ParetoSecurity/pareto-mac

Make sure no ports are open

zupo opened this issue · 1 comments

zupo commented

What happened?

@jcerjak had an idea to also check that no ports are open. I.e. maybe a developer runs ngrok or a local Apache server and forgets to turn it off. Maybe even installs Postgres and doesn't configure it properly and now data leaks are possible.

Version

/

Relevant log output

No response

dz0ny commented

Using osquery and custom checks

```yaml
id: open-ports
titlePass: No open ports found
titleFail: Open ports found
# get the list of open ports, count the lines; if any lines are found, print 1
check: |
  /usr/local/bin/osqueryi 'SELECT lp.port, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0 and p.name != "rapportd" and lp.address = "0.0.0.0";' --list --header=false | wc -l | xargs | awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
result:
  integer: 0
```
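
The check above matches only listeners bound to `0.0.0.0`. The following added example (not code from this thread or from the pareto-mac project) goes a step further and also flags IPv6 wildcard binds and binds to a specific non-loopback address. It assumes the query is changed to select `lp.address, lp.port, p.name` and that rows arrive `|`-separated as `osqueryi --list` prints them; `ALLOWED_PROCS`, the function names and the sample rows are hypothetical.

```shell
#!/bin/sh
# Added example: classify listening sockets by bind address.
# Input rows on stdin: address|port|process_name

# Hypothetical allowlist of process names to ignore (the page excludes rapportd).
ALLOWED_PROCS="rapportd"

# exposed_listeners: print the rows that are reachable from other hosts.
exposed_listeners() {
  awk -F'|' -v allow="$ALLOWED_PROCS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    NF < 3               { next }   # malformed or empty row
    $2 == 0              { next }   # port 0, filtered out as in the page query
    ($3 in skip)         { next }   # allowlisted process
    $1 ~ /^127\./        { next }   # IPv4 loopback
    $1 == "::1"          { next }   # IPv6 loopback
    $1 ~ /^::ffff:127\./ { next }   # IPv4-mapped loopback
    {
      kind = ($1 == "0.0.0.0" || $1 == "::" || $1 == "*") ? "wildcard" : "specific"
      printf "%s %s %s %s\n", kind, $1, $2, $3
    }'
}

# check_result: print 1 if any exposed listener exists, else 0
# (same 0/1 contract as the check on the page).
check_result() {
  if [ -n "$(exposed_listeners)" ]; then echo 1; else echo 0; fi
}

# Constructed sample rows, not real output from any machine.
SAMPLE_ROWS='0.0.0.0|49152|rapportd
127.0.0.1|4040|ngrok
::1|5432|postgres
::|80|httpd
192.168.1.20|5432|postgres
|0|launchd'

printf '%s\n' "$SAMPLE_ROWS" | exposed_listeners
```

Loopback-only listeners are deliberately not reported, so a check built this way fails only on sockets another host on the network could reach.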