[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Auditing tcpdump&co



Hi,

I'm trying to catch all events of any net sniffers aka tcpdump, snoop, ethereal... I think I managed to make a rule that will do that:

-a entry,always -S socketcall -F euid=0 -F a0=3

I've played around and I think it does the trick. Do you see any problems with this rule?

The problem I'm trying to solve now is how to get a daily report of all such events. I was trying to filter it on
ausearch -m SYSCALL -sc socketcall -ue 0
but I get all possilble sshd,ftpd and the bunch as well.. I could do post processing with a whitelist and ignore all I know are ok, but it would be much nicer if I could get the search a bit narrower in the first place. Any ideas?

Thanks
Jure

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]