Port Drift Detector
A read-only Bash toolkit that inventories every listening TCP/UDP port on a Linux host, maps it to the owning process and unit, diffs against an expected baseline you declare once, and flags silent drift — new listeners, moved ports, processes that used to bind 127.0.0.1 but now bind 0.0.0.0, unit files whose ExecStart changed. Runs nightly, diffs visibly. Catches the 'who opened 8080?' question before the pen-tester does.
What's Inside
- 📦 port-drift-detector.sh — Main scanner: maps every listener to PID, process name, and systemd unit; writes a normalized snapshot
- 📦 baseline-check.sh — Diff engine: flags NEW, WIDEN, MOVED, and GONE drift in severity order; exits non-zero on any finding
- 📦 baseline.conf — Human-editable expected-state declaration with commented examples for 10 common services
- 📦 install.sh — Idempotent installer: creates log directory, drops logrotate config, installs nightly cron job; includes --uninstall
- 📦 port-drift-logrotate.conf — Daily log rotation, 30-day retention, compressed; ready for /etc/logrotate.d/
- 📦 runbook.md — Full operator runbook: baseline capture, all four alert types, remediation steps, FAQ (IPv6, alerting, busybox)
- 📦 README.md — Quick start, baseline format explanation, architecture diagram, companion product notes
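To show what the diff engine described above (NEW, WIDEN, MOVED, GONE, with a non-zero exit on any finding) actually has to decide, here is an added example written for this page; it is not one of the toolkit's scripts. The record format, the sample baseline and the sample snapshot are constructed assumptions, not the product's real file formats.

```shell
#!/bin/sh
# Assumed record format (constructed, not the toolkit's own): "proto bind_addr port process".
BASELINE='tcp 0.0.0.0 22 sshd
tcp 127.0.0.1 5432 postgres
tcp 127.0.0.1 6379 redis-server
udp 0.0.0.0 123 chronyd'
SNAPSHOT='tcp 0.0.0.0 22 sshd
tcp 0.0.0.0 5432 postgres
tcp 127.0.0.1 6380 redis-server
tcp 0.0.0.0 8080 python3'

# Bind scope rank: loopback (0) < one interface address (1) < all interfaces (2).
scope_rank() {
  case "$1" in 127.0.0.1|::1) echo 0 ;; 0.0.0.0|::|'*') echo 2 ;; *) echo 1 ;; esac
}

# lookup RECORDS PROTO PROCESS: prints "bind_addr port" of the first match, if any.
lookup() {
  printf '%s\n' "$1" | awk -v p="$2" -v n="$3" '$1==p && $4==n {print $2, $3; exit}'
}

# classify_drift BASELINE SNAPSHOT: prints "SEVERITY proto port process detail"
# lines in the order NEW, WIDEN, MOVED, GONE; returns 1 when anything drifted.
classify_drift() {
  new='' widen='' moved='' gone='' nl='
'
  while read -r proto addr port proc; do      # every current listener
    [ -n "$proto" ] || continue
    hit=$(lookup "$1" "$proto" "$proc")
    if [ -z "$hit" ]; then
      new="${new}NEW $proto $port $proc unexpected listener on $addr$nl"
    elif [ "$port" != "${hit#* }" ]; then
      moved="${moved}MOVED $proto $port $proc was on port ${hit#* }$nl"
    elif [ "$(scope_rank "$addr")" -gt "$(scope_rank "${hit% *}")" ]; then
      widen="${widen}WIDEN $proto $port $proc bind ${hit% *} -> $addr$nl"
    fi
  done <<EOF
$2
EOF
  while read -r proto addr port proc; do      # every expected listener
    [ -n "$proto" ] && [ -z "$(lookup "$2" "$proto" "$proc")" ] &&
      gone="${gone}GONE $proto $port $proc no longer listening$nl"
  done <<EOF
$1
EOF
  printf '%s' "$new$widen$moved$gone"
  [ -z "$new$widen$moved$gone" ]   # exit status doubles as the cron alarm
}

classify_drift "$BASELINE" "$SNAPSHOT" || echo "drift found, exit status $?"
```

With the constructed data this reports one finding of each class; a snapshot identical to the baseline prints nothing and exits 0.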
One-time purchase