On Mon, 2005-12-05 at 11:04 -0500, Steve Grubb wrote:
> I'd want to know if some other system on my network went into
> promiscuous mode, but that system probably isn't being
> audited. :-)
That's the basic idea. The events go to a central audit log analyzer in the
data center and the admin can see that a particular machine went into
promiscuous mode.
If a hostile user puts a machine in promiscuous mode then it's most
likely that the security of the machine in question has been broken, and
there is a possibility that a hostile device has been connected to the
network. In either case it seems likely that an audit message won't
propagate to a central server.
The real solution to this (IMHO) is smart switches that don't permit ARP
spoofing etc.
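The two halves of this exchange describe one piece of analyzer logic: the central side should raise an alert when a forwarded ANOM_PROMISCUOUS record shows an interface gaining IFF_PROMISC, and, because a compromised host (or a rogue device that was never enrolled) will not forward anything, it should also raise an alert when an inventoried host falls silent. The following is an added example in that spirit, not code from this thread or from the audit project. It assumes the collector tags each forwarded line with the sending host's name, and that the records follow the Linux audit record layout (`type=... msg=audit(epoch.msec:serial): dev=... prom=... old_prom=... auid=...`); the host names, inventory, timestamps and log lines are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# IFF_PROMISC flag bit; the kernel reports the interface flag word in prom=/old_prom=.
IFF_PROMISC = 0x100

# Header the Linux audit subsystem prepends to every record:
#   type=<TYPE> msg=audit(<epoch>.<msec>:<serial>): <key=value fields>
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(host: str, line: str) -> Optional[dict]:
    """Parse one forwarded audit line; `host` is the tag the collector attached.
    Returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    return {"host": host, "type": m.group("type"),
            "ts": int(m.group("ts")), "serial": int(m.group("serial")), **fields}


def promiscuous_transitions(records: Iterable[dict]) -> List[Tuple[str, str, int, str]]:
    """(host, dev, ts, auid) for every record where an interface *gained* IFF_PROMISC.
    Leaving promiscuous mode also produces an ANOM_PROMISCUOUS record; it is skipped here."""
    out = []
    for r in records:
        if r["type"] != "ANOM_PROMISCUOUS":
            continue
        now_promisc = int(r.get("prom", "0")) & IFF_PROMISC
        was_promisc = int(r.get("old_prom", "0")) & IFF_PROMISC
        if now_promisc and not was_promisc:
            out.append((r["host"], r.get("dev", "?"), r["ts"], r.get("auid", "?")))
    return out


def silent_hosts(records: Iterable[dict], expected_hosts: Iterable[str],
                 now: int, max_silence: int) -> List[str]:
    """Inventoried hosts whose newest record is older than max_silence seconds, or
    which have never reported. This is the alarm for the case the reply raises: a
    host whose audit trail stops is at least as interesting as one that reports."""
    last_seen: Dict[str, int] = {}
    for r in records:
        last_seen[r["host"]] = max(last_seen.get(r["host"], 0), r["ts"])
    return sorted(h for h in expected_hosts if now - last_seen.get(h, 0) > max_silence)


def report(tagged_lines: Iterable[Tuple[str, str]], expected_hosts: Iterable[str],
           now: int, max_silence: int) -> dict:
    """Run both checks over collector output and return the findings."""
    records = [r for r in (parse_record(h, l) for h, l in tagged_lines) if r]
    return {"promiscuous": promiscuous_transitions(records),
            "silent": silent_hosts(records, expected_hosts, now, max_silence)}


# --- constructed sample input: three inventoried hosts, one of which goes promiscuous
# --- and then stops reporting, one of which has been quiet for over two hours.
EXPECTED_HOSTS = {"web1", "web2", "db1"}
NOW = 1133798400            # constructed "current time" on the analyzer (2005-12-05)
MAX_SILENCE = 600           # seconds without any record before a host is flagged
SAMPLE = [
    ("web1", "type=ANOM_PROMISCUOUS msg=audit(1133797456.123:101): dev=eth0 prom=256 old_prom=0 auid=500 uid=0 gid=0"),
    ("web1", "type=ANOM_PROMISCUOUS msg=audit(1133797470.456:102): dev=eth0 prom=0 old_prom=256 auid=500 uid=0 gid=0"),
    ("web2", "type=USER_LOGIN msg=audit(1133798300.001:57): user pid=4021 uid=0 auid=501 msg='acct=\"root\" exe=\"/usr/sbin/sshd\" res=success'"),
    ("db1",  "type=USER_LOGIN msg=audit(1133790000.002:12): user pid=900 uid=0 auid=502 msg='acct=\"oracle\" exe=\"/usr/sbin/sshd\" res=success'"),
    ("web1", "collector: connection reset by peer"),   # non-audit noise, ignored
]

if __name__ == "__main__":
    findings = report(SAMPLE, EXPECTED_HOSTS, NOW, MAX_SILENCE)
    for host, dev, ts, auid in findings["promiscuous"]:
        print(f"ALERT {host}: {dev} entered promiscuous mode at {ts} (auid={auid})")
    for host in findings["silent"]:
        print(f"ALERT {host}: no audit records for more than {MAX_SILENCE}s")
```

The silence check is the interesting half: with the constructed input, web1 is reported twice, once for entering promiscuous mode and once for going quiet shortly afterwards, which is exactly the pattern the reply predicts for a host that has been broken into. Tune `MAX_SILENCE` to the audit daemon's normal event rate on each class of host, or have the collector emit a periodic heartbeat record, so that a quiet but healthy host is not flagged.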