From owner-freebsd-security@FreeBSD.ORG Sun Jan 6 22:47:08 2013
From: Mike Tancsa
Organization: Sentex Communications
To: Patrick Proniewski
Cc: "freebsd-security@freebsd.org"
Subject: Re: audit events confusion
Date: Sun, 06 Jan 2013 17:46:58 -0500
Message-ID: <50E9FEE2.7030106@sentex.net>
In-Reply-To: <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>
References: <50E9F6A8.5050502@sentex.net> <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>
List-Id: "Security issues [members-only posting]"

On 1/6/2013 5:25 PM, Patrick Proniewski wrote:
> On 6 Jan 2013, at 23:11, Mike Tancsa wrote:
>
>> But if I make a simple PHP script to try and connect out, again, pflog0
>> blocks it and logs it, but it does not show up in the audit logs
>>
>> Any idea what I am missing?
>
> I think auditd can catch events only for users that have logged in at least once.
> To audit Apache, I've had to install setaudit and launch the httpd process by using setaudit with the proper flags.
> I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to start_cmd="apache22_auditstart" and adding the proper command definition:
> I'm then able to log audit events for Apache, according to the flags I've set in apache22_auditflags.
>

Hi,

Thanks for the reply! Where can I find setaudit?

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
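The rc.d change Patrick describes, written out as an added example (editor's illustration, not Patrick's actual script and not part of the thread). Two things are assumed here because the thread does not state them: that setaudit is installed at /usr/local/bin/setaudit, and that it takes "-m <audit flags>" in front of the command to run; check the port's own usage text and adjust the invocation. The class names are the defaults from /etc/security/audit_class on FreeBSD, and the +/-/^ prefixes follow audit_control(5). The validation step is there because a mistyped class silently audits nothing, which looks exactly like the "no events in the audit log" symptom that started this thread.

```shell
#!/bin/sh
# Added example: rc.d-style start hook that launches httpd under setaudit,
# modelled on what Patrick describes. Not the script from the thread.
#
# ASSUMPTIONS (not confirmed by the thread): setaudit lives at
# /usr/local/bin/setaudit and accepts "-m <audit flags>" before the
# command to run. Verify against setaudit's usage text before relying on it.

: "${apache22_auditflags:=lo,ex,+nt}"        # rc.conf: audit classes for httpd
: "${setaudit_cmd:=/usr/local/bin/setaudit}" # assumed install path
: "${command:=/usr/local/sbin/httpd}"        # set by the apache22 rc.d script
: "${apache22_flags:=}"                      # extra httpd arguments, if any

# Default audit classes from /etc/security/audit_class on FreeBSD.
# audit_control(5) allows each class to carry a +, - or ^ prefix
# (success only, failure only, negate), which is stripped before lookup.
audit_known_classes="no fr fw fa fm fc fd cl pc nt ip na ad lo aa ap io ex ot all"

# audit_flags_valid "lo,+ex,-nt" -> 0 if every class is known, 1 otherwise
# (with the offending token reported on stderr). An empty list is rejected
# too: it would start httpd with nothing audited.
audit_flags_valid() {
    [ -n "$1" ] || { echo "empty audit flag list" >&2; return 1; }
    _rc=0
    for _f in $(printf '%s' "$1" | tr ',' ' '); do
        _c=$(printf '%s' "$_f" | sed 's/^[+^-]*//')
        case " $audit_known_classes " in
            *" $_c "*) ;;
            *) echo "unknown audit class '$_f' in '$1'" >&2; _rc=1 ;;
        esac
    done
    return $_rc
}

# Replacement start command for /usr/local/etc/rc.d/apache22, i.e.
#   start_cmd="apache22_auditstart"
# placed after load_rc_config so the apache22_* variables are populated.
# Starting httpd through setaudit gives the process an audit mask, which a
# daemon started from rc(8) never gets on its own (no login, no mask).
apache22_auditstart() {
    if [ ! -x "$setaudit_cmd" ]; then
        echo "$setaudit_cmd not found; refusing to start httpd unaudited" >&2
        return 1
    fi
    audit_flags_valid "$apache22_auditflags" || return 1
    echo "Starting apache22 under setaudit (audit classes: $apache22_auditflags)."
    "$setaudit_cmd" -m "$apache22_auditflags" "$command" $apache22_flags
}
```

Set apache22_auditflags in /etc/rc.conf to whatever classes you want recorded for httpd (the "ex" class is what makes an outbound PHP script's exec visible, "nt" the network calls), then confirm with `praudit /var/audit/current` after a test request that events carrying httpd's pid appear.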