auditd anomaly report ANOM_PROMISCUOUS

asked 2017-09-17 12:51:06 -0500


I installed Fedora 26 on my laptop on September 14th. Checking reports from auditd, the output of the "aureport -n -i" anomalies report is:

Anomaly Report

date time type exe term host auid event

  1. 09/14/2017 14:38:25 ANOM_PROMISCUOUS ? ? ? unset 181
  2. 09/14/2017 16:23:03 ANOM_PROMISCUOUS ? ? ? unset 180
  3. 09/14/2017 19:44:17 ANOM_PROMISCUOUS ? ? ? unset 179
  4. 09/14/2017 20:12:28 ANOM_ABEND /usr/bin/gnome-shell (deleted) ? ? root 341
  5. 09/14/2017 20:31:06 ANOM_PROMISCUOUS ? ? ? unset 182
  6. 09/14/2017 20:48:02 ANOM_PROMISCUOUS ? ? ? unset 195
  7. 09/14/2017 21:29:19 ANOM_PROMISCUOUS ? ? ? unset 185
  8. 09/15/2017 04:50:50 ANOM_PROMISCUOUS ? ? ? unset 176
  9. 09/15/2017 13:09:41 ANOM_PROMISCUOUS ? ? ? unset 184
  10. 09/15/2017 18:21:37 ANOM_PROMISCUOUS ? ? ? unset 183
  11. 09/16/2017 11:27:53 ANOM_ABEND /usr/bin/gnome-shell ? ? myusername 349
  12. 09/16/2017 12:12:35 ANOM_PROMISCUOUS ? ? ? unset 182
  13. 09/16/2017 12:17:34 ANOM_PROMISCUOUS ? ? ? unset 184
  14. 09/16/2017 16:08:30 ANOM_ABEND /usr/bin/gnome-shell ? ? myusername 537
  15. 09/17/2017 00:59:36 ANOM_PROMISCUOUS ? ? ? unset 187
  16. 09/17/2017 01:02:26 ANOM_PROMISCUOUS ? ? ? unset 183

From the Red Hat website I read:

ANOM_PROMISCUOUS: Triggered when a device enables or disables promiscuous mode.

And when I read the Wikipedia entry for Promiscuous mode:

"As promiscuous mode can be used in a malicious way to sniff on a network, one might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine. However, experienced sniffers can prevent this (e.g., using carefully designed firewall settings)."

I connect to the internet through my phone, USB tethered.

What is causing my device to enable promiscuous mode?

What can I do to prevent my device from enabling promiscuous mode?


Comments

Can you get the actual lines from the audit.log?

ssieb ( 2017-09-18 14:10:06 -0500 )
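The raw records requested in the comment above carry the interface name, which the aureport summary does not show. The following is an added example, not part of the original thread: it parses ANOM_PROMISCUOUS lines and reports which device toggled promiscuous mode and which are still in it. The record layout is assumed to be the one the Linux kernel emits (it is not shown on the page), and the sample lines, device names and auid 1000 are constructed.

```python
import re
from datetime import datetime, timezone

UNSET_ID = 4294967295  # (uint32)-1: no login uid, printed as "unset" by aureport -i
IFF_PROMISC = 0x100    # interface flag bit reported in prom= / old_prom=

# Assumed kernel record layout; not taken from the page.
RECORD = re.compile(
    r"type=ANOM_PROMISCUOUS msg=audit\((?P<ts>\d+)\.\d+:(?P<event>\d+)\): "
    r"dev=(?P<dev>\S+) prom=(?P<prom>\d+) old_prom=\d+ auid=(?P<auid>\d+)"
)

# Constructed sample lines; device names, times and ids are made up.
SAMPLE_LOG = """\
type=ANOM_PROMISCUOUS msg=audit(1505417905.101:181): dev=enp0s20u1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SERVICE_START msg=audit(1505417906.000:182): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher'
type=ANOM_PROMISCUOUS msg=audit(1505417950.440:183): dev=enp0s20u1 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1505418000.730:184): dev=wlp2s0 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=3
"""

def parse_promisc(log_text):
    """Return one dict per ANOM_PROMISCUOUS record, in log order."""
    events = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # other record types are ignored
        auid = int(m["auid"])
        events.append({
            "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "event": int(m["event"]),
            "dev": m["dev"],
            "enabled": bool(int(m["prom"]) & IFF_PROMISC),
            "auid": None if auid == UNSET_ID else auid,
        })
    return events

def still_promiscuous(events):
    """Devices whose most recent record left promiscuous mode switched on."""
    state = {}
    for e in events:
        state[e["dev"]] = e["enabled"]
    return sorted(dev for dev, on in state.items() if on)

if __name__ == "__main__":
    for e in parse_promisc(SAMPLE_LOG):
        who = "unset" if e["auid"] is None else e["auid"]
        print(e["time"].isoformat(), e["event"], e["dev"], "ON" if e["enabled"] else "off", who)
    print("still promiscuous:", still_promiscuous(parse_promisc(SAMPLE_LOG)))
```

On a live system the input would come from `ausearch -m ANOM_PROMISCUOUS --raw` instead of `SAMPLE_LOG`.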