Date:      Sun, 6 Jan 2013 23:25:16 +0100
From:      Patrick Proniewski <patpro@patpro.net>
To:        Mike Tancsa <mike@sentex.net>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: audit events confusion
Message-ID:  <27758D4F-14E0-4BEB-AF89-E78D75FD89D7@patpro.net>
In-Reply-To: <50E9F6A8.5050502@sentex.net>
References:  <50E9F6A8.5050502@sentex.net>


On 06 Jan. 2013, at 23:11, Mike Tancsa wrote:

> But if I make a simple php script to try and connect out, again, pflog0
> blocks it and logs it, but it does not show up in the audit logs
> 
> 17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 >
> 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss
> 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
> 
> Any idea what I am missing?

I think auditd can catch events only for users that have logged in at
least once. To audit Apache, I've had to install setaudit and launch the
httpd process by using setaudit with proper flags.
I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the
start command to start_cmd="apache22_auditstart" and adding the proper
command definition:

apache22_auditstart() {
        echo "Starting apache22 with audit"
        # run httpd under setaudit so its events are recorded by auditd
        eval /usr/local/sbin/setaudit ${apache22_auditflags} ${command} ${apache22_flags} -k start
}

In /etc/rc.conf, I've added:

apache22_auditflags="-a www -m ex,lo,ad,-pc,fd,-fc,-fm,-fw"

I'm then able to log audit events for Apache, according to the flags I've
set in apache22_auditflags.

hope this helps,
patpro
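A practical weakness of the rc.d wrapper above is that a typo in the class mask silently produces a daemon that runs without the audit coverage you expected. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it checks each element of a setaudit/audit_control style mask against the class names in audit_class(5) and composes (without executing) the setaudit command line the wrapper would eval. The class list and the /usr/local/sbin/setaudit path are assumptions; adjust them to the system at hand.

```shell
#!/bin/sh
# Added example (not from the thread): validate an audit class mask before
# an rc.d wrapper hands it to setaudit, and show the resulting command line.

# Audit class names as listed in FreeBSD's audit_class(5)
# (/etc/security/audit_class). Assumption: the list is complete for the
# system in question; extend it if the site defines custom classes.
AUDIT_CLASSES="fr fw fa fm fc fd cl pc nt ip na ad lo aa ap io ex ot all"

# validate_audit_mask MASK
# MASK is a comma-separated list such as "ex,lo,ad,-pc". Each element may
# carry a prefix: "+" (successful events only), "-" (failed events only),
# "^" (remove the class), or a combination such as "^-". Returns 0 when
# every element names a known class, 1 otherwise (including an empty mask).
validate_audit_mask() {
    [ -n "$1" ] || return 1
    _old_ifs=$IFS
    IFS=,
    set -- $1                    # split the mask on commas
    IFS=$_old_ifs
    for _item; do
        _cls=${_item#^}          # drop the negation prefix, if any
        _cls=${_cls#[-+]}        # then the success/failure prefix
        case " $AUDIT_CLASSES " in
            *" $_cls "*) ;;      # known class
            *) return 1 ;;       # typo, empty element or unknown class
        esac
    done
    return 0
}

# build_audit_start USER MASK COMMAND [FLAGS]
# Prints the setaudit command line a wrapper like apache22_auditstart would
# eval, after validating MASK. Nothing is executed here.
# Assumption: setaudit is installed at /usr/local/sbin/setaudit.
build_audit_start() {
    validate_audit_mask "$2" || {
        echo "refusing to start: bad audit mask '$2'" >&2
        return 1
    }
    # FLAGS is left unquoted on purpose so that several daemon flags split
    # into separate words, as ${apache22_flags} does in the rc.d script.
    set -- /usr/local/sbin/setaudit -a "$1" -m "$2" "$3" $4 -k start
    echo "$*"
}

# Demonstration with the values from the thread (daemon flags left empty).
build_audit_start www "ex,lo,ad,-pc,fd,-fc,-fm,-fw" /usr/local/sbin/httpd
```

Running the script prints the full setaudit invocation for the mask used in the thread; a mask containing an unknown class name makes build_audit_start print a diagnostic and return 1, which an rc.d function can turn into a refused start rather than an unaudited daemon.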
