Wednesday, October 10, 2007

Security assessments of Solaris systems

One of the banes of our lives whilst doing vulnerability assessments of Solaris has been finding which process owns a given listening TCP port. On Linux this is easy to establish with 'netstat -p', but Solaris has always called for the additional lsof package to help out. You could always mess about with pfiles (running it against every PID and searching the output for the port) to find the answer, but now somebody has kindly written a wrapper around it and created pcp.

Here's a quick example...


root@web ~ # netstat -an | grep LISTEN
88.111.12.111.80 *.* 0 0 49152 0 LISTEN
127.0.0.1.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
88.111.12.111.22 *.* 0 0 49152 0 LISTEN


During our assessment we spot the open port 587, and we're a little unsure about it. So we run pcp with the '-p' switch and the port number...


root@web ~ # pcp -p 587
PID Process Name and Port
_________________________________________________________
853 /usr/lib/sendmail 587
sockname: AF_INET 127.0.0.1 port: 587
_________________________________________________________
Et voila! It's sendmail with a process ID of 853. So simple.

pcp is a great tool to establish what process owns a listening port, and makes assessing Solaris systems considerably easier!
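For those who want to see what pcp is doing under the hood, here is an added example (my own script, not the pcp tool or its code) of the pfiles approach in plain POSIX sh: it walks /proc, runs pfiles on each PID and reports any process whose socket is bound to the requested port, printing "PID command port" much like pcp does. It assumes Solaris /proc and pfiles(1) output containing lines of the form "sockname: AF_INET 127.0.0.1  port: 587" (the format shown above); the embedded SAMPLE_PFILES text is a constructed pfiles-style dump so the parser can be exercised on a non-Solaris box.

```shell
#!/bin/sh
# Minimal pfiles-based "which PID owns this port" lookup, in the spirit of pcp.
# Assumptions: Solaris /proc layout, pfiles(1) available, and sockname lines of
# the form "sockname: AF_INET 127.0.0.1  port: 587" (AF_INET6 is matched too).
# Needs enough privilege to read other users' processes (normally root).

# report_port_owner PORT  (pfiles output on stdin)
# Prints "PID command PORT" once if a socket bound to PORT is found and exits 0,
# otherwise prints nothing and exits 1. The PID and command come from the
# first line of pfiles output ("853:  /usr/lib/sendmail ...").
report_port_owner() {
    awk -v port="$1" '
        NR == 1 { pid = $1; sub(/:$/, "", pid); cmd = $2 }
        /sockname: AF_INET/ && $NF == port && !found {
            print pid, cmd, port
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# port_owner PORT
# Scans every process in /proc (Solaris only) and reports each one whose
# pfiles output shows a socket bound to PORT.
port_owner() {
    port="$1"
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        # Processes that vanish or that we cannot inspect are skipped quietly.
        pfiles "$pid" 2>/dev/null | report_port_owner "$port" || true
    done
}

# Constructed pfiles-style dump (not captured from a real host) used to
# demonstrate the parser offline; only the sockname line format matters.
SAMPLE_PFILES='853:	/usr/lib/sendmail -Ac -q15m
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0666 dev:270,0 ino:6815752 uid:0 gid:3 rdev:13,2
      O_RDONLY|O_LARGEFILE
      /devices/pseudo/mm@0:null
   5: S_IFSOCK mode:0666 dev:276,0 ino:39463 uid:0 gid:0 size:0
      O_RDWR|O_NONBLOCK
        SOCK_STREAM
        SO_REUSEADDR,SO_KEEPALIVE
        sockname: AF_INET 127.0.0.1  port: 587'

# demo_lookup PORT : run the parser over the constructed sample only.
demo_lookup() {
    printf '%s\n' "$SAMPLE_PFILES" | report_port_owner "$1"
}

# Run as a script on a Solaris host:  ./port_owner.sh 587
if [ $# -gt 0 ]; then
    port_owner "$1"
fi
```

On a real Solaris box `port_owner 587` does the full /proc walk; `demo_lookup 587` only exercises the parser against the constructed sample and prints `853 /usr/lib/sendmail 587`, while `demo_lookup 25` prints nothing and exits 1 because the sample has no socket on port 25.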
