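#!/usr/bin/perl
#
# name : audit4_summ.pl
#
# FUNCTION: Summarise results from audit4.sh on several machines.
#
# USAGE: cat results1 results2 | ./audit4_summ.pl
#
# History :
# 2006.6.17/sb First version
# 2006.6.20/sb Add local services file.
#
# TESTED ON:
#
# Input (stdin) is the ';'-separated output of audit4.sh, one record per line:
#   Listen_<tcp|udp>;<host>;<os>;<os rev>;<port>       -> a listening socket
#   Session_<tcp|udp>;<a.b.c.d.port>;<a.b.c.d.port>    -> an established session
# Lines matching neither form are ignored.  Two ';'-separated CSV files are
# written to the working directory: $matrix1 (host x listening port) and
# $matrix2 (established sessions).
use strict;
use warnings;

my $services_file = '/etc/services'; # port-name lookup, may be overridden by ./services
my $matrix1 = 'matrix_listen.csv';   # file name for list of active servers
my $matrix2 = 'matrix_est.csv';      # file name for established session
my $bad_ports1 = '^9$|^19$|^23$|^514$|^515$|^544$|^636$';
# Ports we recommend to block (kept for reference; not applied by this script)

# --- perl security precautions ---
# Pin the environment any child process would inherit (this version spawns
# none: the unused `uname` calls were dropped) and keep the report files
# private, since they enumerate the listening services of every host.
$ENV{'PATH'} = '/usr/bin:/usr/sbin:/bin:/sbin:/usr/etc';
$ENV{'SHELL'} = '/bin/sh';
$ENV{'IFS'} = '';
umask(077); # -rw-------

# Make $value safe for one ';'-separated cell: undef becomes '' (a port with
# no services entry) and an embedded ';' -- possible in the free-text comment
# of a services line -- is replaced so the report columns stay aligned.
sub csv_field {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/;/,/g;
    return $value;
}

# A ./services in the working directory takes precedence over /etc/services.
# It only feeds the service name/description columns, but whoever can write
# the working directory can relabel ports in the report; the output files
# below are likewise created under fixed names in that directory, so run the
# script from a directory only you can write.
if ( -s "services" ) { # found local services
    $services_file = './services';
}
print "Using $services_file for portname lookup.\n";

## Read in a service definiton file
my %services; # $services{$proto}{$port}{'name'|'comment'}
open(my $svc_fh, '<', $services_file)
    or die "Cannot open $services_file: $!\n";
while (my $line = <$svc_fh>) {
    chomp($line); # chop() would eat the last character of an unterminated final line
    # e.g. "ssh   22/tcp   # The Secure Shell (SSH) Protocol"
    if ($line =~ /^(\S+)\s+(\d+)\/(tcp|udp)\s+(\S*)\s*#*\s*(.*)/) {
        my ($name, $port, $proto, $comment) = ($1, $2, $3, $5);
        # the first entry seen for a port/protocol wins
        $services{$proto}{$port}{'name'} = $name
            unless defined $services{$proto}{$port}{'name'};
        $services{$proto}{$port}{'comment'} = $comment
            unless defined $services{$proto}{$port}{'comment'};
    }
} # finished reading services
close($svc_fh);

## Main loop from stdin
my %matrix;      # $matrix{$host}{$proto}{$port} = 1 for every listening port seen
my %mat;         # $mat{$port} = 1 for every port listening on any host (row set)
my %os_of;       # OS name per host, from its first Listen record
my %os_rev_of;   # OS revision per host, likewise
my @established; # "proto;from;from_port;to;to_port\n", one per session record
while (my $line = <STDIN>) {
    chomp($line);
    ## First build listen matrix
    if ($line =~ /Listen_(tcp|udp)/) {
        my $proto  = $1;
        my @fields = split(/;/, $line);
        my $host   = $fields[1];
        my $port   = $fields[4];
        if (!defined $host || !defined $port) {
            warn "Skipping malformed Listen record: $line\n";
            next;
        }
        $os_of{$host}     = $fields[2] unless defined $os_of{$host};
        $os_rev_of{$host} = $fields[3] unless defined $os_rev_of{$host};
        # Save list of ports found, by port ...
        $mat{$port} = 1;
        # ... and by host,protocol
        $matrix{$host}{$proto}{$port} = 1;
    }
    ## established matrix ####
    elsif ($line =~ /Session_(tcp|udp);/) {
        my $proto_s = $1;
        my @fields  = split(/;/, $line);
        if (!defined $fields[1] || !defined $fields[2]) {
            warn "Skipping malformed Session record: $line\n";
            next;
        }
        # Loopback sessions are ignored for now.  The dots are escaped: the
        # earlier /127.0.0.1/ let '.' match any character.
        next if $fields[1] =~ /127\.0\.0\.1/;
        # Endpoints are "a.b.c.d.port" (netstat style): split the port off.
        my @from_fields = split(/\./, $fields[1]);
        my @to_fields   = split(/\./, $fields[2]);
        if (@from_fields < 5 || @to_fields < 5) {
            warn "Skipping session with unexpected endpoint format: $line\n";
            next;
        }
        my $from      = join('.', @from_fields[0 .. 3]);
        my $to        = join('.', @to_fields[0 .. 3]);
        my $from_port = $from_fields[4];
        my $to_port   = $to_fields[4];
        push @established, "$proto_s;$from;$from_port;$to;$to_port\n";
    }
} # finished reading input

####### now print analysis
my @hosts = sort keys %matrix; # column order, shared by every row
print ("Writing Listen matrix to: $matrix1\n");
open(my $listen_fh, '>', $matrix1) or die "Cannot write $matrix1: $!\n";
## Title line, then one row per host attribute.  The 4th column ("Comment")
## is left empty in every data row for the reviewer to fill in.
print {$listen_fh} "Host;Service;Service Description;Comment;";
print {$listen_fh} "$_;" for @hosts;
print {$listen_fh} "\n";
print {$listen_fh} "OS;;;;";
print {$listen_fh} "$os_of{$_};" for @hosts;
print {$listen_fh} "\n";
print {$listen_fh} "OS rev;;;;";
print {$listen_fh} "$os_rev_of{$_};" for @hosts;
print {$listen_fh} "\n";
## list all tcp, then udp ports, sorted by number; a row is written only
## when at least one host listens on that port/protocol.
foreach my $proto ('tcp', 'udp') {
    foreach my $p (sort { $a <=> $b } keys %mat) {
        my @cells = map { $matrix{$_}{$proto}{$p} ? ';X' : '; ' } @hosts;
        next unless grep { $_ eq ';X' } @cells;
        print {$listen_fh} "Port $proto $p;"
            . csv_field($services{$proto}{$p}{'name'}) . ';'
            . csv_field($services{$proto}{$p}{'comment'}) . ';'
            . join('', @cells) . "\n";
    }
}
close($listen_fh) or die "Error writing $matrix1: $!\n";

print ("Writing Active matrix to: $matrix2\n");
open(my $est_fh, '>', $matrix2) or die "Cannot write $matrix2: $!\n";
print {$est_fh} "Proto;From IP;From Port;To IP;To Port\n";
print {$est_fh} $_ for sort @established;
close($est_fh) or die "Error writing $matrix2: $!\n";
#eof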