You can achieve this with a simple bash script and some XSLT processing of nmap's output.
Let's say you put the list of allowed ports in the format you presented in /usr/local/etc/check-ports.conf
.
You can create a bash script (/usr/local/bin/check-ports
), which will call nmap <host> --excluded-ports <port_list>
for each line in your list:
#!/bin/bash
STYLESHEET=/usr/local/share/check-ports/nmap.xslt
cat /usr/local/etc/check-ports.conf |
while IFS=";" read -a line; do
options="-oX -"
if [ "${line[1]}" != "" ]; then
options="$options --exclude-ports ${line[1]}"
fi
/usr/bin/nmap $options ${line[0]} |
/usr/bin/xsltproc --stringparam expected "${line[1]}" $STYLESHEET -
done
and you put a simple XSLT stylesheet in /usr/local/share/check-ports/nmap.xslt
:
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:param name="expected"/>
<xsl:output method="text" />
<xsl:template match="/"><xsl:apply-templates select="//host" /></xsl:template>
<xsl:template match="host">
<xsl:apply-templates select="//port">
<xsl:with-param name="host" select="address/@addr" />
</xsl:apply-templates>
</xsl:template>
<xsl:template match="port[state/@state = 'open']">
<xsl:param name="host" />Alert: Found forbidden open port(s) on <xsl:value-of select="$host" />: <xsl:value-of select="@portid"/> (expected: <xsl:value-of select="$expected" />)
</xsl:template>
</xsl:stylesheet>
to transform nmap's XML output:
<nmaprun ...
<host starttime="1580679113" endtime="1580679113">
<address addr="127.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22">
<state state="open" reason="syn-ack" reason_ttl="0"/>
<service name="ssh" method="table" conf="3"/>
</port>
...
into the output you gave in the question.