# Security Event Auditing with auditd
## kobodjo (Mar 26, 2012)

Hello all,

I am relatively new to FreeBSD and playing around with the system. I have a few questions regarding security event auditing with auditd. I have two users on the system, i.e. root and kobodjo, and I want to be able to log all their actions. Therefore, in the audit_user file, I have the following entries:

```
root:all:
kobodjo:all:
```

Unfortunately, auditd is not logging much information. The only information that is logged is when user kobodjo *su*'s to root, nothing more.

What is also confusing me a bit is section 18.3 of the user manual. It states that "User space support for Event Auditing is installed as part of the base FreeBSD operating system. Kernel support for Event Auditing is compiled in by default, but support for this feature must be explicitly compiled into the custom kernel by adding the following line to the kernel configuration file: options AUDIT"

So, do I or do I not have to compile a new kernel to make the auditing (as I want it as stated above) work?

My second question is whether it is possible to send this auditing information to a server apart from writing it to the local filesystem?

Much thanks in advance!

Greetings,
Kobodjo.


----------



## DutchDaemon (Mar 26, 2012)

If you're running the GENERIC kernel, AUDIT is compiled in. If you want to run a non-GENERIC kernel, you have to put AUDIT in yourself. That's what it says.


----------



## SirDice (Mar 27, 2012)

kobodjo said:

> My second question is, if it is possible to send this auditing information to a server apart from writing it to the local filesystem?


There's some work being done to do this securely. I have no idea what the current status is though. According to the post it should have been finished by now.

http://lists.freebsd.org/pipermail/freebsd-announce/2012-January/001407.html


----------



## mamalos (Mar 27, 2012)

I assume that if /var/audit is a shared filesystem, you would be able to write your data on a remote server. Moreover, if you only want the text version of the audit trail, you could use *praudit* or *auditreduce* to connect to /dev/auditpipe and redirect their output to a shared filesystem.


----------



## kobodjo (Apr 2, 2012)

Hello all,

I got it working. The funny thing is that if you use `root:all:no` in the audit_user file, nothing is being logged instead of all.

Is this a bug?


----------
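The two audit_user variants in this thread (`root:all:` from the question and `root:all:no` from the last post) differ only in how the third field is written, and audit_user(5) always spells an empty class list as `no`. The following is an added example by the editor, not code from any post in this thread or from FreeBSD itself: a POSIX sh checker that parses `username:alwaysaudit:neveraudit` lines, resolves each class list into the success/failure bitmasks that the kernel receives when a session is set up at login, and reports unknown class names and empty class fields. The class table is a constructed copy of the stock FreeBSD audit_class(5) file; the function names, the sample file contents, and the decision to reject an empty field (on the assumption that a trailing empty field is lost when the line is tokenized on `:`) are this example's own.

```shell
#!/bin/sh
# Added example: checker for audit_user(5) entries. Not from the thread.

# Constructed copy of the stock FreeBSD audit_class(5) table (mask:name:description).
AUDIT_CLASSES='0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000080:pc:process
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non attributable
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0x00004000:ap:application
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:miscellaneous
0xffffffff:all:all flags set'

# class_mask NAME: print the hex mask of an audit class; fail if it is unknown.
class_mask() {
    printf '%s\n' "$AUDIT_CLASSES" |
        awk -F: -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# flags_to_masks FLAGS: turn a flag string such as "lo,ad,-fc,^+fr" into
# "successmask failuremask", applying the audit_control(5) prefixes:
# none = both, + = success only, - = failure only, ^ / ^+ / ^- = remove.
flags_to_masks() {
    succ=0; fail=0
    oldifs=$IFS; IFS=,
    set -- $1                      # split the comma-separated list
    IFS=$oldifs
    for spec in "$@"; do
        case $spec in
            ^+*) op=rm_s;   name=${spec#^+} ;;
            ^-*) op=rm_f;   name=${spec#^-} ;;
            ^*)  op=rm_sf;  name=${spec#^} ;;
            +*)  op=add_s;  name=${spec#+} ;;
            -*)  op=add_f;  name=${spec#-} ;;
            *)   op=add_sf; name=$spec ;;
        esac
        [ -n "$name" ] || { printf 'empty class name in "%s"\n' "$1" >&2; return 1; }
        m=$(class_mask "$name") || { printf 'unknown audit class "%s"\n' "$name" >&2; return 1; }
        case $op in
            add_s)  succ=$(( succ | $m )) ;;
            add_f)  fail=$(( fail | $m )) ;;
            add_sf) succ=$(( succ | $m )); fail=$(( fail | $m )) ;;
            rm_s)   succ=$(( succ & ~$m )) ;;
            rm_f)   fail=$(( fail & ~$m )) ;;
            rm_sf)  succ=$(( succ & ~$m )); fail=$(( fail & ~$m )) ;;
        esac
    done
    printf '0x%08x 0x%08x\n' "$(( succ & 0xffffffff ))" "$(( fail & 0xffffffff ))"
}

# check_audit_user_line LINE: validate one audit_user(5) entry and print
# "user always_success always_failure never_success never_failure".
# Returns 0 for a good entry (or a blank/comment line), 2 for an empty class
# field, 1 for any other malformed entry. Diagnostics go to stderr.
check_audit_user_line() {
    line=$1
    case $line in ''|'#'*) return 0 ;; esac
    user=${line%%:*}
    rest=${line#*:}
    if [ "$rest" = "$line" ]; then
        printf '%s: expected username:alwaysaudit:neveraudit\n' "$line" >&2; return 1
    fi
    always=${rest%%:*}
    never=${rest#*:}
    if [ "$never" = "$rest" ]; then
        printf '%s: missing neveraudit field\n' "$line" >&2; return 1
    fi
    case $never in *:*) printf '%s: too many fields\n' "$line" >&2; return 1 ;; esac
    [ -n "$user" ] || { printf '%s: empty username\n' "$line" >&2; return 1; }
    # Assumption of this checker: an empty field is dropped when the line is
    # tokenized on ":", so an empty class list must be written as "no".
    if [ -z "$always" ] || [ -z "$never" ]; then
        printf '%s: empty class field, write "no" for an empty class list\n' "$line" >&2
        return 2
    fi
    am=$(flags_to_masks "$always") || return 1
    nm=$(flags_to_masks "$never") || return 1
    printf '%s %s %s\n' "$user" "$am" "$nm"
}

# Constructed audit_user contents: the entries from the question, the same
# entries with an explicit "no" field, a typical entry, and a bad class name.
SAMPLE_AUDIT_USER='# username:alwaysaudit:neveraudit
root:all:
kobodjo:all:
root:all:no
kobodjo:all:no
jdoe:lo,ad,-fc:no
oops:xx:no'

printf '%s\n' "$SAMPLE_AUDIT_USER" | while IFS= read -r line; do
    check_audit_user_line "$line" || :
done
```

Two things worth keeping in mind when using this against a live system: the per-user mask is combined with the `flags:` line of audit_control(5) when a new session is created by login(1) or sshd, so shells that were already running when the file was edited keep their old mask, and `audit -s` is the way to make auditd re-read its configuration; and `all` produces a very large trail, so `ex` (exec) together with `lo` and `ad` is usually closer to "log what the user did" than `all`. `praudit /var/audit/current` shows what is actually being recorded.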

