Date: Sun, 06 Jan 2013 17:11:52 -0500
From: Mike Tancsa <mike@sentex.net>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: audit events confusion
Message-ID: <50E9F6A8.5050502@sentex.net>
On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line

    dir:/var/audit
    flags:lo,aa,-nt
    minfree:5

to log failed network connections. When I try and make an outbound connection to something that is blocked in pf, it seems to sometimes work. E.g. from the command line, if I manually try via

    telnet 8.8.8.8 25

pf shows

    17:03:23.572682 rule 433/0(match): block out on em0: 64.7.x.x.17017 > 8.8.8.8.25: Flags [S], seq 1420411574, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177061484 ecr 0], length 0

and praudit records it as expected, including the userid who tried to do it:

    header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,

But if I make a simple php script to try and connect out, again pflog0 blocks it and logs it, but it does not show up in the audit logs:

    17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 > 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0

Any idea what I am missing? This is a RELENG_8 box from this week.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
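The kind of triage the post describes (which user's process made the failed connect(2) calls) can be done over `praudit -l` output, one record per line in the comma-separated token layout shown above. The following is an added example, not code from the original post; it assumes the token order of the header, argument, subject and return tokens as printed by praudit, and the sample records are constructed (the first is the one quoted in the post).

```python
"""Pick failed connect(2) attempts out of `praudit -l` records and tally them
per audit user ID. Added example; the sample records below are constructed,
the first one copied from the mailing-list post (addresses anonymised there)."""
from typing import Dict, Iterator, List, Optional

# Field names that follow the "subject" keyword in a praudit -l record.
SUBJECT_FIELDS = ("auid", "uid", "gid", "ruid", "rgid",
                  "pid", "sid", "tid_port", "tid_addr")

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Turn one praudit -l line into a dict; return None if it is not a record."""
    tok = line.strip().rstrip(",").split(",")
    if len(tok) < 7 or tok[0] != "header":
        return None
    # header: keyword, length, version, event name, modifier, time, " + N msec"
    rec: Dict[str, str] = {"event": tok[3], "time": tok[5].strip()}
    i = 7
    while i < len(tok):
        kw = tok[i]
        if kw == "subject" and i + 9 < len(tok):
            rec.update(zip(SUBJECT_FIELDS, tok[i + 1:i + 10]))
            i += 10
        elif kw == "return" and i + 2 < len(tok):
            rec["status"] = tok[i + 1]      # "success" or "failure : <errno text>"
            rec["retval"] = tok[i + 2]
            i += 3
        elif kw == "argument" and i + 3 < len(tok):
            rec["arg_" + tok[i + 3]] = tok[i + 2]   # e.g. arg_fd -> "0x3"
            i += 4
        else:
            i += 1                           # trailer or a token we do not model
    return rec

def failed_connects(lines: List[str]) -> Iterator[Dict[str, str]]:
    """Yield only connect(2) records whose return token reports a failure."""
    for line in lines:
        rec = parse_record(line)
        if rec and rec["event"] == "connect(2)" and rec.get("status", "").startswith("failure"):
            yield rec

def count_by_user(lines: List[str]) -> Dict[str, int]:
    """Count failed connects per audit ID (auid survives su/setuid; -1 = non-attributable)."""
    counts: Dict[str, int] = {}
    for rec in failed_connects(lines):
        counts[rec["auid"]] = counts.get(rec["auid"], 0) + 1
    return counts

# Constructed sample: the post's record, a successful connect, a daemon's failed
# connect with no attributable audit ID, and an unrelated login event.
SAMPLE = """\
header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,
header,79,11,connect(2),0,Sun Jan 6 17:06:09 2013, + 12 msec,argument,1,0x4,fd,subject,tw,tw,tw,tw,tw,54101,54064,13556,64.7.yy.yy,return,success,0,trailer,79,
header,79,11,connect(2),0,Sun Jan 6 17:07:46 2013, + 518 msec,argument,1,0x5,fd,subject,-1,www,www,www,www,61212,61212,0,0.0.0.0,return,failure : Operation not permitted,4294967295,trailer,79,
header,60,11,login - local,0,Sun Jan 6 17:05:00 2013, + 1 msec,subject,tw,tw,tw,tw,tw,54000,54000,13556,64.7.yy.yy,return,success,0,trailer,60,
"""

if __name__ == "__main__":
    for user, n in sorted(count_by_user(SAMPLE.splitlines()).items()):
        print(f"{user}: {n} failed connect(2)")
```

Such a parser only sees what preselection admitted: the `flags:` line applies to processes attached to an audited login session, while processes with no attributable audit ID (a daemon started at boot, as the third constructed record models) are selected by the `naflags:` line of audit_control(5).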