AUDIT_PROCESS_ON_PORT

This check queries the process running on a given port. The check relies on the output of “netstat -ano” and “tasklist /svc” to determine which process is running on which TCP/UDP port.

Usage

<custom_item>

type: AUDIT_PROCESS_ON_PORT

description: "Audit Process on Port"

value_type: [value_type]

value_data: [value]

port_type: [port_type]

port_no: [port_no]

port_option: [port_option]

check_type: CHECK_TYPE

</custom_item>

The allowed types are:

  • value_type: POLICY_TEXT
  • value_data: Arbitrary string, e.g., "foo.exe"
  • port_type: TCP or UDP
  • port_no: port number, e.g., 80, 445
  • port_option: CAN_BE_CLOSED

Considerations:

  • If port_option is set to CAN_BE_CLOSED, the check returns a PASS result if the port is not open on the remote system; otherwise it generates an error.
  • Windows 2000 and earlier do not support “netstat -ano”, so this check only works against Windows XP and above.

Examples

The following example checks whether the process running on TCP port 5900 is either “vss.exe” or “vssrvc.exe”.

<custom_item>

type: AUDIT_PROCESS_ON_PORT

description: "Audit OPEN PORT SERVICE"

value_type: POLICY_TEXT

value_data: "vssrvc.exe" || "vss.exe"

port_type: TCP

port_no: "5900"

port_option: CAN_BE_CLOSED

</custom_item>

The following example is similar to the first example, except that this example demonstrates use of check_type.

<custom_item>

type: AUDIT_PROCESS_ON_PORT

description: "Audit Process on Port - check_regex"

value_type: POLICY_TEXT

value_data: "foo.exe" || "vss.+"

port_type: TCP

port_no: "5900"

check_type: CHECK_REGEX

</custom_item>
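The following Python example is added here for illustration and is not Tenable's implementation: it correlates constructed “netstat -ano” and “tasklist /svc” output to resolve the process on a port and evaluates it the way the two audit items above describe. The function names, the LISTENING-only filter for TCP, and the case-insensitive whole-name match are assumptions of this example.

```python
import re
# Constructed sample output, not captured from a real host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2140
  TCP    10.0.0.5:49712         10.0.0.9:5900          ESTABLISHED     4312
  UDP    0.0.0.0:500            *:*                                    1032
"""
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1032 IKEEXT
vssrvc.exe                    2140 VSSrvc
"""

def pids_on_port(netstat, proto, port):
    """PIDs bound to the local proto/port; TCP counts LISTENING rows only (assumption)."""
    pids = set()
    for f in map(str.split, netstat.splitlines()):
        if len(f) < 4 or f[0] != proto or not f[-1].isdigit():
            continue
        if proto == "TCP" and f[3] != "LISTENING":
            continue
        if f[1].rsplit(":", 1)[-1] == str(port):  # local address column only
            pids.add(int(f[-1]))
    return pids

def image_by_pid(tasklist):
    """PID -> image name; the '====' ruler gives the image column width."""
    lines = tasklist.splitlines()
    ruler = next(n for n, l in enumerate(lines) if l.startswith("="))
    width = len(lines[ruler].split()[0])
    table = {}
    for l in lines[ruler + 1:]:
        rest = l[width:].split()  # image names may contain spaces, so slice first
        if rest and rest[0].isdigit():
            table[int(rest[0])] = l[:width].strip()
    return table

def audit(netstat, tasklist, proto, port, allowed, regex=False, can_be_closed=False):
    """Closed port is PASS only with CAN_BE_CLOSED (this example's reading of the page)."""
    pids = pids_on_port(netstat, proto, port)
    if not pids:
        return "PASS" if can_be_closed else "ERROR"
    images = image_by_pid(tasklist)
    def ok(name):  # assumption: case-insensitive, whole-name match
        return any(re.fullmatch(a if regex else re.escape(a), name, re.I) for a in allowed)
    return "PASS" if all(ok(images.get(p, "")) for p in pids) else "FAIL"
```

Here “allowed” holds the alternatives that value_data separates with “||”, and regex=True corresponds to check_type: CHECK_REGEX.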

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.