Chapter 17. Security Event Auditing
The FreeBSD operating system includes support for security event auditing. Event auditing supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. FreeBSD implements Sun(TM)'s published Basic Security Module (BSM) Application Programming Interface (API) and file format, and is interoperable with the Solaris(TM) and Mac OS(R) X audit implementations.
Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD Basics]).
Be familiar with the basics of kernel configuration/compilation (crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]).
Have some familiarity with security and how it pertains to FreeBSD (crossref:security[security,Security]).
_event_: an auditable event is any event that can be logged using the audit subsystem. Examples of security-relevant events include the creation of a file, the building of a network connection, or a user logging in. Events are either "attributable", meaning that they can be traced to an authenticated user, or "non-attributable". Examples of non-attributable events are any events that occur before authentication in the login process, such as bad password attempts.
_class_: a named set of related events which are used in selection expressions. Commonly used classes of events include "file creation" (fc), "exec" (ex), and "login_logout" (lo).
_record_: an audit log entry describing a security event. Records contain a record event type, information on the subject (user) performing the action, date and time information, information on any objects or arguments, and a success or failure condition.
_selection expression_: a string containing a list of prefixes and audit event class names used to match events.
User space support for event auditing is installed as part of the base FreeBSD operating system. Kernel support is available in the [.filename]#GENERIC# kernel by default, and man:auditd[8] can be enabled by adding the following line to [.filename]#/etc/rc.conf#:

[.programlisting]
....
auditd_enable="YES"
....

Then, start the audit daemon:

[source,shell]
....
# service auditd start
....
<<event-selection>> summarizes the default audit event classes:
[[event-selection]]
.Default Audit Event Classes
[cols="1,1,1", frame="none", options="header"]
|===
| Class Name
| Description
| Action

|all
|all
|Match all event classes.

|aa
|authentication and authorization
|

|ad
|administrative
|Administrative actions performed on the system as a whole.

|ap
|application
|Application defined action.

|cl
|file close
|Audit calls to the `close` system call.

|ex
|exec
|Audit program execution. Auditing of command line arguments and environmental variables is controlled via man:audit_control[5] using the `argv` and `envv` parameters to the `policy` setting.

|fa
|file attribute access
|Audit the access of object attributes such as man:stat[1] and man:pathconf[2].

|fc
|file create
|Audit events where a file is created as a result.

|fd
|file delete
|Audit events where file deletion occurs.

|fm
|file attribute modify
|Audit events where file attribute modification occurs, such as by man:chown[8], man:chflags[1], and man:flock[2].

|fr
|file read
|Audit events in which data is read or files are opened for reading.

|fw
|file write
|Audit events in which data is written or files are written or modified.

|io
|ioctl
|Audit use of the `ioctl` system call.

|ip
|ipc
|Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.

|lo
|login_logout
|Audit man:login[1] and man:logout[1] events.

|na
|non attributable
|Audit non-attributable events.

|no
|invalid class
|Match no audit events.

|nt
|network
|Audit events related to network actions such as man:connect[2] and man:accept[2].

|ot
|other
|Audit miscellaneous events.

|pc
|process
|Audit process operations such as man:exec[3] and man:exit[3].
|===
Each audit event class may be combined with a prefix indicating whether successful/failed operations are matched, and whether the entry is adding or removing matching for the class and type. <<event-prefixes>> summarizes the available prefixes:
[[event-prefixes]]
.Prefixes for Audit Event Classes
[cols="1,1", frame="none", options="header"]
|===
| Prefix
| Action

|+
|Audit successful events in this class.

|-
|Audit failed events in this class.

|^
|Audit neither successful nor failed events in this class.

|^+
|Do not audit successful events in this class.

|^-
|Do not audit failed events in this class.
|===
[.filename]#audit_warn#: a customizable shell script used by man:auditd[8] to generate warning messages in exceptional situations, such as when space for audit records is running low or when the audit trail file has been rotated.
The [.filename]#audit_control# File
If the `dist` field is set to `on` or `yes`, hard links will be created to all trail files in [.filename]#/var/audit/dist#.
The `minfree` entry defines the minimum percentage of free space for the file system where the audit trail is stored.
The `policy` entry specifies a comma-separated list of policy flags controlling various aspects of audit behavior. The `cnt` flag indicates that the system should continue running despite an auditing failure (this flag is highly recommended). The other flag, `argv`, causes command line arguments to the man:execve[2] system call to be audited as part of command execution.