Version Download Size Date Description
1.2 alpha4 openbsm-1.2-alpha4.tgz 683K 2015-11-02

SHA256: 35b0370d19a742a387f10aaae187a38abee536d8a7b57c0e9d997d3ceaf02429

OpenBSM 1.2-alpha4 is the fourth test release of the OpenBSM 1.2 release stream. In this revision, a number of bugs have been fixed in auditdistd. A bug in praudit has been fixes that caused it to emit invalid XML output. Manpage links, broken since the switch to autotools, are installed once again. Additionally, event definitions were updated, and the documentation has been improved.

Historical Development Snapshots

This is an archive of past OpenBSM test snapshots; use of these versions is not recommended. These snapshots are from the development of OpenBSM 1.1:

Version Download Size Date Description
1.2 alpha3 openbsm-1.2-alpha3.tgz 736K 2012-12-15

In this revision, a number of (largely minor) refinements are made to auditdistd; perhaps most importantly, header files and build elements are cleaned up to support better integration into the FreeBSD 10-CURRENT source tree.

1.2 alpha2 openbsm-1.2-alpha2.tgz 736K 2012-11-23

In this revision, OpenBSM grows a new daemon, auditdistd, which provides secure audit trail distribution over the network. Implemented by Pawel Jakub Dawidek and sponsored by the FreeBSD Foundation, auditdistd provides a client to run on hosts generating audit trails, and a server to run on a central secure audit host. auditdistd uses TLS to encrypt trails on the wire, and does it append-only, so that audit trails leading up to a compromise on the client are tamper-proof on the client. This feature is considered experimental.

1.2 alpha1 openbsm-1.2-alpha1.tgz 640K 2012-07-22

In this revision, OpenBSM grows support for Capsicum system calls and events, has various fixes to address warnings from the Clang static analyser, fixes trail expiration when the host parameter is used, adds support for privilege tokens, fixes a directory descriptor leak that arose in low disk space conditions, added build support for more recent Linux versions, fixed bugs in XML rendering of BSM, and improved the documentation.

1.1 beta 1 openbsm-1.1-beta1.tgz 544K 2009-02-24

In this revision, OpenBSM's auditd(8) grows support for audit trail expiration based on age and trail size, various defaults in audit_control(5) are modernized (such as smaller percent free default, and enabling execve(2) argument auditing by default), socket types and domains are converted to BSM format when written out, and bugs are fixed in IPC permission token encoding.

1.1 alpha 5 openbsm-1.1-alpha5.tgz 544K 2009-01-11

In this revision, OpenBSM is modified to map local protocol family constants and socket types to wire versions, as the specific constant values vary by OS; a stub libauditd(3) man page is added, errno constants are renamed, full error string text is not compiled into kernels when OpenBSM code is used there, warnings are fixed on many platforms, and the launchd label for audit is changed on Mac OS X.

1.1 alpha 4 openbsm-1.1-alpha4.tgz 544K 2008-12-19

In this revision, most functional components of auditd(8) are moved to a new libauditd(3), so that they can be shared by auditd(8) on FreeBSD and launchd(8) on Mac OS X. In addition, audit_submit(3) is taught to accept local errno values (as it did before the additional of a BSM error number space), further cleanup of the user audit event ID space is performed in order to avoid collisions with other systems, au_strerror(3) is added to allow printing of error numbers without converting to local numbers (which may lose fidelity), and audit crash recovery is improved as auditd now maintains a current trail link and cleans up if it discovers auditd failed during the last rotation. In Mac OS X, ASL(3) is used instead of syslog(3) for system logging.

1.1 alpha 3 openbsm-1.1-alpha3.tgz 512K 2008-12-07

In this revision, OpenBSM maps between local and wire values for the errno error space, bugs are fixed in the encoding of execve arguments and environmental variables, support for the portable AUT_SOCKET_EX token type is added, and the BSM header version is bumped to give OpenBSM 1.1 its own file format version due to non-trivial changes in tokens.

