[redhat-lspp] [PATCH] promiscuous mode

Steve Grubb sgrubb at redhat.com
Mon Dec 5 16:04:19 UTC 2005


On Monday 05 December 2005 10:48, Linda Knippers wrote:
> > Because quota and rlimit events represent violations of system resource
> > usage policy set forth by the administrator.
>
> They aren't really violations of a policy because the operation didn't
> succeed.

Just like my editing of /etc/shadow from a normal account won't succeed.

> It's really a case of someone bumping into a resource limit.

This is also a known sign of potential intrusion. There needs to be some more 
investigation of the circumstances surrounding it, but almost all intrusion 
detection systems look at both of these.

> Isn't that why for quotas the message just goes to the user's tty
> rather than to syslog?

If it went to syslog, it would go to all users. That is not desirable and an 
easy way to DoS someone else on the same machine. The messages can scroll so 
fast that you can see what you are typing.

> I'd want to know if some other system on my network went into
> promiscuous mode, but that system probably isn't being
> audited. :-)

That's the basic idea. The events go to a central audit log analyzer in the 
data center and the admin can see that a particular machine went into 
promiscuous mode.

-Steve



