[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Auditing tcpdump&co



On Saturday, May 29, 2010 03:15:25 pm Jure Simsic wrote:
> I'm trying to catch all events of any net sniffers aka tcpdump, snoop,
> ethereal... I think I managed to make a rule that will do that:

This is hardwired into the linux kernel. As long as auditing is enabled, you 
will get ANOM_PROMISCUOUS events.


> -a entry,always -S socketcall -F euid=0 -F a0=3
> 
> I've played around and I think it does the trick. Do you see any problems
> with this rule?

Not needed.


> The problem I'm trying to solve now is how to get a daily report of all
> such events. I was trying to filter it on
> ausearch -m SYSCALL -sc socketcall -ue 0

aureport --start today --anomaly --summary -i

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]