[Novalug] Who moved my IPTables?
Jon LaBadie
novalugml@jgcomp.com
Sun Aug 14 10:51:57 EDT 2016
On Sun, Aug 14, 2016 at 10:36:18AM -0400, Jon LaBadie via Novalug wrote:
> On Sun, Aug 14, 2016 at 08:29:24AM -0400, Miles D. Oliver via Novalug wrote:
> > I can't provide specific details of content of files because it is a secure
> > site.
> >
> > To me it's clear that a process is changing iptables, I have to find out
> > what process is doing it.
> >
> > I started with the usual suspects when something is changed, like starting
> > with cron and looking into shell scripts that could call iptables and
> > expanding from that.
> >
> > audit.log is giving me details on a pid but when I look for it, it isn't
> > running so it's harder to find.
> >
> > Pointing me to tools like systemtap is probably going to yield the
> > information I need.
>
> I presume audit.log is also giving a time stamp and likely the
> process ends shortly after that.
>
> Not sure if linux has it, but unix had a command as part of
> system and process accounting (sar etc.) that could report
> every process based on its end time. I think it was named
> commandcon or ???
>
> Anyone know if that made it to linux?
>
Answering my own question, yes.
It is called "lastcomm" on linux.
HTH
--
Jon H. LaBadie novalugml@jgcomp.com
11226 South Shore Rd (703) 787-0688 (H)
Reston, VA 20190 (703) 935-6720 (C)
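One way to chase the pid that audit.log reports back to its parent, and then into lastcomm output for the same minute, as an added example that is not from this thread or from any of its posters. It assumes an audit watch on the iptables binary (auditctl -w /usr/sbin/iptables -p x -k iptables_change) is what produced the SYSCALL records, that process accounting (the acct/psacct package, turned on with accton) is running so lastcomm has data to report, and that the iptables binary lives at /usr/sbin/iptables. The audit.log and lastcomm lines inside the script are constructed samples, not anyone's real logs, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: tie an audit.log SYSCALL record for
# iptables to its parent pid, then look at what else lastcomm says ended in
# the same minute.  Assumed audit rule (not on the original page):
#   auditctl -w /usr/sbin/iptables -p x -k iptables_change

# Constructed audit.log sample (two SYSCALL records, only one is iptables).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1471185378.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2345 pid=6789 auid=4294967295 uid=0 gid=0 comm="iptables" exe="/usr/sbin/iptables" key="iptables_change"
type=SYSCALL msg=audit(1471185379.456:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=6800 auid=4294967295 uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)'

# Constructed lastcomm sample (columns: command, flags, user, tty, cpu, start).
SAMPLE_LASTCOMM='iptables               root     __         0.00 secs Sun Aug 14 10:36
sh              F      root     __         0.00 secs Sun Aug 14 10:36
cron            SF     root     __         0.00 secs Sun Aug 14 10:36
sshd            F      root     __         0.00 secs Sun Aug 14 10:35'

# audit_iptables_execs: read audit.log records on stdin and print
# "epoch pid ppid exe" for every exec of an iptables binary.  The ppid is
# the useful part: the iptables process is gone, but its parent may still
# be alive (ps -p PPID) or visible in lastcomm.
audit_iptables_execs() {
    awk '
    /^type=SYSCALL / && /exe="[^"]*iptables[^"]*"/ {
        epoch = ""; pid = ""; ppid = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/) {
                epoch = $i
                sub(/^msg=audit\(/, "", epoch)   # drop the "msg=audit(" prefix
                sub(/\..*$/, "", epoch)           # keep whole seconds only
            } else if ($i ~ /^pid=/)  { pid  = substr($i, 5) }
            else   if ($i ~ /^ppid=/) { ppid = substr($i, 6) }
            else   if ($i ~ /^exe=/)  { exe  = substr($i, 6, length($i) - 6) }
        }
        print epoch, pid, ppid, exe
    }'
}

# epoch_to_lastcomm_minute: turn an audit epoch into the "Day Mon DD HH:MM"
# form lastcomm prints.  Uses GNU date -d @EPOCH and the local timezone,
# because lastcomm reports local time.
epoch_to_lastcomm_minute() {
    date -d "@$1" '+%a %b %e %H:%M'
}

# lastcomm_same_minute: print the lastcomm lines (stdin) whose start time
# matches the given minute, minus iptables itself, so candidate parents
# such as a shell or cron job stand out.
lastcomm_same_minute() {
    grep -F "$1" | grep -v '^iptables '
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_AUDIT" | audit_iptables_execs
printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_same_minute "Sun Aug 14 10:36"
```

On a live box the pipeline is: ausearch -k iptables_change (or grep the key out of /var/log/audit/log) into audit_iptables_execs, then feed the epoch to epoch_to_lastcomm_minute and the result to lastcomm --user root. lastcomm only has anything to say for the period since accounting was switched on, so an iptables change that happened before accton ran will not show up there; the audit ppid is still usable on its own.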