From owner-freebsd-hackers Mon Sep 17 4:29:26 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18]) by hub.freebsd.org (Postfix) with ESMTP id 7953937B40F for ; Mon, 17 Sep 2001 04:29:21 -0700 (PDT)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [fec0::1:12]) by Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8HBTGg23481; Mon, 17 Sep 2001 12:29:18 +0100 (BST) (envelope-from brian@freebsd-services.com)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1]) by hak.lan.Awfulhak.org (8.11.6/8.11.6) with ESMTP id f8HBTAR28246; Mon, 17 Sep 2001 12:29:10 +0100 (BST) (envelope-from brian@freebsd-services.com)
Message-Id: <200109171129.f8HBTAR28246@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Giorgos Keramidas
Cc: Brian Somers , hackers@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: Checking changes to listening ports in /etc/security
In-Reply-To: Message from Giorgos Keramidas of "Fri, 14 Sep 2001 17:57:18 +0300." <20010914175718.A1118@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 17 Sep 2001 12:29:10 +0100
From: Brian Somers
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG
> From: Brian Somers
> Subject: Re: Checking changes to listening ports in /etc/security
> Date: Fri, Sep 14, 2001 at 12:18:43PM +0100
>
> > I think the attached patch makes things slightly better. We only run
> > sockstat once, and remove the trailing whitespace that sockstat emits
> > (making the diff lines look better when viewed on an 80 column
> > screen).
>
> Ahem, that's what happens when one works in 132 column modes.
> Yes, trailing spaces are better removed.
>
> > Could you look these over ? If you're happy with this I can commit
> > it.
>
> Looks great to me. I tested it with the usual four runs of
> periodic/daily/450.status-security that I used for my versions.
> It works great :)

I found a problem... if you reboot a machine, lots of diffs come up
because of the PID column. I've got a version running locally that
dykes out the PID stuff from the report. It also displays the header
line above the diff output for a bit of context. If it works ok over
the next few days I'll commit it.

I've attached the patch FYI.

> -giorgos

--
Brian  http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security	4 Jul 2001 12:49:17 -0000	1.55
+++ security	17 Sep 2001 00:37:01 -0000
@@ -128,6 +128,31 @@ tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 +# Show changes in listening tcp and udp ports: +# +sockstat -l46 | { + read line + echo "${line}" + sed -e /^USER/d -e /comsat/d -e '/^[ ]*$/d' | sort +5 +} | sed -e 's/[ ][ ]*$//' -e 's/\(..................\)...../\1/' >${TMP} + +if [ ! -f ${LOG}/sockstat.today ]; then + [ ${rc} -lt 1 ] && rc=1 + separator + echo "${host} changes in listening ports:" + diff -b /dev/null ${TMP} + touch ${LOG}/sockstat.yesterday || rc=3 + mv ${TMP} ${LOG}/sockstat.today || rc=3 +elif ! cmp ${LOG}/sockstat.today ${TMP} >/dev/null 2>&1; then + [ ${rc} -lt 1 ] && rc=1 + separator + echo "${host} changes in listening ports:" + sed '1{ s/^/ /; q; }' ${TMP} + diff -b ${LOG}/sockstat.today ${TMP} + mv ${LOG}/sockstat.today ${LOG}/sockstat.yesterday || rc=3 + mv ${TMP} ${LOG}/sockstat.today || rc=3 +fi + # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
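Review bot: the PID column is removed by a fixed character offset in `sed -e 's/\(..................\)...../\1/'`, which silently cuts the wrong five characters if sockstat's column widths ever differ from the assumed layout (a USER or COMMAND wider than its field, or a change in sockstat's output format); every line then differs and a genuinely new listener is buried in noise. Prefer locating the PID field by its name in the header line (awk can do this) and state the assumed column layout in the comment above the pipeline. Two smaller points in the same pipeline: `/comsat/d` deletes any line containing "comsat" anywhere, not only in the COMMAND column, so anchor it to that field; and `/^USER/d` is redundant because `read line` has already consumed the header before sed sees the stream.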
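The same snapshot comparison with the PID column found by its header name instead of a fixed character offset, as an added example (my own code, not the patch above nor anything from the FreeBSD tree); the sockstat column layout is an assumption and the sample snapshots are constructed:

```shell
#!/bin/sh
# Added example, not the patch from this thread: normalize sockstat -l style
# output by dropping the PID column located by its HEADER NAME (not by a
# fixed character offset), apply the comsat exclusion to the COMMAND field
# only, and diff two snapshots so a reboot (all PIDs change) reports nothing
# while a new or vanished listener still does. Assumed sockstat layout:
# USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS.
LC_ALL=C; export LC_ALL     # deterministic sort order

# normalize: stdin -> header line, then rows sorted by local address.
normalize() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "PID") pidcol = i }
        NF == 0 { next }                     # skip blank lines
        NR > 1 && $2 == "comsat" { next }    # exclusion matched on COMMAND
        {
            out = ""
            for (i = 1; i <= NF; i++)
                if (i != pidcol) out = out (out == "" ? "" : " ") $i
            print out
        }' | { read -r header; echo "$header"; sort -k5,5 -k4,4; }
}
# report_changes OLD NEW: print the header for context plus a diff of the
# normalized snapshots; returns 0 if the listening set is unchanged and 1
# if it differs (the rc=1 convention of /etc/security).
report_changes() {
    o=$(mktemp) n=$(mktemp)
    normalize < "$1" > "$o"
    normalize < "$2" > "$n"
    if cmp -s "$o" "$n"; then rm -f "$o" "$n"; return 0; fi
    sed '1{ s/^/ /; q; }' "$n"      # indented header line for context
    diff -b "$o" "$n" || true       # diff exits 1 on differences
    rm -f "$o" "$n"
    return 1
}
# Constructed sample snapshots (not real sockstat output). REBOOTED has the
# same listeners as YESTERDAY with new PIDs; TODAY adds an httpd on *:80.
YESTERDAY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       231    4 tcp46 *:22                  *:*
root     comsat     301    0 udp4  *:512                 *:*
root     sendmail   250    4 tcp4  127.0.0.1:25          *:*
'
REBOOTED='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   188    4 tcp4  127.0.0.1:25          *:*
root     sshd       175    4 tcp46 *:22                  *:*
root     comsat     240    0 udp4  *:512                 *:*
'
TODAY="${REBOOTED}www      httpd      402    4 tcp4  *:80                  *:*
"
```

On a real host, save `sockstat -l46` output to a file each day and run `report_changes yesterday today`; only changes in the listening set, not PID churn, produce a report.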