I'm looking into auditing solutions, and in addition to the pretty straightforward auditd, found https://krvtz.net/posts/practical-process-audit-on-freebsd.html which hints at analysing the collected trail using bsmtrace3 rules.
I would rather like to ask about auditing in practice, beyond what is written. If you have experience monitoring a number of FreeBSD boxes for audit and security purposes, I would be glad to hear about these points:
- Setup for shipping logs to a remote (if substantially different from `praudit /dev/auditpipe | homebrew-script-to-send-somewhere`)
- Batched or real-time analysis (recommended software, rulesets, practices on reviewing/creating rulesets)
- War stories
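One concrete shape the "homebrew script" in the first bullet can take, as an added example that is not part of this post or of the linked article: instead of shipping `praudit`'s text form, read `praudit -x /dev/auditpipe` (one XML `<record>` per audit event), flatten each record to a JSON line and forward it to a remote syslog collector with Python's standard `SysLogHandler`. The element and attribute names (`event`, `subject`, `audit-uid`, `exec_args`, `return errval=`) follow the `praudit -x` format as I know it; the sample record embedded below is constructed for the example, and `loghost.example` is a placeholder.

```python
#!/usr/bin/env python3
"""Ship FreeBSD audit records from `praudit -x` to a remote syslog host as JSON.

Example (constructed) invocation on the audited box:
    praudit -x /dev/auditpipe | python3 ship_audit.py --host loghost.example --port 514
With no --host the JSON lines are printed to stdout, which is handy for
checking a new audit_control/audit_class setup before wiring up the collector.
"""
import argparse
import json
import logging
import logging.handlers
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample record in the praudit -x layout (attribute names assumed).
SAMPLE_RECORD = """<record version="11" event="execve(2)" modifier="0" time="Mon Jan  1 12:00:00 2024" msec=" + 123 msec" >
<exec_args><arg>/bin/ls</arg><arg>-la</arg></exec_args>
<path>/bin/ls</path>
<attribute mode="555" uid="root" gid="wheel" fsid="1" nodeid="2" device="3" />
<subject audit-uid="alice" uid="alice" gid="alice" ruid="alice" rgid="alice" pid="1234" sid="100" tid="5678 0.0.0.0" />
<return errval="success" retval="0" />
</record>
"""


def parse_record(xml_text):
    """Flatten one <record>...</record> element into a dict suitable for JSON."""
    root = ET.fromstring(xml_text)
    rec = {"event": root.get("event"), "time": root.get("time"),
           "modifier": root.get("modifier")}
    subj = root.find("subject")
    if subj is not None:
        # audit-uid is the identity that survives su/sudo; keep it separate from uid.
        for key in ("audit-uid", "uid", "gid", "pid", "sid", "tid"):
            rec["subject_" + key.replace("-", "_")] = subj.get(key)
    args = root.find("exec_args")
    if args is not None:
        rec["exec_args"] = [a.text or "" for a in args.findall("arg")]
    paths = [p.text for p in root.findall("path") if p.text]
    if paths:
        rec["paths"] = paths
    ret = root.find("return")
    if ret is not None:
        rec["errval"] = ret.get("errval")
        rec["retval"] = ret.get("retval")
    return rec


def iter_records(lines):
    """Yield each complete <record> element from a praudit -x line stream.

    praudit -x also emits an <?xml?> prologue and an <audit> wrapper; those
    are skipped so the output stays one self-contained element per event.
    """
    buf, inside = [], False
    for line in lines:
        if not inside:
            idx = line.find("<record")
            if idx < 0:
                continue
            inside, line = True, line[idx:]
        buf.append(line)
        if "</record>" in line:
            inside = False
            yield "".join(buf)
            buf = []


def records_from_text(text):
    """Convenience wrapper: parse every record in a praudit -x text blob."""
    return [parse_record(r) for r in iter_records(text.splitlines(keepends=True))]


def build_logger(host=None, port=514, tcp=False):
    """Return a logger that writes to remote syslog (LOCAL0) or, without a host, to stdout."""
    log = logging.getLogger("bsm-ship")
    log.setLevel(logging.INFO)
    log.handlers.clear()
    if host:
        handler = logging.handlers.SysLogHandler(
            address=(host, port),
            facility=logging.handlers.SysLogHandler.LOG_LOCAL0,
            socktype=socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM)
    else:
        handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(logging.Formatter("audit: %(message)s"))
    log.addHandler(handler)
    return log


def main(argv=None):
    p = argparse.ArgumentParser(description="forward praudit -x records as JSON lines")
    p.add_argument("--host", help="remote syslog collector (omit to print to stdout)")
    p.add_argument("--port", type=int, default=514)
    p.add_argument("--tcp", action="store_true", help="use TCP instead of UDP")
    a = p.parse_args(argv)
    log = build_logger(a.host, a.port, a.tcp)
    for xml_text in iter_records(sys.stdin):
        try:
            log.info(json.dumps(parse_record(xml_text), separators=(",", ":")))
        except ET.ParseError as exc:
            # A truncated record (e.g. pipe reader restarted mid-event) must not stop shipping.
            print("skipping unparseable record: %s" % exc, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two design points worth noting: the script keeps `audit-uid` separate from `uid`, because the audit UID is what ties a `sudo`/`su` session back to the original login on the collector side; and a parse error on one record is logged and skipped rather than aborting, since a restart of the `auditpipe` reader can hand it half an event.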