Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mystery Incorporated
12/05/2020, 11:52 AMYo, is it possible to detect addition/removal of UFW rules on Linux?
c
CptOfEvilMinions
12/05/2020, 6:30 PMUFW is a fancy wrapper around iptables for Linux.
You could use the Osquery
iptables{
"schedule": {
"iptables_monitor": {
"query": "SELECT * FROM iptables",
"interval": 60,
"removed": true
}
}
}m
Mystery Incorporated
12/06/2020, 10:05 AMOh yep, i think any modification to the iptables rules will triger a remove and add into the table yea? So I can just look for added/removed events on that table in the logs and I can know that iptables has been modified in theory right?
c
CptOfEvilMinions
12/06/2020, 4:16 PMYup but I would test it first
👍 1
m
Mystery Incorporated
12/15/2020, 1:52 AMOFC, thanks