Linux Socket Monitor by R-fx Networks is a good, automated tool for letting you know when an application creates TCP and UDP sockets.

The caveat we’ve experienced over the years is that when you receive an LSM alert that might indicate malware or attacker activity on the server running LSM, you sometimes have only milliseconds to log onto the server and hopefully catch the application opening sockets red-handed.

If you are delayed, or the application simply runs that fast, then by the time you are on the server the port is closed and the application is back in hiding.

I agree that necessity is the mother of invention, and I would like to share what we’ve done to extend the Linux Socket Monitor (LSM) so that an alert carries information about the running process, not just the netstat lines.

The extension requires modifying three files in /usr/local/lsm; I do suggest you back up all three files first:

  • /usr/local/lsm/conf.lsm
  • /usr/local/lsm/lsm
  • /usr/local/lsm/status.lsm

For /usr/local/lsm/conf.lsm we are going to add four lines, defining the working files the extension writes:

PORTS="$INSPATH/dat/ports.list"
PIDS="$INSPATH/dat/pids.list"
DIFF_NET_FILE="$INSPATH/dat/diff_net.list"
PID_PROC_INFO="$INSPATH/dat/pid_proc.info"

For /usr/local/lsm/status.lsm, the process information needs to be printed after the existing block that outputs $DIFF_NET:

cat <<EOF
$DIFF_NET
EOF

Immediately after it, add a second heredoc that prints the process information file filled in by the lsm script (only the first line of this block survived in this copy of the post; its body is reconstructed here from the variable defined in conf.lsm):

cat <<EOF
$(cat $PID_PROC_INFO)
EOF

Finally, in /usr/local/lsm/lsm, add the block below after these two existing lines:

echo "changes found in internet server sockets"

ALERT="true"

tmpf $PIDS
tmpf $PORTS
tmpf $DIFF_NET_FILE
tmpf $PID_PROC_INFO

# quoted so the diff stays one socket per line
echo "$DIFF_NET" > $DIFF_NET_FILE

# '>' lines are the sockets that appeared; the port is the last colon-separated
# field of the local address, which also works for IPv6 entries such as ':::8443'
grep -Po ">.*?\:(\d+)" $DIFF_NET_FILE | awk -F":" '{print $NF}' | sort -u > $PORTS

for port in `cat $PORTS`; do
    # match the local-address column only (a plain grep for :$port would also hit
    # a longer port number or the remote address) and skip sockets whose owner
    # netstat cannot show ('-')
    netstat -anp | awk -v p="$port" '{n=split($4,a,":")} a[n]==p && $NF!="-" {split($NF,x,"/"); print x[1]}' >> $PIDS
done
sort -u $PIDS -o $PIDS

for pid in `cat $PIDS`; do
    echo "========= START =========" >> $PID_PROC_INFO
    echo "lsof -p $pid" >> $PID_PROC_INFO
    lsof -p $pid >> $PID_PROC_INFO
    echo "Information from /proc/$pid" >> $PID_PROC_INFO
    # cmdline and environ are NUL-separated, so convert them to readable text
    tr '\0' ' ' < /proc/$pid/cmdline >> $PID_PROC_INFO; echo >> $PID_PROC_INFO
    tr '\0' '\n' < /proc/$pid/environ >> $PID_PROC_INFO
    # -l shows where the exe symlink points, including '(deleted)' if the
    # binary was removed from disk after it started
    ls -l /proc/$pid/exe >> $PID_PROC_INFO
    cat /proc/$pid/status >> $PID_PROC_INFO
    ls -lab /proc/$pid/fd >> $PID_PROC_INFO
    echo "--------- END ---------" >> $PID_PROC_INFO
done
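The same port-to-PID-to-/proc chain, written as an added example that is not part of LSM or of the post's own extension: each step is a function that can be exercised on captured text instead of a live netstat, so the parsing can be checked before it is wired into an alert. The function names and the sample $DIFF_NET and netstat lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from LSM or from the post: the port -> PID -> /proc
# evidence chain of the lsm extension, split into testable functions.
# Function names and the sample data below are constructed for this example.

# Constructed sample of $DIFF_NET: '>' lines are sockets that appeared since the
# last LSM run, '<' lines are sockets that went away.
SAMPLE_DIFF_NET='> tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
> tcp6       0      0 :::8443                 :::*                    LISTEN
< tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Constructed sample of `netstat -anp`. The last field is PID/Program, or "-"
# when the caller is not allowed to see the owner.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/nc
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1001/nginx
tcp6       0      0 :::8443                 :::*                    LISTEN      1001/nginx
tcp        0      0 10.0.0.5:31337          10.0.0.9:51000          ESTABLISHED -'

# Ports of newly seen sockets: only '>' lines, only the local-address column
# ($5 once the '>' marker counts as $1). Taking the last colon-separated field
# handles IPv6 (':::8443') as well as IPv4 ('0.0.0.0:31337').
extract_new_ports() {
    printf '%s\n' "$1" \
        | awk '$1 == ">" { n = split($5, a, ":"); print a[n] }' \
        | sort -un
}

# PIDs owning a socket whose local port is $1, from netstat text in $2.
# Matching the column rather than grepping ":$port" avoids ':80' hitting ':8080'
# or a remote port; "-" owners are dropped.
pids_for_port() {
    printf '%s\n' "$2" \
        | awk -v port="$1" '
            { n = split($4, a, ":") }
            a[n] == port && $NF != "-" { split($NF, p, "/"); print p[1] }' \
        | sort -un
}

# Evidence for one PID from /proc, on stdout. Returns 1 if the process is
# already gone, which is exactly the race the post describes.
proc_evidence() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: already exited"
        return 1
    fi
    echo "========= START pid $pid ========="
    # exe is a symlink to the binary; readlink shows '(deleted)' if it was removed
    echo "exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    # cmdline and environ are NUL-separated, so convert them for reading
    printf 'cmdline: '; tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline"; echo
    echo "environ:"; tr '\0' '\n' 2>/dev/null < "/proc/$pid/environ" | sed 's/^/  /'
    echo "status:"; grep -E '^(Name|State|PPid|Uid|Gid):' "/proc/$pid/status" 2>/dev/null | sed 's/^/  /'
    echo "fds:"; ls -l "/proc/$pid/fd" 2>/dev/null | sed 's/^/  /'
    echo "--------- END ---------"
}

# The whole chain: diff text -> ports -> PIDs -> /proc evidence.
collect() {
    for port in $(extract_new_ports "$1"); do
        for pid in $(pids_for_port "$port" "$2"); do
            proc_evidence "$pid" || true
        done
    done
}

collect "$SAMPLE_DIFF_NET" "$SAMPLE_NETSTAT"
```

On the constructed input, extract_new_ports yields 8443 and 31337 (the vanished port 25 is ignored), pids_for_port maps 31337 to 4242 only (the established connection with a hidden owner is dropped), and proc_evidence reports "already exited" for a PID that is gone rather than failing part-way, which is the case the post says you will hit most often.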

Special thanks to pdreissen in the Parallels H-Sphere forum for assistance with the grep and awk command to parse $DIFF_NET ports.

If this was your server, and you are the security administrator, what other information would you add?

Share your thoughts in the comments below.