Configuration of Auditd on FreeBSD

Posted on April 07, 2015 in systems, unix, freebsd, auditd

Auditd is the audit daemon that records security-relevant system and filesystem events on a server. It ships with FreeBSD, so no package needs to be installed. To enable it, we first add this line to /etc/rc.conf:

auditd_enable="YES"

Then we start the service:

/etc/rc.d/auditd start

By default, auditd records very few events, so we need to modify the configuration files. The configuration directory is /etc/security. The important files are:

  • /etc/security/audit_control
  • /etc/security/audit_user

For example, in /etc/security/audit_user, we can add these lines:

root:lo:no
nicolas:lo:no

Here, the lo class logs all login/logout events for the users root and nicolas. More details on the configuration can be found on the FreeBSD site. To watch events in real time, we can type:

praudit /dev/auditpipe

Or, to read the log files stored in the /var/audit/ directory:

auditreduce /var/audit/current | praudit

Sample output:

header,104,11,user authentication,0,Wed Jun  1 14:53:39 2011, + 965 msec
subject,root,root,wheel,root,wheel,26712,0,0,0.0.0.0
text,Authentication for user <patpro>
return,success,0
trailer,104
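As an added example that is not part of the original post, here is a small Python parser for the praudit record format shown above: it groups token lines into one record per header/trailer pair and reports authentications whose return token is not "success". The sample records are constructed to match that format (the second, failed record is invented for illustration); on a real host the input would come from the auditreduce | praudit pipeline above.

```python
from typing import Iterator

# Constructed sample praudit output in the default comma-separated format:
# one successful and one (invented) failed user authentication record.
SAMPLE = """\
header,104,11,user authentication,0,Wed Jun  1 14:53:39 2011, + 965 msec
subject,root,root,wheel,root,wheel,26712,0,0,0.0.0.0
text,Authentication for user <patpro>
return,success,0
trailer,104
header,103,11,user authentication,0,Wed Jun  1 14:54:02 2011, + 12 msec
subject,-1,nicolas,wheel,nicolas,wheel,26720,0,0,0.0.0.0
text,Authentication for user <nicolas>
return,failure : Operation not permitted,1
trailer,103
"""


def parse_records(text: str) -> Iterator[dict]:
    """Group praudit token lines into one dict per audit record.

    A record runs from a 'header' token to the matching 'trailer' token;
    the tokens in between are stored keyed by their type (first field).
    """
    rec = None
    for line in text.splitlines():
        if not line:
            continue
        ttype, _, rest = line.partition(",")
        if ttype == "header":
            # header fields: length, version, event name, modifier, time, msec
            fields = rest.split(",")
            rec = {"event": fields[2], "time": fields[4].strip(), "tokens": {}}
        elif ttype == "trailer":
            if rec is not None:
                yield rec
            rec = None
        elif rec is not None:
            rec["tokens"][ttype] = rest


def failed_auths(text: str) -> list[tuple[str, str]]:
    """Return (time, effective user) for records whose return token failed."""
    out = []
    for rec in parse_records(text):
        ret = rec["tokens"].get("return", "")
        if not ret.startswith("success"):
            # subject fields: audit uid, euid, egid, ruid, rgid, pid, sid, tid
            subj = rec["tokens"].get("subject", "").split(",")
            out.append((rec["time"], subj[1] if len(subj) > 1 else "?"))
    return out


if __name__ == "__main__":
    for when, user in failed_auths(SAMPLE):
        print(f"failed authentication for {user} at {when}")
```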