From owner-freebsd-hackers Thu Sep 13 15:51:59 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 511FE37B413 for ; Thu, 13 Sep 2001 15:51:52 -0700 (PDT)
Received: from hades.hell.gr (patr530-b081.otenet.gr [195.167.121.209]) by mailsrv.otenet.gr (8.11.5/8.11.5) with ESMTP id f8DMpkp27216; Fri, 14 Sep 2001 01:51:46 +0300 (EEST)
Received: (from charon@localhost) by hades.hell.gr (8.11.6/8.11.6) id f8DMq3A43377; Fri, 14 Sep 2001 01:52:03 +0300 (EEST) (envelope-from charon@labs.gr)
Date: Fri, 14 Sep 2001 01:52:03 +0300
From: Giorgos Keramidas
To: Brian Somers
Cc: hackers@FreeBSD.ORG
Subject: Re: Checking changes to listening ports in /etc/security
Message-ID: <20010914015203.A43352@hades.hell.gr>
References: <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org>
In-Reply-To: <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Thu, Sep 13, 2001 at 10:25:02PM +0100
User-Agent: Mutt/1.2.5i
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

From: Brian Somers
Subject: Re: Checking changes to listening ports in /etc/security
Date: Thu, Sep 13, 2001 at 10:25:02PM +0100

> I like this idea. I think it would be worth making it diff against
> /dev/null when netstat.today doesn't exist, so that the first time
> this is run on a given machine, you get to see all the ports that are
> open.

Done. I duplicated the code of the second if[] since I could not easily come up with a version that does not use some kind of shell variable weirdness and still work the same way. I prefer to keep this clean and easy to understand. The attached patch makes /dev/null the first argument of diff when sockstat.today does not exist.

> [.....]
> +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
> [.....]
>
> I think this line is bogus. In fact, it looks like the
> $daily_status_security_noamd periodic.conf tunable is broken.
>
> Oops! I'll fix it after your changes go in.

So far, two people like the change. Since I can't help in making the change go in, I trust that after checking I did not break anything that I missed in my tests, you'll either give me a 'go ahead' to send-pr or just commit this yourself?

-giorgos

Content-Disposition: attachment; filename=patch-security

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security 4 Jul 2001 12:49:17 -0000 1.55
+++ security 13 Sep 2001 22:46:08 -0000
@@ -128,6 +128,29 @@ tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 +# Show changes in listening tcp and udp ports: +# +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat +if ( sockstat -l46 | head -1 ;\ + sockstat -l46 | grep -v comsat | grep -v '^$' |\ + grep -v '^USER' | sort +5 ) | $cmd > $TMP ;then + if [ ! -f $LOG/sockstat.today ]; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b /dev/null $TMP + touch $LOG/sockstat.yesterday || rc=3 + mv $TMP $LOG/sockstat.today || rc=3 + elif ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b $LOG/sockstat.today $TMP + mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3 + mv $TMP $LOG/sockstat.today || rc=3 + fi +fi + # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then --n8g4imXOkfNTN/H1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
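Review bot: the `cmd=` line at the top of the hunk reuses `$ignore`, which the quoted reply already ties to the `$daily_status_security_noamd` tunable, so the sockstat listing is filtered by a pattern built for a different check, and the unquoted `$cmd` expansion word-splits if that pattern ever contains whitespace; either drop the line and write `... | sort +5 ) > $TMP`, or give this check its own ignore pattern. Two smaller points: `grep -v comsat` matches the substring anywhere in the line (user, command, or address), so an unrelated listener containing that string silently disappears from the report, and the two branches differ only in diff's first argument and the sockstat.yesterday bookkeeping, so `prev=/dev/null` versus `prev=$LOG/sockstat.today` would let them share one body if the author later reconsiders the duplication. Note for readers of the report: because only the once-a-day snapshot is compared, a listener that opens and closes between two runs is never shown.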