Merge pull request #912 from chef/ap/port-win-process

Windows ports with pid and process name
Dominik Richter 2016-08-12 20:59:28 +02:00 committed by GitHub
commit 5f1d83f196
5 changed files with 156 additions and 25 deletions


@ -122,13 +122,13 @@ module Inspec::Resources
# @see https://connect.microsoft.com/PowerShell/feedback/details/1349420/get-nettcpconnection-does-not-show-processid
class WindowsPorts < PortsInfo
def info
powershell_info || netstat_info
netstat_info || powershell_info
end
private
def powershell_info
cmd = inspec.command('Get-NetTCPConnection | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json')
cmd = inspec.command('Get-NetTCPConnection -state Listen | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json')
return nil if cmd.exit_status != 0
entries = JSON.parse(cmd.stdout)
@ -146,14 +146,21 @@ module Inspec::Resources
end
def netstat_info
cmd = inspec.command('netstat -an')
# retrieve processes grepping by LISTENING state with 0 lines before and 1 after to catch the process name
# also UDP ports have nothing in the State column
cmd = inspec.command('netstat -anbo | Select-String -CaseSensitive -pattern "^\s+UDP|\s+LISTENING\s+\d+$" -context 0,1')
return nil if cmd.exit_status != 0
lines = cmd.stdout.scan(/^\s*(tcp\S*|udp\S*)\s+(\S+):(\d+)\s+/i)
lines = cmd.stdout.scan(/^>\s*(tcp\S*|udp\S*)\s+(\S+):(\d+)\s+(\S+)\s+(\S*)\s+(\d+)\s+(.+)/i)
lines.map do |line|
pid = line[5].to_i
process = line[6].delete('[').delete(']').strip
process = 'System' if process == 'Can not obtain ownership information' && pid == 4
{
'port' => line[2].to_i,
'address' => line[1].delete('[').delete(']'),
'protocol' => line[0].downcase,
'pid' => pid,
'process' => process,
}
end
end
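Review bot: In netstat_info the placeholder text `Can not obtain ownership information` survives as the process name for every PID other than 4, so a listener such as the pid-464 entry in the new fixture would report that sentence through `processes`. Right after the `System` mapping I would add `process = nil if process == 'Can not obtain ownership information'` (or an empty string, depending on what the consumers of 'process' expect, which is not visible here). The scan line also deserves a comment, because it only works since `\s+` after the pid spans the line break and `(.+)` then captures the Select-String context line: `# \s+ after the pid crosses the newline, so (.+) captures the process name printed on the -context 0,1 line`. As far as I recall netstat's `-b` switch needs an elevated session, so an unprivileged run presumably ends in `exit_status != 0` and falls through to powershell_info, whose Select-Object list in the first hunk requests no owning-process property — worth confirming now that `info` tries netstat first.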


@ -164,8 +164,8 @@ class MockLoader
'lsmod' => cmd.call('lsmod'),
'/sbin/sysctl -q -n net.ipv4.conf.all.forwarding' => cmd.call('sbin_sysctl'),
# ports on windows
'Get-NetTCPConnection | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json' => cmd.call('get-net-tcpconnection'),
'netstat -an' => cmd.call('netstat-an.utf8'),
'Get-NetTCPConnection -state Listen | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json' => cmd.call('get-net-tcpconnection'),
'netstat -anbo | Select-String -CaseSensitive -pattern "^\s+UDP|\s+LISTENING\s+\d+$" -context 0,1' => cmd.call('netstat-anbo-pipe-select-string-pattern.utf8'),
# lsof formatted list of ports (should be quite cross platform)
'lsof -nP -i -FpctPn' => cmd.call('lsof-nP-i-FpctPn'),
# ports on linux


@ -1,13 +0,0 @@
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 10.209.66.139:3389 10.209.88.35:60413 ESTABLISHED
TCP 10.209.66.139:53843 10.209.10.18:80 CLOSE_WAIT
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:161 *:*
UDP [::]:123 *:*


@ -0,0 +1,99 @@
> TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 1264
[sshd.exe]
> TCP 0.0.0.0:42 0.0.0.0:0 LISTENING 3576
[wins.exe]
> TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 564
RpcSs
> TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP 0.0.0.0:3300 0.0.0.0:0 LISTENING 1120
[Syslogd_Service.exe]
> TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1764
TermService
> TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 372
[wininit.exe]
> TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 752
EventLog
> TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 784
Schedule
> TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 1028
[spoolsv.exe]
> TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 464
Can not obtain ownership information
> TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 472
[lsass.exe]
> TCP 0.0.0.0:49312 0.0.0.0:0 LISTENING 3576
[wins.exe]
> TCP 10.0.2.15:139 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP 192.168.56.98:139 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
> TCP [::]:22 [::]:0 LISTENING 1264
[sshd.exe]
> TCP [::]:80 [::]:0 LISTENING 4
Can not obtain ownership information
> TCP [::]:135 [::]:0 LISTENING 564
RpcSs
> TCP [::]:443 [::]:0 LISTENING 4
Can not obtain ownership information
> TCP [::]:445 [::]:0 LISTENING 4
Can not obtain ownership information
> TCP [::]:3389 [::]:0 LISTENING 1764
TermService
> TCP [::]:5985 [::]:0 LISTENING 4
Can not obtain ownership information
> TCP [::]:47001 [::]:0 LISTENING 4
Can not obtain ownership information
> TCP [::]:49152 [::]:0 LISTENING 372
[wininit.exe]
> TCP [::]:49153 [::]:0 LISTENING 752
EventLog
> TCP [::]:49154 [::]:0 LISTENING 784
Schedule
> TCP [::]:49155 [::]:0 LISTENING 1028
[spoolsv.exe]
> TCP [::]:49156 [::]:0 LISTENING 464
Can not obtain ownership information
> TCP [::]:49157 [::]:0 LISTENING 472
[lsass.exe]
> TCP [::]:49312 [::]:0 LISTENING 3576
[wins.exe]
> UDP 0.0.0.0:42 *:* 3576
[wins.exe]
> UDP 0.0.0.0:161 *:* 3004
[snmp.exe]
> UDP 0.0.0.0:514 *:* 1120
[Syslogd_Service.exe]
> UDP 0.0.0.0:3389 *:* 1764
TermService
> UDP 0.0.0.0:5355 *:* 908
Dnscache
> UDP 0.0.0.0:64133 *:* 1120
[Syslogd_Service.exe]
> UDP 0.0.0.0:64134 *:* 1636
[Syslogd_Manager.exe]
> UDP 10.0.2.15:137 *:* 4
Can not obtain ownership information
> UDP 10.0.2.15:138 *:* 4
Can not obtain ownership information
> UDP 127.0.0.1:53235 *:* 3576
[wins.exe]
> UDP 192.168.56.98:137 *:* 4
Can not obtain ownership information
> UDP 192.168.56.98:138 *:* 4
Can not obtain ownership information
> UDP [::]:161 *:* 3004
[snmp.exe]
> UDP [::]:3389 *:* 1764
TermService
> UDP [::]:5355 *:* 908
Dnscache


@ -56,17 +56,53 @@ describe 'Inspec::Resources::Port' do
it 'verify port on MacOs x' do
resource = MockLoader.new(:osx104).load_resource('port', 2022)
_(resource.listening?).must_equal true
_(resource.pids).must_equal [6835]
_(resource.protocols).must_equal ['tcp']
_(resource.processes).must_equal ['VBoxHeadl']
_(resource.addresses).must_equal ["127.0.0.1"]
end
it 'verify port on Windows 2012' do
it 'verify port on Windows 2012r2' do
resource = MockLoader.new(:windows).load_resource('port', 135)
_(resource.listening?).must_equal true
_(resource.pids).must_equal [564]
_(resource.protocols).must_equal ['tcp']
_(resource.processes).must_equal ['RpcSs']
_(resource.addresses).must_equal ['0.0.0.0', '::']
end
it 'verify SSL port on Windows 2012r2' do
resource = MockLoader.new(:windows).load_resource('port', 443)
_(resource.listening?).must_equal true
_(resource.pids).must_equal [4]
_(resource.protocols).must_equal ['tcp']
_(resource.processes).must_equal ['System']
_(resource.addresses).must_equal ['0.0.0.0', '::']
end
it 'verify syslog port on Windows 2012r2' do
resource = MockLoader.new(:windows).load_resource('port', 514)
_(resource.listening?).must_equal true
_(resource.pids).must_equal [1120]
_(resource.protocols).must_equal ['udp']
_(resource.processes).must_equal ['Syslogd_Service.exe']
_(resource.addresses).must_equal ['0.0.0.0']
end
it 'verify not listening port on Windows' do
resource = MockLoader.new(:windows).load_resource('port', 666)
_(resource.listening?).must_equal false
_(resource.addresses).must_equal []
_(resource.protocols).must_equal []
_(resource.processes).must_equal []
_(resource.addresses).must_equal ["::", "192.168.10.157"]
_(resource.addresses).must_equal []
end
it 'verify all ports on Windows 2012r2' do
resource = MockLoader.new(:windows).load_resource('port')
resource.entries.length.must_equal 49
resource.protocols('tcp').entries.length.must_equal 34
resource.protocols('udp').entries.length.must_equal 15
end
it 'verify port on Windows 2008 (unpriviledged)' do
@ -78,8 +114,9 @@ describe 'Inspec::Resources::Port' do
resource = ml.load_resource('port', 135)
_(resource.listening?).must_equal true
_(resource.pids).must_equal [564]
_(resource.protocols).must_equal ['tcp']
_(resource.processes).must_equal []
_(resource.processes).must_equal ['RpcSs']
_(resource.addresses).must_equal %w{0.0.0.0 ::}
end
@ -91,9 +128,9 @@ describe 'Inspec::Resources::Port' do
.values.each { |r| r.stdout = '' }
resource = ml.load_resource('port')
resource.entries.length.must_equal 9
resource.protocols('tcp').entries.length.must_equal 6
resource.protocols('udp').entries.length.must_equal 3
resource.entries.length.must_equal 49
resource.protocols('tcp').entries.length.must_equal 34
resource.protocols('udp').entries.length.must_equal 15
end
it 'verify port on FreeBSD' do
@ -108,6 +145,7 @@ describe 'Inspec::Resources::Port' do
it 'verify port on wrlinux' do
resource = MockLoader.new(:wrlinux).load_resource('port', 22)
_(resource.listening?).must_equal true
_(resource.pids).must_equal [1]
_(resource.protocols).must_equal %w{ tcp tcp6 }
_(resource.processes).must_equal ['sshd']
_(resource.addresses).must_equal ["0.0.0.0", "::"]
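Review bot: The reworked 'verify not listening port on Windows' case asserts `_(resource.addresses).must_equal []` twice (once near the top of the block and again as the replacement for the old address list), while `pids`, the field this change introduces, is never checked for the not-listening case. I would turn the second occurrence into `_(resource.pids).must_equal []`. The other cases in this file gain a pid expectation, so that duplicate line is the only gap visible in the diff.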