From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Auditing tcpdump&co
Date: Tue, 1 Jun 2010 09:23:21 -0400
Message-ID: <201006010923.21648.sgrubb@redhat.com>
References: <AANLkTilW8ETkDV6XBSAEL5MV23pXcMhYVTCMm4CY33sy@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <AANLkTilW8ETkDV6XBSAEL5MV23pXcMhYVTCMm4CY33sy@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Saturday, May 29, 2010 03:15:25 pm Jure Simsic wrote:
> I'm trying to catch all events of any net sniffers aka tcpdump, snoop,
> ethereal... I think I managed to make a rule that will do that:

This is hardwired into the linux kernel. As long as auditing is enabled, you 
will get ANOM_PROMISCUOUS events.


> -a entry,always -S socketcall -F euid=0 -F a0=3
> 
> I've played around and I think it does the trick. Do you see any problems
> with this rule?

Not needed.


> The problem I'm trying to solve now is how to get a daily report of all
> such events. I was trying to filter it on
> ausearch -m SYSCALL -sc socketcall -ue 0

aureport --start today --anomaly --summary -i

-Steve