Re: iptables LOG options

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 May 2005, Taylor, Grant wrote:

From my experience with -m owner/group (extremely limited I must admit)
I don't think it's possible. The messages in /var/log/messages don't
seem to have any uid information, and afaik there isn't any sort of
variables that iptables has in to do this sort of thing.

Would it be possible to get the LOG target to log the PID of the process that tried to send the traffic out? If this could be done it would be relatively trivial to write a daemon that would watch the log looking for the LOG lines (presumably with a special pattern in the --log-prefix parameter as a key) and try to identify who ran the process that has the PID in question. The only caveat that comes to mind is that the process might spawn and die / close before the daemon could identify who was running it, so I would be tempted to send the traffic to user space QUEUE (I think) to something that would ultimately just drop it but that could introduce a pause long enough (or do the searching itself) for the user identification to take place?

I am in no way capable of writing such applications / daemons, but I know there are those who are.  This is just my $.02 on it.


Of course these are internal users, and so if one might not be able to control the binary's packets, perhaps one looks to control access or abilities of users with the binary? This might be a place for another admin tool, say sudo, or chmod/chown?



Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629


...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFClCFLst+vzJSwZikRAr9QAJwLlw1sWvrTIvc1TX5Db4NmJ7qSWACfRib5
mAQOsllflyFhPuUnkVMUyDI=
=LjzP
-----END PGP SIGNATURE-----
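The thread's practical workaround, shown here as an added example that is not part of the original message or of netfilter itself: since the LOG target writes no uid or pid, install one LOG rule per uid with -m owner --uid-owner and put the uid into --log-prefix, then have the log watcher read it back out. The user table, interface name and kernel log lines below are constructed for the example; the LOG field names (IN=, OUT=, SRC=, DST=, PROTO=, DPT=) are the ones the kernel really emits.

```python
"""Attribute outbound connections to a Unix user from iptables LOG lines.

The LOG target records no uid or pid. One LOG rule per uid, matched with
-m owner --uid-owner, carries the uid in --log-prefix instead, so a watcher
only has to parse the prefix. Added example; the users and log lines are
constructed, not taken from a real machine.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed user table (hypothetical uids) standing in for /etc/passwd.
USERS: Dict[str, int] = {"alice": 1000, "bob": 1001}

PREFIX_KEY = "OUTUID"  # --log-prefix is capped at 29 characters, keep it short
MAX_PREFIX = 29


def build_rules(uid_by_user: Dict[str, int], chain: str = "OUTPUT",
                iface: str = "eth0") -> List[str]:
    """Return one iptables LOG rule per uid, as command strings.

    -m owner matches only locally generated packets, so the rules go in the
    OUTPUT chain. The uid travels in the prefix because LOG cannot emit it.
    """
    rules = []
    for name, uid in sorted(uid_by_user.items(), key=lambda kv: kv[1]):
        prefix = f"{PREFIX_KEY}={uid} "
        if len(prefix) > MAX_PREFIX:
            raise ValueError(f"prefix {prefix!r} exceeds {MAX_PREFIX} chars")
        rules.append(
            f"iptables -A {chain} -o {iface} -m owner --uid-owner {uid} "
            f"-j LOG --log-level info --log-prefix '{prefix}'  # {name}"
        )
    return rules


# Constructed kernel log lines in the real LOG target format (syslog prefix
# plus KEY=VALUE pairs); the third line is noise the watcher must ignore.
LOG_LINES = [
    "May 24 10:12:01 gw kernel: OUTUID=1000 IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP "
    "SPT=40412 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 24 10:12:03 gw kernel: OUTUID=1001 IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=203.0.113.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=UDP "
    "SPT=51000 DPT=53 LEN=56",
    "May 24 10:12:05 gw kernel: unrelated message",
]

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(rf"\b{PREFIX_KEY}=(\d+)")


def parse_log_line(line: str, uid_by_user: Dict[str, int]) -> Optional[dict]:
    """Parse one kernel LOG line; return None if it lacks our prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    uid = int(m.group(1))
    fields = dict(KV_RE.findall(line))  # later keys win (UDP repeats LEN=)
    name_by_uid = {u: n for n, u in uid_by_user.items()}
    dport = fields.get("DPT", "")
    return {
        "uid": uid,
        "user": name_by_uid.get(uid, "unknown"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(dport) if dport.isdigit() else None,
    }


def attribute(lines: List[str],
              uid_by_user: Dict[str, int]) -> List[Tuple[str, str, Optional[int]]]:
    """Reduce a stream of log lines to (user, destination, dport) tuples."""
    out = []
    for line in lines:
        rec = parse_log_line(line, uid_by_user)
        if rec is not None:
            out.append((rec["user"], rec["dst"], rec["dport"]))
    return out


if __name__ == "__main__":
    for rule in build_rules(USERS):
        print(rule)
    for user, dst, dport in attribute(LOG_LINES, USERS):
        print(f"{user} -> {dst}:{dport}")
```

Because the uid is fixed at rule-match time, this sidesteps the race the message worries about: the process may already have exited when the watcher reads the line, but the uid is still in the log. It does not identify the process, only the user, and it costs one rule per uid; a -j QUEUE/NFQUEUE verdict handler would be the route to anything finer-grained.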

