Date:      Fri, 14 Sep 2001 12:18:43 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Giorgos Keramidas <charon@labs.gr>
Cc:        Brian Somers <brian@freebsd-services.com>, hackers@FreeBSD.ORG
Subject:   Re: Checking changes to listening ports in /etc/security 
Message-ID:  <200109141118.f8EBIhd29603@hak.lan.Awfulhak.org>
In-Reply-To: Message from Giorgos Keramidas <charon@labs.gr>  of "Fri, 14 Sep 2001 01:52:03 +0300." <20010914015203.A43352@hades.hell.gr> 

> From: Brian Somers <brian@freebsd-services.com>
> Subject: Re: Checking changes to listening ports in /etc/security
> Date: Thu, Sep 13, 2001 at 10:25:02PM +0100
> 
> > I like this idea.  I think it would be worth making it diff against 
> > /dev/null when netstat.today doesn't exist, so that the first time 
> > this is run on a given machine, you get to see all the ports that are 
> > open.
> 
> Done.  I duplicated the code of the second if[] since I could not easily come
> up with a version that does not use some kind of shell variable weirdness
> and still work the same way.  I prefer to keep this clean and easy to
> understand.  The attached patch makes /dev/null the first argument of diff
> when sockstat.today does not exist.
[.....]

Hi,

I think the attached patch makes things slightly better.  We only run 
sockstat once, and remove the trailing whitespace that sockstat emits 
(making the diff lines look better when viewed on an 80 column 
screen).

Could you look these over?  If you're happy with this I can commit 
it.

Cheers.
-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security	4 Jul 2001 12:49:17 -0000	1.55
+++ security	14 Sep 2001 11:12:09 -0000
@@ -128,6 +128,30 @@
     tee /dev/stderr | wc -l)
 [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 
+# Show changes in listening tcp and udp ports:
+#
+sockstat -l46 | {
+   read line
+   echo "$line"
+   sed -e /^USER/d -e /comsat/d -e '/^[	 ]*$/d' | sort +5
+} | sed 's/[	 ][	 ]*$//' >${TMP}
+
+if [ ! -f $LOG/sockstat.today ]; then
+	[ $rc -lt 1 ] && rc=1
+	separator
+	echo "$host changes in listening ports:"
+	diff -b /dev/null $TMP
+	touch $LOG/sockstat.yesterday || rc=3
+	mv $TMP $LOG/sockstat.today || rc=3
+elif ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then
+	[ $rc -lt 1 ] && rc=1
+	separator
+	echo "$host changes in listening ports:"
+	diff -b $LOG/sockstat.today $TMP
+	mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3
+	mv $TMP $LOG/sockstat.today || rc=3
+fi
+
 # Show denied packets
 #
 if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
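Review bot: the "sockstat -l46 | { read line ... }" pipeline at the top of the hunk discards sockstat's exit status, so when sockstat fails or is not installed the block still writes a header-only (or blank) ${TMP}, compares it against $LOG/sockstat.today, reports every listening port as gone and installs the empty file as the new baseline, after which the next run reports every port as new again; check that ${TMP} holds more than the header line (for example "[ $(wc -l < ${TMP}) -gt 1 ]") before the cmp and before "mv $TMP $LOG/sockstat.today", and leave the old snapshot in place otherwise. Also, the "# Show changes in listening tcp and udp ports:" comment should say why comsat lines are excluded ("/comsat/d"), since nothing else in the hunk explains it, and the "/^USER/d" expression appears redundant once "read line" has consumed the header before sed sees the rest of the output. Minor: "sort +5" is the obsolete key syntax; "sort -k 6" says the same thing.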




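As an added example, not part of the patch above or of FreeBSD's /etc/security, here is the same snapshot-and-diff idea written as POSIX sh functions, with one guard the patch does not have: a listing with no data lines (sockstat failed or is missing) is reported and the existing baseline is kept. The function names, the exit-status convention and all of the sockstat -l46 output are assumptions constructed for this example; sort -k 6 replaces the patch's sort +5.

```shell
#!/bin/sh
# Added example; not part of the patch above or of FreeBSD's /etc/security.
# Snapshot-and-diff of listening ports as functions, plus a guard the patch
# lacks: a listing with no data lines (sockstat failed or missing) is
# reported and the old baseline is left untouched.
# Every sockstat(1) listing below is constructed for the example.

# normalize_listing < LISTING
# Keep the header line first, drop blank lines, sort the data lines on the
# LOCAL ADDRESS column (field 6, the patch's "sort +5") and strip trailing
# whitespace, so the snapshot is stable across reboots and reorderings.
normalize_listing() {
    {
        IFS= read -r header || header=
        printf '%s\n' "$header"
        sed -e '/^[[:space:]]*$/d' | sort -k 6
    } | sed -e 's/[[:space:]]*$//'
}

# report_port_changes SNAPSHOT < LISTING
# Exit status: 0 unchanged; 1 listening ports changed (diff printed, SNAPSHOT
# rotated to SNAPSHOT.yesterday); 2 listing carried no data lines (SNAPSHOT
# left untouched); 3 snapshot files could not be written.
report_port_changes() {
    snapshot=$1
    new=$(mktemp) || return 3
    normalize_listing >"$new"

    # Header-only output means sockstat produced nothing: do not record it,
    # or tomorrow's run reports every port as new again.
    if [ "$(wc -l <"$new" | tr -d ' ')" -le 1 ]; then
        rm -f "$new"
        return 2
    fi

    if [ ! -f "$snapshot" ]; then
        echo "changes in listening ports (no previous snapshot, all ports shown):"
        diff -b /dev/null "$new" || :
    elif cmp -s "$snapshot" "$new"; then
        rm -f "$new"
        return 0
    else
        echo "changes in listening ports:"
        diff -b "$snapshot" "$new" || :
        mv "$snapshot" "$snapshot.yesterday" || return 3
    fi
    mv "$new" "$snapshot" || return 3
    return 1
}

# Constructed "sockstat -l46" output. Yesterday: sendmail's line carries
# trailing blanks and the listing ends with a blank line, as sockstat emits.
listing_yesterday() {
    printf '%s\n'    'USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS'
    printf '%s\n'    'root     sshd       412    4 tcp4   *:22                  *:*'
    printf '%s   \n' 'root     sendmail   455    4 tcp4   127.0.0.1:25          *:*'
    printf '%s\n'    'root     syslogd    329    5 udp4   *:514                 *:*'
    printf '\n'
}
# Today: processes listed in a different order, sendmail gone, httpd new.
listing_today() {
    printf '%s\n' 'USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS'
    printf '%s\n' 'root     syslogd    329    5 udp4   *:514                 *:*'
    printf '%s\n' 'root     sshd       412    4 tcp4   *:22                  *:*'
    printf '%s\n' 'nobody   httpd      981    3 tcp4   *:80                  *:*'
}
# sockstat missing or failing: nothing on stdout.
listing_failed() {
    :
}

# Run the four cases in sequence against one snapshot file and show the
# status each one produces (1, 0, 1, 2).
demo() {
    dir=$(mktemp -d) || return 3
    snap="$dir/sockstat.today"
    for day in listing_yesterday listing_yesterday listing_today listing_failed; do
        rc=0
        "$day" | report_port_changes "$snap" || rc=$?
        echo "$day: status $rc"
    done
    rm -rf "$dir"
}

demo
```

The header is read before the rest of the listing is sorted, the same trick the patch uses, so it stays on top of the snapshot and the diff shows column names; the empty-listing check is the piece worth carrying back into the patch.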
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109141118.f8EBIhd29603>