On Monday 05 December 2005 10:48, Linda Knippers wrote:
> > Because quota and rlimit events represent violations of system resource
> > usage policy set forth by the administrator.
> They aren't really violations of a policy because the operation didn't
> succeed.
> Just like my editing of /etc/shadow from a normal account won't succeed.
> It's really a case of someone bumping into a resource limit.
This is also a known sign of potential intrusion. There needs to be some more
investigation of the circumstances surrounding it, but almost all intrusion
detection systems look at both of these.
> Isn't that why for quotas the message just goes to the user's tty
> rather than to syslog?
If it went to syslog, it would go to all users. That is not desirable and an
easy way to DoS someone else on the same machine. The messages can scroll so
fast that you can't see what you are typing.
> I'd want to know if some other system on my network went into
> promiscuous mode, but that system probably isn't being
> audited. :-)
That's the basic idea. The events go to a central audit log analyzer in the
data center and the admin can see that a particular machine went into
promiscuous mode.
-Steve
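As an added illustration of the central-analyzer idea discussed in this thread (not code from the thread or from any audit project): the script below runs over a few constructed, simplified audit-style lines, flags any host that reports entering promiscuous mode immediately, and flags a (host, uid) pair that bumps into rlimit/quota limits repeatedly as something worth investigating. The line format, hostnames, event type names and threshold are all assumptions for the example, not the real Linux audit record format.

```python
import re
from collections import Counter

# Constructed sample log in a simplified syslog-like shape (assumed format,
# not the real audit record layout); hosts, uids and timestamps are made up.
SAMPLE_LOG = """\
2005-12-05T10:48:01 web1 audit: type=RLIMIT uid=1001 resource=nproc
2005-12-05T10:48:02 web1 audit: type=RLIMIT uid=1001 resource=nproc
2005-12-05T10:48:02 web1 audit: type=RLIMIT uid=1001 resource=nproc
2005-12-05T10:48:03 web1 audit: type=QUOTA uid=1001 fs=/home
2005-12-05T10:49:10 db1 audit: type=RLIMIT uid=1002 resource=nofile
2005-12-05T10:50:00 web2 audit: type=PROMISC dev=eth0 state=on
2005-12-05T10:51:00 db1 audit: type=LOGIN uid=1002 result=success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) audit: type=(\S+)(.*)$")


def parse(line):
    """Split one line into a dict of fields; return None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, etype, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "host": host, "type": etype, **fields}


def analyze(text, limit_threshold=3):
    """Central-analyzer view over the collected lines.

    A host entering promiscuous mode is reported on its own; rlimit/quota
    hits are only a sign worth a closer look, so they are counted per
    (host, uid) and reported once they reach limit_threshold."""
    limit_hits = Counter()
    findings = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["type"] == "PROMISC" and ev.get("state") == "on":
            findings.append(("promisc", ev["host"], ev.get("dev")))
        elif ev["type"] in ("RLIMIT", "QUOTA"):
            limit_hits[(ev["host"], ev.get("uid"))] += 1
    for (host, uid), n in sorted(limit_hits.items()):
        if n >= limit_threshold:
            findings.append(("limit_hits", host, uid, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```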