Log firewall changes


Burkhard Schultheis

Feb 17, 2020, 9:25:48 AM
to ossec...@googlegroups.com
Hi,

I want to get an email from OSSEC when a port is opened or closed in the
firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
But OSSEC failed to start. What's wrong? How do I get the desired
emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.

Thanks in advance!

Regards
Burkhard

dan (ddp)

Feb 17, 2020, 10:20:40 AM
to ossec...@googlegroups.com
On Mon, Feb 17, 2020 at 9:25 AM Burkhard Schultheis
<burkhard....@web.de> wrote:
>
> Hi,
>
> I want to get an email from OSSEC when a port is opened or closed in the
> firewall. Therefore I changed "no_log" in firewall_rules.xml to "log".
> But OSSEC failed to start. What's wrong? How do I get the desired
> emails for firewall changes? It's OSSEC v3.3.0 on CentOS 6.10.
>

What do you mean by "a port is opened or closed in the firewall?" Do
you mean when a program is listening on a port,
or the ruleset is modified to allow traffic through a particular port?

What type of firewall?

I don't think "log" is a valid value for <options>. Just remove the line.
You can look at the ossec.log on the server for more details as to why
it's failing.

> Thanks in advance!
>
> Regards
> Burkhard
>

Schultheis Burkhard

Feb 18, 2020, 1:52:01 AM
to ossec...@googlegroups.com
Hi,

I want to get a message when the ruleset of iptables gets modified. But
I see that iptables doesn't log its changes. Or am I wrong?

Thanks!

Regards
Burkhard

dan (ddp)

Feb 18, 2020, 8:46:56 AM
to ossec...@googlegroups.com
On Tue, Feb 18, 2020 at 1:52 AM Schultheis Burkhard
<burkhard....@gmail.com> wrote:
>
> Hi,
>
> I want to get a message when the ruleset of iptables gets modified. But
> I see that iptables doesn't log its changes. Or am I wrong?
>

I'm not aware of a log, but I'm far from an expert.

If you're running an OSSEC agent on the system, it should be easy to
add a command to watch for changes.
This is probably a naive command to run, but I'm not sure what a
better one would be at the moment.
This goes in the ossec.conf of the agent with the iptables
configuration you want to monitor.

<localfile>
<log_format>full_command</log_format>
<alias>iptables_check</alias>
<command>iptables -nL</command>
<frequency>60</frequency>
</localfile>

Every 60ish seconds the command "iptables -nL" is run. The contents of
this command are sent to the OSSEC server.

Then you create a rule to match this command in local_rules.xml.
Something like this:
<rule id="800001" level="10">
<if_sid>530</if_sid>
<match>ossec: output: 'iptables_check'</match>
<check_diff />
<description>iptables configuration has changed.</description>
</rule>

I haven't tested the above explicitly, but I have created a number of
similar commands.
Rule 530 looks for 'ossec: output:' to group command/full_command stuff.
We're looking specifically for 'iptables_check' because that's the
alias configured in the <localfile> configuration above.
'<check_diff />' should show some of the changes (if there are
changes) in the alert body.

Alternatively, you could cron a script to run `iptables -nL` and save
the data to a file. Then use syscheck to monitor that file for
changes.
Then when the file changes, syscheck notices and creates an appropriate alert.
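As an added illustration of what the full_command plus `<check_diff />` pairing in the reply above actually does (this is example code, not part of the thread and not OSSEC's own implementation): the monitor keeps the last output seen for an alias, compares each new run against it, and returns only the added or removed lines, which is roughly what ends up in the alert body. The `iptables -nL` snapshots, the `iptables_check` alias and the `CommandDiffMonitor` class are constructed for this example.

```python
"""Offline model of OSSEC's full_command + <check_diff /> behaviour for one alias.

The two iptables -nL snapshots below are constructed sample data, not output
captured from a real host.  Nothing here talks to iptables or to OSSEC.
"""
import difflib
from typing import Dict, List, Optional

# Constructed baseline: SSH allowed, everything else dropped on INPUT.
BASELINE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed change: one extra ACCEPT rule for tcp/8080 appended to INPUT.
NEW_RULE = "ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080"
CHANGED = BASELINE.replace("tcp dpt:22\n", "tcp dpt:22\n" + NEW_RULE + "\n")


def normalize(output: str) -> List[str]:
    """Drop blank lines and trailing whitespace so cosmetic noise never alerts."""
    return [line.rstrip() for line in output.splitlines() if line.strip()]


class CommandDiffMonitor:
    """One stored snapshot per alias; report the delta whenever a new run differs.

    Like OSSEC's check_diff, the very first observation of an alias only
    records the baseline and produces no alert.
    """

    def __init__(self) -> None:
        self._last: Dict[str, List[str]] = {}

    def check(self, alias: str, output: str) -> Optional[List[str]]:
        """Return the changed lines ('+'/'-' prefixed) or None if nothing changed."""
        current = normalize(output)
        previous = self._last.get(alias)
        self._last[alias] = current
        if previous is None or previous == current:
            return None
        diff = difflib.unified_diff(
            previous, current,
            fromfile=f"{alias} (previous)", tofile=f"{alias} (current)",
            lineterm="", n=0,
        )
        # Keep only the rule lines themselves; skip the ---/+++ and @@ headers.
        return [
            line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
        ]


def alert_for(alias: str, changed_lines: List[str]) -> Dict[str, object]:
    """Shape the result like the local rule from the reply (id 800001, level 10)."""
    return {
        "rule_id": 800001,
        "level": 10,
        "description": "iptables configuration has changed.",
        "alias": alias,
        "diff": changed_lines,
    }


if __name__ == "__main__":
    monitor = CommandDiffMonitor()
    for snapshot in (BASELINE, BASELINE, CHANGED):
        delta = monitor.check("iptables_check", snapshot)
        if delta is not None:
            for key, value in alert_for("iptables_check", delta).items():
                print(f"{key}: {value}")
```

Two things worth noting when adapting this to a real agent: `iptables -nL`, as used in the thread, prints no counters, so consecutive runs are byte-identical until a rule changes; `iptables -nvL` would add per-rule packet and byte counters and make check_diff fire on almost every interval.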