Hi Jeremy,
Thanks! Those are some great ideas.
FYI, the md5 is different for me though:

$ xymondigest md5 /selinux/enforce
md5:c4ca4238a0b923820dcc509a6f75849b
$ cat /selinux/enforce
1[prompt]$

i.e. no carriage return or newline characters.
For iptables the path is different on my system too, and my default is DROP rather than REJECT:

$ sudo /sbin/iptables-save | grep "^:INPUT DROP" >/dev/null && echo "green: iptables default is DROP" || echo "red: iptables problem"
green: iptables default is DROP
Presumably I could allow xymon user to run /sbin/iptables-save with sudo though as I did. I guess that's a bit trickier... Oh well, let's have a go!
Using xymon-client-4.3.10-1 RPM. It's working for me but (if anyone else wants to use this) YMMV. I've hacked up some example scripts so they work in my environment and used your suggestion but converted it to be sudoers safe (I hope).
Create xymon-clientIPtablesCheck.sh in /etc/xymon-client/ext (and ensure it is executable: chmod +x <filename>):
#!/bin/sh
# Written by SebA 12/04/13 with help from articles on the net.
# Test-Mode ?
# TEST=0 => works in cooperation with Xymon agent (default)
# TEST=1 => for testing, results to stdout (run "TEST=1 ./bb-testname.sh" on
#           cmd-line)
# TEST>1 => for testing, but sending results to Xymon server without
#           activating script in hobbitlaunch.cfg
TEST=${TEST:-"0"}
if [ "$TEST" -gt "0" ]
then
    # You only need to change these if you want to test the script manually.
    BBHOME="/usr/share/xymon-client"
    #. /etc/xymon-client/xymonclient.cfg
    # This did not work for me (include is not a valid command), so set the
    # parts we need:
    XYMONSERVERS="CHANGEME.FOR.TESTING.ONLY"
    PATH="/usr/libexec/xymon-client:/bin:/usr/bin:/sbin:/usr/sbin:/etc" # PATH setting for the client scripts.
    BBQUERYCMD=$BB
    [ "$TEST" = "1" ] && BB="echo"
fi

COLUMN=iptables        # Name of the column
COLOR=purple           # By default, there is no report.
MSG="iptables status"  # Not used.

# Do whatever you need to test for something
#sudo /sbin/iptables-save | grep "^:INPUT DROP" >/dev/null
# This would allow xymon user to get potentially sensitive information, so
# put this into a new script instead:
sudo /sbin/iptables-check
RETVAL=$?
if [ $RETVAL -eq 0 ]
then
    COLOR=green
    MSG="iptables default is DROP"
else
    COLOR=red
    MSG="iptables problem"
fi

# Tell Xymon about it
$BB $XYMONSERVERS "status $MACHINE.$COLUMN $COLOR $(date)
${MSG}
"
exit 0
Create IPtablesCheck.cfg in /etc/xymon-client/ext:

[iptables-check]
	ENVFILE $XYMONCLIENTHOME/etc/xymonclient.cfg
	CMD $XYMONCLIENTHOME/ext/xymon-clientIPtablesCheck.sh
	LOGFILE $XYMONCLIENTHOME/logs/iptables-check.log
	INTERVAL 5m
Create /sbin/iptables-check with:

#!/bin/sh
/sbin/iptables-save | grep "^:INPUT DROP" >/dev/null
Check that permissions are suitable:

$ ls -l /sbin/iptables-check
-rwxr-xr-x 1 root root 63 Apr 12 11:08 /sbin/iptables-check
You don't want non-root to be able to modify this file. Everyone can run it, but it will only work properly for root.
In /etc/sudoers add:

Defaults:xymon !requiretty

after:

Defaults requiretty

And lower down in an appropriate section add:

xymon ALL=(root) NOPASSWD: /sbin/iptables-check
Kind regards,
SebA
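The /sbin/iptables-check wrapper above greps for ":INPUT DROP" anywhere in the iptables-save output, which cannot tell the filter table apart from the nat or mangle tables and says nothing about FORWARD or OUTPUT. As an added example (my code, not SebA's or Jeremy's), here is a stricter wrapper that tracks which table it is reading and requires all three built-in chains of the filter table to have policy DROP. The chain list, the --live flag and the function names are my assumptions, and the iptables-save text used for testing is constructed, not captured from a real host. It keeps the same contract as the thread's wrapper (exit 0 = OK, 1 = problem), so the sudo rule and the ext script above work unchanged.

```shell
#!/bin/sh
# Added example, not the thread's own script: a stricter /sbin/iptables-check.
# Requires that INPUT, FORWARD and OUTPUT in the *filter* table all have
# policy DROP (assumption: those three chains are the ones that matter; a
# missing chain line is treated as a problem). Exit 0 = OK, 1 = problem.

# check_filter_policies: reads iptables-save text on stdin, prints one line
# per offending chain, returns 0 when every filter built-in chain is DROP.
check_filter_policies() {
    awk '
        BEGIN { bad = 0; split("INPUT FORWARD OUTPUT", want, " ") }
        /^\*/ { table = substr($0, 2); next }            # "*filter" -> "filter"
        table == "filter" && /^:/ {
            chain = substr($1, 2)                        # ":INPUT [0:0]" -> "INPUT"
            for (i = 1; i <= 3; i++) {
                if (chain == want[i]) {
                    seen[chain] = 1
                    if ($2 != "DROP") { printf "%s policy is %s, not DROP\n", chain, $2; bad = 1 }
                }
            }
        }
        END {
            for (i = 1; i <= 3; i++)
                if (!(want[i] in seen)) { printf "%s chain not found in filter table\n", want[i]; bad = 1 }
            exit bad
        }'
}

# xymon_color: maps the check result to the colour the ext script reports.
# Always returns 0, so it is safe to call under "set -e".
xymon_color() {
    if check_filter_policies >/dev/null; then echo green; else echo red; fi
}

# Constructed iptables-save output for testing (not from a real host). The nat
# table deliberately carries ":OUTPUT ACCEPT", which a table-blind grep for
# "^:OUTPUT" would misread as the firewall policy.
SAMPLE_OK='# Generated by iptables-save v1.4.7
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# INPUT is open and the OUTPUT chain line is missing altogether.
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
COMMIT'

# Live mode, the only thing the xymon user needs sudo for:
#   sudo /sbin/iptables-check --live
if [ "${1:-}" = "--live" ]; then
    /sbin/iptables-save | check_filter_policies
    exit $?
fi
```

The sudoers line from the message above still matches, because a command listed in sudoers without arguments may be run with any arguments; if you prefer to pin it down, list it as `/sbin/iptables-check --live`. The offending-chain lines the check prints are safe to pass on in the Xymon status: they name a chain and its policy, not the rules themselves.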
From: Jeremy Laidman [mailto:jlaidman at rebel-it.com.au]
Sent: 12 April 2013 02:14
To: SebA
Cc: xymon
Subject: Re: [Xymon] Monitoring that iptables and SELinux are running / enabled
On 11 April 2013 21:46, SebA <spah at syntec.co.uk> wrote:
Is there any code out there to monitor that
(a) iptables is running (not just set to everything allowed)
(b) SELinux is enabled
For the second one, you can add this to client-local.cfg:
file:/selinux/enforce:md5
then in analysis.cfg:
FILE /selinux/enforce MD5=cfcd208495d565ef66e7dff9f98764da red
"TEXT=SELinux is not enforcing"
This will warn if the contents of /selinux/enforce is not zero.
This also warns if the file does not exist (such as when selinux is disabled).
You can't really do the same thing with iptables, because you need
to be root to dump the rules. There's only so much the xymon user can do. You could check that the ip_tables kernel module is loaded with lsmod, or you could check a file that a root cron job dumps to every 5 minutes. You also might want to be a bit careful that you're not transmitting iptables rules in-the-clear to the Xymon server. Perhaps something like this:
Create /etc/cron.d/dump-iptables with:
# analyse and report on iptables rules, for xymon to read
*/5 * * * * root { /usr/bin/iptables-save | grep "^:INPUT REJECT" >/dev/null && echo "green: iptables default is reject" || echo "red: iptables problem"; } | logger
This will put a message in your syslog, which you can then match using standard Xymon log monitoring.
One problem with this technique is that when someone stops the
cronjob, you'll simply stop getting log messages through. There are ways to detect or work around this.
J
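For the cron-plus-logger approach, here is an added example (my code, not Jeremy's or SebA's) of the Xymon-side logic: it reads syslog lines, keeps the newest report from the cron job, turns it into a colour, and goes red when the reports stop arriving, which is the failure mode Jeremy points out. It assumes the cron job logs through logger as root so the lines look like "Apr 12 11:05:01 host root: green: iptables ..."; it ignores the year, since syslog timestamps carry none; the function names and the 10-minute threshold (two missed 5-minute runs) are my choices; and the syslog excerpt is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not the thread's own code: evaluate the cron job's logger
# output for Xymon, treating "no recent report" as a red condition.

# classify_log: reads syslog lines on stdin.
#   $1 = "now" in syslog format ("Mon DD HH:MM:SS"), $2 = max age in minutes.
# Prints "<colour> <detail>" and returns 0 for green, 1 for red.
classify_log() {
    awk -v now="$1" -v maxage="$2" '
        # minutes since 1 Jan, ignoring the year and leap days (syslog has no year)
        function minutes(mon, day, hms,    m, t, cum) {
            m = index("JanFebMarAprMayJunJulAugSepOctNovDec", mon)
            if (m == 0) return -1
            m = (m - 1) / 3 + 1
            split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
            split(hms, t, ":")
            return (cum[m] + day) * 1440 + t[1] * 60 + t[2]
        }
        BEGIN { split(now, n, " "); nowmin = minutes(n[1], n[2], n[3]); last = "" }
        # keep only the newest line that came from the cron job (tag "root:")
        $5 == "root:" && ($6 == "green:" || $6 == "red:") && /iptables/ {
            last = $0
            lastmin = minutes($1, $2, $3)
            color = substr($6, 1, length($6) - 1)
        }
        END {
            if (last == "") { print "red no iptables report in syslog at all"; exit 1 }
            age = nowmin - lastmin
            if (age < 0) age += 365 * 1440                # report is from late last year
            if (age > maxage) {
                printf "red last iptables report is %d minutes old (cron job stopped?): %s\n", age, last
                exit 1
            }
            print color " " last
            if (color == "green") exit 0
            exit 1
        }'
}

# live_classify: how an ext script would call it on the client. Assumes the
# xymon user may read the syslog file given as $1 (default /var/log/messages).
live_classify() {
    tail -n 1000 "${1:-/var/log/messages}" | classify_log "$(date '+%b %e %H:%M:%S')" 10
}

# Constructed syslog excerpt for testing (not from a real host). The cron job
# runs every 5 minutes; an unrelated sshd line is mixed in.
SAMPLE_SYSLOG='Apr 12 11:00:01 web1 root: green: iptables default is reject
Apr 12 11:05:01 web1 root: green: iptables default is reject
Apr 12 11:05:02 web1 sshd[1234]: Accepted publickey for seba from 10.0.0.5 port 50000 ssh2
Apr 12 11:10:01 web1 root: red: iptables problem
Apr 12 11:15:01 web1 root: green: iptables default is reject'
```

Only the newest report counts, so the 11:10 red line is superseded by the 11:15 green one; the same excerpt evaluated at 11:40 is red because 25 minutes have passed with no report, which is what you see when someone stops the cron job.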