man lsof_ps
NAME
lsof_ps - use 'lsof -Pi' to get and parse open ports
SYNOPSIS
lsof_ps.ksh [-options]
DESCRIPTION
The lsof_ps.ksh script is distributed with uaxtools and is invoked by lsof_ports to
analyze open ports on a collection of systems, or can be used stand-alone on a
single system. The output of 'lsof -Pi' is merged with ps output and filtered for
documented acceptable open ports to produce a report of anomalies.
Many sites use external scans on a periodic (typically monthly) basis. While this
is not a bad idea, especially when implementing new systems, it is not very
effective. A monthly scan will likely only uncover a longer term problem. In addition,
most sites implement iptables rules that block external network queries beyond those
required for the node's purpose and related, established communications. This makes
external scans ineffective at identifying ports users may have inappropriately opened.
This script can easily be run daily or more frequently. Building the filter for a
system generally requires watching for a period of time and some understanding of
what users are doing. It typically only needs to be run on network facing nodes
unless a proxy service is being used for ipforward.
OPTIONS
-debug
debug info display.
-f file
lsof file name for reanalysis. By default, logs are in /var/local/lsof and a
new filename defaults to YYYYmmdd.HHMM.lsof.
-u filter
This filter is a ksh case statement sourced by lsof_ps.ksh. The distributed
default is /usr/local/adm/etc/lsof_ps.filter.
-quiet
do NOT show undefined userid:executable ports.
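The approach described above, sketched as an added example (not the distributed lsof_ps.ksh or lsof_ps.filter): constructed 'lsof -Pi' and 'ps -eo pid,args' samples are merged by PID, reduced to listening sockets, and checked against a case-statement allowlist. The function names, the user:executable:protocol:port key layout and all sample entries are assumptions; the syntax is POSIX sh, which ksh also accepts.

```shell
# Added illustration, not the distributed lsof_ps.ksh or lsof_ps.filter.
# Function names, key layout and all sample data are assumptions.
sample_lsof() {   # constructed 'lsof -Pi' output
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1023 root    3u  IPv4  18734      0t0  TCP *:22 (LISTEN)
sshd     1023 root    4u  IPv6  18736      0t0  TCP *:22 (LISTEN)
httpd    2210 apache  4u  IPv6  20311      0t0  TCP *:443 (LISTEN)
python3  8841 jdoe    5u  IPv4  99120      0t0  TCP *:8888 (LISTEN)
ntpd      950 ntp    16u  IPv4  17002      0t0  UDP *:123
sshd     9001 root    3u  IPv4  99500      0t0  TCP 10.0.0.5:22->10.0.0.9:51522 (ESTABLISHED)
EOF
}
sample_ps() {     # constructed 'ps -eo pid,args' output
cat <<'EOF'
  PID COMMAND
  950 /usr/sbin/ntpd -u ntp:ntp
 1023 /usr/sbin/sshd -D
 2210 /usr/sbin/httpd -DFOREGROUND
 8841 /usr/bin/python3 -m http.server 8888
EOF
}
# Merge ps into lsof by PID; keep TCP listeners and peerless UDP sockets only.
listen_keys() {
    { sample_ps; echo '--LSOF--'; sample_lsof; } | awk '
        $0 == "--LSOF--" { in_lsof = 1; next }
        !in_lsof         { exe[$1] = $2; next }   # pid -> executable path
        $1 == "COMMAND"  { next }                 # lsof header line
        $9 !~ /->/ && ($8 == "UDP" || $10 == "(LISTEN)") {
            n = split($9, a, ":")                 # port is the last field
            print $3 ":" (($2 in exe) ? exe[$2] : $1) ":" $8 ":" a[n]
        }' | sort -u
}
# Hypothetical site filter: documented acceptable ports return 0.
port_filter() {
    case "$1" in
        root:/usr/sbin/sshd:TCP:22)     return 0 ;;
        apache:/usr/sbin/httpd:TCP:443) return 0 ;;
        ntp:/usr/sbin/ntpd:UDP:123)     return 0 ;;
        *)                              return 1 ;;
    esac
}
# Report every listening key the filter does not document.
report_anomalies() {
    listen_keys | while read -r key; do
        port_filter "$key" || echo "UNDOCUMENTED $key"
    done
}

report_anomalies
```

Keying on the executable path from ps rather than the short lsof COMMAND column means a renamed or relocated binary listening on a documented port still falls through to the default branch.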
ACKNOWLEDGEMENTS
Written at the University of Alaska. Ongoing maintenance via SourceForge by Denali
Sun Consulting.
Suggestions or bug reports can be directed to denalisun907@gmail.com.
RELATED INFORMATION
See: uaxtools(8), lsof_ports(8), push(8).