[Novalug] Who moved my IPTables?

Sean McGowan spmcgowan@gmail.com
Sun Aug 14 11:04:57 EDT 2016


On Sun, Aug 14, 2016 at 10:36 AM, Jon LaBadie via Novalug <
novalug@firemountain.net> wrote:

> On Sun, Aug 14, 2016 at 08:29:24AM -0400, Miles D. Oliver via Novalug
> wrote:
> > I can't provide specific details of content of files because it is a
> > secure site.
> >
> > To me it's clear that a process is changing iptables, I have to find out
> > what process is doing it.
> >
> > I started with the usual suspects when something is changed, like starting
> > with cron and looking into shell scripts that could call iptables and
> > expanding from that.
> >
> > audit.log is giving me details on a pid but when I look for it, it isn't
> > running so it's harder to find.
> >
> > Pointing me to tools like systemtap are probably going to yield the
> > information I need.
>
> I presume audit.log is also giving a time stamp and likely the
> process ends shortly after that.
>
> Not sure if linux has it, but unix had a command as part of
> system and process accounting (sar etc.) that could report
> every process based on its end time.  I think it was named
> commandcon or ???
>
> Anyone know if that made it to linux?
>


the psacct package may have a utility that will work for you.
install psacct
start the service

sa and lastcomm come in the package and might work for you
http://man7.org/linux/man-pages/man8/sa.8.html
http://linux.die.net/man/1/lastcomm

specifically, turn on accounting and `# lastcomm --command iptables`


also, I saw a thread that talked about some VPNs securing NAT via iptables
https://www.centos.org/forums/viewtopic.php?t=58281

-- 
Sean McGowan <spmcgowan@gmail.com>

-Give a man a fire, warm him for a day, light a man on fire and warm him
for the rest of his life.
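As an added example, not part of Sean's message or anything else in the thread: a small POSIX shell script that ties the two sources together. It pulls the timestamp, parent pid, command and binary out of the `type=SYSCALL` record that audit.log holds for the pid in question, then reads `lastcomm` output to show who ran iptables and what else process accounting recorded in the same minute (the calling script, its shell, crond). Everything in the sample data is constructed: the audit line is shaped like the record a watch such as `auditctl -w /usr/sbin/iptables -p x -k iptables_exec` would produce, the lastcomm lines follow the column layout of GNU acct's `lastcomm`, and `nat-helper.sh` is a placeholder name, not something the original poster found. Package names (psacct on CentOS/RHEL, acct on Debian) and the `lastcomm --command` option are real; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Novalug thread): correlate the pid that audit.log
# reports for an iptables execution with process-accounting records from
# lastcomm(1), so the parent (cron job, VPN helper script, ...) can be named
# even though the iptables process itself exited long ago.
#
# Real usage, as root:
#   yum install psacct && systemctl start psacct         # CentOS/RHEL (Debian: apt install acct)
#   auditctl -w /usr/sbin/iptables -p x -k iptables_exec  # audit every exec of the binary
#   audit_syscall_fields 5678 < /var/log/audit/audit.log  # 5678 = pid seen in audit.log
#   lastcomm --command iptables | lastcomm_who iptables
#   lastcomm | lastcomm_at "Aug 14 08:29"                 # everything else from that minute
set -eu

# Given a pid, print "epoch ppid comm exe" from the matching type=SYSCALL record.
# The epoch is the number inside msg=audit(EPOCH.ms:serial); `date -d @EPOCH`
# turns it into the local minute that lastcomm prints. Keys are compared whole,
# so pid=5678 does not match ppid=5678 or pid=56789 the way a plain grep would.
audit_syscall_fields() {
  awk -v want="$1" '
    /^type=SYSCALL/ {
      pid = ""; ppid = ""; comm = ""; exe = ""; epoch = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        gsub(/"/, "", v)
        if (k == "pid") pid = v
        else if (k == "ppid") ppid = v
        else if (k == "comm") comm = v
        else if (k == "exe") exe = v
        else if (k == "msg") { sub(/^audit\(/, "", v); sub(/[.:].*$/, "", v); epoch = v }
      }
      if (pid == want) print epoch, ppid, comm, exe
    }'
}

# Summarise lastcomm records for one command as "user tty flags start-time".
# lastcomm columns: command [flags] user tty cputime "secs" day mon date time.
# The flags column (S=superuser, F=fork without exec, D=core dump, X=killed by
# signal) may be blank, so fields are located relative to the literal "secs".
lastcomm_who() {
  awk -v cmd="$1" '
    $1 == cmd {
      for (i = 1; i <= NF; i++) if ($i == "secs") break
      if (i > NF || i < 5) next              # not a lastcomm line
      flags = (i - 4 >= 2) ? $2 : "-"
      print $(i-3), $(i-2), flags, $(i+1), $(i+2), $(i+3), $(i+4)
    }'
}

# List every command lastcomm recorded as starting in a given minute
# (e.g. "Aug 14 08:29") as "command user": the script that called iptables,
# its shell and crond all share that minute with the iptables record.
lastcomm_at() {
  awk -v when="$1" '
    index($0, when) {
      for (i = 1; i <= NF; i++) if ($i == "secs") break
      if (i > NF || i < 5) next
      print $1, $(i-3)
    }'
}

# Constructed sample data (not real logs). The second SYSCALL record is a
# decoy whose pid contains "5678" as a substring. nat-helper.sh is a placeholder.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1471177764.233:9001): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b4d a2=1a2b5e a3=7ffc items=2 ppid=4321 pid=5678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/iptables" key="iptables_exec"
type=EXECVE msg=audit(1471177764.233:9001): argc=7 a0="iptables" a1="-t" a2="nat" a3="-A" a4="POSTROUTING" a5="-j" a6="MASQUERADE"
type=SYSCALL msg=audit(1471177700.001:8990): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=6000 pid=56789 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)'

SAMPLE_LASTCOMM='iptables          S     root     __         0.00 secs Sun Aug 14 08:29
nat-helper.sh     S     root     __         0.01 secs Sun Aug 14 08:29
sh                S     root     __         0.00 secs Sun Aug 14 08:29
crond             SF    root     __         0.00 secs Sun Aug 14 08:29
ls                      miles    pts/0      0.00 secs Sun Aug 14 08:28'

echo "== audit record for pid 5678 (epoch ppid comm exe) =="
printf '%s\n' "$SAMPLE_AUDIT" | audit_syscall_fields 5678
echo "== who ran iptables according to lastcomm =="
printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_who iptables
echo "== everything accounted in that minute =="
printf '%s\n' "$SAMPLE_LASTCOMM" | lastcomm_at "Aug 14 08:29"
```

Two caveats worth knowing before relying on this. Accounting records are written when a process exits and `lastcomm` prints only the start minute and the 16-character command name, never the arguments; the `type=EXECVE` record from auditd is where the actual `iptables -t nat -A ...` arguments live, and the `ppid=` field of the `SYSCALL` record names the parent that can then be looked up the same way. And `lastcomm` has to be enabled before the next change happens; it cannot reconstruct anything that ran before `accton` was turned on.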


