WHMXtra - Making Life Easier

Network Socket Inode Validation

Network Socket Inode Validation (NSIV) is a rule-based utility that validates inodes against each LISTEN socket on a system. It exists because rogue binaries can easily hijack a user, program privileges, or workspace, and use that access to kill the old service and execute a new service on the known port they crashed. The best-known example of this trend is content uploaded to a 'tmp' path via PHP remote include exploits, which is executed, crashes the web server and starts a rogue httpd process, and other such items.

The execution cycle of NSIV is very simple. First it determines the running process ID of your binary, followed by the trusted inode (the one associated with the BIN variable). Then the PORT value is used to check that the binary holding that port open actually references back to the trusted inode. If it does not, we assume the service has been hijacked, and the PID is killed / RST executed, with an optional e-mail alert dispatched.

Currently only httpd, httpd ssl and named are monitored, although you can add more if you are familiar with this program. A cron.d entry will also be added at /etc/cron.d/nsiv, set to run it once every few minutes. Use the Edit Config link if you wish to change the default email address that alerts are sent to (currently "root"). Ignore the port 53 error; that can happen if you used NSD instead of BIND.
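The check described above, sketched as an added example (this is not NSIV's own code). It assumes the Linux /proc layout and IPv4 listeners only; the function names and the SAMPLE_TCP table are constructed for illustration, and it only reports suspect PIDs rather than killing them.

```python
import os

# Constructed sample in /proc/net/tcp layout: one listener on port 80 (0x0050).
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 48213 1 0 100 0 0 10 0\n"
    "   1: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 48999 1 0 20 4 30 10 -1\n"
)

def listen_socket_inodes(tcp_table, port):
    """Socket inodes of entries in state 0A (LISTEN) bound to `port`."""
    found = set()
    for line in tcp_table.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) > 9 and f[3] == "0A" and int(f[1].rsplit(":", 1)[1], 16) == port:
            found.add(f[9])
    return found

def socket_owners(sock_inodes, proc_root="/proc"):
    """PIDs holding an fd that points at one of the given socket inodes."""
    pids = set()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited or fd table not readable
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue  # fd closed while we were scanning
            if target.startswith("socket:[") and target[8:-1] in sock_inodes:
                pids.add(int(pid))
    return pids

def untrusted_listeners(port, trusted_bin, tcp_table, proc_root="/proc"):
    """PIDs listening on `port` whose executable is not `trusted_bin`'s inode."""
    want = os.stat(trusted_bin)
    bad = []
    for pid in sorted(socket_owners(listen_socket_inodes(tcp_table, port), proc_root)):
        try:
            exe = os.stat(os.path.join(proc_root, str(pid), "exe"))
            ok = (exe.st_dev, exe.st_ino) == (want.st_dev, want.st_ino)
        except OSError:
            ok = False  # exe link unreadable: cannot prove it is trusted
        if not ok:
            bad.append(pid)
    return bad
```

On a live host, pass the contents of /proc/net/tcp as `tcp_table` and run as root so every process's fd table and exe link are readable.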

