Auditing tcpdump&co

Steve Grubb sgrubb at redhat.com
Tue Jun 1 13:23:21 UTC 2010


On Saturday, May 29, 2010 03:15:25 pm Jure Simsic wrote:
> I'm trying to catch all events of any net sniffers aka tcpdump, snoop,
> ethereal... I think I managed to make a rule that will do that:

This is hardwired into the Linux kernel. As long as auditing is enabled, you
will get ANOM_PROMISCUOUS events.


> -a entry,always -S socketcall -F euid=0 -F a0=3
> 
> I've played around and I think it does the trick. Do you see any problems
> with this rule?

Not needed.


> The problem I'm trying to solve now is how to get a daily report of all
> such events. I was trying to filter it on
> ausearch -m SYSCALL -sc socketcall -ue 0

aureport --start today --anomaly --summary -i

-Steve
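The reply above points at `aureport --anomaly` for the daily report. As an added illustration (not part of this thread and not audit-userspace code), the script below shows what that report is built from: it reads ANOM_PROMISCUOUS records straight out of an audit.log-style file, separates "entered promiscuous mode" from "left promiscuous mode" using the `prom`/`old_prom` fields, and tallies them per device and login uid, which is the shape a home-grown daily cron summary would take. The log lines are constructed samples, not records from a real host; they follow the `dev=`, `prom=`, `old_prom=`, `auid=`, `uid=`, `gid=`, `ses=` field layout the kernel uses for this record type, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise ANOM_PROMISCUOUS audit records without aureport.
# Assumption: records carry dev=/prom=/old_prom=/auid=/ses= fields as the
# kernel emits them; the sample below is constructed, not captured.

# Write a constructed audit.log sample to the path given as $1.
# The SYSCALL line shows a tcpdump socket() call that is NOT a promiscuous
# event on its own; only ANOM_PROMISCUOUS records are counted.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1275400000.100:100): arch=c000003e syscall=41 success=yes exit=3 a0=11 a1=3 a2=300 a3=0 items=0 ppid=1 pid=1234 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="tcpdump" exe="/usr/sbin/tcpdump" key=(null)
type=ANOM_PROMISCUOUS msg=audit(1275400000.101:101): dev=eth0 prom=256 old_prom=0 auid=500 uid=0 gid=0 ses=1
type=ANOM_PROMISCUOUS msg=audit(1275400005.200:102): dev=eth0 prom=0 old_prom=256 auid=500 uid=0 gid=0 ses=1
type=ANOM_PROMISCUOUS msg=audit(1275486400.300:103): dev=eth1 prom=256 old_prom=0 auid=501 uid=0 gid=0 ses=2
EOF
}

# Print one normalised line per ANOM_PROMISCUOUS record:
#   <epoch> <ENTER|LEAVE> dev=<if> old_prom=<n> prom=<n> auid=<n> ses=<n>
# prom > 0 means the interface was switched into promiscuous mode (ENTER);
# prom == 0 means the count dropped back to zero (LEAVE).
promisc_events() {
    awk '
        /^type=ANOM_PROMISCUOUS / {
            ts = $2                          # msg=audit(1275400000.101:101):
            sub(/^msg=audit\(/, "", ts)      # strip the prefix
            sub(/\..*$/, "", ts)             # keep whole seconds only
            dev = ""; prom = ""; old = ""; auid = ""; ses = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if      (kv[1] == "dev")      dev  = kv[2]
                else if (kv[1] == "prom")     prom = kv[2]
                else if (kv[1] == "old_prom") old  = kv[2]
                else if (kv[1] == "auid")     auid = kv[2]
                else if (kv[1] == "ses")      ses  = kv[2]
            }
            state = (prom + 0 > 0) ? "ENTER" : "LEAVE"
            printf "%s %s dev=%s old_prom=%s prom=%s auid=%s ses=%s\n",
                   ts, state, dev, old, prom, auid, ses
        }' "$1"
}

# Number of times any interface entered promiscuous mode in the file.
count_promisc_enter() {
    promisc_events "$1" | awk '$2 == "ENTER" { n++ } END { print n + 0 }'
}

# Per (device, login uid) tally of ENTER and LEAVE events, sorted for a report.
promisc_summary() {
    promisc_events "$1" | awk '
        { key = $3 " " $6 }                  # dev=... auid=...
        $2 == "ENTER" { enter[key]++; seen[key] = 1 }
        $2 == "LEAVE" { leave[key]++; seen[key] = 1 }
        END {
            for (k in seen)
                printf "%s enter=%d leave=%d\n", k, enter[k] + 0, leave[k] + 0
        }' | sort
}

# Stand-alone demo on the constructed sample.
DEMO_LOG="$(mktemp)"
write_sample_log "$DEMO_LOG"
echo "== events =="
promisc_events "$DEMO_LOG"
echo "== summary (entries into promiscuous mode: $(count_promisc_enter "$DEMO_LOG")) =="
promisc_summary "$DEMO_LOG"
rm -f "$DEMO_LOG"
```

On a live system the same functions can be pointed at `/var/log/audit/audit.log` (or at the output of `ausearch -m ANOM_PROMISCUOUS --raw`) from a daily cron job; the ENTER/LEAVE split matters because a sniffer that starts and stops leaves a pair of records, and only the ENTER side is the thing to review.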