Some applications (XFree86, bin...) open up UDP sockets when making outbound communications. It is not clear if these sockets can be used to comunication back to the application (it seems it's not possible to do so) however the way 'check_listentingprocs' determines open sockets/ports makes (what looks like) some false positives constantly appear related to UDP ports. Like this: From: Tiger automatic auditor at XXXXX Date: 14 Nov 2002 17:00:09 -0000 Cc: recipient list not shown: ; Subject: Tiger Auditing Report for XXXXX # Checking listening processes OLD: --WARN-- [lin003w] The process `XFree86' is listening on socket 1042 (UDP on every interface) is run by root. #else /* TIGERCHANGES */ OLD: --WARN-- [lin003w] The process `XFree86' is listening on socket 1064 (UDP on every interface) is run by root. If this is a false positive it should be plugged out the script. Javi