Date:      Fri, 14 Sep 2001 01:52:03 +0300
From:      Giorgos Keramidas <charon@labs.gr>
To:        Brian Somers <brian@freebsd-services.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: Checking changes to listening ports in /etc/security
Message-ID:  <20010914015203.A43352@hades.hell.gr>
In-Reply-To: <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org>; from brian@freebsd-services.com on Thu, Sep 13, 2001 at 10:25:02PM +0100
References:  <charon@labs.gr> <200109132125.f8DLP2d97096@hak.lan.Awfulhak.org>


--n8g4imXOkfNTN/H1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

From: Brian Somers <brian@freebsd-services.com>
Subject: Re: Checking changes to listening ports in /etc/security
Date: Thu, Sep 13, 2001 at 10:25:02PM +0100

> I like this idea.  I think it would be worth making it diff against 
> /dev/null when netstat.today doesn't exist, so that the first time 
> this is run on a given machine, you get to see all the ports that are 
> open.

Done.  I duplicated the code of the second if[] since I could not easily come
up with a version that does not use some kind of shell variable weirdness
and still work the same way.  I prefer to keep this clean and easy to
understand.  The attached patch makes /dev/null the first argument of diff
when sockstat.today does not exist.

> [.....]
> +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
> [.....]
> 
> I think this line is bogus.  In fact, it looks like the 
> $daily_status_security_noamd periodic.conf tunable is broken.
> 
> Oops !  I'll fix it after your changes go in.

So far, two people like the change.  Since I can't help in making the change
go in, I trust that after checking I did not break anything that I missed in
my tests, you'll either give me a 'go ahead' to send-pr or just commit this
yourself?

-giorgos


--n8g4imXOkfNTN/H1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-security

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security	4 Jul 2001 12:49:17 -0000	1.55
+++ security	13 Sep 2001 22:46:08 -0000
@@ -128,6 +128,29 @@
     tee /dev/stderr | wc -l)
 [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 
+# Show changes in listening tcp and udp ports:
+#
+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+if ( sockstat -l46 | head -1 ;\
+     sockstat -l46 | grep -v comsat | grep -v '^$' |\
+     grep -v '^USER' | sort +5 ) | $cmd > $TMP ;then
+	if [ ! -f $LOG/sockstat.today ]; then
+		[ $rc -lt 1 ] && rc=1
+		separator
+		echo "$host changes in listening ports:"
+		diff -b /dev/null $TMP
+		touch $LOG/sockstat.yesterday || rc=3
+		mv $TMP $LOG/sockstat.today || rc=3
+	elif ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then
+		[ $rc -lt 1 ] && rc=1
+		separator
+		echo "$host changes in listening ports:"
+		diff -b $LOG/sockstat.today $TMP
+		mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3
+		mv $TMP $LOG/sockstat.today || rc=3
+	fi
+fi
+
 # Show denied packets
 #
 if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
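Review bot: the `if ( sockstat -l46 ... ) | $cmd > $TMP ;then` test only sees the exit status of `$cmd` (`cat` or `egrep -v`), never that of `sockstat`, so a failing `sockstat` is silently skipped, and when `egrep -v` filters out every line its non-zero status also skips the whole block; testing the output file (`if [ -s $TMP ]`) or running the comparison unconditionally would be more robust. `$cmd` is also expanded unquoted on that line, so an `$ignore` pattern containing whitespace is split into separate `egrep` arguments, and the `[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat` line is the one the quoted reply already flags as bogus. Finally, `sockstat -l46` is run twice (once for the header, once for the body), so a socket opened or closed between the two invocations lands in a different snapshot than its header; capturing a single invocation and splitting the header off afterwards avoids that.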

--n8g4imXOkfNTN/H1--
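The snapshot-and-rotate logic discussed above (diff against /dev/null on the first run, otherwise compare with the saved listing and rotate today into yesterday), as an added example that is not the patch from this mail nor the FreeBSD /etc/security script. It reads the listing from stdin so it can be exercised with a constructed listing instead of a live sockstat; the function names, the state-directory argument, the optional ignore-pattern argument and the sample listings are assumptions.

```shell
#!/bin/sh
# Added example, not the patch from the mail: a stand-alone version of the
# "compare today's listing with the saved one, diff against /dev/null on the
# first run" logic, written so it can be fed a constructed listing instead of
# a live `sockstat -l46`. Function names, the STATEDIR argument and the sample
# listings are assumptions made for this example.
#
# report_listener_changes STATEDIR [IGNORE_REGEX] < listing
#   returns 0  nothing changed since the last run
#           1  first run, or the set of listening sockets changed (report printed)
#           3  the state files could not be rotated
report_listener_changes() {
    statedir=$1
    ignore=${2:-}
    today=$statedir/sockstat.today
    yesterday=$statedir/sockstat.yesterday
    tmp=$statedir/sockstat.tmp
    rc=0

    # Normalise the listing: drop the header and blank lines, apply the optional
    # ignore pattern as one quoted argument (patterns with spaces stay intact),
    # and sort on the local-address column in a fixed locale so that process
    # start order cannot produce spurious differences. `sort -k6` is the
    # modern spelling of the patch's `sort +5`.
    grep -v '^USER' | grep -v '^$' \
        | { if [ -n "$ignore" ]; then grep -E -v -e "$ignore"; else cat; fi; } \
        | LC_ALL=C sort -k6 > "$tmp"

    if [ ! -f "$today" ]; then
        # First run on this machine: every listener is reported as new.
        rc=1
        echo "changes in listening ports (first run, all listeners are new):"
        diff -b /dev/null "$tmp"
        touch "$yesterday" || rc=3
        mv "$tmp" "$today" || rc=3
    elif ! cmp "$today" "$tmp" >/dev/null 2>&1; then
        # Something changed: show the diff and rotate today -> yesterday.
        rc=1
        echo "changes in listening ports:"
        diff -b "$today" "$tmp"
        mv "$today" "$yesterday" || rc=3
        mv "$tmp" "$today" || rc=3
    else
        # Unchanged: nothing to report, discard the temporary listing.
        rm -f "$tmp"
    fi
    return $rc
}

# Constructed listings in `sockstat -l46` layout (not real output).
SAMPLE_DAY1='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123    4 tcp4   *:22                  *:*
root     syslogd    98     6 udp4   *:514                 *:*
root     sendmail   201    5 tcp4   127.0.0.1:25          *:*'

# Same listeners in a different process order: must not count as a change.
SAMPLE_DAY2='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   201    5 tcp4   127.0.0.1:25          *:*
root     sshd       123    4 tcp4   *:22                  *:*
root     syslogd    98     6 udp4   *:514                 *:*'

# A new listener appeared overnight.
SAMPLE_DAY3="$SAMPLE_DAY1
nobody   httpd      455    3 tcp4   *:8080                *:*"

# Print the constructed listing for day 1, 2 or 3.
sample() {
    case $1 in
        1) printf '%s\n' "$SAMPLE_DAY1" ;;
        2) printf '%s\n' "$SAMPLE_DAY2" ;;
        3) printf '%s\n' "$SAMPLE_DAY3" ;;
    esac
}

# Run three consecutive "days" against a scratch state directory.
demo() {
    dir=$(mktemp -d)
    for day in 1 2 3; do
        echo "== day $day =="
        sample "$day" | report_listener_changes "$dir" 'comsat'
        echo "exit status: $?"
    done
    rm -rf "$dir"
}

demo
```

Day 1 prints every listener as new (`0a1,3` followed by three `>` lines) and returns 1, day 2 prints nothing and returns 0 because the sorted listings are identical, and day 3 reports only the `*:8080` line. Quoting the ignore pattern as a single argument and testing the state files rather than the exit status of a `cat`/`grep` filter are the two points where this deliberately departs from the patch.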
