From: Patrick Proniewski
Subject: Re: audit events confusion
Date: Sun, 6 Jan 2013 23:25:16 +0100
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
In-Reply-To: <50E9F6A8.5050502@sentex.net>
Message-Id: <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>

On 06 Jan. 2013, at 23:11, Mike Tancsa wrote:

> But if I make a simple php script to try and connect out, again, pflog0
> blocks it and logs it, but it does not show up in the audit logs
>
> 17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 > 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
>
> Any idea what I am missing ?

I think auditd can catch events only for users that have logged in at least once. To audit Apache, I've had to install setaudit and launch the httpd process by using setaudit with the proper flags.

I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to

start_cmd="apache22_auditstart"

and adding the proper command definition:

apache22_auditstart() {
    echo "Starting apache22 with audit"
    eval /usr/local/sbin/setaudit ${apache22_auditflags} ${command} ${apache22_flags} -k start
}

In /etc/rc.conf, I've added:

apache22_auditflags="-a www -m ex,lo,ad,-pc,fd,-fc,-fm,-fw"

I'm then able to log audit events for Apache, according to the flags I've set in apache22_auditflags.
hope this helps,
patpro
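The setaudit -m mask in the reply above decides which event classes auditd will record for the httpd process. The script below is an added example, not code from the post or from FreeBSD: it resolves such a mask into the success and failure class bitmasks it selects, using a hand-constructed subset of the class table in /etc/security/audit_class format, so you can check what a mask like "ex,lo,ad,-pc,fd,-fc,-fm,-fw" actually turns on before deploying it.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): resolve an audit flag mask of the
# kind passed to "setaudit -m" into the success and failure class bitmasks it selects.
# The class table is a hand-constructed subset in /etc/security/audit_class format.

AUDIT_CLASSES='
0x00000002:fw:file write
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000080:pc:process
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x40000000:ex:exec
'

# class_bit NAME: print the bit for audit class NAME, nothing if it is unknown.
class_bit() {
    printf '%s\n' "$AUDIT_CLASSES" | awk -F: -v n="$1" '$2 == n { print $1 }'
}
# audit_masks MASK: print "SUCCESS FAILURE" as decimal integers, or return 1 on an
# unknown class. A bare class audits both outcomes, "+" success only, "-" failure
# only, and a leading "^" removes rather than adds (audit_control(5) flag syntax).
audit_masks() {
    succ=0; fail=0
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    for tok in "$@"; do
        remove=0; want_s=1; want_f=1
        case $tok in ^*) remove=1; tok=${tok#^} ;; esac
        case $tok in
            +*) want_f=0; name=${tok#+} ;;
            -*) want_s=0; name=${tok#-} ;;
            *)  name=$tok ;;
        esac
        bit=$(class_bit "$name")
        if [ -z "$bit" ]; then
            echo "unknown audit class: $name" >&2
            return 1
        fi
        if [ "$remove" -eq 1 ]; then
            [ "$want_s" -eq 1 ] && succ=$(( succ & ~bit ))
            [ "$want_f" -eq 1 ] && fail=$(( fail & ~bit ))
        else
            [ "$want_s" -eq 1 ] && succ=$(( succ | bit ))
            [ "$want_f" -eq 1 ] && fail=$(( fail | bit ))
        fi
    done
    echo "$succ $fail"
}
```

For the mask from the post, ex, lo, ad and fd end up in both masks while pc, fc, fm and fw appear only in the failure mask, i.e. successful process and file-write events of httpd are not recorded.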