On 1/6/2013 5:25 PM, Patrick Proniewski wrote: > On 06 janv. 2013, at 23:11, Mike Tancsa wrote: > >> But if I make a simple php script to try and connect out, again, pflog0 >> blocks it and logs it, but it does not show up in the audit logs >> >> >> Any idea what I am missing ? > > I think auditd can catch events only for users that have logged in at least once. To audit Apache, I've had to install setaudit and launch httpd process by using setaudit with proper flags. > I've modified my /usr/local/etc/rc.d/apache22 file, mainly changing the start command to start_cmd="apache22_auditstart" and adding the proper command definition: > I'm then able to log audit events for Apache, according to flags I've set in apache22_auditflags. > Hi, Thanks for the reply! Where can I find setaudit ? ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"