From: Bill Swingle <[EMAIL PROTECTED]>
Subject: Re: Checking changes to listening ports in /etc/security
Date: Wed, Sep 12, 2001 at 11:23:24AM -0700

> Why not use sockstat instead of netstat?
>
> -Bill

Simple. Because I had forgotten about sockstat. Probably because I've been using netstat on linuxen, Solaris, and everywhere else.

Now that I tried sockstat, I changed my /etc/security to remove netstat and include a sockstat-using part. I tested the attached patch, and now I have only one little fine point to refine.

When the sockstat test runs, Sendmail will open connections to comsat (if that's enabled in the local sendmail.cf). If I keep the included 'grep -v comsat', it will not print extra lines for comsat connections. However, if someone else opens a UDP listening socket on the comsat port, it will not be detected by diff. On the other hand, leaving the grep -v out might cause false alarms to be brought up in the security output. I tend to prefer the one that includes comsat in the output[2].

The second attachment shows what the output of /etc/security looks like (with the comsat output lines included).

I rather like the idea about sockstat. Thank you, Bill. We now might just have a version that is good enough for a PR. Any comments on the sockstat-using diffs, Bill (or anyone else)?

-giorgos
Index: security =================================================================== RCS file: /home/ncvs/src/etc/security,v retrieving revision 1.55 diff -u -r1.55 security --- security 4 Jul 2001 12:49:17 -0000 1.55 +++ security 12 Sep 2001 22:00:50 -0000 @@ -128,6 +128,28 @@ tee /dev/stderr | wc -l) [ $n -gt 0 -a $rc -lt 1 ] && rc=1 +# Show changes in listening tcp and udp ports: +# +[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat +if ( sockstat -l46 | head -1 ;\ + sockstat -l46 | grep -v comsat | grep -v '^$' |\ + grep -v '^USER' | sort +5 ) | $cmd > $TMP ;then + if [ ! -f $LOG/sockstat.today ]; then + [ $rc -lt 1 ] && rc=1 + separator + echo "No $LOG/sockstat.today" + cp $TMP $LOG/sockstat.today || rc=3 + fi + if ! cmp $LOG/sockstat.today $TMP >/dev/null 2>&1; then + [ $rc -lt 1 ] && rc=1 + separator + echo "$host changes in listening ports:" + diff -b $LOG/sockstat.today $TMP + mv $LOG/sockstat.today $LOG/sockstat.yesterday || rc=3 + mv $TMP $LOG/sockstat.today || rc=3 + fi +fi + # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
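Review bot: the snapshot that gets diffed keeps sockstat's PID and FD columns, so every daemon restart or reboot will be reported as a change in listening ports, and one inetd-spawned service shows up as one line per fd (the attached sample output lists comsat three times, on fds 0, 1 and 2). Strip those columns before sorting, e.g. replace `grep -v '^USER' | sort +5` with `grep -v '^USER' | awk '{ print $1, $2, $5, $6, $7 }' | sort -u`; then `grep -v comsat` can become a pattern anchored on the one expected entry (user tty, udp4, *:512) instead of dropping any line that mentions comsat anywhere, which is exactly what lets a different listener on port 512 slip past the diff. Two smaller points: `sockstat -l46` is run twice (once for the header, once for the body), so the two runs can disagree; run it once into $TMP and take the header from there. And the hunk reuses `$ignore`, which is set outside this hunk, without a comment saying what it is meant to exclude; if it was built for another check, this block deserves its own variable.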
hades.hell.gr changes in listening ports:
7a8,10
> tty      comsat     1504  0  udp4   *:512                 *:*
> tty      comsat     1504  1  udp4   *:512                 *:*
> tty      comsat     1504  2  udp4   *:512                 *:*
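The trade-off discussed above (drop every comsat line and miss a rogue listener on port 512, or keep them and get false alarms) can be avoided by normalising the sockstat output before diffing it. The following is an added example in POSIX sh, not the patch's code and not part of /etc/security: it drops the PID and FD columns, which change on every restart and turn one comsat socket into three lines, and then removes only the one expected entry with a pattern anchored on the whole line, so a different user, command or protocol on port 512 is still reported. The two sockstat snapshots are constructed sample data in the format of `sockstat -l46`, and the process named "listener" is hypothetical.

```shell
#!/bin/sh
# Added example (not the /etc/security patch's code): snapshot-diff of
# listening sockets with the volatile columns normalised away and an
# anchored ignore pattern instead of a bare 'grep -v comsat'.
# Assumed input format is that of 'sockstat -l46':
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
LC_ALL=C
export LC_ALL

# Constructed sample, standing in for yesterday's 'sockstat -l46' output.
YESTERDAY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       212   3  tcp4   *:22                  *:*
root     sendmail   301   4  tcp4   *:25                  *:*
bind     named      150   20 udp4   127.0.0.1:53          *:*'

# Constructed sample for today: sshd was restarted (new PID), inetd spawned
# comsat while sockstat ran (one socket on fds 0, 1 and 2), and a
# hypothetical process "listener" has taken comsat's port on udp6.
TODAY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       987   3  tcp4   *:22                  *:*
root     sendmail   301   4  tcp4   *:25                  *:*
bind     named      150   20 udp4   127.0.0.1:53          *:*
tty      comsat     1504  0  udp4   *:512                 *:*
tty      comsat     1504  1  udp4   *:512                 *:*
tty      comsat     1504  2  udp4   *:512                 *:*
nobody   listener   1600  3  udp6   *:512                 *:*'

# The one expected transient entry. The whole normalised line is anchored,
# so anything else on port 512 (other user, command or protocol) still shows.
IGNORE_COMSAT='^tty comsat udp4 \*:512 \*:\*$'

# normalize [ignore-regex]: read sockstat output on stdin, drop the header
# line and the PID/FD columns, optionally drop expected entries, and sort
# uniquely so that comm(1) can compare two snapshots.
normalize() {
    awk 'NR > 1 && NF >= 7 { print $1, $2, $5, $6, $7 }' |
        if [ -n "$1" ]; then grep -v -E "$1"; else cat; fi |
        sort -u
}

# port_changes OLD NEW [ignore-regex]: print "- line" for listeners that
# disappeared and "+ line" for listeners that appeared; prints nothing when
# the normalised snapshots are identical.
port_changes() {
    old=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$old"; return 1; }
    printf '%s\n' "$1" | normalize "$3" > "$old"
    printf '%s\n' "$2" | normalize "$3" > "$new"
    comm -23 "$old" "$new" | sed 's/^/- /'   # only in OLD: gone
    comm -13 "$old" "$new" | sed 's/^/+ /'   # only in NEW: appeared
    rm -f "$old" "$new"
}

# Usage: only the unexpected udp6 listener on port 512 is reported; the sshd
# PID change and the three comsat lines are not.
port_changes "$YESTERDAY" "$TODAY" "$IGNORE_COMSAT"
```

In /etc/security the two snapshots would be yesterday's saved file and a fresh `sockstat -l46` run, and the ignore pattern would be the place to list other known transient entries, one anchored alternative each. Passing an empty pattern disables the filter, which is the "include comsat in the output" choice from the message above.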