tiger-devel

Re: [Tiger-devel] [PATCH] Updated check_xinetd module.


From: Javier Fernández-Sanguino Peña
Subject: Re: [Tiger-devel] [PATCH] Updated check_xinetd module.
Date: Mon, 24 Nov 2003 21:53:41 +0100
User-agent: Mutt/1.5.4i

On Thu, Oct 23, 2003 at 02:14:46AM -0600, Ryan Bradetich wrote:
> Hello all,
> 
> This patch improves the check_xinetd module to start being useful.  This
> module implements the following checks:

Great. I've included it under systems/Linux/2. I'm not including it (for 
the moment) in the generic version since it uses non-portable bash calls.

I think it would be great if xinetd's configuration file could be 
converted into something easier to parse, similar to how 'gen_inetd' 
works. That is, one service per line with all the options. That could 
simplify the code that parses the configuration file and would also make it 
more portable.

Notice that I've also added a number of TODOs of things that could be 
checked here including:

- whether the binaries pointed to by a 'server' directive are properly 
protected (i.e. belong to root user, proper permissions...)

- whether services are tcp protected or not (see below)

- whether services are listening only on localhost (bind directive)

- DoS attack prevention

- Logs of attempts (log_on_success, log_on_failure...)

Still, this is a very nice script. 

> Next steps include figuring out how to determine if the services are
> protected by tcpwrappers.  The only thing I can see so far is an entry
> like this in the /var/log/messages:

From reading xinetd.org's FAQ I see two ways to check for tcpd wrappers 
protection:

1.- xinetd is compiled with tcpwrappers (i.e. 'ldd /usr/sbin/xinetd' 
returns libwrap.so.0)

2.- a specific service's server is /usr/sbin/tcpd and the arguments define 
which binary is run.

Thanks!

Javi

PS: I've almost included all patches; hopefully all will be included 
this week and a new release (3.2.2) with all of the bugs & enhancements 
will be provided before the end of the year.

Attachment: signature.asc
Description: Digital signature
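
The one-service-per-line conversion suggested in the message, together with the two tcpd checks it lists, as an added example that is not part of the original message or of Tiger's own code. The function names, the tab-separated output format and the sample configuration are assumptions made for illustration; only POSIX sh and awk are used.

```shell
# Added example; sample_conf is constructed data, not from a real system.
# flatten_xinetd: xinetd config on stdin -> one line per service,
# "<name>TAB<attr>=<value>TAB...". defaults blocks are skipped; += / -= become =.
flatten_xinetd() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/   { next }
    $1 == "service" && !inblk  { name = $2; pending = 1; next }
    $1 == "{" && pending       { inblk = 1; pending = 0; line = name; next }
    $1 == "}" && inblk         { print line; inblk = 0; next }
    inblk {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[-+ \t]/, "", key)            # strip blanks and the +/- of += / -=
        gsub(/^[ \t]+|[ \t]+$/, "", val)    # trim the value
        line = line "\t" key "=" val
    }'
}

# tcpd_report: flattened lines on stdin -> "<name>TAB<tcpd|no-tcpd>" (check 2).
tcpd_report() {
    awk -F "\t" '{
        status = "no-tcpd"
        for (i = 2; i <= NF; i++) if ($i == "server=/usr/sbin/tcpd") status = "tcpd"
        print $1 "\t" status
    }'
}

# has_libwrap: ldd output on stdin, succeeds if libwrap is linked (check 1).
has_libwrap() { grep 'libwrap\.so' >/dev/null; }

sample_conf() {
    cat <<'EOF'
defaults
{
    log_type = SYSLOG daemon info
}
service ftp
{
    server         = /usr/sbin/tcpd
    server_args    = /usr/sbin/in.ftpd -l
    log_on_failure += USERID
}
service telnet
{
    server = /usr/sbin/in.telnetd
}
EOF
}
sample_conf | flatten_xinetd | tcpd_report
```

On a live host the same functions would be fed with `flatten_xinetd < /etc/xinetd.conf` and `ldd /usr/sbin/xinetd | has_libwrap`; files pulled in through includedir have to be passed in separately, since the flattener does not follow includes.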

