Auditing tcpdump&co
Jure Simsic
jure.simsic at gmail.com
Sat May 29 19:15:25 UTC 2010
Hi,
I'm trying to catch all events of any net sniffers aka tcpdump, snoop,
ethereal... I think I managed to make a rule that will do that:
-a entry,always -S socketcall -F euid=0 -F a0=3
I've played around and I think it does the trick. Do you see any problems
with this rule?
The problem I'm trying to solve now is how to get a daily report of all such
events. I was trying to filter it on
ausearch -m SYSCALL -sc socketcall -ue 0
but I get all possilble sshd,ftpd and the bunch as well.. I could do post
processing with a whitelist and ignore all I know are ok, but it would be
much nicer if I could get the search a bit narrower in the first place. Any
ideas?
Thanks
Jure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20100529/f1d0b803/attachment.htm>
More information about the Linux-audit
mailing list