On Tue, Feb 18, 2020 at 1:52 AM Schultheis Burkhard <burkhard.schulth...@gmail.com> wrote:
>
> Hi,
>
> I want to get a message, when the ruleset of iptables gets modified. But
> I see that iptables doesn't log its changes. Or am I wrong?
>

I'm not aware of a log, but I'm far from an expert.
If you're running an OSSEC agent on the system, it should be easy to add
a command to watch for changes. This is probably a naive command to run,
but I'm not sure what a better one would be at the moment.

This goes in the ossec.conf of the agent with the iptables configuration
you want to monitor.

  <localfile>
    <log_format>full_command</log_format>
    <alias>iptables_check</alias>
    <command>iptables -nL</command>
    <frequency>60</frequency>
  </localfile>

Every 60ish seconds the command "iptables -nL" is run. The contents of
this command are sent to the OSSEC server.

Then you create a rule to match this command in local_rules.xml.
Something like this:

  <rule id="800001" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: 'iptables_check'</match>
    <check_diff />
    <description>iptables configuration has changed.</description>
  </rule>

I haven't tested the above explicitly, but I have created a number of
similar commands.
Rule 530 looks for 'ossec: output:' to group command/full_command stuff.
We're looking specifically for 'iptables_check' because that's the alias
configured in the <localfile> configuration above.
'<check_diff />' should show some of the changes (if there are changes)
in the alert body.

Alternatively, you could cron a script to run `iptables -nL` and save the
data to a file. Then use syscheck to monitor that file for changes. Then
when the file changes, syscheck notices and creates an appropriate alert.

> Thanks!
>
> Regards
> Burkhard
>
> On 17.02.2020 at 16:20, dan (ddp) wrote:
> > On Mon, Feb 17, 2020 at 9:25 AM Burkhard Schultheis
> > <burkhard.schulth...@web.de> wrote:
> >> Hi,
> >>
> >> I want to get an email from OSSEC when a port is opened or closed in the
> >> firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
> >> But the OSSEC failed to start. What's wrong? How to get the desired
> >> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
> >>
> > What do you mean by "a port is opened or closed in the firewall?" Do
> > you mean when a program is listening on a port,
> > or the ruleset is modified to allow traffic through a particular port?
> >
> > What type of firewall?
> >
> > I don't think "log" is a valid value for <options>. Just remove the line.
> > You can look at the ossec.log on the server for more details as to why
> > it's failing.
> >
> >> Thanks in advance!
> >>
> >> Regards
> >> Burkhard
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to ossec-list+unsubscr...@googlegroups.com.
> >> To view this discussion on the web visit
> >> https://groups.google.com/d/msgid/ossec-list/359319ec-a624-3014-710b-68b871fa514d%40web.de.
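An added example of the cron-plus-syscheck alternative described in the reply above (not code from the thread or from OSSEC): a script that snapshots the ruleset for syscheck to watch, rewriting the file only when the rules really changed. It assumes `iptables-save` is on PATH and that the snapshot path below (hypothetical) is listed under syscheck `<directories>` in ossec.conf.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC. Assumptions: iptables-save
# is on PATH, and SNAPSHOT_FILE (hypothetical path) is listed under syscheck
# <directories> in ossec.conf, so any change to it raises a syscheck alert.

SNAPSHOT_FILE="${SNAPSHOT_FILE:-/var/lib/iptables-snapshot/ruleset.txt}"

# iptables-save wraps its dump in timestamped comments ('# Generated by ...'
# and '# Completed on ...'). Left in, the file would differ on every cron run
# and syscheck would alert every time even though no rule changed.
# Reads the dump on stdin, writes the ruleset without those lines to stdout.
normalize_ruleset() {
    grep -v -e '^# Generated by ' -e '^# Completed on '
}

# Refresh SNAPSHOT_FILE only when the normalized ruleset actually differs, so
# the file's checksum and mtime move only on a real rule change.
# $1 is the command that prints the ruleset (default: iptables-save).
# Returns 0 on success (changed or unchanged), 1 on failure.
snapshot_ruleset() {
    dumper="${1:-iptables-save}"
    tmp="$(mktemp)" || return 1
    if ! "$dumper" | normalize_ruleset > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$SNAPSHOT_FILE" ] && cmp -s "$tmp" "$SNAPSHOT_FILE"; then
        rm -f "$tmp"          # unchanged: leave the watched file untouched
        return 0
    fi
    mkdir -p "$(dirname "$SNAPSHOT_FILE")" || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"         # ruleset is sensitive; root-only like the source
    mv -f "$tmp" "$SNAPSHOT_FILE"   # atomic replace, so syscheck never reads a half-written file
}
```

Run it from root's crontab a little more often than the syscheck frequency; the alert body then carries syscheck's own diff of the file when `report_changes` is enabled for that directory.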