audit events confusion
Patrick Proniewski
patpro at patpro.net
Sun Jan 6 22:30:45 UTC 2013
On 06 Jan 2013, at 23:11, Mike Tancsa wrote:
> But if I make a simple php script to try and connect out, again, pflog0
> blocks it and logs it, but it does not show up in the audit logs
>
> 17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 >
> 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss
> 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
>
> Any idea what I am missing?
I think auditd can catch events only for users that have logged in at least once. To audit Apache, I've had to install setaudit and launch httpd process by using setaudit with proper flags.
I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to start_cmd="apache22_auditstart" and adding the proper command definition:
apache22_auditstart() {
	echo "Starting apache22 with audit"
	# ${command} and ${apache22_flags} are the httpd path and flags the rc script already defines
	eval /usr/local/sbin/setaudit ${apache22_auditflags} ${command} ${apache22_flags} -k start
}
In /etc/rc.conf, I've added:
apache22_auditflags="-a www -m ex,lo,ad,-pc,fd,-fc,-fm,-fw"
I'm then able to log audit events for Apache, according to flags I've set in apache22_auditflags.
Hope this helps,
patpro
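The rc.d wrapper above builds its setaudit command line by string expansion, so a typo in apache22_auditflags only surfaces when httpd fails to start. The script below is an added example (not patpro's code and not part of any FreeBSD port): it validates an audit mask such as "ex,lo,ad,-pc,fd,-fc,-fm,-fw" against the class names listed in audit_class(5), honouring the +, -, ^, ^+ and ^- prefixes from audit_control(5), and assembles the setaudit command line without executing it. It assumes the "-a user -m mask command args" argument order shown in the post; the httpd path and the "www" user are placeholders.

```shell
#!/bin/sh
# Added example: check an audit class mask and build (but do not run) the
# setaudit command line an rc.d start wrapper would exec.

# Class names shipped in FreeBSD's /etc/security/audit_class (audit_class(5)).
KNOWN_CLASSES="fr fw fa fm fc fd cl pc nt ip na ad lo aa ap io ex ot all no"

# Assumed install path of setaudit; override with SETAUDIT=... if yours differs.
SETAUDIT=${SETAUDIT:-/usr/local/sbin/setaudit}

# is_known_class NAME: returns 0 if NAME is a known audit class.
is_known_class() {
    for c in $KNOWN_CLASSES; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# validate_audit_mask MASK: returns 0 if every comma-separated item is a
# known class with an optional audit_control(5) prefix; otherwise prints the
# first offending item and returns 1.
validate_audit_mask() {
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            ^[+-]*) class=${item#??} ;;   # ^+cls / ^-cls: negate success/failure only
            [+^-]*) class=${item#?} ;;    # +cls success, -cls failure, ^cls negate
            *)      class=$item ;;
        esac
        if [ -z "$class" ] || ! is_known_class "$class"; then
            echo "$item"
            return 1
        fi
    done
    return 0
}

# build_setaudit_cmd MASK USER COMMAND [ARGS...]: prints the command line
# (constructed from the post's "-a user -m mask" usage) or returns 1 if the
# mask is rejected.
build_setaudit_cmd() {
    mask=$1; user=$2; shift 2
    validate_audit_mask "$mask" >/dev/null || return 1
    echo "$SETAUDIT -a $user -m $mask $*"
}

# Dry run with the mask from the post; /usr/local/sbin/httpd is a placeholder path.
MASK="ex,lo,ad,-pc,fd,-fc,-fm,-fw"
if bad=$(validate_audit_mask "$MASK"); then
    build_setaudit_cmd "$MASK" www /usr/local/sbin/httpd -k start
else
    echo "unknown audit class in mask: $bad" >&2
fi
```

Dropping the validation into the rc.d function before the eval turns a silent "httpd never started" into an explicit error naming the bad class; the same check is useful for the flags lines in /etc/security/audit_control.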