tech-security archive
kernel event auditing for NetBSD?
I attended a presentation showing FreeBSD's kernel event auditing. It
looked interesting and useful. I think it provides features that are
required by some government and company security evaluations.
It is like a very advanced acct(2) process accounting.
It has a kernel side (of course) that would be a slow process to add all
the places to report. Plus some userland tools can identify themselves
too. Then some userland tools (in the openbsm package for Sun's Basic
Security Module) that are used to configure/control the auditing and
process the auditing output. These are common configurations and output
so are portable over multiple systems. As far as I know openbsm (the
tools) haven't been used on NetBSD yet (I didn't try yet since it's unclear
from the website where the latest is available -- maybe in the FreeBSD source tree).
As a summary, by enabling various features to watch, it can output an
audit trail of logins, processes forked, system calls, for the effective
and real and login user and group, etc. The output can be used for
near-real time triggers.
Here are some links:
FreeBSD Handbook: Security Event Auditing chapter
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/audit.html
OpenBSM: Open Source Basic Security Module (BSM) Audit Implementation
http://www.trustedbsd.org/openbsm.html
TrustedBSD Security Event Auditing
http://www.trustedbsd.org/audit.html
Trusted Solaris Audit Administration
http://docs.sun.com/app/docs/doc/805-8121/6j7kril2d?l=en&a=view
Mailing lists related to this
http://www.trustedbsd.org/mailinglists.html
Has anyone discussed this before for NetBSD? (I didn't see from
searching mail-index with google.) Any thoughts on this?
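As an added illustration of the "near-real time triggers" idea above (example code, not part of the original post and not OpenBSM's own tooling): a small Python script that walks a praudit(1)-style text trail, rebuilds records from header to trailer, and flags two things a defender cares about, an exec where the effective uid no longer matches the audit (login) uid, and any call the kernel refused. The token layout it assumes (comma-separated praudit text, subject fields in the order audit-uid,uid,gid,ruid,rgid,pid) and the sample trail are constructed for this example.

```python
"""Near-real-time triggers over a praudit(1)-style text audit trail.
Added example, not from the original post or OpenBSM. Assumes praudit's
comma-separated text output: one record per header..trailer, third header
field = event name, subject token = audit-uid,uid,gid,ruid,rgid,pid,..."""
from typing import Dict, Iterator, List, Tuple
# Constructed sample trail (not from a real system): a login, an exec through
# a setuid program, and an exec the kernel refused.
SAMPLE_TRAIL = """\
header,80,11,login - local(2),0,Mon Jan  1 10:00:00 2024, + 0 msec
subject,alice,alice,users,alice,users,501,100,0.0.0.0
return,success,0
trailer,80
header,130,11,execve(2),0,Mon Jan  1 10:00:09 2024, + 3 msec
subject,alice,root,wheel,alice,users,503,100,0.0.0.0
return,success,0
trailer,130
header,90,11,execve(2),0,Mon Jan  1 10:00:12 2024, + 7 msec
subject,alice,alice,users,alice,users,504,100,0.0.0.0
return,failure : Permission denied,-1
trailer,90
"""

def parse_records(lines) -> Iterator[Dict[str, str]]:
    """Group token lines into records; a later token of the same name wins."""
    rec = None
    for line in lines:
        name, _, rest = line.strip().partition(",")
        if name == "header":
            rec = {"event": rest.split(",")[2]}
        elif rec is None:
            continue  # token outside a record: the trail was cut mid-record
        elif name == "trailer":
            yield rec
            rec = None
        else:
            rec[name] = rest

def triggers(trail: str) -> List[Tuple[str, str, str]]:
    """Return (kind, event, pid) for records that deserve an immediate alert."""
    hits = []
    for rec in parse_records(trail.splitlines()):
        subj = rec.get("subject", "").split(",")
        if len(subj) < 6:
            continue  # no subject token: nothing to attribute the event to
        audit_uid, uid, pid = subj[0], subj[1], subj[5]
        if audit_uid != uid:  # login (audit) user and effective user diverge
            hits.append(("uid-mismatch", rec["event"], pid))
        if rec.get("return", "").startswith("failure"):  # the attempt itself
            hits.append(("failed-call", rec["event"], pid))
    return hits
```

On a live system the same function would be fed from a pipe behind praudit rather than from the embedded string; the audit uid surviving a setuid transition is exactly what makes the first trigger possible.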