:: Re: [DNG] Tiger is being confusing.
From: onefang
Date:
To: dng
Subject: Re: [DNG] Tiger is being confusing.
On 2023-02-07 18:50:24, Antoine wrote:
> On Tuesday, 7 February at 16:37, onefang wrote:
> > I've been trying out the tiger security tool for some time. So far I've
> > disabled one of its checks coz it was all bogus.
> >
> > Now I'm looking at its lin003w listening processes checker. I get
> > emails full of lines like this -
> >
> > NEW: --WARN-- [lin003w] The process `muse4' is listening on socket 4844092 (IPv4 on 4844092 interface) is run by 87260.
> >
> > Yep, I'm running MusE. I thought the "socket" was a port number, but
> > that's way too high to be a port number. I don't have any interfaces with
> > numbers like that. The number at the end should be a user, but again
> > isn't that way too high for user ID?
>
> Network connection ports are sockets, yes, but *nices can also have sockets
> as files (run "ss -x" to see which ones are open on your system, and "ss
> -lx" to see the listening ones).


I didn't know about the ss command, thanks. It's not showing anything
like the numbers in the tiger output, but I'll have to wait for the next
tiger email and check again.

> On my system, they're mostly in the 20000 range, but if those are inode
> numbers, they could vary a good deal on different systems.
>
> There are several inode-related settings in /proc/sys/fs, but I admit I
> don't know exactly what each one means. You'd need to ask more knowledgeable
> people on this list.
>
> >
> > The socket number always matches the interface number, and changes often,
> > the number at the end always changes, there'll be heaps of these lines in
> > any given email, and other processes mentioned as well. Rarely my actual
> > user name is listed at the end. The specific processes do indeed have
> > IPv4 ports open, one is MariaDB listening to localhost on the usual MySQL
> > port, one is an OpenSim viewer that is connected to my OpenSim server. Not
> > sure why MusE has a UDP port 0.0.0.0 listed, but it is connected to JACK,
> > and I have no idea if that involves UDP.
> >
> > Can't find anything on the web with those too high numbers or numeric
> > users. Is this yet more bogus tiger reports? Is tiger any good? What
> > are the good alternatives?


--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
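
An added example, not part of the original thread and not Tiger's own code: assuming, as Antoine suggests, that the numbers in the lin003w warning are socket inodes, this Python script looks an inode up in the /proc/net/tcp and /proc/net/udp tables to recover the local address, port and owning UID. The table rows and the UID in them are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not real output from the thread).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 4844092 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20311 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(field):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_table(text):
    """Map socket inode -> (local ip, local port, owner uid, state) for one table."""
    table = {}
    for line in text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10:                     # ignore short or blank lines
            continue
        ip, port = decode_addr(f[1])
        table[int(f[9])] = (ip, port, int(f[7]), f[3])
    return table

def lookup(inode, tables):
    """Return (table name, ip, port, uid, state) for inode, or None if absent."""
    for name, text in tables.items():
        hit = parse_table(text).get(inode)
        if hit:
            return (name,) + hit
    return None

def read_live(names=("tcp", "udp")):
    """Read the IPv4 socket tables from /proc/net on a Linux host."""
    out = {}
    for n in names:
        with open("/proc/net/" + n) as fh:
            out[n] = fh.read()
    return out

if __name__ == "__main__":
    # State 0A is LISTEN; on a live system use lookup(inode, read_live()).
    print(lookup(4844092, {"tcp": SAMPLE_TCP}))
```

Socket inodes are reused as sockets open and close, so a number from an old report may no longer appear in the live tables.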