1.1 alpha 2 openbsm-1.1-alpha2.tgz 512K 2008-11-11

In this revision, BSM include files required by OS vendors for use in kernels are broken out into a separate include directory, a configure option is added to force use of native rather than OpenBSM sys includes if desired, strlcpy() and strlcat() are used in preference to less robust APIs, compatibility defines for old Darwin event identifiers are removed, support for exended header tokens (containing host information) is added to the BSM library and auditd(8), and can be set in audit_control(5).

1.1 alpha 1 openbsm-1.1-alpha1.tgz 496K 2008-07-31

In this revision, support for Mac OS X 10.5 is introduced, including new events specific to Leopard, and support for the Mach IPC audit trigger method. auditreduce(1) grows an invert flag, and allows selecting of more than one event. A number of bugs are fixed, including in XML trail conversion, BSM record writing, and audit_control file access.

These snapshots are from the development of OpenBSM 1.0:

Version Download Size Date Description
1.0 alpha 15 openbsm-1.0-alpha15.tgz 480K 2007-07-16

Bugs fixed in the handling of IPv6 addresses, auditreduce, and additional audit event identifiers added for new system calls.

1.0 alpha 14 openbsm-1.0-alpha14.tgz 480K 2007-04-16

Support for the zonename token type added, a variety of endian-related bugs in IPv6 addresses fixed, OpenBSM becomes warning clean for gcc1, and various man page updated.

1.0 alpha 13 openbsm-1.0-alpha13.tgz 480K 2006-11-25

Man page documentation substantially imrpved, XML printing support added to praudit(8), and support for more 64-bit token types.

1.0 alpha 12 openbsm-1.0-alpha12.tgz 480K 2006-09-24

audit_control(5) filesz configuration added in order to support automated rotation of audit trails based on file size, regular expression matching for paths added to auditreduce, an audit_warn event is generated on rotation, and a number of other bugs fixed and documentation improved.

1.0 alpha 11 openbsm-1.0-alpha11.tgz 480K 2006-09-20

audit_control(5) control of audit policy is introduced, and and significant number of bugs relating to execve(2) argument auditing and trail rotation are fixed.

1.0 alpha 10 openbsm-1.0-alpha10.tgz 464K 2006-09-02

auditd(8) now submits complete audit records, including full return information, as part of its operation.

1.0 alpha 9 openbsm-1.0-alpha9.tgz 464K 2006-08-26

Many BSM_/bsm_ constants are renamed to AUDIT_/audit_, the audit filter module API has been refined, and a number of bugs have been fixed..

1.0 alpha 8 openbsm-1.0-alpha8.tgz 464K 2006-08-16

Non-Solaris audit events have been renumbered to avoid future collisions, and a unique OpenBSM header token version number has been adopted. A variety of other bugs have been fixed, and cleanups made.

1.0 alpha 7 openbsm-1.0-alpha7.tgz 464K 2006-06-27

Improvements in the creation of subject tokens and in code portability.

1.0 alpha 6 openbsm-1.0-alpha6.tgz 464K 2006-06-02

An experimental audit filter API is introduced, APIs for application-submitted audit records are improved, and bugs are fixed.

1.0 alpha 5 openbsm-1.0-alpha5.tgz 432K 2006-03-04

OpenBSM now uses autoconf/automake, allowing it to build on Mac OS X and Linux.

1.0 alpha 4 openbsm-1.0-alpha4.tgz 86K 2006-02-23

This is the first version of OpenBSM and incorporates the OpenBSM code as present on FreeBSD CVS at this date.

    Copyright 2000-2012 Robert N. M. Watson. All rights reserved.
    Copyright 2005 SPARTA, Inc. All rights reserved.
    Copyright 2002, Leigh T. Denault. All rights reserved.
    Copyright 2002, 2003 Networks Associates, Inc. All rights reserved.
    $P4: //depot/projects/trustedbsd/www/openbsm.page#50 $