audit events confusion
Mike Tancsa
mike at sentex.net
Sun Jan 6 22:12:02 UTC 2013
On a rather full customer web server, I am trying to track down whose
web site script is trying to make outbound network connections when they
should not be. In /etc/security/audit_control, I added to the flags line
dir:/var/audit
flags:lo,aa,-nt
minfree:5
to log failed network connection. When I try an make an outbound
connection to something that is blocked in pf, it seems to sometimes
work. eg. from the command line, if I manually try via telnet 8.8.8.8 25
pf shows
17:03:23.572682 rule 433/0(match): block out on em0: 64.7.x.x.17017 >
8.8.8.8.25: Flags [S], seq 1420411574, win 65535, options [mss
1460,nop,wscale 3,sackOK,TS val 177061484 ecr 0], length 0
and praudit records it as expected including the userid who tried to do it.
header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439
msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure
: Operation not permitted,4294967295,trailer,79,
But if I make a simple php script to try and connect out, again, pflog0
blocks it and logs it, but it does not show up in the audit logs
17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 >
8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss
1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
Any idea what I am missing ?
This is a RELENG_8 box from this week.
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-security
mailing list