Yo, is it possible to detect addition/removal of UFW rules on Linux?

UFW is a fancy wrapper around iptables for Linux. You could use the Osquery

iptables

, however you will need to instruct Osquery to generate logs for addition/removal of IPtables. osquery config:

{
  "schedule": {
    "iptables_monitor": {
      "query": "SELECT * FROM iptables",
      "interval": 60,
      "removed": true
    }
  }
}

Oh yep, i think any modification to the iptables rules will triger a remove and add into the table yea? So I can just look for added/removed events on that table in the logs and I can know that iptables has been modified in theory right?

Yup but I would test it first

OFC, thanks