[Xymon] Monitoring that iptables and SELinux are running / enabled

Jeremy Laidman jlaidman at rebel-it.com.au
Fri Apr 12 03:13:37 CEST 2013


On 11 April 2013 21:46, SebA <spah at syntec.co.uk> wrote:

> Is there any code out there to monitor that
> (a) iptables is running (not just set to everything allowed)
> (b) SELinux is enabled
>

For the second one, you can add this to client-local.cfg:

file:/selinux/enforce:md5

then in analysis.cfg:

FILE /selinux/enforce MD5=cfcd208495d565ef66e7dff9f98764da red "TEXT=SELinux is not enforcing"

This will warn if the contents of /selinux/enforce are not zero.  This also
warns if the file does not exist (such as when selinux is disabled).

You can't really do the same thing with iptables, because you need to be
root to dump the rules.  There's only so much the xymon user can do.  You
could check that the ip_tables kernel module is loaded with lsmod, or you
could check a file that a root cron job dumps to every 5 minutes.  You also
might want to be a bit careful that you're not transmitting iptables rules
in-the-clear to the Xymon server.  Perhaps something like this:

Create /etc/cron.d/dump-iptables with:

# analyse and report on iptables rules, for xymon to read
# (a built-in chain's policy can only be ACCEPT or DROP, so match DROP)
*/5 * * * * root { /usr/bin/iptables-save | grep "^:INPUT DROP" >/dev/null && echo "green: iptables default is drop" || echo "red: iptables problem"; } | logger

This will put a message in your syslog, which you can then match using
standard Xymon log monitoring.

One problem with this technique is that when someone stops the cronjob,
you'll simply stop getting log messages through.  There are ways to detect
or work around this.

J
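As an added example (not code from the post above or from Xymon itself): a POSIX sh script for the root cron side of the approach described. It classifies an iptables-save dump and the SELinux enforce file, and stamps a status file so a stopped cron job shows up as a stale file rather than as silence. The function names, the awk rules and the /sys/fs/selinux path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): root-side checks that feed Xymon.
# Assumptions: an iptables-save dump on stdin; status file path chosen by the caller.

# Classify an iptables-save dump read on stdin as green/yellow/red.
# Built-in chains can only have ACCEPT or DROP as policy, so DROP is the
# "default deny" we look for, and only the filter table counts.
classify_iptables() {
    dump=$(cat)
    policy=$(printf '%s\n' "$dump" |
        awk '/^\*/ {t=$1} t=="*filter" && $1==":INPUT" {print $2; exit}')
    rules=$(printf '%s\n' "$dump" |
        awk '/^\*/ {t=$1} t=="*filter" && $1=="-A" && $2=="INPUT" {n++} END {print n+0}')
    if [ -z "$policy" ]; then
        echo "red: no filter INPUT chain (iptables not loaded?)"
    elif [ "$policy" != "DROP" ]; then
        echo "red: INPUT default policy is $policy"
    elif [ "$rules" -eq 0 ]; then
        echo "yellow: INPUT policy DROP but no rules loaded"
    else
        echo "green: INPUT policy DROP with $rules rules"
    fi
}

# Classify SELinux from an enforce file; /selinux/enforce is the path in the
# post, newer kernels expose it under /sys/fs/selinux instead.
classify_selinux() {
    f=${1:-/sys/fs/selinux/enforce}
    [ -r "$f" ] || { echo "red: $f missing (SELinux disabled?)"; return 0; }
    case $(cat "$f") in
        1) echo "green: SELinux enforcing" ;;
        0) echo "red: SELinux permissive" ;;
        *) echo "red: unexpected value in $f" ;;
    esac
}

# Stamp the verdict with the epoch time so a stopped cron job is visible
# as a stale file rather than as silence.
write_status() {   # $1=status file  $2=verdict line
    printf '%s %s\n' "$(date +%s)" "$2" > "$1"
}

# Succeed only if the status file exists and is at most $2 seconds old.
status_fresh() {   # $1=status file  $2=max age in seconds
    [ -r "$1" ] || return 1
    stamp=$(cut -d' ' -f1 "$1")
    [ $(( $(date +%s) - stamp )) -le "$2" ]
}
```

From the root cron entry, run it as `iptables-save | classify_iptables | logger`, and have Xymon alert when the status file is older than the cron interval.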

