#Triple D Consulting
#Network Attached Device Diagnostic System
#README File

Agent Name:    firewall Agent
Agent Version: Version 2.2
Agent Author:  David Blizard
Agent Date:    2003-May-26

Agent Purpose:
  Agent monitors iptables for a change. Will error once per change and save a
  backup of the tables if there is a change.

Agent How Does It Work:
  Note: Sudo must be used to run this agent, see Install Instructions.

  Errors once per tables change and then updates itself and will not error
  again until there is another change. Upon a change the tables are backed up
  into a tar file containing two files - a copy of the tables created with the
  'iptables -L -n' command and a restore file created with the iptables-save
  command, which may be used in conjunction with the iptables-restore command
  to restore the state of the tables before the change. Both files and the tar
  file are date stamped with the time at which the agent noticed the change in
  the firewall tables.

  If no errors occur then the current tables are displayed. If the tables
  change, an error occurs which displays the output of the diff command (the
  change in the tables), the current tables (after the change) and the
  location of the backup files. If the iptables or diff command fails a
  warning is sent and the output of the error is displayed.

  All archived files and state history as well as the current good tables
  (used to compare with) are stored in /usr/local/bcnu/data/firewall-archive.

Agent History:
  This is version 2.2 of the firewall agent. Added state changes and made
  command errors (diff and iptables) into warnings. Version 2.2 takes one
  parameter, the password for the BCNU user so it can use sudo. Added the sudo
  option in version 2.2 for those not running BCNU as root or who can't use
  setuid scripts.

Agent Installation Instructions:
  Place agent in the agents directory within the $BCNUHOME directory.
  Add entry to agents file:
    agent:firewall:0-24:2:2:enabled::
  Add entry to sudo config file - /etc/sudoers (Redhat):
    bcnu_username ALL=NOPASSWD:/sbin/iptables -L -n,/sbin/iptables-save -c

Agent call example:
  agent:firewall:0-24:2:2:enabled::

Agent Operating Dependencies:
  Linux (Tested on Redhat 7.3)
  iptables kernel support
  sudo

Agent Application Dependencies:
  iptables and sudo support
  diff command
  BCNU v1.22

Features To Add:

-----------------TESTING - FIREWALL VERSION 2.0--------------------------
NOTE: NEW TESTS WILL BE UP SOON FOR VERSION 2.2.

Tested by:        Dustin and Dave
Date Tested:      April 25, 2003
Testing platform: Redhat 7.3, iptables-1.2.5-3, BCNU v1.22, Linux kernel 2.4.18-3

Testing methodology:
  We tested on two identical platforms. We tested error conditions by adding
  iptables rules to force an error and by changing the file that the agent
  checks the tables against. Both worked as expected.

  After getting a bug at home due to DNS resolution I added the -n option to
  the iptables command to display only IP addresses and do no domain name
  resolution. For this reason the user must also do this when supplying the
  good tables for the agent to use.

  The diff error was tested by changing the supplied good tables filename to
  another name so the diff command would fail. The iptables error was forced
  by changing the script to run iptables instead of /sbin/iptables so it would
  not find the binary in its path.

Error conditions:

  Firewall Tables Changed -
    Expected response: "error - firewall tables changed" BCNU error message
                       and output from diff command and state history
    Actual response:   "error - firewall tables changed" BCNU error message
                       and output from diff command and state history
    Sample output:
      "error - firewall tables changed, tables backed up" BCNU message
      3,4d2
      < ACCEPT     tcp  --  24.77.33.79          0.0.0.0/0          tcp dpt:22
      < ACCEPT     tcp  --  24.77.33.79          0.0.0.0/0          tcp dpt:22
      *****Firewall Tables Changed on Thu May 1 11:42:36 PDT 2003*****
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      ACCEPT     tcp  --  24.77.33.79          0.0.0.0/0          tcp dpt:22
      ACCEPT     tcp  --  24.77.33.79          0.0.0.0/0          tcp dpt:22
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      ***Firewall State History***
      Wed Apr 30 10:08:12 PDT 2003 /usr/local/bcnu/data/archive/firewall.Apr30-100812.tgz
      Wed Apr 30 10:35:22 PDT 2003 /usr/local/bcnu/data/archive/firewall.Apr30-103522.tgz
      Thu May 1 11:42:36 PDT 2003 /usr/local/bcnu/data/archive/firewall.May1-114236.tgz

Warning conditions:

  Iptables Command Failed -
    Expected response: "warning - iptables command failed" BCNU error message
                       and stderr output
    Actual response:   "warning - iptables command failed" BCNU error message
                       and stderr output
    Sample output:
      warning - iptables command failed
      bash: iptables: command not found

  Diff Command Failed - No such file
    Expected response: "warning - diff command failed - No such file" BCNU
                       error message and stderr output
    Actual response:   "warning - diff command failed - No such file" BCNU
                       error message and stderr output
    Sample output:
      warning - diff command failed - No such file iptables
      diff: iptables: No such file or directory

  Unknown Diff Error
    Expected response: "warning - unknown error - diff command" BCNU error
                       message and stderr output
    Actual response:   NOTE: did not test - occurs when diff returns an exit
                       status other than 0, 1, 2
    Sample output:
      NOTE: did not test - occurs when diff returns an exit status other
      than 0, 1, 2

Successful conditions:

  Firewall Tables Unchanged -
    Expected response: "ok - firewall tables unchanged" BCNU ok message with
                       current tables and state history
    Actual response:   "ok - firewall tables unchanged" BCNU ok message with
                       current tables and state history
    Sample output:
      "ok - firewall tables unchanged" BCNU message
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      ***Firewall State History***
      Wed Apr 30 10:08:12 PDT 2003 /usr/local/bcnu/data/archive/firewall.Apr30-100812.tgz
      Wed Apr 30 10:35:22 PDT 2003 /usr/local/bcnu/data/archive/firewall.Apr30-103522.tgz
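The check-and-archive cycle the README describes (diff the current 'iptables -L -n' listing against the stored good copy, on a change back up both the listing and the iptables-save form into a date-stamped tgz, append to the state history, then adopt the new listing so the agent errors only once, and map diff's exit status onto ok/error/warning), as an added shell example that is not the agent's own code. It feeds constructed listings in place of the live sudo iptables calls so it runs offline; ARCHIVE_DIR, fw_check and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not the BCNU firewall agent's code: the diff-driven
# check/backup cycle the README describes, fed with captured listings
# instead of live 'sudo /sbin/iptables -L -n' / 'iptables-save -c' output.

# Stands in for /usr/local/bcnu/data/firewall-archive (assumed name).
ARCHIVE_DIR="${ARCHIVE_DIR:-$(mktemp -d)}"

# Constructed known-good listing in 'iptables -L -n' form (no DNS lookups,
# so the text is stable between runs, as the testing notes require).
GOOD_TABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.10           0.0.0.0/0            tcp dpt:22
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# fw_check GOODFILE CURRENT_LISTING SAVE_OUTPUT
# Prints the BCNU-style status line; returns 0 = ok, 1 = error, 2 = warning,
# derived from diff's exit status (0 same, 1 differ, 2 trouble, else unknown).
fw_check() {
    good=$1; current=$2; saved=$3
    stamp=$(date +%b%d-%H%M%S)            # e.g. Apr30-100812, as in the history
    rc=0
    change=$(printf '%s\n' "$current" | diff "$good" - 2>&1) || rc=$?
    case $rc in
        0) echo "ok - firewall tables unchanged"; return 0 ;;
        1) # Back up listing + restore file, record history, and adopt the new
           # state as the good tables so the next run reports ok again.
           tmp=$(mktemp -d)
           printf '%s\n' "$current" > "$tmp/firewall.$stamp.tables"
           printf '%s\n' "$saved"   > "$tmp/firewall.$stamp.restore"
           tar -czf "$ARCHIVE_DIR/firewall.$stamp.tgz" -C "$tmp" . && rm -rf "$tmp"
           printf '%s\n' "$current" > "$good"
           echo "$(date) $ARCHIVE_DIR/firewall.$stamp.tgz" >> "$ARCHIVE_DIR/history"
           echo "error - firewall tables changed, tables backed up"
           echo "$change"
           return 1 ;;
        2) echo "warning - diff command failed - No such file"; echo "$change"; return 2 ;;
        *) echo "warning - unknown error - diff command"; echo "$change"; return 2 ;;
    esac
}
```

Running it twice with the same changed listing shows the once-per-change behaviour: the first call errors and archives, the second reports ok because the good copy was updated.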