17.3 Installing Audit Support

User space support for Event Auditing is installed as part of the base FreeBSD operating system. Kernel support for Event Auditing is compiled in by default, but support for this feature must be explicitly compiled into the custom kernel by adding the following line to the kernel configuration file:

options    AUDIT

Rebuild and reinstall the kernel via the normal process explained in Chapter 8.

Once an audit-enabled kernel is built, installed, and the system has been rebooted, enable the audit daemon by adding the following line to rc.conf(5):

auditd_enable="YES"

Audit support must then be started by a reboot, or by manually starting the audit daemon:

/etc/rc.d/auditd start