How to Use `auditd` for System Auditing on FreeBSD Operating System

System auditing is a critical aspect of maintaining the security and integrity of any operating system. It allows administrators to monitor and record events that occur on the system, providing a detailed trail of activities that can be used for forensic analysis, compliance, and troubleshooting. FreeBSD, a robust and secure operating system, includes a powerful auditing framework known as auditd. This article provides a comprehensive guide on how to use auditd for system auditing on FreeBSD.

Introduction to auditd

auditd is the user-space daemon responsible for managing and logging audit events on FreeBSD. It works in conjunction with the kernel’s auditing subsystem to capture and store detailed information about system activities. These activities can include file access, system calls, user logins, and more. The audit logs generated by auditd are invaluable for detecting unauthorized access, understanding system behavior, and ensuring compliance with security policies.

Prerequisites

Before diving into the configuration and usage of auditd, ensure that you have:

  1. FreeBSD Installed: A working installation of FreeBSD (version 10 or later is recommended).
  2. Root Access: Administrative privileges are required to configure and manage auditd.
  3. Basic Command-Line Knowledge: Familiarity with the FreeBSD command-line interface (CLI) is essential.

Installing auditd

FreeBSD includes auditd as part of its base system, so there is no need to install it separately; it is not a port or package. The daemon and its companion tools live in /usr/sbin, and you can confirm they are present with:

ls -l /usr/sbin/auditd /usr/sbin/audit /usr/sbin/praudit /usr/sbin/auditreduce

If any of these files is missing, the base system installation is incomplete and should be reinstalled from the FreeBSD distribution sets. What usually remains to be done is enabling and configuring the daemon, which the following steps cover.

Enabling and Configuring auditd

Step 1: Enable Auditing in the Kernel

To enable auditing, the kernel must be built with the audit subsystem. The GENERIC kernel already includes it, so on a stock installation nothing needs to change. If you run a custom kernel, make sure its configuration file (under /usr/src/sys/amd64/conf/ on amd64) contains the following line:

options AUDIT

After modifying the kernel configuration, rebuild and install the kernel:

cd /usr/src
make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC

Reboot the system to load the new kernel with auditing support.

Step 2: Configure auditd

The primary configuration file for auditd is /etc/security/audit_control. It selects which event classes are recorded, where trail files are written, the audit policies, and the disk-space and rotation limits. The event classes themselves (lo, aa, fc and so on) are defined in /etc/security/audit_class, and per-user overrides live in /etc/security/audit_user; audit_control only refers to classes by name. Here is an example configuration:

# /etc/security/audit_control
#
# Audit control file for auditd (format described in audit_control(5))

# Directory that holds the audit trail files. auditd names each trail
# by its start and end timestamps and keeps /var/audit/current
# pointing at the trail it is currently writing.
dir:/var/audit

# Do not distribute trail files to a remote host
dist:off

# Classes recorded for attributable events (those tied to a logged-in
# user): login/logout and authentication/authorization. Prefix a class
# with + to record only successes or - to record only failures.
flags:lo,aa

# Classes recorded for non-attributable events, such as a failed login
# that never produced a session
naflags:lo,aa

# Audit policies: keep the system running if a record cannot be
# written (cnt); record execve(2) arguments (argv), environment (arge)
# and secondary path names (path)
policy:cnt,argv,arge,path

# Minimum percentage of free space that must remain in dir; auditd
# reports the condition through audit_warn(5) when it is crossed
minfree:5

# Rotate the trail when it reaches this size, and let audit -e expire
# old trails once their combined size exceeds expire-after
filesz:2M
expire-after:10M

In this configuration:

  • dir: The directory that holds the audit trail files. Each trail is a separate binary file named by timestamps, and /var/audit/current is a symlink to the active one.
  • flags and naflags: The classes of events to record, for attributable and non-attributable events respectively. Each class name (e.g., lo for login/logout, aa for authentication and authorization, fc for file creation) is defined in /etc/security/audit_class.
  • policy: Flags that define the behavior of the audit system. cnt allows the system to continue running even if records cannot be written; argv, arge and path enrich exec records with arguments, environment and path names.
  • minfree: The minimum percentage of free space required on the filesystem where the audit logs are stored before auditd raises a warning.
  • filesz and expire-after: The size at which the active trail is rotated, and the total size beyond which old trails are removed by audit -e.
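
A practitioner rolling this file out to many hosts will want a quick way to catch weak settings before auditd reads them. The following POSIX shell function, added here as an example and not part of the original article or of FreeBSD's audit tools, parses an audit_control file and reports a missing dir, flags or naflags line, a flags line that does not fully enable lo or aa, a policy without argv, a minfree below the default of 5, and a missing expire-after. The two configurations it embeds are constructed for the demonstration, and the checks and thresholds are this example's choices rather than requirements of auditd.

```shell
#!/bin/sh
# Added example: review an audit_control(5) file for weak settings.
# Not part of the FreeBSD audit tools; the checks are this example's choices.

check_audit_control() {
    # Reads audit_control text on stdin, prints one finding per line and
    # returns 1 if anything was found, 0 if the file passes every check.
    awk -F: '
        # A class counts only as a whole comma-separated element, so "+lo" or
        # "-lo" (which record just one outcome) do not satisfy the check.
        function has(list, class) { return list ~ ("(^|,)" class "(,|$)") }
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        {
            key = $1
            val = substr($0, length(key) + 2)  # everything after the first colon
            seen[key] = 1; v[key] = val
        }
        END {
            n = 0
            if (!seen["dir"])   { print "dir: missing, auditd has nowhere to write trails"; n++ }
            if (!seen["flags"]) { print "flags: missing, no attributable events are recorded"; n++ }
            else {
                if (!has(v["flags"], "lo")) { print "flags: lo (login/logout) not fully enabled"; n++ }
                if (!has(v["flags"], "aa")) { print "flags: aa (authentication) not fully enabled"; n++ }
            }
            if (!seen["naflags"]) { print "naflags: missing, non-attributable events are not recorded"; n++ }
            if (!seen["policy"] || !has(v["policy"], "argv")) { print "policy: argv not set, exec arguments are not recorded"; n++ }
            if (!seen["minfree"]) { print "minfree: missing"; n++ }
            else if (v["minfree"] + 0 < 5) { print "minfree: " v["minfree"] " is below the default of 5"; n++ }
            if (!seen["expire-after"]) { print "expire-after: missing, old trails are never expired"; n++ }
            exit (n > 0)
        }
    '
}

weak_audit_control() {
    # Constructed sample: logins audited but not authentication events, no
    # exec arguments, a low free-space floor and no expiry.
    cat <<'EOF'
dir:/var/audit
flags:lo
naflags:lo
policy:cnt
minfree:2
filesz:2M
EOF
}

hardened_audit_control() {
    # Constructed sample following the layout of FreeBSD's default file, with
    # administrative (ad) and exec (ex) events added to the attributable flags.
    cat <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa,ad,ex
naflags:lo,aa
policy:cnt,argv
minfree:5
filesz:2M
expire-after:10M
EOF
}

# Stand-alone usage: review both samples, then a real file if one is given
weak_audit_control | check_audit_control || echo "weak sample: findings listed above"
hardened_audit_control | check_audit_control && echo "hardened sample: no findings"
if [ -n "${1:-}" ]; then check_audit_control < "$1"; fi
```

Run it as sh check_audit_control.sh /etc/security/audit_control to review the live file; the non-zero exit status makes it usable from a configuration-management post-deploy hook.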

Step 3: Start and Enable auditd

Once the configuration is complete, enable the service first, so that it starts automatically at boot and so that the rc script accepts start requests (without auditd_enable set, service auditd start refuses to run; service auditd onestart gives a one-off start):

sysrc auditd_enable="YES"

Then start the auditd service:

service auditd start

Step 4: Verify Auditing is Active

To verify that auditing is active, check that the daemon is running and that a trail file is being written:

service auditd status
ls -l /var/audit/current

The first command reports the daemon's process ID; the second shows the symlink pointing at the trail file currently open for writing (its name ends in .not_terminated until it is rotated). The audit command manages the running daemon rather than reporting on it: audit -s makes it reread audit_control, audit -n rotates the trail, and audit -t closes the trail and shuts auditing down.

Using auditd for System Auditing

Viewing Audit Logs

Audit logs are stored in the directory given by the dir directive in the audit_control file (/var/audit by default), one binary file per trail, with /var/audit/current pointing at the active trail. To view a trail, use the praudit command:

praudit /var/audit/current

This command displays the binary BSM records in a human-readable format, one token per line. Each record starts with a header token (event name and timestamp) and ends with a trailer token; in between it carries tokens such as subject (audit ID, effective and real user and group, process ID, session ID and terminal address), path, exec arg, and return (success or failure plus the return value). praudit -l prints each record on a single line, and praudit -x emits XML, which is easier to feed to a log pipeline.

Filtering Audit Logs

The auditreduce command selects records from a trail before they are printed. For example, to view only the login/logout events, you can use:

auditreduce -c lo /var/audit/current | praudit

This command filters the trail to include only events classified under the lo (login/logout) class. Other useful selectors are -u for a specific audit user, -m for a single event type, and -a and -b for records after or before a given date, so that an investigation can be narrowed to one account and one time window.
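
The filtered records are still one token per line, which is not convenient for spotting patterns such as repeated failed logins. The following shell script, added here as an example and not part of the original article or of FreeBSD's audit tools, reads praudit text from standard input (for instance the output of the auditreduce pipeline above) and counts failed login-class records per user, then applies a simple threshold. The sample records it embeds are constructed to mirror praudit's default output layout and are not real audit data.

```shell
#!/bin/sh
# Added example: count failed login-class records per user from praudit(1)
# text. Not part of FreeBSD's audit tools. Reads praudit's default
# one-token-per-line output, e.g. from:
#   auditreduce -c lo /var/audit/current | praudit

failed_logins_by_user() {
    # stdin: praudit text. stdout: "<count> <user>" per user, most failures
    # first. A record is counted when its header names a login event and
    # its return token reports failure.
    awk -F, '
        $1 == "header"  { event = $4; user = ""; failed = 0 }   # new record
        $1 == "subject" { user = $3 }   # effective uid field of the subject token
        $1 == "return"  { if ($2 ~ /^failure/) failed = 1 }
        $1 == "trailer" { if (failed && event ~ /login/) n[user]++ }
        END { for (u in n) printf "%d %s\n", n[u], u }
    ' | sort -rn
}

users_at_or_over() {
    # stdin: output of failed_logins_by_user; prints users whose failure
    # count reached the threshold given as $1 (an example alert rule).
    awk -v t="$1" '$1 >= t { print $2 }'
}

sample_praudit_records() {
    # Constructed sample in praudit's default layout: header, subject
    # (audit id, euid, egid, ruid, rgid, pid, sid, port, address), text,
    # return, trailer. Byte counts and addresses are made up.
    cat <<'EOF'
header,97,11,OpenSSH login,0,Mon Mar  4 09:12:01 2024, + 101 msec
subject,alice,alice,alice,alice,alice,2231,2231,50100,192.0.2.10
text,successful login alice
return,success,0
trailer,97
header,101,11,OpenSSH login,0,Mon Mar  4 09:12:07 2024, + 220 msec
subject,bob,bob,bob,bob,bob,2240,2240,50101,198.51.100.7
text,invalid password for bob
return,failure : Permission denied,-1
trailer,101
header,101,11,OpenSSH login,0,Mon Mar  4 09:12:09 2024, + 418 msec
subject,bob,bob,bob,bob,bob,2243,2243,50102,198.51.100.7
text,invalid password for bob
return,failure : Permission denied,-1
trailer,101
header,101,11,OpenSSH login,0,Mon Mar  4 09:12:12 2024, + 77 msec
subject,bob,bob,bob,bob,bob,2247,2247,50103,198.51.100.7
text,invalid password for bob
return,failure : Permission denied,-1
trailer,101
header,103,11,OpenSSH login,0,Mon Mar  4 09:15:40 2024, + 5 msec
subject,alice,alice,alice,alice,alice,2301,2301,50110,192.0.2.10
text,invalid password for alice
return,failure : Permission denied,-1
trailer,103
header,110,11,execve(2),0,Mon Mar  4 09:16:02 2024, + 900 msec
exec arg,/usr/sbin/auditd
subject,alice,alice,alice,alice,alice,2310,2310,50100,192.0.2.10
return,failure : Permission denied,-1
trailer,110
EOF
}

# Stand-alone usage: summarise the sample, then flag anyone with 3 or more
sample_praudit_records | failed_logins_by_user
sample_praudit_records | failed_logins_by_user | users_at_or_over 3
```

The last record is a failed execve, which the login filter deliberately ignores; in practice the same parser can be pointed at praudit /dev/auditpipe to run the rule continuously.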

Real-Time Monitoring

To monitor audit events in real time, read from the audit pipe device rather than from the trail file. Trail files are binary, and tail -f may start in the middle of a record, which praudit cannot parse; /dev/auditpipe instead delivers a live copy of each record as it is committed:

praudit /dev/auditpipe

This command continuously displays new audit events as they are logged. The pipe is a separate consumer, so reading it does not interfere with the trail on disk, and it can equally be opened by a log shipper or an intrusion detection system for near-real-time detection.

Managing Audit Logs

Over time, audit logs can grow large and consume significant disk space. auditd rotates the trail on its own when it reaches the filesz limit, and the audit command triggers rotation and expiry on demand:

audit -n
audit -e

audit -n closes the current trail and opens a new one; audit -e removes old trail files according to the expire-after setting in audit_control. auditd does not compress trails itself. If you want compression or off-host archiving, run a cron job that calls audit -n and then processes the closed trails (the files named by two timestamps), leaving the active .not_terminated file untouched.

Advanced Configuration

Customizing Audit Classes

You can choose which classes are audited to suit your specific needs by editing the flags line (and naflags for non-attributable events) in audit_control; the class names come from /etc/security/audit_class. For example, if you want to audit only file-related events, you can set:

flags:fc,fd,fw,fm

Here fc is file create, fd file delete, fw file write and fm file attribute modify. Note that dropping lo and aa from flags means logins and authentication events are no longer recorded, and that the fr (file read) class generates a record for nearly every open(2) and grows the trail very quickly, so enable it only for targeted investigations or restrict it to failures with -fr. Run audit -s after editing so that auditd rereads the file.

Setting Audit Policies

Audit policies control how the audit system behaves. For example, you can set the argv and arge policies to include command-line arguments and environment variables in the records of exec events:

policy:cnt,argv,arge,path

cnt keeps the system running when a record cannot be written (its counterpart ahlt halts the machine instead, which some compliance regimes require), and path adds secondary path names to records. Be aware that arge captures the complete environment of every executed program, including any secrets passed that way, so the trail directory must remain readable only by root. Policy changes take effect after audit -s.

Configuring Audit Triggers

Per-user audit selection lets you record more (or fewer) classes for specific users than the global flags line provides, and it is configured in /etc/security/audit_user rather than on the command line. Each line has the form username:always-audit-classes:never-audit-classes. For example, to always record administrative and exec events for one user, while never recording that user's file reads:

username:ad,ex:fr

The per-user mask is computed when the user's session starts, so a change applies at that user's next login. For actions driven by conditions of the audit system itself, such as trail rotation or low disk space, edit the /etc/security/audit_warn script, which auditd runs with the name of the condition as its first argument.

Conclusion

auditd is a powerful tool for system auditing on FreeBSD, providing detailed insights into system activities and enhancing security. By following the steps outlined in this article, you can enable, configure, and manage auditd to monitor and log events on your FreeBSD system. Whether you are a system administrator, security professional, or compliance officer, auditd offers the flexibility and robustness needed to maintain a secure and auditable system environment.

Remember that auditing is just one component of a comprehensive security strategy. Regularly review and analyze audit logs, implement strong access controls, and stay informed about security best practices to ensure the ongoing security and integrity of your FreeBSD systems.