Date:      Mon, 17 Sep 2001 12:29:10 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Giorgos Keramidas <charon@labs.gr>
Cc:        Brian Somers <brian@freebsd-services.com>, hackers@FreeBSD.ORG, brian@freebsd-services.com
Subject:   Re: Checking changes to listening ports in /etc/security 
Message-ID:  <200109171129.f8HBTAR28246@hak.lan.Awfulhak.org>
In-Reply-To: Message from Giorgos Keramidas <charon@labs.gr>  of "Fri, 14 Sep 2001 17:57:18 +0300." <20010914175718.A1118@hades.hell.gr>

> From: Brian Somers <brian@freebsd-services.com>
> Subject: Re: Checking changes to listening ports in /etc/security
> Date: Fri, Sep 14, 2001 at 12:18:43PM +0100
> 
> > I think the attached patch makes things slightly better.  We only run 
> > sockstat once, and remove the trailing whitespace that sockstat emits 
> > (making the diff lines look better when viewed on an 80 column 
> > screen).
> 
> Ahem, that's what happens when one works in 132 column modes.
> Yes, trailing spaces are better removed.
> 
> > Could you look these over ?  If you're happy with this I can commit 
> > it.
> 
> Looks great to me.  I tested it with the usual four runs of
> periodic/daily/450.status-security that I used for my versions.
> It works great :)

I found a problem... if you reboot a machine, lots of diffs come up 
because of the PID column.  I've got a version running locally that 
dykes out the PID stuff from the report.  It also displays the header 
line above the diff output for a bit of context.  If it works ok over 
the next few days I'll commit it.

I've attached the patch FYI.

> -giorgos

-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security	4 Jul 2001 12:49:17 -0000	1.55
+++ security	17 Sep 2001 00:37:01 -0000
@@ -128,6 +128,31 @@
     tee /dev/stderr | wc -l)
 [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 
+# Show changes in listening tcp and udp ports:
+#
+sockstat -l46 | {
+   read line
+   echo "${line}"
+   sed -e /^USER/d -e /comsat/d -e '/^[	 ]*$/d' | sort +5
+} | sed -e 's/[	 ][	 ]*$//' -e 's/\(..................\)...../\1/' >${TMP}
+
+if [ ! -f ${LOG}/sockstat.today ]; then
+	[ ${rc} -lt 1 ] && rc=1
+	separator
+	echo "${host} changes in listening ports:"
+	diff -b /dev/null ${TMP}
+	touch ${LOG}/sockstat.yesterday || rc=3
+	mv ${TMP} ${LOG}/sockstat.today || rc=3
+elif ! cmp ${LOG}/sockstat.today ${TMP} >/dev/null 2>&1; then
+	[ ${rc} -lt 1 ] && rc=1
+	separator
+	echo "${host} changes in listening ports:"
+	sed '1{ s/^/  /; q; }' ${TMP}
+	diff -b ${LOG}/sockstat.today ${TMP}
+	mv ${LOG}/sockstat.today ${LOG}/sockstat.yesterday || rc=3
+	mv ${TMP} ${LOG}/sockstat.today || rc=3
+fi
+
 # Show denied packets
 #
 if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
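Review bot: the PID column is removed by fixed character position in the second sed (`s/\(..................\)...../\1/` cuts five characters after column 18), so any USER or COMMAND value that overflows its column shifts the whole line and the wrong five characters are dropped; since only that line is affected, it would then surface as a spurious "change in listening ports" in the daily report. Deleting the third whitespace-separated field instead (awk, or a sed pattern built on blank runs) is robust to column width. Minor: `/^USER/d` in the first sed is redundant because `read line` has already consumed the header, and the `! -f ${LOG}/sockstat.today` branch relies on `diff -b /dev/null` to show the header while the `elif` branch prints it explicitly with `sed '1{ s/^/  /; q; }'`, so the two reports are formatted differently.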


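The problem the message describes, a reboot renumbering every PID and flooding the daily report with diffs, as an added example that is not the patch's code or anything from the FreeBSD tree: the sockstat listing is normalised by dropping the PID as a whitespace-separated field rather than by character position, then compared the way 450.status-security compares yesterday's and today's files. The sample `sockstat -l46` output is constructed, and the column order (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) is assumed from sockstat(1); the function names `normalize`, `ports_changed` and `report_changes` are this example's own.

```shell
#!/bin/sh
# Added example (not the patch's code): normalise `sockstat -l46` output so
# that a reboot (new PIDs, same listeners) produces no diff, while a new or
# removed listener still does. The PID is dropped as the third
# whitespace-separated field rather than by character position, so the cut
# cannot slip if a USER or COMMAND value is wider than its column.

# Constructed sample output in sockstat's assumed column layout: the same
# daemons before and after a reboot (only PIDs differ), and a run with an
# extra listening port.
BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       212   4  tcp4   *:22                  *:*
root     sendmail   231   4  tcp4   *:25                  *:*
root     syslogd    188   5  udp4   *:514                 *:*'

AFTER_REBOOT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       198   4  tcp4   *:22                  *:*
root     sendmail   227   4  tcp4   *:25                  *:*
root     syslogd    176   5  udp4   *:514                 *:*'

AFTER_NEW_PORT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       198   4  tcp4   *:22                  *:*
root     sendmail   227   4  tcp4   *:25                  *:*
root     syslogd    176   5  udp4   *:514                 *:*
www      httpd      412   4  tcp4   *:8080                *:*'

# normalize: read sockstat output on stdin; drop field 3 (PID) and any
# trailing whitespace on every line, keep the header first, and sort the
# rest by LOCAL ADDRESS (field 5 once the PID is gone).
normalize() {
    awk '{
        out = $1
        for (i = 2; i <= NF; i++) if (i != 3) out = out " " $i
        print out
    }' | {
        IFS= read -r header
        printf '%s\n' "$header"
        sort -k 5
    }
}

# ports_changed OLD NEW: true (exit 0) when the set of listeners differs
# after normalisation, false when only PIDs changed.
ports_changed() {
    [ "$(printf '%s\n' "$1" | normalize)" != "$(printf '%s\n' "$2" | normalize)" ]
}

# report_changes OLD NEW: display only, in the daily report's shape: the
# header line indented for context, then the diff of the normalised listings.
report_changes() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' "$1" | normalize >"$old"
    printf '%s\n' "$2" | normalize >"$new"
    sed -n '1s/^/  /p' "$new"
    diff -b "$old" "$new"
    rm -f "$old" "$new"
    return 0
}

if ports_changed "$BEFORE" "$AFTER_REBOOT"; then
    echo "unexpected: a reboot alone was reported as a change"
fi
if ports_changed "$BEFORE" "$AFTER_NEW_PORT"; then
    echo "changes in listening ports:"
    report_changes "$BEFORE" "$AFTER_NEW_PORT"
fi
```

Sorting on the address field after the PID is gone keeps the comparison independent of the order in which sockstat lists sockets, which is the role `sort +5` plays in the patch; the field-based cut is what makes the report immune to a long user or command name.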
