From: Brian Somers
To: Giorgos Keramidas
Cc: hackers@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: Checking changes to listening ports in /etc/security
Date: Thu, 13 Sep 2001 22:25:02 +0100
Message-Id: <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org>
In-Reply-To: Message from Giorgos Keramidas of "Wed, 12 Sep 2001 20:57:43 +0300." <20010912205743.A64992@hades.hell.gr>

> I've been adding an extra check in my local version of /etc/security for quite
> some time now.  All it does is use 'netstat' to grab a list of the listening
> tcp and udp ports of my machine and save it to /var/log/netstat.today
> (and /var/log/netstat.yesterday).  This way, when some service starts
> and listens on a new port the next run of /etc/security will log the
> fact in the usual stuff sent to root by mail.  I tested this running
> /etc/periodic/daily/450.security twice, and running a local IRC daemon between
> the two runs.  The output that is added to the message root receives looks
> like the following:

[.....]
I like this idea.  I think it would be worth making it diff against
/dev/null when netstat.today doesn't exist, so that the first time this
is run on a given machine, you get to see all the ports that are open.

[.....]

+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat

[.....]

I think this line is bogus.  In fact, it looks like the
$daily_status_security_noamd periodic.conf tunable is broken.  Oops !
I'll fix it after your changes go in.

-- 
Brian
http://www.freebsd-services.com/

Don't _EVER_ lose your sense of humour !
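Review bot: the `+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat` line packs the egrep command and its pattern into one string, so the only way to run it is an unquoted `$cmd` expansion, which word-splits and glob-expands the pattern; a pattern with whitespace or shell metacharacters breaks. The `${ignore#|}` strip also shows `$ignore` is expected to be accumulated as `|name|name`, but that accumulation is elided here, and it is the likely home of the noamd breakage mentioned; the fix should show both the building of `$ignore` and its use, e.g. `egrep -v -e "${ignore#|}"` invoked directly under the `[ -n "$ignore" ]` test instead of via a stored string.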
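As an added example (not Giorgos's script from the thread, and not FreeBSD's own /etc/security or 450.security), here is a POSIX sh sketch of the check the thread describes: it reduces `netstat -an` output to a list of listening sockets, keeps it in netstat.today / netstat.yesterday, rotates the two files, and takes up Brian's suggestion of diffing against /dev/null on the first run so that the initial set of open ports is reported once. The netstat output it parses is constructed sample data in BSD `netstat -an` column layout; the function and file names are assumptions.

```shell
#!/bin/sh
# Added example: a daily "what is listening now vs. yesterday" check in the
# spirit of the thread.  Not the poster's script nor FreeBSD's /etc/security.
# File names, function names and the sample netstat output are assumptions.

# Constructed sample output in BSD "netstat -an" layout: day 1 has sshd and
# syslogd listening; day 2 adds an IRC daemon on 6667, as in the thread's test.
NETSTAT_DAY1='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.51004         ESTABLISHED
udp4       0      0  *.514                  *.*'
NETSTAT_DAY2="$NETSTAT_DAY1
tcp4       0      0  *.6667                 *.*                    LISTEN"

# Reduce netstat -an (on stdin) to "proto local-address" for listening
# sockets: tcp sockets in LISTEN, and udp sockets that are unconnected
# (foreign address *.*), since udp has no LISTEN state.  Sorted and
# de-duplicated so that the diff output is stable from day to day.
listening_ports() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 == "*.*") { print $1, $4 }' |
        sort -u
}

# report_changes DIR: rotate DIR/netstat.today to DIR/netstat.yesterday,
# save the current listener list (netstat output on stdin) as today's
# snapshot, and print a diff of the two.  On the first run there is no
# previous snapshot, so the diff is taken against /dev/null and every open
# port shows up as new.  Returns 0 both for "no change" and for "changes
# printed"; only a real diff error (exit status 2) propagates as failure.
report_changes() {
    dir=$1
    today=$dir/netstat.today
    yesterday=$dir/netstat.yesterday
    if [ -f "$today" ]; then
        mv "$today" "$yesterday"
    else
        yesterday=/dev/null
    fi
    listening_ports > "$today"
    diff "$yesterday" "$today" || [ $? -eq 1 ]
}
```

In a real periodic run the call would be `netstat -an | report_changes /var/log`; lines prefixed `>` in the output are listeners that appeared since the previous run, lines prefixed `<` are ones that went away, and an unchanged machine produces no output at all, which is what you want from a check that lands in root's daily mail.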