From owner-freebsd-security Tue Nov 28 12:16:14 2000
Date: Tue, 28 Nov 2000 18:16:42 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: sockstat in /etc/security (was: fics)
Message-ID: <20001128181642.M27042@speedy.gsinet>
In-Reply-To: ; from meshko@cs.brandeis.edu on Mon, Nov 27, 2000 at 05:04:02PM -0500
Organization: System Defenestrators Inc.

On Mon, Nov 27, 2000 at 17:04 -0500, Mikhail Kruk wrote:
> > [ ... sockstat(1) survey ... ]
>
> I added it to my /etc/security and it seems to work.
> diff file is attached (with the new 4.2 compatible version by Tim)
>
> [ ... ]
>
> 78a79,95
> > # Show changes in the open tcp sockets
> > #
> > if sockstat|grep "\*.[0-9 ]*\*.\*"|cut -c1-9,10-18,39-45|sort -u|sort -n +2 > $TMP; then

What do you expect to be the exit status of this command (look at
"man sh" and search for "Pipelines")?  Reading "man sort" and
searching for "exit" and "resu" I don't see any(!) defined return
value for the "sort -n" invocation.

I would even dare to say this /etc/security block shouldn't have
*any* condition for execution.  Changing from or to zero
listening sockets (installing a new machine or disabling all
services) is something you definitely want to know.  Maybe the
suid files' list is the best template to derive from.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
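
Review bot: the "if" on the added line (if sockstat|grep ...|sort -n +2 > $TMP; then) tests only the exit status of the final "sort -n +2", because sh takes a pipeline's status from its last command, so a failing sockstat or a grep that matches nothing still enters the "then" branch. Drop the condition and run the pipeline unconditionally, so that an empty listener list is recorded like any other result. On the same line, "cut -c1-9,10-18,39-45" selects adjacent ranges and can be written "cut -c1-18,39-45", and the fixed character columns tie the check to one sockstat output layout, which deserves a comment next to the command.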
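
Added example, not part of the thread and not FreeBSD's /etc/security code: an sh illustration of the two points in the reply above, that a pipeline's exit status comes only from its last command, and that the listener check should run unconditionally so a change to or from zero sockets is reported. The function names, state file names and sample listener lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. pipeline_status, check_listeners and the state file
# names are hypothetical, not taken from the patch under discussion.

# Point 1: the first stage fails, yet the pipeline reports success,
# because sh uses the exit status of the last command (sort).
pipeline_status() {
    false | sort -u >/dev/null
    echo $?
}

# Point 2: unconditional snapshot-and-compare, modelled on the way a
# periodic check keeps a "current" list and reports differences.
# stdin: one listener per line (already filtered); $1: state directory.
# Prints the differences and returns 1 on any change, 0 otherwise.
check_listeners() {
    dir=$1
    cur=$dir/sockets.current
    new=$dir/sockets.new
    sort -u > "$new"               # empty input is a valid state: zero listeners
    [ -f "$cur" ] || : > "$cur"    # first run compares against an empty list
    if cmp -s "$cur" "$new"; then
        rm -f "$new"
        return 0
    fi
    echo "changes in listening sockets:"
    diff "$cur" "$new" | grep '^[<>]'   # "<" = listener gone, ">" = new listener
    mv "$new" "$cur"
    return 1
}

# Intended use (assumption): sockstat | <filter> | check_listeners <state dir>
```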