Security event auditing with auditd
-
I see that auditd is disabled in /etc/defaults/rc.conf
auditd_enable="NO"                  # Run the audit daemon.
auditd_program="/usr/sbin/auditd"   # Path to the audit daemon.
auditd_flags=""                     # Which options to pass to the audit daemon.
I would like to enable it for certain events that are not covered by the pfSense logging feature, such as auditing of command line arguments within a shell. In addition, these should be forwarded via rsyslog.
Is this possible? Any insights are more than welcome.
-
pfSense doesn't use the FreeBSD RC system so making changes there does nothing.
Also auditd is not included by default so to use that would require a number of custom changes.
I don't see any references to other attempts so some development would be required.
Steve
-
@stephenw10
I would welcome such a feature, too. The netgate/pfsense firewall is possibly the most security critical system on the network that it protects. To not have auditd enabled by default makes no sense to me.
-John
p.s., (off subject) BTW, it would be really nice if we had a tripwire plugin as well!
-
Both those things should be a feature request in redmine if there is not something existing: https://redmine.pfsense.org/