User space support for Event Auditing is installed as part of the base FreeBSD operating system as of 6.2-RELEASE. However, Event Auditing support must be explicitly compiled into the kernel by adding the following lines to the kernel configuration file:
options AUDIT
Rebuild and reinstall the kernel via the normal process explained in Chapter 8.
Once the kernel is built, installed, and the system has been rebooted, enable the audit daemon by adding the following line to rc.conf(5):
auditd_enable="YES"
Audit support must then be started by a reboot, or by manually starting the audit daemon:
/etc/rc.d/auditd start
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.