I've been adding an extra check in my local version of /etc/security for quite
some time now. All it does is use 'netstat' to grab a list of the listening
tcp and udp ports of my machine and save it to /var/log/netstat.today
(and /var/log/netstat.yesterday). This way, when some service starts
and listens on a new port the next run of /etc/security will log the
fact in the usual stuff sent to root by mail. I tested this running
/etc/periodic/daily/450.security twice, and running a local IRC daemon between
the two runs. The output that is added to the message root receives looks
like the following:
hades.hell.gr changes in listening ports:
4a5,6
> tcp4 0 0 *.6667 *.* LISTEN
> tcp4 0 0 *.7325 *.* LISTEN
7a10
> udp4 0 0 *.* *.*
10a14
> udp4 0 0 *.7007 *.*
Does the attached patch below seem interesting to anyone else, too?
Should I send-pr it, or just keep merging it with my own security checks,
and leave things as they are?
-giorgos
Index: security
===================================================================
RCS file: /home/ncvs/src/etc/security,v
retrieving revision 1.55
diff -u -r1.55 security
--- security 4 Jul 2001 12:49:17 -0000 1.55
+++ security 12 Sep 2001 17:25:53 -0000
@@ -128,6 +128,26 @@
tee /dev/stderr | wc -l)
[ $n -gt 0 -a $rc -lt 1 ] && rc=1
+# Show changes in listening tcp and udp ports:
+#
+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+if ( netstat -natl | grep LISTEN | sort ; echo "--"; netstat -na | grep '^udp' | sort
+) | $cmd > $TMP; then
+ if [ ! -f $LOG/netstat.today ]; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "No $LOG/netstat.today"
+ cp $TMP $LOG/netstat.today || rc=3
+ fi
+ if ! cmp $LOG/netstat.today $TMP >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "$host changes in listening ports:"
+ diff -b $LOG/netstat.today $TMP
+ mv $LOG/netstat.today $LOG/netstat.yesterday || rc=3
+ mv $TMP $LOG/netstat.today || rc=3
+ fi
+fi
+
# Show denied packets
#
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
