Gentoo Archives: gentoo-hardened

From: ascii <ascii@××××××××.com>
To: gentoo-hardened@l.g.o
Cc: jpfo@×××××.org
Subject: Re: [gentoo-hardened] Ports, protocols, and services
Date: Thu, 10 Aug 2006 16:12:49
Message-Id: 20060810160756.763852@host238-184.pool8256.interbusiness.it
In Reply to: [gentoo-hardened] Ports, protocols, and services by "Otin
Otin, Jean-Paul F. wrote:
> Output from nmap, lsof, and sockstat run against a Gentoo Linux system
> would be helpful.

I think this stuff is independent of the distribution; anyway:

sudo netstat -anp | grep ' LISTEN '

will give you the listening sockets associated with their pids

sudo netstat -anp | grep ' LISTEN ' | sed 's/  */ /g'

makes this machine-readable

excuse me for the >900-char one-liner : )
time sudo netstat -anp | grep ' LISTEN ' | sed 's/  */ /g' | php -r '
  echo "<!-- credits/spam: Francesco <ascii> Ongaro, http://www.ush.it/ -->\n<report>\n";
  $s = explode("\n", trim(file_get_contents("php://stdin")));
  // ps table with runs of spaces collapsed, so field 1 is always the pid
  $p = explode("\n", trim(shell_exec("ps aux | sed \"s/  */ /g\"")));
  foreach ($s as $l) {
    // fields: proto recv-q send-q local foreign LISTEN pid/name
    $a = explode(" ", trim($l), 7);
    if (count($a) < 7 || strpos($a[6], "/") === false) continue; // pid not visible ("-")
    list($pid, $name) = explode("/", $a[6], 2);
    $name = trim($name); $spid = intval($pid); $cmd = "NULL"; // intval: only a number reaches the shell
    // compare the whole pid field: a prefix test would match 22 against 2234
    foreach ($p as $row) {
      $f = explode(" ", $row);
      if (isset($f[1]) && $f[1] == $pid) { $cmd = $row; break; }
    }
    $pstree = trim(shell_exec("pstree -aAclpu $spid | sed \"s/|-/ /g; s/\`-/ /g; s/|/ /g\""));
    $lsof = trim(shell_exec("sudo lsof -np $spid | grep -v \"^COMMAND \" | sed \"s/  */ /g\""));
    // escape the values so the file is well-formed XML, not just "xml"
    printf("<p>\n <name>%s</name>\n <pid>%d</pid>\n <listen>%s</listen>\n <cmd>%s</cmd>\n <pstree>%s</pstree>\n <lsof>%s</lsof>\n</p>\n",
      htmlspecialchars($name), $spid, htmlspecialchars($a[3]), htmlspecialchars($cmd),
      htmlspecialchars($pstree), htmlspecialchars($lsof));
  }
  echo "</report>\n";
' > report.xml

gives you a nice "xml" file with the lsof and pstree of each listening
process (only the listening pid, not its children)

Naturally this could be improved, but you haven't specified your final
scope, so I stop here.

If you are using grsec proc restrictions you may have to call pstree
with sudo; otherwise this should work from a non-root user, using sudo
when needed.

regards, Francesco 'ascii' Ongaro
--
gentoo-hardened@g.o mailing list
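The same netstat-to-report pipeline as an added shell example (this is not code from the original post or from Francesco): it parses `netstat -anp` LISTEN lines, looks up each pid in a `ps aux` table by exact match on the PID column, and emits well-formed XML with the values escaped. It assumes the net-tools `netstat -anp` and procps `ps aux` column layouts; the two samples embedded below are constructed, not captured from a real host, and the function names (`listen_report`, `ps_row_for_pid`, `xml_escape`) are ours.

```shell
#!/bin/sh
# Added example, not code from the original post. Same job as the PHP
# one-liner (netstat LISTEN line -> pid -> ps row -> XML), but the pid is
# matched as a whole field and the text is escaped, so the result is
# well-formed XML. Assumes net-tools `netstat -anp` and procps `ps aux`
# column layouts; both samples below are constructed, not captured.

# Constructed sample of: sudo netstat -anp | grep ' LISTEN '
# pids 22 and 2234 are there on purpose (a prefix match confuses them);
# "-" is what you get when the pid is not visible, e.g. without root or
# under grsec proc restrictions.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22        0.0.0.0:*     LISTEN      2234/sshd
tcp        0      0 127.0.0.1:25      0.0.0.0:*     LISTEN      22/master
tcp6       0      0 :::80             :::*          LISTEN      3101/apache2
tcp        0      0 0.0.0.0:111       0.0.0.0:*     LISTEN      -'

# Constructed sample of: ps aux (the last row carries XML-hostile characters)
PS_SAMPLE='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         22  0.0  0.1  2345  890 ?        Ss   10:00   0:00 /usr/lib/postfix/master
root       2234  0.0  0.2  4567 1234 ?        Ss   10:00   0:00 /usr/sbin/sshd -D
www-data   3101  0.0  0.5  9876 5432 ?        S    10:01   0:00 /usr/sbin/apache2 -k start -D "A<B" -D X&Y'

# xml_escape STRING: escape the three characters that break an XML text node
# (& must go first, or the other two replacements would be double-escaped)
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# ps_row_for_pid PID: the full ps row whose PID column (field 2 of the
# whitespace-split row) equals PID exactly; never a substring/prefix match
ps_row_for_pid() {
  printf '%s\n' "$PS_SAMPLE" | awk -v pid="$1" '$2 == pid { print; exit }'
}

# listen_report: read netstat LISTEN lines on stdin, print one <socket>
# element per line inside a <report> root. `read` already splits on runs
# of whitespace, so no sed pass is needed; the last field is "pid/name" or "-".
listen_report() {
  echo '<report>'
  while read -r proto recvq sendq laddr faddr state pidname; do
    [ "$state" = LISTEN ] || continue
    case "$pidname" in
      -) pid=''; name='' ;;
      *) pid="${pidname%%/*}"; name="${pidname#*/}" ;;
    esac
    cmd=''
    [ -n "$pid" ] && cmd="$(ps_row_for_pid "$pid")"
    printf ' <socket proto="%s">\n' "$proto"
    printf '  <listen>%s</listen>\n' "$(xml_escape "$laddr")"
    printf '  <pid>%s</pid>\n  <name>%s</name>\n' "$pid" "$(xml_escape "$name")"
    printf '  <cmd>%s</cmd>\n </socket>\n' "$(xml_escape "$cmd")"
  done
  echo '</report>'
}

# Stand-alone run on the constructed sample. On a live box you would instead do:
#   sudo netstat -anp | grep ' LISTEN ' | listen_report > report.xml
printf '%s\n' "$NETSTAT_SAMPLE" | listen_report
```

On a real system `ps_row_for_pid` would read `ps aux` instead of the embedded sample, and the per-pid `pstree -p` / `sudo lsof -np` calls from the one-liner can be slotted into the loop the same way, passing `$pid` only after it has been checked to be numeric. Note that a socket whose owner is shown as `-` still gets an element, with empty pid and name, rather than being silently dropped.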