On 06 Jan 2013, at 23:11, Mike Tancsa wrote:
> But if I make a simple php script to try and connect out, again, pflog0
> blocks it and logs it, but it does not show up in the audit logs
>
> 17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 >
> 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss
> 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0
>
> Any idea what I am missing?
I think auditd can catch events only for users that have logged in at least
once. To audit Apache, I've had to install setaudit and launch httpd process by
using setaudit with proper flags.
I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start
command to start_cmd="apache22_auditstart" and adding the proper command
definition:
apache22_auditstart() {
    echo "Starting apache22 with audit"
    # apache22_auditflags (from rc.conf) carries the setaudit options;
    # ${command} is httpd and ${apache22_flags} its usual arguments
    eval /usr/local/sbin/setaudit ${apache22_auditflags} ${command} ${apache22_flags} -k start
}
In /etc/rc.conf, I've added:
apache22_auditflags="-a www -m ex,lo,ad,-pc,fd,-fc,-fm,-fw"
I'm then able to log audit events for Apache, according to flags I've set in
apache22_auditflags.
hope this helps,
patpro
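As an added example (not part of patpro's mail nor of the FreeBSD rc.d script), a POSIX sh dry-run of the same wrapper that checks the -m mask against the known audit classes before setaudit is ever invoked, so a typo in rc.conf fails loudly instead of leaving httpd unaudited; the class list, the www user, the paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: sanity-check an apache22_auditflags
# string before an rc.d wrapper hands it to setaudit. Class names and the +/-/^
# prefixes follow audit_control(5); the www user, paths and names are assumed.

SETAUDIT=${SETAUDIT:-/usr/local/sbin/setaudit}

# Fallback list of FreeBSD audit classes (assumed sufficient for this check);
# the live /etc/security/audit_class (mask:name:description) wins when readable.
KNOWN_CLASSES="no fr fw fa fm fc fd cl pc nt ip na ad lo aa ap io ex ot all"
if [ -r /etc/security/audit_class ]; then
    KNOWN_CLASSES=$(awk -F: -v ORS=" " '!/^#/ && NF >= 2 { print $2 }' /etc/security/audit_class)
fi

# check_audit_mask MASK: succeed if every comma-separated item is a known class,
# optionally prefixed by + (successful events only), - (failed events only)
# or ^ (disable the class). Report the first bad item on stderr and fail otherwise.
check_audit_mask() {
    old_ifs=$IFS; IFS=,
    for item in $1; do
        cls=${item#[+^-]}          # drop one prefix character, keep the class name
        ok=0
        case " $KNOWN_CLASSES " in
            *" $cls "*) [ -n "$cls" ] && ok=1 ;;   # empty item (e.g. "ex,,lo") is bad
        esac
        if [ "$ok" -eq 0 ]; then
            IFS=$old_ifs
            echo "unknown audit class: $item" >&2
            return 1
        fi
    done
    IFS=$old_ifs
}

# apache22_audit_cmdline AUDITFLAGS COMMAND [COMMAND_FLAGS]: dry-run counterpart of
# the mail's apache22_auditstart(); prints the command it would run, or fails
# before setaudit is invoked when the -m mask is missing or malformed.
apache22_audit_cmdline() {
    auditflags=$1; cmd=$2; cmd_flags=$3
    mask=$(printf '%s\n' "$auditflags" | sed -n 's/.*-m[[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$mask" ]; then
        echo "apache22_auditflags has no -m <mask>" >&2
        return 1
    fi
    check_audit_mask "$mask" || return 1
    printf '%s\n' "$SETAUDIT $auditflags $cmd${cmd_flags:+ $cmd_flags} -k start"
}
```

Wiring `apache22_audit_cmdline` into the rc.d start function and replacing the final printf with an exec gives the checked version of the wrapper above.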
