From 76d4891ca0b06ba368d185f78d24e7d8a5382fd4 Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Wed, 10 Mar 2010 14:35:49 +0000
Subject: Added support for ignoring changes in pid when checking for open ports (#56744)

---
 conf/level.audit_daily | 1 +
 conf/level.audit_weekly | 1 +
 conf/level.fileserver | 1 +
 conf/level.netbook | 1 +
 conf/level.none | 1 +
 conf/level.secure | 1 +
 conf/level.standard | 1 +
 conf/level.webserver | 1 +
 cron-sh/scripts/02_network.sh | 7 ++++++-
 src/msec/plugins/audit.py | 7 ++++++-
 10 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/conf/level.audit_daily b/conf/level.audit_daily
index 330ef3a..9d87b99 100644
--- a/conf/level.audit_daily
+++ b/conf/level.audit_daily
@@ -20,6 +20,7 @@ CHECK_USERS=daily
 CHECK_GROUPS=daily
 NOTIFY_WARN=yes
 CHECK_OPEN_PORT=daily
+IGNORE_PID_CHANGES=yes
 CHECK_FIREWALL=daily
 CHECK_RPM_PACKAGES=daily
 CHECK_RPM_INTEGRITY=daily
diff --git a/conf/level.audit_weekly b/conf/level.audit_weekly
index a9e8090..fdc1d8c 100644
--- a/conf/level.audit_weekly
+++ b/conf/level.audit_weekly
@@ -20,6 +20,7 @@ CHECK_USERS=weekly
 CHECK_GROUPS=weekly
 NOTIFY_WARN=yes
 CHECK_OPEN_PORT=weekly
+IGNORE_PID_CHANGES=yes
 CHECK_FIREWALL=weekly
 CHECK_RPM_PACKAGES=weekly
 CHECK_RPM_INTEGRITY=weekly
diff --git a/conf/level.fileserver b/conf/level.fileserver
index 1c9ea9c..61f167d 100644
--- a/conf/level.fileserver
+++ b/conf/level.fileserver
@@ -38,6 +38,7 @@ ENABLE_PASSWORD=yes
 NOTIFY_WARN=no
 WIN_PARTS_UMASK=000
 CHECK_OPEN_PORT=daily
+IGNORE_PID_CHANGES=yes
 CHECK_FIREWALL=daily
 SHELL_TIMEOUT=0
 ALLOW_REMOTE_ROOT_LOGIN=without-password
diff --git a/conf/level.netbook b/conf/level.netbook
index 15ac1a7..cf6e2ba 100644
--- a/conf/level.netbook
+++ b/conf/level.netbook
@@ -38,6 +38,7 @@ ENABLE_PASSWORD=yes
 NOTIFY_WARN=yes
 WIN_PARTS_UMASK=000
 CHECK_OPEN_PORT=no
+IGNORE_PID_CHANGES=yes
 CHECK_FIREWALL=no
 SHELL_TIMEOUT=0
 ALLOW_REMOTE_ROOT_LOGIN=no
diff --git a/conf/level.none b/conf/level.none
index e963d3d..8817ccf 100644
--- a/conf/level.none
+++ b/conf/level.none
@@ -38,6 +38,7 @@ ENABLE_PASSWORD=
 NOTIFY_WARN=
 WIN_PARTS_UMASK=
 CHECK_OPEN_PORT=
+IGNORE_PID_CHANGES=
 CHECK_FIREWALL=
 SHELL_TIMEOUT=
 ALLOW_REMOTE_ROOT_LOGIN=
diff --git a/conf/level.secure b/conf/level.secure
index 0857b91..32bea9d 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -38,6 +38,7 @@ ENABLE_PASSWORD=yes
 NOTIFY_WARN=no
 WIN_PARTS_UMASK=022
 CHECK_OPEN_PORT=daily
+IGNORE_PID_CHANGES=no
 CHECK_FIREWALL=daily
 SHELL_TIMEOUT=600
 ALLOW_REMOTE_ROOT_LOGIN=no
diff --git a/conf/level.standard b/conf/level.standard
index 8e2c6a7..0a9f0e0 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -38,6 +38,7 @@ ENABLE_PASSWORD=yes
 NOTIFY_WARN=yes
 WIN_PARTS_UMASK=000
 CHECK_OPEN_PORT=daily
+IGNORE_PID_CHANGES=yes
 CHECK_FIREWALL=daily
 SHELL_TIMEOUT=0
 ALLOW_REMOTE_ROOT_LOGIN=without-password
diff --git a/conf/level.webserver b/conf/level.webserver
index b303a40..1f81d09 100644
--- a/conf/level.webserver
+++ b/conf/level.webserver
@@ -38,6 +38,7 @@ ENABLE_PASSWORD=yes
 NOTIFY_WARN=no
 WIN_PARTS_UMASK=000
 CHECK_OPEN_PORT=daily
+IGNORE_PID_CHANGES=no
 CHECK_FIREWALL=daily
 SHELL_TIMEOUT=0
 ALLOW_REMOTE_ROOT_LOGIN=without-password
diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh
index f790dee..c50af4c 100755
--- a/cron-sh/scripts/02_network.sh
+++ b/cron-sh/scripts/02_network.sh
@@ -25,7 +25,12 @@ if [[ -f ${FIREWALL_TODAY} ]]; then
 fi
 if check_is_enabled "${CHECK_OPEN_PORT}" ; then
- netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY};
+ if [[ ${IGNORE_PID_CHANGES} = yes ]]; then
+ FILTER="sed -e s/\([0-9]*\)\/\(.*\)$/\2/g"
+ else
+ FILTER="cat"
+ fi
+ netstat -pvlA inet,inet6 2> /dev/null | $FILTER > ${OPEN_PORT_TODAY};
 Filter ${OPEN_PORT_TODAY} CHECK_OPEN_PORT
 Count ${INFOS} ${OPEN_PORT_TODAY} "Total of open network ports"
 fi
diff --git a/src/msec/plugins/audit.py b/src/msec/plugins/audit.py
index 4b72262..cb0b2ed 100644
--- a/src/msec/plugins/audit.py
+++ b/src/msec/plugins/audit.py
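Review bot: On the new netstat line `$FILTER` is expanded unquoted, so the sed expression stored in the string goes through word splitting and pathname expansion — the `*` and `[0-9]` in it are glob characters, and the line only works because nothing in the working directory matches (with `nullglob` or `failglob` in effect it would silently or loudly break). Since the script already relies on bash `[[ ]]`, hold the command in an array instead: `FILTER=(sed -e 's/\([0-9]*\)\/\(.*\)$/\2/g')`, `FILTER=(cat)`, and `netstat -pvlA inet,inet6 2> /dev/null | "${FILTER[@]}" > ${OPEN_PORT_TODAY};`. Worth stating in the option's help text as well: with the PID stripped the daily diff still compares the program name, but it can no longer tell a restarted daemon from a different process of the same name taking over the port, which is presumably why the secure and webserver levels in this commit keep `IGNORE_PID_CHANGES=no`. The enclosing script continues on both sides of the hunk.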
@@ -42,6 +42,7 @@ class audit:
 config.SETTINGS['FIX_UNOWNED'] = ("audit.fix_unowned", config.VALUES_YESNO)
 config.SETTINGS['CHECK_PROMISC'] = ("audit.check_promisc", config.VALUES_PERIODIC)
 config.SETTINGS['CHECK_OPEN_PORT'] = ("audit.check_open_port", config.VALUES_PERIODIC)
+ config.SETTINGS['IGNORE_PID_CHANGES'] = ("audit.ignore_pid_changes", config.VALUES_PERIODIC)
 config.SETTINGS['CHECK_FIREWALL'] = ("audit.check_firewall", config.VALUES_PERIODIC)
 config.SETTINGS['CHECK_PASSWD'] = ("audit.check_passwd", config.VALUES_PERIODIC)
 config.SETTINGS['CHECK_SHADOW'] = ("audit.check_shadow", config.VALUES_PERIODIC)
@@ -67,7 +68,7 @@ class audit:
 # preparing msecgui menu
 for check in ["CHECK_PERMS", "CHECK_PERMS_ENFORCE", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
- "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "EXCLUDE_REGEXP", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
+ "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "EXCLUDE_REGEXP", "CHECK_PROMISC", "CHECK_OPEN_PORT", "IGNORE_PID_CHANGES", "CHECK_FIREWALL",
 "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY", "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS", "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT", "CHECK_ON_BATTERY"]:
@@ -191,6 +192,10 @@ class audit:
 """Patterns to exclude from disk checks. This parameter is parsed as a regex (7), so you may use complex expressions."""
 pass
+ def ignore_pid_changes(self, param):
+ """Ignore changes in process IDs when checking for open network ports."""
+ pass
+
 def check_promisc(self, param):
 ''' Activate ethernet cards promiscuity check.'''
 cron = self.configfiles.get_config_file(CRON)
-- 
cgit v1.2.1
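Review bot: The new `config.SETTINGS['IGNORE_PID_CHANGES']` entry is registered with `config.VALUES_PERIODIC`, yet every level file in this commit sets the option to `yes`/`no` and `02_network.sh` tests `[[ ${IGNORE_PID_CHANGES} = yes ]]`, so the declared value set does not match how the option is consumed; the same hunk shows the intended form on `FIX_UNOWNED`. If VALUES_PERIODIC holds only the period names, msecgui would reject `yes` and offer values the script never honours, silently disabling the feature. Change the line to `config.SETTINGS['IGNORE_PID_CHANGES'] = ("audit.ignore_pid_changes", config.VALUES_YESNO)`. The enclosing method starts and ends outside the hunk.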
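Review bot: The docstring of the new `ignore_pid_changes` handler says neither which values it accepts nor what ignoring actually does, and the sibling docstrings in this file look like the text shown to the administrator as help. From the `02_network.sh` change in this commit, the effect is that the PID is cut from netstat's PID/Program column before the open-ports snapshot is diffed, so a restarted service no longer shows up as a change while the program name is still compared. I would write `"""Ignore changes in process IDs when checking for open network ports (yes/no). When enabled, the PID is stripped from the PID/Program name column of the netstat snapshot, so restarting a service is not reported as a change; the program name is still compared."""`. The `check_promisc` method that follows continues outside the hunk.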