summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteve Grubb <sgrubb@redhat.com>2005-12-03 08:39:35 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2006-03-20 14:08:55 -0500
commit5bdb98868062c1b14025883049551af343233187 (patch)
tree1f15c49cf4c9535bb3897d5fedbe78b3a7651410
parenta6c043a887a9db32a545539426ddfc8cc2c28f8f (diff)
downloadop-kernel-dev-5bdb98868062c1b14025883049551af343233187.zip
op-kernel-dev-5bdb98868062c1b14025883049551af343233187.tar.gz
[PATCH] promiscuous mode
Hi, When a network interface goes into promiscuous mode, its an important security issue. The attached patch is intended to capture that action and send an event to the audit system. The patch carves out a new block of numbers for kernel detected anomalies. These are events that may indicate suspicious activity. Other examples of potential kernel anomalies would be: exceeding disk quota, rlimit violations, changes to syscall entry table. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--include/linux/audit.h7
-rw-r--r--net/core/dev.c7
2 files changed, 13 insertions, 1 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index d760430..1c47c59 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -35,7 +35,8 @@
* 1400 - 1499 SE Linux use
* 1500 - 1599 kernel LSPP events
* 1600 - 1699 kernel crypto events
- * 1700 - 1999 future kernel use (maybe integrity labels and related events)
+ * 1700 - 1799 kernel anomaly records
+ * 1800 - 1999 future kernel use (maybe integrity labels and related events)
* 2000 is for otherwise unclassified kernel audit messages (legacy)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
@@ -90,6 +91,10 @@
#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
+#define AUDIT_FIRST_KERN_ANOM_MSG 1700
+#define AUDIT_LAST_KERN_ANOM_MSG 1799
+#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
+
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
/* Rule flags */
diff --git a/net/core/dev.c b/net/core/dev.c
index 2afb0de..e9f84a6 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -115,6 +115,7 @@
#include <net/iw_handler.h>
#endif /* CONFIG_NET_RADIO */
#include <asm/current.h>
+#include <linux/audit.h>
/*
* The list of packet types we will receive (as opposed to discard)
@@ -2120,6 +2121,12 @@ void dev_set_promiscuity(struct net_device *dev, int inc)
printk(KERN_INFO "device %s %s promiscuous mode\n",
dev->name, (dev->flags & IFF_PROMISC) ? "entered" :
"left");
+ audit_log(current->audit_context, GFP_ATOMIC,
+ AUDIT_ANOM_PROMISCUOUS,
+ "dev=%s prom=%d old_prom=%d auid=%u",
+ dev->name, (dev->flags & IFF_PROMISC),
+ (old_flags & IFF_PROMISC),
+ audit_get_loginuid(current->audit_context));
}
}
OpenPOWER on IntegriCloud