Date: Sun, 6 Jan 2013 23:25:16 +0100
From: Patrick Proniewski <patpro@patpro.net>
To: Mike Tancsa <mike@sentex.net>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: audit events confusion
Message-ID: <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>
In-Reply-To: <50E9F6A8.5050502@sentex.net>
References: <50E9F6A8.5050502@sentex.net>
On 06 janv. 2013, at 23:11, Mike Tancsa wrote:
> But if I make a simple php script to try and connect out, again, pflog0
> blocks it and logs it, but it does not show up in the audit logs
>
> 17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 >
> 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss
> 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
>
> Any idea what I am missing ?
I think auditd can catch events only for users that have logged in at least once. To audit Apache, I've had to install setaudit and launch httpd process by using setaudit with proper flags.
I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to start_cmd="apache22_auditstart" and adding the proper command definition:
apache22_auditstart() {
	echo "Starting apache22 with audit"
	eval /usr/local/sbin/setaudit ${apache22_auditflags} ${command} ${apache22_flags} -k start
}
In /etc/rc.conf, I've added:
apache22_auditflags="-a www -m ex,lo,ad,-pc,fd,-fc,-fm,-fw"
I'm then able to log audit events for Apache, according to the flags I've set in apache22_auditflags.
hope this helps,
patpro
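As an added illustration (not part of the original mail, and not code from FreeBSD or OpenBSM) of what a class list like the one in apache22_auditflags above actually selects: the script below turns an audit_control(5)-style flag string into the success and failure preselection masks, using the prefix rules from audit_control(5) (no prefix = success and failure, "+" = success only, "-" = failure only, "^" = remove) and the class bit values from the stock FreeBSD /etc/security/audit_class file. The function names are my own; the mask table is assumed to match that file.

```shell
#!/bin/sh
# Added example, not from the original mail: compute which audit events an
# audit_control(5)/setaudit(1) class list selects, e.g. "ex,lo,ad,-pc,fd,-fc,-fm,-fw".
# Prefix semantics per audit_control(5):
#   ex    success and failure      +ex   success only      -ex   failure only
#   ^ex   remove both              ^+ex  remove success    ^-ex  remove failure
# Entries are applied left to right, so "all,^-ad" means everything except
# failed administrative events.

# Class abbreviation -> mask, assumed to match the stock FreeBSD audit_class file.
audit_class_mask() {
	case "$1" in
		no)  echo 0x00000000 ;;
		fr)  echo 0x00000001 ;;
		fw)  echo 0x00000002 ;;
		fa)  echo 0x00000004 ;;
		fm)  echo 0x00000008 ;;
		fc)  echo 0x00000010 ;;
		fd)  echo 0x00000020 ;;
		cl)  echo 0x00000040 ;;
		pc)  echo 0x00000080 ;;
		nt)  echo 0x00000100 ;;
		ip)  echo 0x00000200 ;;
		na)  echo 0x00000400 ;;
		ad)  echo 0x00000800 ;;
		lo)  echo 0x00001000 ;;
		aa)  echo 0x00002000 ;;
		ap)  echo 0x00004000 ;;
		io)  echo 0x20000000 ;;
		ex)  echo 0x40000000 ;;
		ot)  echo 0x80000000 ;;
		all) echo 0xffffffff ;;
		*)   return 1 ;;
	esac
}

# Usage: audit_preselect_masks "ex,lo,-pc"
# Prints "success=0x... failure=0x..."; returns 1 on an unknown class so that a
# typo in rc.conf is reported instead of silently auditing nothing.
audit_preselect_masks() {
	success=0
	failure=0
	old_ifs=$IFS
	IFS=,
	set -- $1            # split the comma-separated list into positional args
	IFS=$old_ifs
	for entry in "$@"; do
		negate=0
		case "$entry" in
			^*) negate=1; entry=${entry#^} ;;
		esac
		want_success=1
		want_failure=1
		case "$entry" in
			+*) want_failure=0; entry=${entry#+} ;;
			-*) want_success=0; entry=${entry#-} ;;
		esac
		mask=$(audit_class_mask "$entry") || {
			echo "unknown audit class: $entry" >&2
			return 1
		}
		if [ "$negate" -eq 0 ]; then
			if [ "$want_success" -eq 1 ]; then success=$(( success | mask )); fi
			if [ "$want_failure" -eq 1 ]; then failure=$(( failure | mask )); fi
		else
			if [ "$want_success" -eq 1 ]; then success=$(( success & ~mask & 0xffffffff )); fi
			if [ "$want_failure" -eq 1 ]; then failure=$(( failure & ~mask & 0xffffffff )); fi
		fi
	done
	printf 'success=0x%08x failure=0x%08x\n' "$success" "$failure"
}

# The flag list from the rc.conf line above: exec, login/logout, administrative
# and file-delete events on success and failure; process, file-create,
# file-attr-modify and file-write events only when they fail.
audit_preselect_masks "ex,lo,ad,-pc,fd,-fc,-fm,-fw"
```

Reading the result for the rc.conf line above shows why a successful outbound connect() from httpd would not appear: the "nt" (network) class is not in the list at all, and "-pc" only records process-class events that fail. Running the function over a candidate flag string before putting it in rc.conf is a cheap way to check that the classes you expect are actually selected.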