From owner-freebsd-hackers Fri Sep 14 4:21:28 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 26E4137B409 for ; Fri, 14 Sep 2001 04:21:23 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8EBLKi25525; Fri, 14 Sep 2001 12:21:20 +0100 (BST) (envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8EBIhd29603; Fri, 14 Sep 2001 12:18:43 +0100 (BST) (envelope-from brian@freebsd-services.com)
Message-Id: <200109141118.f8EBIhd29603@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Giorgos Keramidas
Cc: Brian Somers , hackers@FreeBSD.ORG
Subject: Re: Checking changes to listening ports in /etc/security
In-Reply-To: Message from Giorgos Keramidas of "Fri, 14 Sep 2001 01:52:03 +0300." <20010914015203.A43352@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 14 Sep 2001 12:18:43 +0100
From: Brian Somers
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG
> From: Brian Somers
> Subject: Re: Checking changes to listening ports in /etc/security
> Date: Thu, Sep 13, 2001 at 10:25:02PM +0100
>
> > I like this idea. I think it would be worth making it diff against
> > /dev/null when netstat.today doesn't exist, so that the first time
> > this is run on a given machine, you get to see all the ports that are
> > open.
>
> Done. I duplicated the code of the second if[] since I could not easily come
> up with a version that does not use some kind of shell variable weirdness
> and still work the same way. I prefer to keep this clean and easy to
> understand. The attached patch makes /dev/null the first argument of diff
> when sockstat.today does not exist.

[.....]

Hi,

I think the attached patch makes things slightly better. We only run sockstat once, and remove the trailing whitespace that sockstat emits (making the diff lines look better when viewed on an 80 column screen).

Could you look these over? If you're happy with this I can commit it.

Cheers.

-- 
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security 4 Jul 2001 12:49:17 -0000 1.55
+++ security 14 Sep 2001 11:12:09 -0000
@@ -128,6 +128,30 @@ tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 +# Show changes in listening tcp and udp ports: +# +sockstat -l46 | { + read line + echo "$line" + sed -e /^USER/d -e /comsat/d -e '/^[ ]*$/d' | sort +5 +} | sed 's/[ ][ ]*$//' >${TMP} + +if [ ! -f $LOG/sockstat.today ]; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b /dev/null $TMP + touch $LOG/sockstat.yesterday || rc=3 + mv $TMP $LOG/sockstat.today || rc=3 +elif ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b $LOG/sockstat.today $TMP + mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3 + mv $TMP $LOG/sockstat.today || rc=3 +fi + # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
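Review bot: the `-e /comsat/d` filter in the sockstat pipeline is broader than its intent, and `-e /^USER/d` beside it is dead. `/comsat/d` deletes every line containing that substring, in whatever field it appears, so any change to that listener (or to anything else whose user, command or address happens to match) is silently left out of the daily listening-port report; if the goal is only to hide the known inetd comsat entry, match the full expected line (user, command and port) rather than a bare substring, or drop the exclusion and let the first diff against /dev/null show it once. `/^USER/d` can go because `read line` has already consumed sockstat's header before sed sees any input. Two minor points: the first-run branch's `touch $LOG/sockstat.yesterday || rc=3` creates an empty file that nothing later diffs against, so it could be dropped; and in the no-change path `$TMP` still holds the sockstat output until the following `ipfw -a l ... > ${TMP}` line overwrites it, which is fine as long as that section always runs.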