On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line, to log failed network connections:

    dir:/var/audit
    flags:lo,aa,-nt
    minfree:5

When I try and make an outbound connection to something that is blocked in pf, it seems to sometimes work. E.g. from the command line, if I manually try via

    telnet 8.8.8.8 25

pf shows

    17:03:23.572682 rule 433/0(match): block out on em0: 64.7.x.x.17017 > 8.8.8.8.25: Flags [S], seq 1420411574, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177061484 ecr 0], length 0

and praudit records it as expected, including the userid who tried to do it:

    header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79,

But if I make a simple PHP script to try and connect out, again pflog0 blocks it and logs it, but it does not show up in the audit logs:

    17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 > 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0

Any idea what I am missing? This is a RELENG_8 box from this week.

        ---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
On 06 Jan. 2013, at 23:11, Mike Tancsa wrote:

> But if I make a simple PHP script to try and connect out, again pflog0
> blocks it and logs it, but it does not show up in the audit logs:
>
>     17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 > 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
>
> Any idea what I am missing?

I think auditd can catch events only for users that have logged in at least once. To audit Apache, I've had to install setaudit and launch the httpd process by using setaudit with the proper flags.

I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to start_cmd="apache22_auditstart" and adding the proper command definition:

    apache22_auditstart()
    {
        echo "Starting apache22 with audit"
        # setaudit gets its audit user (-a) and event mask (-m) from
        # apache22_auditflags, then runs the normal httpd start command
        eval /usr/local/sbin/setaudit ${apache22_auditflags} ${command} ${apache22_flags} -k start
    }

In /etc/rc.conf, I've added:

    apache22_auditflags="-a www -m ex,lo,ad,-pc,fd,-fc,-fm,-fw"

I'm then able to log audit events for Apache, according to the flags I've set in apache22_auditflags.

hope this helps,
patpro
On 1/7/2013 1:48 AM, Patrick Proniewski wrote:
> On 06 Jan. 2013, at 23:46, Mike Tancsa wrote:
>
>> Hi,
>> Thanks for the reply! Where can I find setaudit?
>
> you might find some useful info here too:
>
> http://forums.freebsd.org/showthread.php?t=23716

Thanks very much! I now see some audit logs generated. Next step is to reduce it down to a more manageable level. Given the above thread, I can see how this was déjà vu all over again for you :)

If you or anyone else can point me to any other interesting resources about the world of audit, I would love to see it. I guess some interesting stuff is going on in the 10 branch as well.

        ---Mike
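The question that opened the thread (which user's script made the blocked connect(2)) and Mike's "reduce it down to a more manageable level" both come down to filtering the trail. The following is an added example, not code from anyone in the thread: a POSIX sh filter over `praudit -l` output (one record per line, comma-delimited tokens) that keeps only failed connect(2) records and reports the audit user, effective user and pid from the subject token. It assumes the token layout documented in audit.log(5) (header: event in field 4, time in field 6; subject: auid, euid, ..., pid in positions 1, 2 and 6 after the token name; return: status text after the token name) and walks the tokens by name rather than by fixed position, because the terminal id in the subject token contains its own comma. The sample trail is constructed: the telnet record quoted above, a successful connect that must be ignored, and a record whose audit user is -1 (praudit prints unresolvable ids numerically), standing in for a process that never went through a login session.

```shell
#!/bin/sh
# Added example: report failed connect(2) calls from praudit -l output.
# Live use:  praudit -l /var/audit/current | failed_connects
# Output:    <time>|auid=<audit user>|euid=<effective user>|pid=<pid>|<status>

failed_connects() {
    awk -F, '
        # header,<len>,<version>,<event>,<modifier>,<time>,<msec>,...
        $1 == "header" && $4 == "connect(2)" {
            ts = $6; auid = euid = pid = status = ""
            for (i = 1; i <= NF; i++) {
                # subject,<auid>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<sid>,<tid...>
                if ($i == "subject" && auid == "") {
                    auid = $(i + 1); euid = $(i + 2); pid = $(i + 6)
                }
                # return,<"success" | "failure : strerror text">,<value>
                if ($i == "return") status = $(i + 1)
            }
            if (status != "success")
                printf "%s|auid=%s|euid=%s|pid=%s|%s\n", ts, auid, euid, pid, status
        }'
}

# Constructed sample trail (assumed, not captured from the server in the thread):
#  1. the interactive telnet attempt quoted in the first message
#  2. a successful connect by www, which must not be reported
#  3. a failed connect from a process with no audit identifier (auid -1)
sample_trail() {
    cat <<'EOF'
header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79
header,79,11,connect(2),0,Sun Jan 6 17:06:30 2013, + 12 msec,argument,1,0x4,fd,subject,www,www,www,www,www,54211,54064,0,0.0.0.0,return,success,0,trailer,79
header,79,11,connect(2),0,Sun Jan 6 17:07:46 2013, + 518 msec,argument,1,0x5,fd,subject,-1,www,www,www,www,54230,4294967295,0,0.0.0.0,return,failure : Operation not permitted,4294967295,trailer,79
EOF
}

# Number of failed connect(2) records in the sample trail.
count_failed_connects() {
    sample_trail | failed_connects | wc -l | tr -d ' '
}

# Stand-alone run: print the two failed records.
sample_trail | failed_connects
```

The auid column is the one to watch: a record whose euid is www but whose auid is a real login name tells you which account's session the process descended from, while an auid of -1 means the process had no audit session at all, which is the situation the setaudit wrapper in the previous reply is meant to fix.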