Date:      Sun, 06 Jan 2013 17:46:58 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Patrick Proniewski <patpro@patpro.net>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: audit events confusion
Message-ID:  <50E9FEE2.7030106@sentex.net>
In-Reply-To: <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>
References:  <50E9F6A8.5050502@sentex.net> <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>

On 1/6/2013 5:25 PM, Patrick Proniewski wrote:
> On 06 Jan. 2013, at 23:11, Mike Tancsa wrote:
> 
>> But if I make a simple php script to try and connect out, again, pflog0
>> blocks it and logs it, but it does not show up in the audit logs
>>
>>
>> Any idea what I am missing?
> 
> I think auditd can catch events only for users that have logged in at least once. To audit Apache, I've had to install setaudit and launch the httpd process by using setaudit with proper flags.
> I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to start_cmd="apache22_auditstart" and adding the proper command definition:

> I'm then able to log audit events for Apache, according to flags I've set in apache22_auditflags.
> 

Hi,
	Thanks for the reply!  Where can I find setaudit?

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
