109.6. Basic Security Module Auditing (im_bsm)
This module provides support for parsing events logged using Sun’s Basic Security Module (BSM) Auditing API. This module reads directly from the kernel. See also xm_bsm.
The BSM /dev/auditpipe
device file is available on FreeBSD and macOS. On
Solaris, the device file is not available and the log files must be read and
parsed with im_file and xm_bsm as shown in the
example.
109.6.1. Setup
For information about setting up BSM Auditing, see the xm_bsm Setup section.
109.6.2. Configuration
The im_bsm module accepts the following directives in addition to the common module directives.
- DeviceFile
-
This optional directive specifies the device file from which to read BSM events. If this is not specified, it defaults to
/dev/auditpipe
.
- EventFile
-
This optional directive can be used to specify the path to the audit event database containing a mapping between event names and numeric identifiers. The default location is
/etc/security/audit_event
which is used when the directive is not specified.
109.6.3. Fields
See the xm_bsm Fields.
109.6.4. Examples
This configuration reads BSM audit events directly from the kernel via the
(default) /dev/auditpipe
device file (which is not available on Solaris, see
the xm_bsm example instead).