Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Yo, is it possible to detect addition/removal of UFW rules on Linux?

UFW is a fancy wrapper around iptables for Linux.

You could use the Osquery `iptables` , however you will need to instruct Osquery to generate logs for addition/removal of IPtables.

osquery config:
```{
  "schedule": {
    "iptables_monitor": {
      "query": "SELECT * FROM iptables",
      "interval": 60,
      "removed": true
    }
  }
}```


Oh yep, i think any modification to the iptables rules will triger a remove and add into the table yea? So I can just look for added/removed  events on that table in the logs and I can know that iptables has been modified in theory right?