[redhat-lspp] [PATCH] promiscuous mode
Steve Grubb
sgrubb at redhat.com
Mon Dec 5 16:04:19 UTC 2005
On Monday 05 December 2005 10:48, Linda Knippers wrote:
> > Because quota and rlimit events represent violations of system resource
> > usage policy set forth by the administrator.
>
> They aren't really violations of a policy because the operation didn't
> succeed.
Just like my editing of /etc/shadow from a normal account won't succeed.
> It's really a case of someone bumping into a resource limit.
This is also a known sign of potential intrusion. There needs to be some more
investigation of the circumstances surrounding it, but almost all intrusion
detection systems look at both of these.
> Isn't that why for quotas the message just goes to the user's tty
> rather than to syslog?
If it went to syslog, it would go to all users. That is not desirable and an
easy way to DoS someone else on the same machine. The messages can scroll so
fast that you can't see what you are typing.
> I'd want to know if some other system on my network went into
> promiscuous mode, but that system probably isn't being
> audited. :-)
That's the basic idea. The events go to a central audit log analyzer in the
data center and the admin can see that a particular machine went into
promiscuous mode.
-Steve
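The central-analyzer side of what is described above, as an added example that is not part of the original post or of the audit project's own code: a small detector that runs over audit records forwarded from several hosts and reports which machine's interface entered promiscuous mode, and under which login uid. It assumes the kernel's ANOM_PROMISCUOUS record layout (dev=, prom=, old_prom=, auid=, uid=, gid=, ses=) and that the collector prefixes each forwarded line with the sending hostname; the sample records and hostnames below are constructed for the example.

```python
"""Detect interfaces entering promiscuous mode from forwarded Linux audit records.

Assumptions (example code, not from the original post): each line shipped to the
central collector is prefixed with the sending hostname, and the record body
follows the kernel's ANOM_PROMISCUOUS layout
(dev=... prom=... old_prom=... auid=... uid=... gid=... ses=...).
"""
import re
from dataclasses import dataclass

# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <key=value body>
AUDIT_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')
UNSET = 4294967295  # audit's "unset" marker for auid/ses (-1 as u32)


@dataclass
class PromiscEvent:
    host: str
    ts: float
    dev: str
    auid: int      # login uid responsible; UNSET means no login session (daemon, boot)
    uid: int
    entered: bool  # True when the interface went non-promiscuous -> promiscuous


def parse_line(line):
    """Split '<host> type=... msg=audit(...): k=v ...' into (host, type, ts, fields).

    Returns None for lines that are not audit records so the collector never
    crashes on stray syslog text.
    """
    host, _, rec = line.strip().partition(' ')
    m = AUDIT_RE.match(rec)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('body')))
    return host, m.group('type'), float(m.group('ts')), fields


def promisc_events(lines):
    """Extract every well-formed ANOM_PROMISCUOUS record as a PromiscEvent."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, rtype, ts, f = parsed
        if rtype != 'ANOM_PROMISCUOUS':
            continue
        try:
            prom, old = int(f['prom']), int(f['old_prom'])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than take down the analyzer
        events.append(PromiscEvent(
            host=host, ts=ts, dev=f.get('dev', '?'),
            auid=int(f.get('auid', UNSET)), uid=int(f.get('uid', UNSET)),
            entered=(prom != 0 and old == 0)))
    return events


def hosts_entering_promisc(lines):
    """Return {host: [dev, ...]} for hosts whose interface entered promiscuous mode.

    Leaving promiscuous mode (prom=0, old_prom!=0) is recorded but not alerted on.
    """
    out = {}
    for ev in promisc_events(lines):
        if ev.entered:
            out.setdefault(ev.host, []).append(ev.dev)
    return out


# Constructed sample of forwarded records (hostnames and values are made up).
SAMPLE = [
    "db01 type=SYSCALL msg=audit(1133798659.123:4401): arch=c000003e syscall=59 success=yes exit=0",
    "db01 type=ANOM_PROMISCUOUS msg=audit(1133798660.001:4402): dev=eth0 prom=256 old_prom=0 auid=500 uid=0 gid=0 ses=3",
    "web02 type=ANOM_PROMISCUOUS msg=audit(1133798661.500:91): dev=eth1 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295",
    "web02 type=ANOM_PROMISCUOUS msg=audit(1133798662.750:92): dev=eth1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295",
    "web02 garbage line that is not an audit record",
    "app03 type=ANOM_PROMISCUOUS msg=audit(1133798663.000:7): dev=eth0 prom=256 old_prom=notanumber auid=501 uid=501 gid=501 ses=5",
]

if __name__ == '__main__':
    for host, devs in sorted(hosts_entering_promisc(SAMPLE).items()):
        print(f"{host}: {', '.join(devs)} entered promiscuous mode")
```

The auid field is the part an analyst actually wants: on db01 the change is tied to login uid 500 acting as root, while on web02 auid is unset, which points at something started outside any login session (a boot-time service or a cron job) and is worth a different follow-up.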