check_scan.sh

an unofficial nmap scanner plugin for nagios that I wrote to satisfy my own needs.

Here's what it does:

  1. On the initial scan, it creates a baseline scan for future comparison.

  2. On each subsequent check, it compares the new scan against the baseline.

  3. Changes are reported in “warning” status, showing the open port.

  4. check_scan.sh does a “TCP connect scan”, so it doesn't have to run as root.

Screen shots of nagios, check_scan.sh as a service:

Scan check OK







To use

Just copy everything between the dotted lines, then paste the text into an empty

text file that you can modify to work as a shell script. My nagios plugins are

owned by root.root and located in the /usr/lib/nagios/plugins directory, so that's

where I put it, doing a “chown root.root” then “chmod 755” like all the other plugins.

If you don't know how to use nagios, RTFM (no offense intended), but the

“quick-n-dirty” instructions are:

  1. Once you've got the script in the plugin path (such as /usr/lib/nagios/plugins)

  2. And, it has the proper ownership and permissions (chown root.root, chmod 755)

  3. add to checkcommand.cfg: command[check_scan]=$USER1$/check_scan.sh -H $HOSTADDRESS$

    (if you get an error with that syntax, copy the below “define command” format)

  4. or, for Debian Sarge (like me), in /etc/nagios-plugins/config create a file (such as scan.cfg) with the

    following information ( i just copied ftp.cfg and changed that):

    define command{

      command_name check_scan

      command_line /usr/lib/nagios/plugins/check_scan.sh -H $HOSTADDRESS$

      }

  5. edit /etc/nagios/service.cfg (sample):

    define service{

      use generic-service

      host_name galveston

      service_description SCAN

      is_volatile 0

      check_period 24x7

      max_check_attempts 3

      normal_check_interval 5

      retry_check_interval 1

      contact_groups security

      notification_interval 240

      notification_period 24x7

      notification_options c,r

      check_command check_scan

      }

Once all that is done, you should be able to do an “/etc/init.d/nagios reload”

It works for me. Your mileage may vary. :) Yes, I know the code isn't

fancy, and it's not the official plugin format, and may cause cancer in

rats. If that concerns you, fix it, don't use it, whatever.


If you find any errors, or have any suggestions, please email me at:

mark AT altsec.info


And, please please please support nagios, nmap, and the other fine

open source people out there. It's a GNU day dawning.

P.S. Did I mention that this has been tested only on Linux?



The body of check_scan.sh

(copy it, or save this link)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#!/bin/sh # check_scan.sh
# works as a nagios plugin to do an nmap scan of a system
# The difference between this script and what I've seen elsewhere
# is check_scan.sh provides a baseline of scan data for comparison.
#
# Copyright (C) 2005 Mark Stingley
# mark AT altsec.info
#
# If you need help with your security or systems administration,
# see http://www.altsec.info
#
# Dependencies: nmap, nagios, linux
#
# README: (1) check the variables below in the section named
# SET THESE VARIABLES. Also, verify the path for
# the GNU/Linux utilities referenced
# (2) the other requirement is a directory that the
# nagios user can write to. I used /etc/nagios,
# since the directories created there contain
# baseline nmap scan data
# (3) the scan files are kept in /etc/nagios/scancheck
# in the scans directory. The last scan is simply
# named by the ip address of the host, such as:
# 192.168.25.3. The baseline scan for that host
# would be 192.168.25.3.base
# (4) to modify the baseline and eliminate warnings
# about ports, edit the scan file IP-address.base
# in /etc/nagios/scancheck/scans. Just be sure
# that the data is a default "sort", or comparison
# won't work. The alternative is to simply cat
# the last scan file to the baseline, such as:
# cat #.#.#.# > #.#.#.#.base
#
# Installation: simply copy this script to your plugin directory,
# make sure it is executable and has the proper
# ownership
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# See http://www.gnu.org/licenses/licenses.html#GPL or write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA
#
# Changelog:
# 20051011 revised from a 2004 script "scancheck.sh"
#
# ToDo:
# 1. rewrite in perl or C
# 2. incorporate exclusion lists
# 3. incorporate critical port lists
#
# - - - - - - - - SET THESE VARIABLES - - - - - - - - - - - -
BASEDIR=/etc/nagios/scancheck #where to keep everything
#must be nagios user writable
NMAPPATH=/usr/bin #where is nmap
#------------------------------------------------------------

#note... to run manually, you have to supply a dummy
#argument 1, since the ip address is arg2

IP=$2

if [ ! "$IP" ]; then

  echo "No IP address supplied"
  exit 0

fi


SCANDIR=$BASEDIR/scans
FILEDIR=$BASEDIR/files
CHANGED=0
INITIAL=0


if [ ! -d $BASEDIR ]; then

  mkdir $BASEDIR

fi


if [ ! -d $SCANDIR ]; then

  mkdir $SCANDIR

fi

if [ ! -d $FILEDIR ]; then

  mkdir $FILEDIR

fi


if [ ! -f $SCANDIR/$IP.base ]; then

  touch $SCANDIR/$IP.base
  INITIAL=1

fi

SCANTIME=`/bin/date +%Y%m%d-%H%M`

/usr/bin/nmap -sT -P0 $IP | /bin/grep -w open | \
/usr/bin/sort > $SCANDIR/$IP

DIFF=`/usr/bin/comm -23 $SCANDIR/$IP $SCANDIR/$IP.base`

if [ "$DIFF" ]; then

  CHANGED=1
  DIFFSTR=`echo "$DIFF" | /usr/bin/awk '{print $1}' | \
    /usr/bin/paste -s -d " " -`

fi

if [ $INITIAL -eq 1 ]; then

  /bin/cat $SCANDIR/$IP > $SCANDIR/$IP.base
  echo "Initial scan"
  exit 0

fi

if [ $CHANGED -eq 1 ]; then

  echo "Scan $SCANTIME: NEW $DIFFSTR"
  exit 1

else

  echo "$SCANTIME: no change"
  exit 0

fi

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



Copyright © 2005 Mark Stingley