inspec
On OSX, have to be root for port resource to work properly
When using the port resource on OSX, as a normal user, not all ports are detected.
Inspec version: 4.56.20
lsof version: 4.91
OSX version: 12.5 (Monterey)
Describe the problem
- Inspec chooses from one of several different commands to get a list of open ports.
- The available commands on my own OSX are `lsof` (inspec's default) and `netstat`.
- On OSX, `lsof` doesn't return a full port list unless running as root. It actually just returns ports owned by the current user.
In this example you will see that listening port 22 (ssh) is absent
richard@beastie ~/ inspec shell
You are currently running on:
Name: mac_os_x
Families: darwin, bsd, unix, os
Release: 21.6.0
Arch: arm64
inspec> port.where(protocol:/tcp.*/).entries
=> [#<struct port=49152, address="0.0.0.0", protocol="tcp", process="rapportd", pid=1032>,
#<struct port=49152, address="::", protocol="tcp6", process="rapportd", pid=1032>,
#<struct port=59866, address="0.0.0.0", protocol="tcp", process="LogiMgrDaemon", pid=3452>,
#<struct port=41951, address="127.0.0.1", protocol="tcp", process="DYMO.WebApi.Server", pid=3594>]
inspec>
Using netstat we can see that port 22 is in fact listening
richard@beastie ~/ netstat -an |grep LISTEN
tcp4 0 0 127.0.0.1.41951 *.* LISTEN
tcp4 0 0 *.59866 *.* LISTEN
tcp6 0 0 *.49152 *.* LISTEN
tcp4 0 0 *.49152 *.* LISTEN
tcp4 0 0 *.88 *.* LISTEN
tcp6 0 0 *.88 *.* LISTEN
tcp4 0 0 *.5900 *.* LISTEN
tcp6 0 0 *.5900 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
richard@beastie ~/
Using lsof as a normal user we get output that omits port 22
richard@beastie ~ lsof -nPi |grep LISTEN
rapportd 1032 richard 3u IPv4 0xe81267c924df9aa5 0t0 TCP *:49152 (LISTEN)
rapportd 1032 richard 4u IPv6 0xe81267c922cf8495 0t0 TCP *:49152 (LISTEN)
LogiMgrDa 3452 richard 4u IPv4 0xe81267c926a80575 0t0 TCP *:59866 (LISTEN)
DYMO.WebA 3594 richard 165u IPv4 0xe81267c926a77add 0t0 TCP 127.0.0.1:41951 (LISTEN)
richard@beastie ~
Using lsof as the root user we get output that includes port 22
richard@beastie ~ sudo lsof -nPi |grep LISTEN
launchd 1 root 8u IPv6 0xe81267c922cf6f95 0t0 TCP *:22 (LISTEN)
launchd 1 root 9u IPv4 0xe81267c924df7045 0t0 TCP *:22 (LISTEN)
launchd 1 root 11u IPv6 0xe81267c922cf6f95 0t0 TCP *:22 (LISTEN)
launchd 1 root 12u IPv4 0xe81267c924df7045 0t0 TCP *:22 (LISTEN)
launchd 1 root 16u IPv6 0xe81267c922cf7695 0t0 TCP *:5900 (LISTEN)
launchd 1 root 17u IPv4 0xe81267c924df7add 0t0 TCP *:5900 (LISTEN)
launchd 1 root 19u IPv6 0xe81267c922cf7695 0t0 TCP *:5900 (LISTEN)
launchd 1 root 20u IPv4 0xe81267c924df7add 0t0 TCP *:5900 (LISTEN)
rapportd 1032 richard 3u IPv4 0xe81267c924df9aa5 0t0 TCP *:49152 (LISTEN)
rapportd 1032 richard 4u IPv6 0xe81267c922cf8495 0t0 TCP *:49152 (LISTEN)
kdc 1074 root 5u IPv6 0xe81267c922cf6895 0t0 TCP *:88 (LISTEN)
kdc 1074 root 7u IPv4 0xe81267c924df65ad 0t0 TCP *:88 (LISTEN)
LogiMgrDa 3452 richard 4u IPv4 0xe81267c926a80575 0t0 TCP *:59866 (LISTEN)
DYMO.WebA 3594 richard 165u IPv4 0xe81267c926a77add 0t0 TCP 127.0.0.1:41951 (LISTEN)
richard@beastie ~
Possible Solutions
- Inspec uses a variety of commands to check for open ports so we could prefer `netstat` or `ss` over `lsof`.
- The `lsof` problem can be fixed by using `sudo`.
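The following is an added example, not code from InSpec or from this issue. It parses macOS `netstat -an` and `lsof -nPi` LISTEN lines into the same port/address/protocol shape the `port` resource returns, and reports listeners that `netstat` sees but the `lsof` run did not. The sample output is constructed from the line shapes shown above; a non-empty difference on a live host is the symptom described here (an unprivileged `lsof` only listing the caller's own sockets), so it is a cheap sanity check to run before trusting a port audit done as a normal user.

```ruby
# Added example (not InSpec's code): compare listening ports reported by
# `netstat -an` against those reported by `lsof -nPi` on macOS.

# Constructed sample output, following the line shapes in the issue.
NETSTAT_SAMPLE = <<~OUT
  tcp4       0      0  127.0.0.1.41951        *.*                    LISTEN
  tcp4       0      0  *.59866                *.*                    LISTEN
  tcp6       0      0  *.49152                *.*                    LISTEN
  tcp4       0      0  *.49152                *.*                    LISTEN
  tcp4       0      0  *.22                   *.*                    LISTEN
  tcp6       0      0  *.22                   *.*                    LISTEN
OUT

# Constructed: what an unprivileged lsof run shows (no root-owned sockets).
LSOF_SAMPLE = <<~OUT
  rapportd  1032 richard   3u  IPv4 0xe81267c924df9aa5      0t0  TCP *:49152 (LISTEN)
  rapportd  1032 richard   4u  IPv6 0xe81267c922cf8495      0t0  TCP *:49152 (LISTEN)
  LogiMgrDa 3452 richard   4u  IPv4 0xe81267c926a80575      0t0  TCP *:59866 (LISTEN)
  DYMO.WebA 3594 richard 165u  IPv4 0xe81267c926a77add      0t0  TCP 127.0.0.1:41951 (LISTEN)
OUT

# Same field names InSpec's port resource uses; process/pid are nil for netstat.
Port = Struct.new(:port, :address, :protocol, :process, :pid)

# netstat on macOS prints the local socket as "addr.port"; "*" means any address.
def parse_netstat(output)
  output.each_line.filter_map do |line|
    fields = line.split
    next unless fields.last == "LISTEN" && fields[0].start_with?("tcp")
    proto = fields[0] == "tcp6" ? "tcp6" : "tcp"
    addr, port = fields[3].rpartition(".").values_at(0, 2)
    addr = (proto == "tcp6" ? "::" : "0.0.0.0") if addr == "*"
    Port.new(port.to_i, addr, proto, nil, nil)
  end
end

# lsof -nPi columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (LISTEN)
def parse_lsof(output)
  output.each_line.filter_map do |line|
    fields = line.split
    next unless fields.last == "(LISTEN)" && fields[7] == "TCP"
    proto = fields[4] == "IPv6" ? "tcp6" : "tcp"
    addr, port = fields[8].rpartition(":").values_at(0, 2)
    addr = (proto == "tcp6" ? "::" : "0.0.0.0") if addr == "*"
    Port.new(port.to_i, addr, proto, fields[0], fields[1].to_i)
  end
end

# Listeners netstat reports that are absent from the lsof output
# (matched on port and protocol, since lsof may print the bound address differently).
def missing_from_lsof(netstat_out, lsof_out)
  seen = parse_lsof(lsof_out).map { |p| [p.port, p.protocol] }
  parse_netstat(netstat_out).reject { |p| seen.include?([p.port, p.protocol]) }
end

# True when the lsof view is incomplete, e.g. because lsof ran without root
# and therefore only listed sockets owned by the current user.
def lsof_view_incomplete?(netstat_out, lsof_out)
  !missing_from_lsof(netstat_out, lsof_out).empty?
end

missing_from_lsof(NETSTAT_SAMPLE, LSOF_SAMPLE).each do |p|
  puts "#{p.protocol} #{p.address}:#{p.port} is listening per netstat but absent from lsof"
end
```

On a real host, feed the two constants from the live commands (`netstat -an` and `lsof -nPi`) instead of the constructed samples; port 22 on both tcp and tcp6 is what the comparison flags for the output quoted in this issue.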