On Saturday, May 29, 2010 03:15:25 pm Jure Simsic wrote: > I'm trying to catch all events of any net sniffers aka tcpdump, snoop, > ethereal... I think I managed to make a rule that will do that:
This is hardwired into the linux kernel. As long as auditing is enabled, you will get ANOM_PROMISCUOUS events. > -a entry,always -S socketcall -F euid=0 -F a0=3 > > I've played around and I think it does the trick. Do you see any problems > with this rule? Not needed. > The problem I'm trying to solve now is how to get a daily report of all > such events. I was trying to filter it on > ausearch -m SYSCALL -sc socketcall -ue 0 aureport --start today --anomaly --summary -i -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
