[redhat-lspp] [PATCH] promiscuous mode
Russell Coker
rcoker at redhat.com
Mon Dec 5 20:11:36 UTC 2005
On Mon, 2005-12-05 at 11:04 -0500, Steve Grubb wrote:
> > I'd want to know of some other system on my network went into
> > promiscuous mode, but that system probably isn't being being
> > audited. :-)
>
> That's the basic idea. The events go to a central audit log analyzer in the
> data center and the admin can see that a particular machine went into
> promiscuous mode.
If a hostile user puts a machine in promiscuous mode then it's most
likely that the security of the machine in question has been broken, and
there is a possibility that a hostile device has been connected to the
network. In either case it seems likely that an audit message won't
propagate to a central server.
The real solution to this (IMHO) is smart switches that don't permit ARP
spoofing etc.
More information about the redhat-lspp
mailing list