On Tue, Feb 18, 2020 at 1:52 AM Schultheis Burkhard
<burkhard.schulth...@gmail.com> wrote:
>
> Hi,
>
> I want to get a message, when the ruleset of iptables gets modified. But
> I see that iptables doesn't log its changes. Or am I wrong?
>

I'm not aware of a log, but I'm far from an expert.

If you're running an OSSEC agent on the system, it should be easy to
add a command to watch for changes.
This is probably a naive command to run, but I'm not sure what a
better one would be at the moment.
This goes in the ossec.conf of the agent with the iptables
configuration you want to monitor.

  <localfile>
    <log_format>full_command</log_format>
    <alias>iptables_check</alias>
    <command>iptables -nL</command>
    <frequency>60</frequency>
  </localfile>

Every 60ish seconds the command "iptables -nL" is run. The contents of
this command are sent to the OSSEC server.

Then you create a rule to match this command in local_rules.xml.
Something like this:
<rule id="800001" level="10">
  <!-- 530 is the stock OSSEC rule for 'ossec: output:' command results -->
  <if_sid>530</if_sid>
  <!-- 'iptables_check' is the <alias> set in the <localfile> block above -->
  <match>ossec: output: 'iptables_check'</match>
  <check_diff />
  <description>iptables configuration has changed.</description>
</rule>

I haven't tested the above explicitly, but I have created a number of
similar commands.
Rule 530 looks for 'ossec: output:' to group command/full_command stuff.
We're looking specifically for 'iptables_check' because that's the
alias configured in the <localfile> configuration above.
'<check_diff />' should show some of the changes (if there are
changes) in the alert body.

Alternatively, you could cron a script to run `iptables -nL' and save
the data to a file. Then use syscheck to monitor that file for
changes.
Then when the file changes, syscheck notices and creates an appropriate alert.

> Thanks!
>
> Regards
> Burkhard
>
> Am 17.02.2020 um 16:20 schrieb dan (ddp):
> > On Mon, Feb 17, 2020 at 9:25 AM Burkhard Schultheis
> > <burkhard.schulth...@web.de> wrote:
> >> Hi,
> >>
> >> I want to get an email from OSSEC when a port is opened or closed in the
> >> firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
> >> But the OSSEC failed to start. What's wrong? How to get the desired
> >> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
> >>
> > What do you mean by "a port is opened or closed in the firewall?" Do
> > you mean when a program is listening on a port,
> > or the ruleset is modified to allow traffic through a particular port?
> >
> > What type of firewall?
> >
> > I don't think "log" is a valid value for <options>. Just remove the line.
> > You can look at the ossec.log on the server for more details as to why
> > it's failing.
> >
> >> Thanks in advance!
> >>
> >> Regards
> >> Burkhard
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups 
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an 
> >> email to ossec-list+unsubscr...@googlegroups.com.
> >> To view this discussion on the web visit 
> >> https://groups.google.com/d/msgid/ossec-list/359319ec-a624-3014-710b-68b871fa514d%40web.de.
>


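The "cron a script and diff" alternative above, worked through as an added example (not code from the list post or from OSSEC): it parses two `iptables -nL` snapshots per chain and reports what was added or removed, which is the kind of detail `check_diff` would put in the alert body. The two snapshots are constructed samples; a real cron job would feed it the saved output of `iptables -nL` instead.

```python
"""Diff two `iptables -nL` snapshots per chain (added example, not from the thread)."""
import difflib
from typing import Dict, List

# Constructed sample output of `iptables -nL`; not captured from a real host.
BEFORE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination
"""
# Same ruleset after port 8080 was opened in INPUT (constructed).
AFTER = BEFORE.replace(
    "tcp dpt:22\n",
    "tcp dpt:22\nACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080\n",
)

def parse_ruleset(text: str) -> Dict[str, List[str]]:
    """Map chain name -> [policy line, rules...], with column padding collapsed."""
    chains: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("target prot opt"):  # skip blanks, column header
            continue
        if line.startswith("Chain "):  # keep it: a policy flip is a change too
            current = line.split()[1]
            chains[current] = [line]
        elif current is not None:
            chains[current].append(line)
    return chains

def ruleset_changes(old: str, new: str) -> List[str]:
    """Return '<chain>: +rule' / '<chain>: -rule' entries (order-aware) for an alert body."""
    before, after = parse_ruleset(old), parse_ruleset(new)
    changes: List[str] = []
    for chain in sorted(set(before) | set(after)):
        diff = difflib.unified_diff(before.get(chain, []), after.get(chain, []), lineterm="", n=0)
        for d in diff:
            if d.startswith(("+", "-")) and not d.startswith(("+++", "---")):
                changes.append(f"{chain}: {d}")
    return changes

if __name__ == "__main__":
    for entry in ruleset_changes(BEFORE, AFTER):
        print(entry)  # INPUT: +ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
```

Writing the current snapshot to a file after each run also gives syscheck a stable target to watch, as the post suggests.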