AUDIT enabled in GENERIC but not in binary release kernel?

I noticed something odd about the AUDIT subsystem in FreeBSD 14.1-RELEASE:


  1. AUDIT is enabled in /usr/src/sys/amd64/conf/GENERIC:

     options AUDIT # Security event auditing

  2. However, the running kernel seems to not have AUDIT support:

  • sysctl security.audit shows no entries
  • auditd is running but not logging events properly (all flags set and only logins are being logged)
  • No audit-related messages in dmesg output

System details:


  • FreeBSD 14.1-RELEASE
  • GENERIC kernel (releng/14.1-n267679-10e31f0946d8)
  • Fresh installation, no custom kernel

I can get AUDIT working by rebuilding the kernel, but shouldn't this feature be included in the binary release given it's enabled in GENERIC?
 
  • sysctl security.audit shows no entries
The OID to check whether the audit(4) facility is available is kern.features.audit (should exist and be 1).
  • auditd is running but not logging events properly (all flags set and only logins are being logged)
Could you elaborate on what you mean by “not properly”? Currently your description sounds like it is logging the events you selected, but – I don’t know – say for an exec event the command /bin/sh gets garbled to covfefe, i.e. “not properly”. Could you maybe just share your configuration?
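A small diagnostic script for the two questions raised in this thread (does the running kernel actually carry audit(4), and which event classes does the configuration select). It is an added example written for this page, not code from either poster or from FreeBSD itself. It assumes the OIDs kern.features.audit and kern.conftxt (the latter is present when the kernel is built with INCLUDE_CONFIG_FILE, as GENERIC is), the file /etc/security/audit_control, and uses a constructed sample audit_control for the offline part; the function and variable names are the author's own.

```shell
#!/bin/sh
# Added example for this thread (not FreeBSD's own tooling).
# Two checks: (1) does the *running* kernel have audit(4) compiled in, judged
# from kern.features.audit cross-checked against kern.conftxt; (2) which event
# classes does audit_control(5) select, which explains "only logins are logged".
#
# Assumptions (not from the original posts): OIDs kern.features.audit and
# kern.conftxt, and the path /etc/security/audit_control.

# Decide audit support from two sysctl values.
#   $1 = output of `sysctl -n kern.features.audit` (empty when the OID is absent)
#   $2 = output of `sysctl -n kern.conftxt` (config text of the running kernel)
audit_verdict() {
  feature="$1"
  conftxt="$2"
  if [ "$feature" = "1" ]; then
    echo "audit-compiled-in"
  elif printf '%s\n' "$conftxt" | grep -Eq '^options[[:space:]]+AUDIT([[:space:]]|$)'; then
    # The embedded config says AUDIT, yet the feature OID is missing: the booted
    # kernel is not what you think it is, or the feature OID is absent/renamed.
    echo "config-claims-audit-but-feature-oid-missing"
  else
    echo "audit-not-compiled-in"
  fi
}

# Extract the selected event classes from audit_control(5) text ($1).
# `lo` alone yields only login/logout records; `all` selects every class.
selected_flags() {
  printf '%s\n' "$1" | sed -n 's/^flags:[[:space:]]*//p' | head -n 1
}

# Constructed sample audit_control (not taken from the poster's system),
# used only so the parsing can be exercised offline.
SAMPLE_AUDIT_CONTROL='dir:/var/audit
dist:off
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M'

# Live report; only meaningful on FreeBSD, so skipped on other systems.
audit_report() {
  feature=$(sysctl -n kern.features.audit 2>/dev/null || true)
  conftxt=$(sysctl -n kern.conftxt 2>/dev/null || true)
  echo "kernel: $(audit_verdict "$feature" "$conftxt")"
  if [ -r /etc/security/audit_control ]; then
    echo "selected flags: $(selected_flags "$(cat /etc/security/audit_control)")"
  fi
  service auditd status 2>/dev/null || echo "auditd: not running"
}

if [ "$(uname -s)" = "FreeBSD" ]; then
  audit_report
fi
```

Run it as root on the affected host; "audit-compiled-in" together with a flags line of only lo (or lo,aa) is the combination in which the daemon is working as configured and simply not asked for anything but login events.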
 