What is Promiscuous mode
Promiscuous mode or promisc mode is a feature that makes the ethernet card pass all traffic it received to the kernel. It is usually used by a packet sniffing program like Wireshark, and tcpdump. If there was such program intentionally running or bridged networking for hardware virtualization, the “promiscuous mode” message might be simply ignored. Otherwise, deep investigation on that system will be required due to a security issue.
When there is no audit daemon running on the system, the “audit” message will be logged into /var/log/messages file instead of /var/log/audit/audit.log file. They are informational messages for kernel auditing.
The option PROMISC has been fully deprecated from initscripts in RHEL 7.
# grep PROMISC -B 1 /usr/share/doc/initscripts-9.49.41/sysconfig.txt
No longer supported:
PROMISC=yes|no (enable or disable promiscuous mode)
So, in order to configure interface(s) in promiscuous mode permanently, follow the steps given below.
Configuring Promiscuous mode on Interface in CentOS/RHEL 7
1. Create a custom systemd unit file using an editor such as vi or vim.
# vi /etc/systemd/system/promisc.service
2. A oneshot using a oneline command can be used.
Single Interface Example
In the example below only one interface is being placed into promiscuous mode:
# cat /etc/systemd/system/promisc.service [Unit] Description=Bring up an interface in promiscuous mode during boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens9 promisc on TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target
Multiple Interfaces Example
Below example is setting more than one interface into promiscuous mode:
# cat /etc/systemd/system/promisc.service [Unit] Description=Makes an interface run in promiscuous mode at boot After=network.target [Service] Type=oneshot ExecStart=/usr/sbin/ip link set dev ens9 promisc on ExecStart=/usr/sbin/ip link set dev ens12 promisc on TimeoutStartSec=0 RemainAfterExit=yes [Install] WantedBy=default.target
3. Ensure that systemd is now aware of the new service:
# systemctl daemon-reload
Verification
Reboot the server and check to see if the interface is in promiscuous mode:
# reboot
# ip addr
1: lo: [LOOPBACK,UP,LOWER_UP] mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens9: [BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:fe:7d:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.203/24 brd 192.168.122.255 scope global dynamic ens9
valid_lft 3398sec preferred_lft 3398sec
3: ens12: [BROADCAST,MULTICAST] mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 52:54:00:9f:37:9e brd ff:ff:ff:ff:ff:ff
4: ens10: [BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast master bond0 state UP group default qlen 1000
link/ether 52:54:00:30:ef:19 brd ff:ff:ff:ff:ff:ff
5: ens11: [BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast master bond0 state UP group default qlen 1000
link/ether 52:54:00:30:ef:19 brd ff:ff:ff:ff:ff:ff
6: bond0: [BROADCAST,MULTICAST,MASTER,UP,LOWER_UP] mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:30:ef:19 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.95/24 brd 192.168.122.255 scope global dynamic bond0
valid_lft 3396sec preferred_lft 3396sec
The interface ens9 is now in promiscuous mode upon boot.