This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: monitor changes to iptables
- From: Arkady <arkady dot miasnikov at gmail dot com>
- To: Daniel Doron <danielmeirdoron at gmail dot com>
- Cc: William Cohen <wcohen at redhat dot com>, systemtap at sourceware dot org
- Date: Fri, 13 Oct 2017 18:28:28 +0300
- Subject: Re: monitor changes to iptables
- Authentication-results: sourceware.org; auth=none
- References: <CAFwN=+w5JXcD7wT=fyvpM2L=Fc2wdVDBWMH0ef5Tm==oFb_fkw@mail.gmail.com> <0d43b4f5-7f71-c397-fdea-0fbb6e7b36bf@redhat.com> <CAFwN=+xuV5rmGPPjaEgnL2Be5Qmg+MJQb7BW_iehpSrnHwS3SA@mail.gmail.com> <41c613cb-18ca-0188-de7a-f29770bb4590@redhat.com> <CAFwN=+x6pS5ME8CbUvqBNJ-Khuezh1bArt5Xxc3uEpJeMdZKVw@mail.gmail.com>
You are looking for preferably exported hooks in
http://elixir.free-electrons.com/linux/v2.6.33/source/net/netfilter
Specifically you can start looking around
http://elixir.free-electrons.com/linux/latest/source/net/netlink/af_netlink.c#L1861
- this is the point where a netlink configuration packet hist the
netfilter API.
On Fri, Oct 13, 2017 at 6:16 PM, Daniel Doron <danielmeirdoron@gmail.com> wrote:
> Hi William,
>
> I am building an EDR Agent (End point detection and response) which
> role is to gather various information about activities of different
> processes and able to detect abnormal activity. One of the required
> sensors is a detector for iptable changes. A an example of threat
> using iptable rules is a malware which has gained access to the system
> and leaks information via port knocking method. Just one example...
> My goal is to gather information using SystemTap from inside the
> Kernel to avoid as much as possible being detected or thwarted.
> I hope this clarifies the goal.
>
> -Daniel
>
>
> On Wed, Oct 11, 2017 at 5:45 PM, William Cohen <wcohen@redhat.com> wrote:
>> On 10/11/2017 12:47 AM, Daniel Doron wrote:
>>> Hi William,
>>> Thanks for the suggestion. Correct me if I am wrong but:
>>> 1. auditctl does not provide real time / online logging facility
>>> 2. I would have to parse its logs to the get the info I want
>>> 3. Does it also use kprobes to get the info? I'll need to strace it to
>>> see how it works...
>>>
>>> I was thinking maybe monitor the ip_tables module directly, but I will
>>> need to figure out the relevant functions...
>>
>> Hi Daniel,
>>
>> The auditctl suggestion was a quick off the top of the head thought about some place that would have that information. There is a timestamp in the audit log information, so if one knowns when the problems occurs it should be possible to identify the events in the audit log happening around that time.
>>
>> It would be useful to describe what the problem that is being investigated. That background would some context to steer the discussion towards approaches that would best solve the problem.
>>
>> -Will
>>>
>>>
>>>
>>> On Tue, Oct 10, 2017 at 11:17 PM, William Cohen <wcohen@redhat.com> wrote:
>>>> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>>>>> Hi,
>>>>>
>>>>> I am trying to figure out a way to monitor and log changes to iptables
>>>>> (netfilter). Any ideas would be appreciated...
>>>>>
>>>>> Thanks.
>>>>> Daniel.
>>>>>
>>>>
>>>> Hi Daniel,
>>>>
>>>> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>>>>
>>>> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>>>>
>>>>
>>>> -Will
>>