Security event auditing is the reliable, tamper-resistant logging of security-relevant system events. It supports post-mortem analysis of intrusions, live monitoring, and intrusion detection. It is also a required component of the Controlled Access Protection Profile (CAPP) under the Common Criteria (CC), a certification needed before a system may be deployed in certain critical environments.
Auditing support has long been available in commercial Unix systems such as Solaris. In the BSD world, however, it is a relatively new and little-known concept. Starting with release 6.2, FreeBSD provides it through the audit(4) kernel subsystem.
This talk aims to introduce the FreeBSD audit(4) facility, its supporting tools and benefits, as well as its limitations.
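To make the post-mortem use case concrete, here is an added example (not code from the talk, FreeBSD or OpenBSM) that parses an audit trail in the text form produced by praudit(1), one of the supporting tools, and runs two simple checks over it: listing failed system calls, and attributing root activity back to the user who originally logged in. It assumes praudit's default output layout, one token per line with comma-separated fields, each record opening with a header token and closing with a trailer token; the sample trail embedded below is constructed for illustration and is not a real capture.

```python
"""Post-mortem analysis over praudit(1)-style text output.

Added example, not part of the talk or of FreeBSD's own tooling. Assumes
praudit's default text layout (one token per line, comma-separated fields,
a record spanning "header" .. "trailer"). The sample trail is constructed.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of praudit-style output; not a real audit trail.
SAMPLE_TRAIL = """\
header,108,11,execve(2),0,Mon Jan  8 10:01:02 2007, + 215 msec
exec arg,/bin/ls,-l
path,/bin/ls
subject,alice,alice,users,alice,users,1201,1201,0,0.0.0.0
return,success,0
trailer,108
header,104,11,open(2) - read,0,Mon Jan  8 10:01:05 2007, + 300 msec
path,/etc/master.passwd
subject,alice,alice,users,alice,users,1202,1201,0,0.0.0.0
return,failure : Permission denied,-1
trailer,104
header,112,11,setuid(2),0,Mon Jan  8 10:02:11 2007, + 11 msec
argument,1,0x0,uid
subject,bob,root,wheel,root,wheel,1310,1305,0,0.0.0.0
return,success,0
trailer,112
header,112,11,execve(2),0,Mon Jan  8 10:02:12 2007, + 40 msec
exec arg,/bin/sh
path,/bin/sh
subject,bob,root,wheel,root,wheel,1310,1305,0,0.0.0.0
return,success,0
trailer,112
"""

Record = Dict[str, object]


def parse_records(text: str) -> List[Record]:
    """Group praudit token lines into records, one dict per header..trailer."""
    records: List[Record] = []
    current: Record = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        tok = fields[0]
        if tok == "header":
            # header,size,version,event,modifier,time, + N msec
            current = {"event": fields[3], "time": fields[5].strip(),
                       "paths": [], "args": [], "auid": None,
                       "euid": None, "pid": None, "outcome": None}
        elif current is None:
            raise ValueError("token outside of a record: " + line)
        elif tok == "path":
            current["paths"].append(fields[1])
        elif tok == "exec arg":
            # Arguments are comma-joined; an argument containing a comma is
            # ambiguous in this text form, which is a limitation of the format.
            current["args"] = fields[1:]
        elif tok == "subject":
            # subject,auid,euid,egid,ruid,rgid,pid,sid,tid...
            current["auid"], current["euid"] = fields[1], fields[2]
            current["pid"] = int(fields[6])
        elif tok == "return":
            # "success" or "failure : <errno text>"
            current["outcome"] = fields[1]
        elif tok == "trailer":
            records.append(current)
            current = None
        # Other tokens (argument, attribute, ...) are ignored by this analysis.
    if current is not None:
        raise ValueError("truncated trail: record without trailer token")
    return records


def failed_events(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """(audit user, event, first path, outcome) for every failed record."""
    return [(r["auid"], r["event"], r["paths"][0] if r["paths"] else "",
             r["outcome"])
            for r in records
            if r["outcome"] and str(r["outcome"]).startswith("failure")]


def root_actions_by_login_user(records: List[Record]) -> Counter:
    """Count records executed with effective uid root, keyed by audit user.

    The audit UID is fixed at login and survives su/setuid, so root activity
    is attributed to the person who logged in rather than to "root".
    """
    return Counter(r["auid"] for r in records
                   if r["euid"] == "root" and r["auid"] != "root")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TRAIL)
    for f in failed_events(recs):
        print("FAILED", *f)
    for user, n in root_actions_by_login_user(recs).items():
        print(f"{user} performed {n} action(s) as root")
```

On a real system the input would come from something like `praudit /var/audit/current`, optionally after narrowing the trail with auditreduce(1); the checks themselves are deliberately simple, the point being that the audit UID in the subject token is what lets a post-mortem tie privileged activity back to a login session.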