Mailing-List: systemtap@sourceware.org (run by ezmlm)
From: Daniel Doron
Date: Wed, 11 Oct 2017 04:47:00 -0000
Subject: Re: monitor changes to iptables
To: William Cohen
Cc: systemtap@sourceware.org
In-Reply-To: <0d43b4f5-7f71-c397-fdea-0fbb6e7b36bf@redhat.com>

Hi William,

Thanks for the suggestion. Correct me if I am wrong, but:

1. auditctl does not provide a real-time / online logging facility.
2. I would have to parse its logs to get the info I want.
3. Does it also use kprobes to get the info? I'll need to strace it to see how it works...

I was thinking maybe to monitor the ip_tables module directly, but I will need to figure out the relevant functions...

On Tue, Oct 10, 2017 at 11:17 PM, William Cohen wrote:
> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>> Hi,
>>
>> I am trying to figure out a way to monitor and log changes to iptables
>> (netfilter). Any ideas would be appreciated...
>>
>> Thanks.
>> Daniel.
>>
>
> Hi Daniel,
>
> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>
> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>
> -Will
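As an added illustration of the auditctl approach raised in the thread (this is example code written for this page, not code from either participant or from the linked answer), the script below installs an execution watch on the iptables binaries and parses the resulting audit records. The binary paths under /usr/sbin and the audit key name "iptables_change" are assumptions of the example; the sample records fed to the parser are constructed, not a real capture. The parser correlates the SYSCALL record (which carries the key, uid and exe) with the EXECVE record (which carries the argument vector) by the serial number in msg=audit(<time>:<serial>), so it works on batch output from ausearch as well as on a live tail of the log.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked answer.
# Assumptions (mine): iptables binaries live under /usr/sbin, and the audit
# key name "iptables_change" is a label chosen here.

# 1. Audit rules: a watch with -p x fires whenever the watched binary is
#    executed, so each iptables / iptables-restore invocation produces a
#    SYSCALL record (execve) tagged with our key, plus an EXECVE record
#    carrying the argument vector.  Needs root and a running auditd.
install_iptables_audit_rules() {
    for bin in /usr/sbin/iptables /usr/sbin/ip6tables \
               /usr/sbin/iptables-restore /usr/sbin/ip6tables-restore; do
        [ -x "$bin" ] && auditctl -w "$bin" -p x -k iptables_change
    done
}

# 2. Parser: reads raw audit records on stdin (e.g. from
#    `ausearch -k iptables_change --raw` or `tail -F /var/log/audit/audit.log`)
#    and prints one line per change:
#    "<timestamp> auid=<login uid> uid=<uid> exe=<path> cmd=<argv>".
#    SYSCALL and EXECVE records are matched by the serial number inside
#    msg=audit(<time>:<serial>), in whichever order they arrive; a pair is
#    printed as soon as both halves have been seen.
parse_iptables_audit() {
    awk -v key="iptables_change" '
    function emit(id) {
        printf "%s auid=%s uid=%s exe=%s cmd=%s\n",
               sc_ts[id], sc_auid[id], sc_uid[id], sc_exe[id], ex_argv[id]
        delete seen_sc[id]; delete seen_ex[id]
    }
    # SYSCALL record carrying our key: remember who ran what, keyed by serial
    $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
        ts = ""; id = ""; auid = ""; uid = ""; exe = ""
        for (i = 2; i <= NF; i++) {
            k = substr($i, 1, index($i, "=") - 1)
            v = substr($i, index($i, "=") + 1)
            if (k == "msg")       { split(v, a, /[(:)]/); ts = a[2]; id = a[3] }
            else if (k == "auid") auid = v
            else if (k == "uid")  uid = v
            else if (k == "exe")  { exe = v; gsub(/"/, "", exe) }
        }
        sc_ts[id] = ts; sc_auid[id] = auid; sc_uid[id] = uid; sc_exe[id] = exe
        seen_sc[id] = 1
        if (id in seen_ex) emit(id)
    }
    # EXECVE record: rebuild argv from a0="..." a1="..." ..., keyed by serial
    $1 == "type=EXECVE" {
        id = ""; argv = ""
        for (i = 2; i <= NF; i++) {
            k = substr($i, 1, index($i, "=") - 1)
            v = substr($i, index($i, "=") + 1)
            if (k == "msg") { split(v, a, /[(:)]/); id = a[3] }
            else if (k ~ /^a[0-9]+$/) {
                gsub(/"/, "", v)
                argv = (argv == "") ? v : argv " " v
            }
        }
        ex_argv[id] = argv
        seen_ex[id] = 1
        if (id in seen_sc) emit(id)
    }'
}

# Constructed sample records in raw audit.log format (not a real capture):
# one iptables invocation tagged with our key, and one unrelated execve
# tagged with a different key that the parser must ignore.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1507697260.797:1234): arch=c000003e syscall=59 success=yes exit=0 a0=55d3c0 a1=55d400 a2=55d500 a3=7ffd items=2 ppid=4321 pid=4322 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="iptables" exe="/usr/sbin/iptables" key="iptables_change"
type=EXECVE msg=audit(1507697260.797:1234): argc=5 a0="iptables" a1="-A" a2="INPUT" a3="-j" a4="DROP"
type=CWD msg=audit(1507697260.797:1234): cwd="/root"
type=PATH msg=audit(1507697260.797:1234): item=0 name="/usr/sbin/iptables" inode=1 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1507697300.100:1240): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" key="other_rule"
type=EXECVE msg=audit(1507697300.100:1240): argc=2 a0="ls" a1="-l"
EOF
}

# Usage: sample_audit_log | parse_iptables_audit
#   -> 1507697260.797 auid=1000 uid=0 exe=/usr/sbin/iptables cmd=iptables -A INPUT -j DROP
```

Two caveats worth knowing before relying on this. The kernel hex-encodes any execve argument that contains whitespace or non-printable bytes (the value then appears without quotes), and the parser prints such values as-is rather than decoding them. More importantly, a watch on the binaries records only changes made through those executables; a process that talks to netfilter itself through setsockopt on a raw socket never touches /usr/sbin/iptables and so never trips the rule, which is the gap a kernel-side probe would be needed to close.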