FreeBSD Developer: Paweł Jakub Dawidek
The FreeBSD audit facility provides fine-grained, configurable logging of security-relevant events. One of the key purposes of logging security events is postmortem analysis in case of system compromise. Currently the kernel can write audit records directly to a file or make them available through the /dev/auditpipe device. Because the kernel stores audit logs locally, an attacker who has compromised the system also has access to those logs and can remove the traces of their own activity.
The goal of the auditdistd project is to securely and reliably distribute audit records over a TCP/IP network from a local auditdistd daemon to a remote auditdistd daemon. If the source system is compromised, the attacker's activity can still be analysed from the data collected by the remote system, since at that point only the remote system's audit logs can be trusted.
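As an added illustration, not taken from the original page or from the auditdistd sources, here is a minimal sender/receiver pair written in the style of auditdistd.conf, with the receiver's certificate fingerprint pinned on the sender so that records cannot be redirected to an impostor receiver. Hostnames, directories, the listen port and the fingerprint value are placeholders, and the directive set is given from memory; confirm each one against auditdistd.conf(5) before deploying.

```conf
# Source host (the system whose logs may be tampered with after a compromise):
# auditd writes trail files here, and auditdistd forwards them off-host.
sender {
	directory "/var/audit/dist"
	source "0.0.0.0"

	# Placeholder receiver name; one "host" block per remote collector.
	host "auditreceiver.example.com" {
		remote "tcp4://auditreceiver.example.com:7878"
		directory "/var/audit/dist"
		# Pin the receiver's TLS certificate so a redirected connection is refused.
		fingerprint "SHA256=<placeholder: receiver certificate fingerprint>"
	}
}

# Collector host: the only copy of the trail that remains trustworthy
# once the source system has been compromised.
receiver {
	directory "/var/audit/remote"
	listen "tcp4://0.0.0.0:7878"
	certfile "/etc/security/auditdistd.cert.pem"
	keyfile "/etc/security/auditdistd.key.pem"

	# Placeholder sender name; records from it land in their own directory.
	host "auditsender.example.com" {
		name "auditsender"
		directory "/var/audit/remote/auditsender"
	}
}
```

Keep the receiver's key file readable only by the account auditdistd runs as, and analyse the copy under the receiver's directory rather than the sender's local trails after an incident.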
This project was completed in February 2012.