[Novalug] Who moved my IPTables?

Jon LaBadie novalugml@jgcomp.com
Sun Aug 14 10:51:57 EDT 2016


On Sun, Aug 14, 2016 at 10:36:18AM -0400, Jon LaBadie via Novalug wrote:
> On Sun, Aug 14, 2016 at 08:29:24AM -0400, Miles D. Oliver via Novalug wrote:
> > I can't provide specific details of content of files because it is a secure
> > site.
> > 
> > To me it's clear that a process is changing iptables, I have to find out
> > what process is doing it.
> > 
> > I started with the usual suspects when something is changed, like starting
> > with cron and looking into shell scripts that could call iptables, and
> > expanding from that.
> > 
> > audit.log is giving me details on a pid but when I look for it, it isn't
> > running so it's harder to find.
> > 
> > Pointing me to tools like systemtap are probably going to yield the
> > information I need.
> 
> I presume audit.log is also giving a time stamp and likely the
> process ends shortly after that.
> 
> Not sure if linux has it, but unix had a command as part of
> system and process accounting (sar etc.) that could report
> every process based on its end time.  I think it was named
> commandcon or ???
> 
> Anyone know if that made it to linux?
> 
Answering my own question, yes.
It is called "lastcomm" on linux.

HTH
-- 
Jon H. LaBadie                  novalugml@jgcomp.com
 11226 South Shore Rd		(703) 787-0688 (H)
 Reston, VA  20190		(703) 935-6720 (C)
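The thread's problem is a short-lived process: audit.log records the pid (and, in a SYSCALL record, the ppid) of the iptables call, while lastcomm lists every process by the time it finished. The script below, an added example that is not part of any post in this thread, shows one way to join the two: it parses audit.log SYSCALL/EXECVE records for iptables executions, parses lastcomm output, and reports the commands that finished within a window around each iptables call as candidate callers. The audit lines, the lastcomm lines, the year (lastcomm prints none) and the EDT offset are constructed for the example, and the lastcomm line layout it expects (command, optional flag letters, user, tty, CPU seconds, date) is an assumption about GNU acct output.

```python
"""Correlate iptables execve records in audit.log with lastcomm output.

All sample data below is constructed for this example; it is not taken
from any real system.
"""
import re
from datetime import datetime, timedelta, timezone

# One audit record: 'type=XXX msg=audit(<epoch>.<ms>:<serial>): key=value ...'
AUDIT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; string values are double-quoted
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed lastcomm layout: command, optional flags, user, tty, CPU secs, date
LASTCOMM_RE = re.compile(
    r'^(\S+)\s+(?:([SFDXE]+)\s+)?(\S+)\s+(\S+)\s+([\d.]+) secs\s+(.+?)\s*$')


def parse_audit(lines):
    """Group audit records by serial number; return dict serial -> event."""
    events = {}
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {'ts': float(ts), 'argv': []})
        fields = {k: (q if q else u) for k, q, u in KV_RE.findall(body)}
        if rtype == 'SYSCALL':          # carries pid/ppid/comm/exe
            ev['pid'] = int(fields['pid'])
            ev['ppid'] = int(fields['ppid'])
            ev['comm'] = fields.get('comm')
            ev['exe'] = fields.get('exe')
        elif rtype == 'EXECVE':         # carries the argv of the exec
            ev['argv'] = [fields[f'a{i}'] for i in range(int(fields['argc']))
                          if f'a{i}' in fields]
    return events


def parse_lastcomm(lines, year, tz):
    """Parse lastcomm output (no year, minute resolution) into dicts."""
    entries = []
    for line in lines:
        m = LASTCOMM_RE.match(line.rstrip('\n'))
        if not m:
            continue
        cmd, _flags, user, tty, _secs, date = m.groups()
        when = datetime.strptime(f'{year} {" ".join(date.split())}',
                                 '%Y %a %b %d %H:%M').replace(tzinfo=tz)
        entries.append({'cmd': cmd, 'user': user, 'tty': tty, 'when': when})
    return entries


def find_callers(audit_lines, lastcomm_lines, year, tz, window=90):
    """For each iptables execve, list lastcomm entries ending within +/-window s.

    lastcomm has only minute resolution, so the window must be generous;
    the result is a candidate list for the analyst, not a proof of origin.
    """
    finished = parse_lastcomm(lastcomm_lines, year, tz)
    results = []
    for ev in parse_audit(audit_lines).values():
        comm = ev.get('comm') or ''
        if not comm.startswith('iptables'):
            continue
        when = datetime.fromtimestamp(ev['ts'], tz)
        nearby = [e for e in finished
                  if e['cmd'] != comm
                  and abs((e['when'] - when).total_seconds()) <= window]
        results.append({'pid': ev['pid'], 'ppid': ev['ppid'],
                        'argv': ev['argv'], 'when': when,
                        'candidates': [(e['cmd'], e['user'], e['tty'])
                                       for e in nearby]})
    return results


# Constructed sample input: one iptables exec and one unrelated exec
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1471185378.201:1042): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2211 pid=2215 '
    'auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 '
    'comm="iptables" exe="/usr/sbin/iptables" key="iptables"',
    'type=EXECVE msg=audit(1471185378.201:1042): argc=5 a0="iptables" '
    'a1="-I" a2="INPUT" a3="-j" a4="ACCEPT"',
    'type=SYSCALL msg=audit(1471185390.005:1043): arch=c000003e syscall=59 '
    'success=yes exit=0 items=2 ppid=2000 pid=2220 uid=1000 '
    'comm="ls" exe="/bin/ls" key="exec"',
]
# Constructed lastcomm output around the same minute (10:36 EDT)
LASTCOMM_LINES = [
    'cron             SF    root     __         0.00 secs Sun Aug 14 10:30',
    'iptables         S     root     __         0.00 secs Sun Aug 14 10:36',
    'fixfw.sh         S     root     __         0.01 secs Sun Aug 14 10:36',
    'sh                     root     __         0.01 secs Sun Aug 14 10:36',
    'ls                     jon      pts/0      0.00 secs Sun Aug 14 10:37',
]
EDT = timezone(timedelta(hours=-4))   # constructed: the list post's timezone

if __name__ == '__main__':
    for r in find_callers(AUDIT_LINES, LASTCOMM_LINES, 2016, EDT):
        print(f"{r['when']} pid={r['pid']} ppid={r['ppid']} argv={r['argv']}")
        for cmd, user, tty in r['candidates']:
            print(f"  candidate: {cmd} (user={user}, tty={tty})")
```

The audit record is the authoritative part: its ppid points at the parent that was alive when iptables ran, and the EXECVE argv shows what rule was changed. The lastcomm join only narrows the search to processes that ended around the same minute, which is why the window is wide and the unrelated `ls` still appears.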