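#!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 2000, 2001 Javier Fernandez-Sanguino Peña
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_listeningprocs - 23/08/2001
#
# check_listeningprocs - 23/08/2001 - jfs
#   Removed netstat (the Linux file has it) since the different
#   UNIX implementations do not share command line parameters
#   (lsof does)
#
# TODO: provide a way (based on the Linux version) to work with netstat's
# output (in Solaris -t or -u does not work and -p does not show processes
# but net tables)
#
#-----------------------------------------------------------------------------
TigerInstallDir='.'

#
# Set default base directory.
# Order of preference:
#    -B option
#    TIGERHOMEDIR environment variable
#    TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

# Walk the argument list for "-B <dir>".  The value is the word that
# FOLLOWS -B wherever it appears, not blindly $2 (which is only right when
# -B happens to be the first argument).
prev=''
for parm
do
  if [ "$prev" = "-B" ]
  then
    basedir=$parm
    break
  fi
  prev=$parm
done

#
# Verify that a config file exists there, and if it does
# source it.  NOTE: 'config' and 'initdefs' are executed as shell code
# with this script's privileges, so $basedir must point at a trusted
# (root-owned, non-writable by others) installation.
#
[ ! -r "$basedir/config" ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. "$basedir/config"

. "$BASEDIR/initdefs"

#
# If run in test mode (-t) this will verify that all required
# elements are set.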
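#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  # lsof is needed for this program since netstat does not work
  # the same across all Unix platforms.
  haveallcmds CAT CUT GREP AWK SORT UNIQ LSOF RM || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  haveallvars TESTLINK HOSTNAME
  message CONFIG init003c "" "$0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------

echo
echo "# Checking listening processes "

haveallcmds CAT CUT GREP AWK SORT UNIQ LSOF RM || exit 1

# Users that may run listening processes and processes that may listen,
# taken from the config.  Both are used as 'case' patterns below.
# NOTE(review): the expanded value is matched as ONE shell pattern; a
# '|'-separated list is not treated as alternatives after expansion in
# most shells -- confirm against how Tiger_Listening_ValidProcs and
# Tiger_Listening_ValidUsers are documented in the config.
okprocessusers=$Tiger_Listening_ValidUsers
okprocess=$Tiger_Listening_ValidProcs
[ -z "$okprocessusers" ] && okprocessusers="root"
[ -z "$okprocess" ] && okprocess=""

# check_socket PROC USER TYPE SOCKET
#   PROC   - command name (lsof COMMAND column)
#   USER   - user the process runs as (lsof USER column)
#   TYPE   - lsof NODE column (e.g. TCP/UDP) or the literal "raw"
#   SOCKET - lsof NAME column: 127.0.0.1:25, *:ssh, [::1]:631, or for raw
#            sockets a hex pair such as 00000000:0001->00000000:0000
# Reports (via message) sockets not covered by the valid-process /
# valid-user patterns.  Output only; no return value is relied upon.
check_socket()
{
  proc=$1
  user=$2
  type=$3
  asocket=$4

  # Drop any remote end ("->...") lsof appends, then split the local end
  # on the LAST ':' so bracketed IPv6 names ([::1]:631) keep address and
  # port intact.  Done with parameter expansion: the old cut/sed pipeline
  # used $SED, which was never required by haveallcmds and so could be
  # empty at run time.
  local_end=${asocket%%-*}
  socket=${local_end##*:}
  address=${local_end%:*}
  [ "$type" = "raw" ] && socket="(hex) $socket"

  # Normalise well-known bind addresses for the messages and the checks.
  case $address in
    127.0.0.1|"[::1]") address="loopback" ;;
    0.0.0.0|00000000|"*"|"[::]") address="every" ;;
  esac

  # Should a loopback-only socket be considered harmful?
  # TODO: This could be an option

  case $proc in
    $okprocess)
      # Explicitly allowed process: nothing to report.
      ;;
    *)
      case $user in
        $okprocessusers)
          # Allowed user: a socket bound to every interface is a warning
          # unless the config turns that off; anything else is informational.
          if [ "$address" = "every" ] && [ "$Tiger_Listening_Every" != "N" ]
          then
            message WARN lin002i "" "The process \`$proc' is listening on socket $socket ($type) on $address interface."
          else
            message INFO lin002i "" "The process \`$proc' is listening on socket $socket ($type) on $address interface."
          fi
          ;;
        *)
          # Non-allowed user.  Compare against the normalised value: the
          # address was already rewritten to "loopback" above, so a test
          # against the literal 127.0.0.1 could never match.
          if [ "$address" != "loopback" ]
          then
            message WARN lin003w "" "The process \`$proc' is listening on socket $socket ($type on $address interface) is run by $user."
          fi
          ;;
      esac
      ;;
  esac
}

# Take one snapshot of every open file.  -n suppresses name resolution,
# so the audit makes no DNS queries and cannot be stalled or influenced
# by a slow/hostile resolver.
# NOTE: the $$-based names are predictable; this relies on WORKDIR being
# a directory only tiger can write to (as elsewhere in tiger).
procs="$WORKDIR/procs.$$"
openprocs="$WORKDIR/openprocs.$$"
$LSOF -n > "$procs"
: > "$openprocs"

# Pick out IPv4/IPv6 sockets without a remote end (i.e. listening ones).
# The NAME field is located as the LAST field containing ':' and the
# NODE (TCP/UDP) as the field before it, because column positions differ
# between lsof versions (the SIZE/OFF column is blank for sockets in
# older releases and "0t0" in newer ones).  Lines without such a field
# produce no output.
$GREP "IPv" "$procs" | $GREP -v -e '->' | $AWK '{
    for (i = NF; i > 5; i--)
      if ($i ~ /:/) { printf("%s %s %s %s\n", $1, $3, $(i-1), $i); break }
  }' >> "$openprocs"

# Now check for raw sockets (some trojans use them too).  The type is the
# TYPE column as before; the name is found the same way as above.
$GREP "raw" "$procs" | $AWK '{
    for (i = NF; i > 5; i--)
      if ($i ~ /:/) { printf("%s %s %s %s\n", $1, $3, $5, $i); break }
  }' >> "$openprocs"

$SORT "$openprocs" | $UNIQ | while read -r proc user type asocket
do
  check_socket "$proc" "$user" "$type" "$asocket"
done

# The snapshots contain the host's full open-file/socket inventory;
# do not leave them behind in WORKDIR.
$RM -f "$procs" "$openprocs"

exit 0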