audit events confusion

Mike Tancsa mike at sentex.net
Sun Jan 6 22:12:02 UTC 2013


On a rather full customer web server, I am trying to track down whose
web site script is trying to make outbound network connections when they
should not be.  In /etc/security/audit_control, I added to the flags line

dir:/var/audit
flags:lo,aa,-nt
minfree:5

to log failed network connections.  When I try and make an outbound
connection to something that is blocked in pf, it seems to sometimes
work.  E.g. from the command line, if I manually try via telnet 8.8.8.8 25

pf shows
17:03:23.572682 rule 433/0(match): block out on em0: 64.7.x.x.17017 >
8.8.8.8.25: Flags [S], seq 1420411574, win 65535, options [mss
1460,nop,wscale 3,sackOK,TS val 177061484 ecr 0], length 0

and praudit records it as expected including the userid who tried to do it.

header,79,11,connect(2),0,Sun Jan  6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,


But if I make a simple php script to try and connect out, again, pflog0
blocks it and logs it, but it does not show up in the audit logs


17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 >
8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss
1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0

Any idea what I am missing?

This is a RELENG_8 box from this week.

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


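As an added example (not part of Mike's post and not FreeBSD project code), the script below does the "whose script is it" step on the praudit(1) output quoted above: it reads praudit's default comma-delimited records, keeps only connect(2) events, and tallies the failed ones by the audit user ID and effective UID found in the subject token. The subject token layout it assumes is the one praudit prints (subject, audit-uid, uid, gid, ruid, rgid, pid, sid, tid); the sample records other than the first one from the post are constructed here to exercise the filter, and the function and variable names are the example's own.

```python
"""Attribute failed connect(2) calls in praudit(1) output to a user.

Usage (assumed invocation, not from the post):
    auditreduce -m AUE_CONNECT /var/audit/current | praudit | python3 connect_fail.py
"""
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample in praudit default output format.  The first record is
# the one quoted in the post, left mail-wrapped across three lines as it
# appeared; the remaining records are made up for this example.
SAMPLE_PRAUDIT = """\
header,79,11,connect(2),0,Sun Jan  6 17:06:04 2013, + 439
msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure
: Operation not permitted,4294967295,trailer,79,
header,79,11,connect(2),0,Sun Jan  6 17:06:09 2013, + 12 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54102,54064,13556,64.7.yy.yy,return,success,0,trailer,79,
header,79,11,connect(2),0,Sun Jan  6 17:07:46 2013, + 518 msec,argument,1,0x5,fd,subject,bob,www,www,bob,www,60210,60200,13557,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,
header,79,11,connect(2),0,Sun Jan  6 17:07:47 2013, + 2 msec,argument,1,0x5,fd,subject,bob,www,www,bob,www,60211,60200,13557,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,
header,58,11,socket(2),0,Sun Jan  6 17:07:46 2013, + 500 msec,argument,1,0x2,domain,argument,2,0x1,type,argument,3,0x6,protocol,subject,bob,www,www,bob,www,60210,60200,13557,64.7.yy.yy,return,success,5,trailer,58,
"""


@dataclass
class ConnectEvent:
    time: str
    auid: str     # audit user ID: the login session the process descends from
    uid: str      # effective UID at the time of the call
    pid: str
    sid: str
    ok: bool      # True when connect(2) returned success
    errmsg: str   # errno text from the return token on failure


def iter_records(text: str) -> Iterator[List[str]]:
    """Yield one praudit record as a list of stripped, comma-separated fields.

    praudit prints one record per line; lines are accumulated until the
    trailer token so that mail-wrapped records (as in the post) still parse."""
    buf: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        buf.append(line)
        if "trailer," in line:
            yield [f.strip() for f in " ".join(buf).split(",")]
            buf = []


def parse_connects(text: str) -> List[ConnectEvent]:
    """Extract connect(2) records that carry both a subject and a return token."""
    events: List[ConnectEvent] = []
    for f in iter_records(text):
        if len(f) < 6 or f[0] != "header" or f[3] != "connect(2)":
            continue
        if "subject" not in f or "return" not in f:
            continue  # no subject token: nothing to attribute the call to
        s, r = f.index("subject"), f.index("return")
        if len(f) < s + 9 or len(f) < r + 3:
            continue  # truncated record
        status = f[r + 1]
        ok = status.startswith("success")
        events.append(ConnectEvent(
            time=f[5], auid=f[s + 1], uid=f[s + 2], pid=f[s + 6], sid=f[s + 7],
            ok=ok, errmsg="" if ok else status.partition(":")[2].strip(),
        ))
    return events


def failed_connects_by_user(text: str) -> Counter:
    """Count failed connect(2) calls per (audit uid, effective uid) pair."""
    return Counter((e.auid, e.uid) for e in parse_connects(text) if not e.ok)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PRAUDIT
    for ev in parse_connects(data):
        if not ev.ok:
            print(f"{ev.time}  auid={ev.auid} uid={ev.uid} pid={ev.pid} sid={ev.sid}  {ev.errmsg}")
    for (auid, uid), n in failed_connects_by_user(data).most_common():
        print(f"{n:4d}  auid={auid} uid={uid}")
```

The audit user ID is the field worth keying on: it is fixed at login and survives setuid, so a script that a web server runs as its own UID is still attributed to whichever session started that server. That is also the caveat behind the missing records: audit_control(5) distinguishes `flags` (the mask applied to sessions at login) from `naflags` (classes audited when an action cannot be attributed to a logged-in user), so a daemon started from rc at boot rather than from a login session is selected by `naflags`, not `flags`.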