From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
Date: Sun, 06 Jan 2013 17:11:52 -0500
To: freebsd-security@freebsd.org
Subject: audit events confusion
Message-ID: <50E9F6A8.5050502@sentex.net>

On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line

    dir:/var/audit
    flags:lo,aa,-nt
    minfree:5

to log failed network connections. When I try and make an outbound connection to something that is blocked in pf, it seems to sometimes work. e.g. from the command line, if I manually try via

    telnet 8.8.8.8 25

pf shows

    17:03:23.572682 rule 433/0(match): block out on em0: 64.7.x.x.17017 > 8.8.8.8.25: Flags [S], seq 1420411574, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177061484 ecr 0], length 0

and praudit records it as expected, including the userid who tried to do it.

    header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,

But if I make a simple php script to try and connect out, again, pflog0 blocks it and logs it, but it does not show up in the audit logs.

    17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 > 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0

Any idea what I am missing? This is a RELENG_8 box from this week.

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
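The lookup the post is after (which audit user and pid made a failed outbound connect(2)) can be scripted over the trail once the records are in the comma-delimited, one-record-per-line layout shown above. The following is an added example, not code from the post, from FreeBSD or from OpenBSM. It assumes that layout is what praudit -l produces and that the token field counts match the record quoted in the mail (header, argument, subject, return, trailer); the sample records are constructed, with the first copied from the mail.

```python
"""Summarise failed connect(2) records from praudit -l style output.

Added example, not part of the original post or of OpenBSM. Assumption:
each line is one record, tokens are comma-delimited, and the per-token
field counts below match the record format seen in the mail.
"""
from collections import Counter

# Fields each token type occupies in delimited praudit output, for the
# token types present in a connect(2) record (assumed from the sample).
TOKEN_FIELDS = {
    "header": 7,    # header,len,version,event,modifier,date,msec
    "argument": 4,  # argument,argnum,value,text
    "subject": 10,  # subject,auid,euid,egid,ruid,rgid,pid,sid,port,addr
    "return": 3,    # return,error string,return value
    "trailer": 2,   # trailer,len
}

# Constructed sample trail: the record from the post, one successful
# connect(2) by the same user, and one failed connect(2) by "www".
SAMPLE_TRAIL = [
    "header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,"
    "argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,"
    "return,failure : Operation not permitted,4294967295,trailer,79,",
    "header,79,11,connect(2),0,Sun Jan 6 17:08:10 2013, + 12 msec,"
    "argument,1,0x4,fd,subject,tw,tw,tw,tw,tw,54120,54064,13556,64.7.yy.yy,"
    "return,success,0,trailer,79,",
    "header,79,11,connect(2),0,Sun Jan 6 17:09:30 2013, + 5 msec,"
    "argument,1,0x5,fd,subject,www,www,www,www,www,55001,55000,0,0.0.0.0,"
    "return,failure : Operation not permitted,4294967295,trailer,79,",
]


def parse_record(line):
    """Split one delimited praudit record into {token kind: [fields, ...]}."""
    fields = line.rstrip("\n").rstrip(",").split(",")
    tokens = {}
    i = 0
    while i < len(fields):
        kind = fields[i]
        if kind not in TOKEN_FIELDS:
            raise ValueError("unknown token %r in record: %s" % (kind, line))
        n = TOKEN_FIELDS[kind]
        body = fields[i:i + n]
        if len(body) < n:
            raise ValueError("truncated %s token in record: %s" % (kind, line))
        tokens.setdefault(kind, []).append(body)
        i += n
    return tokens


def failed_connects(lines):
    """Return one dict per connect(2) record whose return token is a failure."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        header = rec["header"][0]
        if header[3] != "connect(2)":
            continue
        ret = rec.get("return", [None])[0]
        if ret is None or not ret[1].startswith("failure"):
            continue
        subj = rec["subject"][0]
        events.append({
            "date": header[5],
            "auid": subj[1],   # audit uid: the user who logged in
            "euid": subj[2],   # effective uid at the time of the call
            "pid": subj[6],
            "error": ret[1].split(":", 1)[1].strip(),
        })
    return events


def by_user(events):
    """Count failed connects per (audit uid, effective uid) pair."""
    return Counter((e["auid"], e["euid"]) for e in events)


if __name__ == "__main__":
    found = failed_connects(SAMPLE_TRAIL)
    for e in found:
        print("%(date)s auid=%(auid)s euid=%(euid)s pid=%(pid)s: %(error)s" % e)
    for (auid, euid), n in by_user(found).most_common():
        print("auid=%s euid=%s failed connects: %d" % (auid, euid, n))
```

In practice the input would be the output of `praudit -l /var/audit/<trail>` piped into the script instead of SAMPLE_TRAIL. It only reports records that actually reached the trail, so it helps with attribution once the events are being recorded; it does nothing about the gap the post describes, where the php script's connection is blocked by pf but never shows up in the audit log.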