Using Syslog to track firewall changes $100



  • I would like to be able to track the changes made to sub items of Firewall, i.e., NAT, RULES.  I noticed that under Backup/Restore there is Config History but that does not give me detail of the changes made so I would not know exactly what was changed/deleted/created.  I currently do this on Cisco firewalls to keep track of changes.  This could simply be a check box under the syslog config page.  Another option could be under the config history tab to be able to mouse over or click on something which would show the changes but I think I would prefer syslog so I can control the history.

    Mark

    From Hoba

    This is not really built in but I guess it should be rather easy as you could just diff the different configs. A bounty of course would help to raise interest as I think this is a rather specific need that not too many people are interested in.



  • I started on some of this at one time (that's how the description in the backup/restore screen even shows), but with 100+ php files needing rather fine grained changes, I somewhat lost steam.  What's the specific output you are hoping to see?  That might help trigger some ideas on how to implement it better.

    –Bill

    PS. that doesn't mean I'm working on this, but I am somewhat interested.



  • PS. that doesn't mean I'm working on this, but I am somewhat interested.

    Got it.  I will assume nothing.  8)

    I have several sites which require logging of any firewall changes.  Meaning rule changes in the firewall or IP changes but mainly firewall rule changes so that if someone screws up a rule I can go back historically and see what was done by seeing what was changed, deleted, or added.

    The backup/restore screen is nice but gives no detail by looking at them as to what was actually done so if you restore... you do not know exactly what is being restored.

    Mark



  • So are you looking for a different line for every firewall change, for example, if one rule were added, one deleted, and one modified, you would see the following in the syslog:

    added:    pass-wan-tcp/udp-any-192.168.1.11-60000-60500-NAT RTP Forwarding
    deleted:  pass-wan-tcp/udp-any-192.168.1.12-60000-60500-NAT RTP Forwarding
    changed: pass-wan-tcp-any-192.168.1.11-5060-NAT SIP Forwarding->pass-wan-tcp-any-192.168.1.12-5060-NAT SIP Forwarding

    Correct?

    And would you want NAT, alias, and schedule changes included in the log in a similar fashion?

    Or are you solely looking for a printout of the differences between current config and a potential restore config?



  • Older configs are stored in  /cf/conf/backup
    A simple diff could work…



  • Just a thought, RANCID might be able to handle something like this with a little work.  I think they have a module for Linux based devices.  The fact that pfSense keeps the entire config in one file would make this, probably, very simple if I'm right about RANCID having a clogin equivalent for Linux.  No changes would have to be made to pfSense because RANCID normally runs on your monitoring server (right beside Nagios and friends).

    A croned diff of the changes every half hour could do it from the pfSense box too, if pfSense has logger and diff in the normal distribution.

    RANCID is the best thing since sliced bread for tracking network appliance configuration changes.

    http://www.shrubbery.net/rancid/



  • I don't mind how it is done but would prefer the output be sent to syslog server.  I currently have several clients which use syslog to monitor changes in their current equipment and also monitor changes on windows servers.  Having pfsense log the changes to the syslog server allows me to continue with the central logging solution and not have to go to 2 different places for information.  Also my syslog server allows me to create audit reports which is sometimes requested by regulators.  I can bump this up to $100 if we are able to.

    Basically any changes which can affect the security of the device should be logged.  This includes and may not be limited to Firewall (on all interfaces), NAT, VPN, PPTP, user creation.  Since 1.3 allows you to create users it would be nice to be able to log who made which change or log the user login and logout which if logging the changes would be before and after the login.  Or to log who made the change.  This is important for financial institutions who have very strict requirements regarding logging and auditing.

    Bumping this up to $100



  • @kapara:

    Basically any changes which can affect the security of the device should be logged.  This includes and may not be limited to Firewall (on all interfaces), NAT, VPN, PPTP, user creation….

    You'll have to limit it somewhere…what exactly are your specs?



  • I like the idea of a diff running and sending the diff data to the syslog.  It could check every (length of time) 15 minutes to 1 hour for changes.  It could look at the config date and time stamp; if it is different from the last time it performed a diff, it would create a new diff and send it to syslog.  This way you do not have to worry about the different areas.



  • kapara: is this bounty still valid?  I could have it done by Thursday, possibly earlier.  Would be incorporated into a multi-purpose package I've been writing.

    Mark



  • Hi mcrane,

    I pretty much gave up on this bounty…does your idea integrate it into the CMI solution or does this integrate into a different solution and could you elaborate?

    Thanks



  • @kapara:

    I pretty much gave up on this bounty…does your idea integrate it into the CMI solution

    No, I couldn't deliver that in a day or two.

    @kapara:

    or does this integrate into a different solution and could you elaborate?

    Yes, if I do the bounty I would provide this feature using a new package I just wrote called PHPService. The detected changes would then be sent to the local syslog server which if set can then pass it on to a remote syslog server and would also show up in the local system logs.

    http://doc.pfsense.org/index.php/PHPService



  • Does your solution basically take the changes which are listed in the backup/restore page and send them via syslog or is it an entirely different process?  I ask this because one of the frustrations has been if you want to restore it is not easy to see the changes which the restore might implement.



  • @kapara:

    I like the idea of a diff running and sending the diff data to the syslog.  It could check every (length of time) 15 minutes to 1 hour for changes.  It could look at the config date and time stamp; if it is different from the last time it performed a diff, it would create a new diff and send it to syslog.  This way you do not have to worry about the different areas.

    Just as requested use diff on the config.xml to build the patch instructions and send those to the syslog server. Could also write the diff patches to a directory.

    Diff as described in:
    http://devwiki.pfsense.org/SubmittingPatches
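The approach settled on above (diff the config.xml snapshots and push the result to syslog), producing the added/deleted/changed lines in the format Bill sketched earlier in the thread, as an added example that is not code from pfSense, PHPService or anyone in this thread. It assumes a simplified pfSense-style `<filter><rule>` layout, keys rules by their `<descr>` because 1.x rules carry no stable id, and treats 127.0.0.1:514 as a local syslog forwarder; the two config snapshots are constructed for the example.

```python
import logging
import logging.handlers
import xml.etree.ElementTree as ET

# Constructed config.xml <filter> snapshots in pfSense style (invented for this example).
OLD_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source>
<destination><address>192.168.1.12</address><port>60000-60500</port></destination><descr>NAT RTP Forwarding</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><address>192.168.1.11</address><port>5060</port></destination><descr>NAT SIP Forwarding</descr></rule></filter></pfsense>"""
NEW_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><address>192.168.1.12</address><port>5060</port></destination><descr>NAT SIP Forwarding</descr></rule>
<rule><type>block</type><interface>lan</interface><protocol>tcp</protocol><source><address>10.0.0.5</address></source>
<destination><any/></destination><descr>Block bad host</descr></rule></filter></pfsense>"""


def endpoint(node):
    """Render <source>/<destination> as 'any' or address[-port] (assumed element layout)."""
    if node is None or node.find("any") is not None:
        return "any"
    addr, port = node.findtext("address") or "?", node.findtext("port")
    return f"{addr}-{port}" if port else addr


def rule_signature(rule):
    """One-line rule summary in the style of the added/deleted/changed lines proposed in the thread."""
    fields = [rule.findtext("type"), rule.findtext("interface"), rule.findtext("protocol") or "any",
              endpoint(rule.find("source")), endpoint(rule.find("destination")), rule.findtext("descr")]
    return "-".join(f or "?" for f in fields)


def diff_rules(old_xml, new_xml):
    """Compare two snapshots. Rules are keyed by <descr>, assumed stable (1.x rules carry no id)."""
    def load(xml_text):
        rules = ET.fromstring(xml_text).findall("./filter/rule")
        return {r.findtext("descr") or rule_signature(r): rule_signature(r) for r in rules}
    old, new, lines = load(old_xml), load(new_xml), []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            lines.append(f"added: {new[key]}")
        elif key not in new:
            lines.append(f"deleted: {old[key]}")
        elif old[key] != new[key]:
            lines.append(f"changed: {old[key]}->{new[key]}")
    return lines


def send_to_syslog(lines, address=("127.0.0.1", 514)):
    """Forward each change line to syslog over UDP; the address is an assumed local forwarder."""
    handler = logging.handlers.SysLogHandler(address=address)
    for line in lines:
        handler.emit(logging.LogRecord("config-audit", logging.INFO, "", 0, "firewall-change " + line, None, None))
    handler.close()
```

Run `send_to_syslog(diff_rules(OLD_CONFIG, NEW_CONFIG))` from cron against the current config.xml and the previous snapshot; an unchanged config yields no lines and therefore no syslog traffic.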

