On 11 April 2013 21:46, SebA <spah at syntec.co.uk> wrote:
> Is there any code out there to monitor that (a) iptables is running (not just set to everything allowed) (b) SELinux is enabled
For the second one, you can add this to client-local.cfg:
file:/selinux/enforce:md5
then in analysis.cfg:
FILE /selinux/enforce MD5=cfcd208495d565ef66e7dff9f98764da red "TEXT=SELinux is not enforcing"
This will warn if the contents of /selinux/enforce are not zero. This also warns if the file does not exist (such as when SELinux is disabled).
You can't really do the same thing with iptables, because you need to be root to dump the rules. There's only so much the xymon user can do. You could check that the ip_tables kernel module is loaded with lsmod, or you could check a file that a root cron job dumps to every 5 minutes. You also might want to be a bit careful that you're not transmitting iptables rules in-the-clear to the Xymon server. Perhaps something like this:
Create /etc/cron.d/dump-iptables with:
# analyse and report on iptables rules, for xymon to read
*/5 * * * * root { /usr/bin/iptables-save | grep "^:INPUT REJECT" > /dev/null && echo "green: iptables default is reject" || echo "red: iptables problem"; } | logger
This will put a message in your syslog, which you can then match using standard Xymon log monitoring.
One problem with this technique is that when someone stops the cronjob, you'll simply stop getting log messages through. There are ways to detect or work around this.
J
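Added example, not code from the post above or from the Xymon project: the two checks J describes, written as POSIX shell functions that take their input as arguments (the path of the enforce file, iptables-save output on stdin) so they can be exercised on constructed samples offline. The function names, the sample data and the freshness helper are assumptions of this example; the iptables check looks for a DROP policy rather than REJECT because a built-in chain's policy can only be ACCEPT or DROP, so ":INPUT REJECT" never appears in iptables-save output.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from Xymon).
# Assumptions: inputs are passed in rather than read from the live
# system, and the sample iptables-save output below is constructed.

# Classify the SELinux state from the enforce file
# (/selinux/enforce on older systems, /sys/fs/selinux/enforce on newer).
# Prints "green: ..." or "red: ..." like the analysis.cfg rule would;
# a missing file means SELinux is disabled and is reported red.
selinux_status() {
    enforce_file=$1
    if [ ! -r "$enforce_file" ]; then
        echo "red: SELinux is disabled or enforce file unreadable"
        return 1
    fi
    case "$(cat "$enforce_file")" in
        1) echo "green: SELinux is enforcing"; return 0 ;;
        0) echo "red: SELinux is permissive, not enforcing"; return 1 ;;
        *) echo "red: unexpected value in $enforce_file"; return 1 ;;
    esac
}

# Classify the filter table from iptables-save output read on stdin.
# Built-in chain policies can only be ACCEPT or DROP, so a default-deny
# INPUT chain shows up as ":INPUT DROP [packets:bytes]".
iptables_status() {
    if grep -q '^:INPUT DROP' ; then
        echo "green: iptables INPUT default policy is DROP"
        return 0
    fi
    echo "red: iptables INPUT default policy is not DROP"
    return 1
}

# Freshness check for the "cron job stopped" problem: given the epoch
# time of the last report, the current time and a maximum age in seconds,
# succeed only if the last report is recent enough.
report_is_fresh() {
    last=$1; now=$2; max_age=$3
    [ $((now - last)) -le "$max_age" ]
}

# Constructed sample of iptables-save output (not captured from a host).
sample_iptables_save() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' 'COMMIT'
}

# Demo on the constructed sample. On a real host the root cron job would
# run: iptables-save | iptables_status | logger
sample_iptables_save | iptables_status
```

On a live host the two status lines are what the root cron job pipes into logger, and the Xymon log check matches on the "green:"/"red:" prefix. To cover the case where the cron job itself stops, record the epoch time of the most recent matching syslog line and pass it to report_is_fresh together with the current time; a report older than a few cron intervals is itself a red condition.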