pareto-mac
Make sure no ports are open
What happened?
@jcerjak had an idea to also check that no ports are open. I.e. maybe a developer runs ngrok or a local Apache server and forgets to turn it off. Maybe even installs Postgres and doesn't configure it properly and now data leaks are possible.
Using osquery and custom checks
id: open-ports
titlePass: No open ports found
titleFail: Open ports found
# get the list of open ports, count the lines, print 1 if any lines are found
check: |
  /usr/local/bin/osqueryi 'SELECT lp.port, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0 and p.name != "rapportd" and lp.address = "0.0.0.0";' --list --header=false | wc -l | xargs | awk '{ if ($1 >= 1) {print "1"} else {print "0"}}'
result:
  integer: 0
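
An added example, not code from this issue or from the Pareto project: the same 0/1 pass/fail logic as the check above, run over constructed `osqueryi --list` rows and widened to also count listeners on the IPv6 wildcard `::`. The `port|address|name` column layout, the `::` address form, and the function names are assumptions.

```shell
#!/bin/sh
# Assumed input: pipe-separated rows "port|address|process name", e.g. from
#   SELECT lp.port, lp.address, p.name FROM listening_ports lp
#   JOIN processes p ON lp.pid = p.pid;
# run with: osqueryi --list --header=false

# Print listeners bound to a wildcard address, skipping port 0 and any
# process named in the comma-separated allowlist $1 (hypothetical parameter).
exposed_listeners() {
  awk -F'|' -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != 0 && !($3 in ok) && ($2 == "0.0.0.0" || $2 == "::") {
      print $1 "|" $2 "|" $3
    }
  '
}

# Same convention as the check: print 0 when nothing is exposed, otherwise 1.
open_ports_result() {
  count=$(exposed_listeners "$1" | wc -l | tr -d ' ')
  if [ "$count" -ge 1 ]; then echo 1; else echo 0; fi
}

# Constructed sample rows (not real osquery output).
SAMPLE_ROWS='5432|0.0.0.0|postgres
4040|127.0.0.1|ngrok
49152|0.0.0.0|rapportd
8080|::|httpd
0||launchd'

# Constructed rows for a machine with only loopback and allowlisted listeners.
CLEAN_ROWS='4040|127.0.0.1|ngrok
49152|0.0.0.0|rapportd'

printf '%s\n' "$SAMPLE_ROWS" | exposed_listeners rapportd   # offending rows
printf '%s\n' "$SAMPLE_ROWS" | open_ports_result rapportd   # check result
printf '%s\n' "$CLEAN_ROWS"  | open_ports_result rapportd   # check result
```

Printing the offending rows next to the 0/1 result shows which process tripped the check. The loopback-only row is not flagged in either sample, so a service published through a tunnel from 127.0.0.1 is outside what a listening-port check sees.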