AUDIT_PROCESS_ON_PORT
This check queries the process running on a given port. The check relies on the output of "netstat -ano" and "tasklist /svc" to determine which process is listening on which TCP/UDP port.
Usage
<custom_item>
type: AUDIT_PROCESS_ON_PORT
description: "Audit Process on Port"
value_type: [value_type]
value_data: [value]
port_type: [port_type]
port_no: [port_no]
port_option: [port_option]
check_type: CHECK_TYPE
</custom_item>
The allowed types are:
value_type: POLICY_TEXT
value_data: arbitrary string, e.g., "foo.exe"
port_type: TCP or UDP
port_no: port number, e.g., 80, 445
port_option: CAN_BE_CLOSED
Considerations:
- If port_option is set to CAN_BE_CLOSED, then the check returns a PASS result if the port is not open on the remote system; otherwise it generates an error.
- Windows 2000 and earlier do not support "netstat -ano", so this check only works against Windows XP and above.
Examples
The following example checks whether the process running on tcp port 5900 is either “vss.exe” or “vssrvc.exe”.
<custom_item>
type: AUDIT_PROCESS_ON_PORT
description: "Audit OPEN PORT SERVICE"
value_type: POLICY_TEXT
value_data: "vssrvc.exe" || "vss.exe"
port_type: TCP
port_no: "5900"
port_option: CAN_BE_CLOSED
</custom_item>
The following example is similar to the first, except that it demonstrates the use of check_type with CHECK_REGEX, so the process name is matched against a regular expression.
<custom_item>
type: AUDIT_PROCESS_ON_PORT
description: "Audit Process on Port - check_regex"
value_type: POLICY_TEXT
value_data: "foo.exe" || "vss.+"
port_type: TCP
port_no: "5900"
check_type: CHECK_REGEX
</custom_item>
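To make the mechanics concrete, the following added Python emulation (not Nessus code, and not part of this documentation) evaluates the two example items above: it maps ports to PIDs from "netstat -ano" output, maps PIDs to image names from "tasklist /svc" output, splits value_data on "||" into alternatives, and applies either exact or CHECK_REGEX matching together with the CAN_BE_CLOSED rule. The sample command output, the function names, the CHECK_EQUAL default, the case-insensitive comparison and the full-match regex semantics are assumptions.

```python
import re
# Constructed sample of "netstat -ano" output (not captured from a real host).
NETSTAT_OUTPUT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1528
  UDP    0.0.0.0:123            *:*                                    1100
"""
# Constructed sample of "tasklist /svc" output, matching the PIDs above.
TASKLIST_OUTPUT = """Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    904 RpcEptMapper, RpcSs
svchost.exe                   1100 W32Time
vssrvc.exe                    1528 vssrvc
"""

def listening_pids(netstat_text):
    """Map (proto, local port) -> PID from netstat -ano; the PID is the last column."""
    table = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            port = int(fields[1].rsplit(":", 1)[1])  # works for IPv4 and [IPv6] forms
            table[(fields[0], port)] = int(fields[-1])
    return table

def process_names(tasklist_text):
    """Map PID -> image name from tasklist /svc (header and ruler lines carry no PID)."""
    names = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)
        if m:
            names[int(m.group(2))] = m.group(1)
    return names

def audit_process_on_port(port_type, port_no, value_data, netstat_text, tasklist_text,
                          check_type="CHECK_EQUAL", can_be_closed=False):
    """Evaluate one AUDIT_PROCESS_ON_PORT item; returns (result, detail)."""
    pid = listening_pids(netstat_text).get((port_type, port_no))
    if pid is None:  # port not open: PASS only when port_option is CAN_BE_CLOSED
        return ("PASSED" if can_be_closed else "ERROR", "port not open")
    name = process_names(tasklist_text).get(pid, "")
    # value_data alternatives are joined with ||; the quotes around each are stripped.
    patterns = [p.strip().strip('"') for p in value_data.split("||")]
    if check_type == "CHECK_REGEX":  # assumption: full, case-insensitive regex match
        ok = any(re.fullmatch(p, name, re.IGNORECASE) for p in patterns)
    else:  # assumption: plain comparison is case-insensitive, like Windows file names
        ok = any(p.lower() == name.lower() for p in patterns)
    return ("PASSED" if ok else "FAILED", f"pid {pid} ({name}) on {port_type}/{port_no}")
```

Feeding the first example item (TCP 5900, CAN_BE_CLOSED) returns PASSED because PID 1528 resolves to vssrvc.exe, and the same item against a closed port returns PASSED only because CAN_BE_CLOSED is set.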