From: Bill Swingle <[EMAIL PROTECTED]>
Subject: Re: Checking changes to listening ports in /etc/security
Date: Wed, Sep 12, 2001 at 11:23:24AM -0700

> Why not use sockstat instead of netstat?
> 
> -Bill

Simple.  Because I had forgotten about sockstat.  Probably because I've been
using netstat on linuxen, solaris, and everywhere else.

Now that I have tried sockstat, I changed my /etc/security to remove netstat
and include a sockstat-using part.  I tested the attached patch, and now
I have only one little fine point to refine.  When the sockstat test runs,
Sendmail will open connections to comsat (if that's enabled in the local
sendmail.cf).

If I keep the included 'grep -v comsat', it will not print extra lines for
comsat connections.  However, if someone else opens a UDP listening socket on
the comsat port, it will not be detected by diff.  On the other hand, leaving the
grep -v out might cause false alarms to be brought up in the security output.
I tend to prefer the one that includes comsat in the output[2].

The second attachment shows what the output of /etc/security looks like (with
the comsat output lines included).

I rather like the idea about sockstat.  Thank you, Bill.
We now might just have a version that is good enough for a PR.
Any comments on the sockstat-using diffs, Bill (or anyone else)?

-giorgos

Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security    4 Jul 2001 12:49:17 -0000       1.55
+++ security    12 Sep 2001 22:00:50 -0000
@@ -128,6 +128,28 @@
     tee /dev/stderr | wc -l)
 [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 
+# Show changes in listening tcp and udp ports:
+#
+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+if ( sockstat -l46 | head -1 ;\
+     sockstat -l46 | grep -v comsat | grep -v '^$' |\
+     grep -v '^USER' | sort +5 ) | $cmd > $TMP ;then
+       if [ ! -f $LOG/sockstat.today ]; then
+               [ $rc -lt 1 ] && rc=1
+               separator
+               echo "No $LOG/sockstat.today"
+               cp $TMP $LOG/sockstat.today || rc=3
+       fi
+       if ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then
+               [ $rc -lt 1 ] && rc=1
+               separator
+               echo "$host changes in listening ports:"
+               diff -b $LOG/sockstat.today $TMP
+               mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3
+               mv $TMP $LOG/sockstat.today || rc=3
+       fi
+fi
+
 # Show denied packets
 #
 if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
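Review bot: `grep -v comsat` in the filter pipeline drops any line that contains that string anywhere (user, command or address), which is exactly what makes an unexpected UDP listener on the comsat port invisible to the diff; matching on the specific columns instead, e.g. `awk '!($2 == "comsat" && $6 == "*:512")'`, limits the exclusion to the known daemon on its known port. Two smaller points in the same hunk: sockstat is invoked twice (once for `head -1`, once for the body), so the header and the body come from different snapshots, and a single run with the header split off by `sed`/`awk` would avoid that; and `cmp` reports any byte difference while `diff -b` ignores whitespace changes, so a whitespace-only change rotates the files and prints the "changes in listening ports" header with an empty diff beneath it.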


hades.hell.gr changes in listening ports:
7a8,10
> tty      comsat    1504    0 udp4   *:512                 *:*                  
> tty      comsat    1504    1 udp4   *:512                 *:*                  
> tty      comsat    1504    2 udp4   *:512                 *:*                  
