
Session 212

Auditing Your Unix and Linux Operating Systems

Tuesday, May 8, 2012
8:30 AM - 10:00 AM

Mike Schiller
Director of Sales & Marketing IT, Texas Instruments
Co-Author, IT Auditing: Using Controls to Protect Information Assets
SPEAKER BIOGRAPHY
Mike Schiller, CISA, is the director of global server, database, and storage
infrastructure at Texas Instruments (TI) and is the co-author of IT
Auditing: Using Controls to Protect Information Assets (2011, McGraw-Hill).
He has more than 15 years of experience in the IT audit field,
including as the worldwide IT audit manager at TI and as the IT audit
manager at Sabre. He is an active speaker on IT auditing, including
conferences such as CACS, InfoSec World, and ASUG, and has been an
instructor of IT audit curriculum at Southern Methodist University.
Schiller has held numerous IT leadership positions at TI, including as the
director of user support, data centers, and asset management and
manager of support for TI's web applications and infrastructure.
Agenda

The Basics
Account Management and Password Controls
File Security and Controls
Network Security and Controls
Audit Logs
Security Monitoring and General Controls
Tools
The Basics

Why Audit Your Operating System?

[Figure: copyright 2011 The McGraw-Hill Companies]
Unix Variants (examples)

Sun Solaris
HP-UX
SCO Unix
AIX
IRIX

Linux Variants (examples)

Red Hat
Debian
SUSE
Gentoo
Ubuntu

Note: commands in this presentation are Solaris and Red Hat but should work with most variants
Key Concepts

Everything in Unix is a file
The root of the file system is /
Everything else branches off from the root
root account = admin / super-user
If you can alter a file that someone is executing, you can easily capture his/her account
File System Permissions

Every file and directory has permissions specified for:
Owner
Group
World (Other)

Three types of access are available:
Read (assigned a value of 4)
Write (assigned a value of 2)
Execute (assigned a value of 1)
File System Permissions

Example: If permissions on a file or directory are displayed as
rwxr-xr--
This means that the file's owner has read, write, and execute permissions on the file, the file's group has read and execute permissions, and everyone else has read permissions.
This can also be described as 754 (rwx=7, r-x=5, r--=4).

Example: If permissions on a file or directory are displayed as
rw-r-----
This means that the file's owner has read and write permissions on the file, the file's group has read permissions, and everyone else has no permissions.
This can also be described as 640 (rw-=6, r--=4, ---=0).
File permissions example

> ls -l /usr/bin
total 20180
-r-xr-xr-x 1 bin sys 33600 Jul 26 2008 acctcom
-rwxrwxrwx 1 bin sys 122116 May 2 2006 adb
-r-xr-xr-x 1 bin mail 9076 May 2 2006 addbib
-r-s--x--x 1 root sys 335784 Jul 26 2008 admintool
-r-xr-xr-x 17 bin sys 131 May 2 2006 alias
-r-xr-xr-x 1 bin sys 15068 May 2 2006 aliasadm
-rwxr-xr-x 1 bin sys 17228 Apr 25 2006 apm
dr-xr-xr-x 4 root sys 21984 May 2 2006 apropos
-r-xr-xr-x 1 bin go 944 May 2 2006 arch
-r-xr-xr-x 1 bin rangers 5232 May 2 2006 asa
Interaction between file and directory permissions

File         Directory permissions
permissions  -              r              x                     wx
-            No access      No access      No access             Delete file
r            No access      No access      Read data             Delete file or read data
w            No access      No access      Add to or clear data  Delete file or add to or clear data
rw           No access      No access      Update data           Delete file or update data
x            Can't execute  Can't execute  Execute               Delete file or execute
File System Permissions Quiz

If a file has permissions set to 651, what access does it grant to the owner? The group? The world?

How would a file with open permissions (rwxrwxrwx) be displayed numerically?

You have read access to a file and full access to the directory in which it resides. What access will you have to the file?
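An added example (not from the presentation) that converts between the symbolic and numeric notations the quiz asks about, including the s and t bits that ls -l shows on SUID/SGID files (rwsr-sr-x) and sticky directories (drwxrwxrwt); the function names are this example's own:

```shell
#!/bin/sh
# Added example, not from the presentation: symbolic <-> numeric permission
# notation, including the SUID/SGID (s) and sticky (t) bits.

# One octal digit -> its rwx triple
triple() {
    case $1 in
        0) printf '%s' '---' ;; 1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
    esac
}

# Put a special bit into the x slot of a triple: lower case when execute is
# also set (rws), upper case when it is not (rwS), exactly as ls -l shows it.
with_special() {   # $1 = triple, $2 = 0 or non-zero, $3 = letter (s or t)
    if [ "$2" -eq 0 ]; then
        printf '%s' "$1"
    elif [ "${1#??}" = x ]; then
        printf '%s%s' "${1%?}" "$3"
    else
        printf '%s%s' "${1%?}" "$(printf '%s' "$3" | tr 'st' 'ST')"
    fi
}

# 754 -> rwxr-xr--, 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt
mode_to_symbolic() {
    case ${#1} in
        3) special=0;        perms=$1 ;;
        4) special=${1%???}; perms=${1#?} ;;
        *) echo "usage: mode_to_symbolic NNN|NNNN" >&2; return 1 ;;
    esac
    o=$(triple "${perms%??}"); rest=${perms#?}
    g=$(triple "${rest%?}");   w=$(triple "${rest#?}")
    printf '%s%s%s\n' \
        "$(with_special "$o" $((special & 4)) s)" \
        "$(with_special "$g" $((special & 2)) s)" \
        "$(with_special "$w" $((special & 1)) t)"
}

# Value of one triple; s or t in the x slot counts as execute only in lower case
triple_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    printf '%s' "$v"
}
special_value() { case $1 in ??[sStT]) printf '%s' "$2" ;; *) printf 0 ;; esac; }

# rwxr-xr-- -> 754, -rwsr-sr-x -> 6755 (a leading ls -l type character is ignored)
symbolic_to_mode() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi
    o=${s%??????}; rest=${s#???}; g=${rest%???}; w=${rest#???}
    sp=$(( $(special_value "$o" 4) + $(special_value "$g" 2) + $(special_value "$w" 1) ))
    if [ "$sp" -eq 0 ]; then sp=""; fi
    printf '%s%s%s%s\n' "$sp" "$(triple_value "$o")" "$(triple_value "$g")" "$(triple_value "$w")"
}

for m in 754 640 4755 6755 1777; do printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"; done
```

Feed the quiz values (651, rwxrwxrwx) to the two functions to check your answers.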
/etc/passwd file

Contains information on the system's users
Format:
account:password:UID:GID:GECOS:directory:shell
Account - Name representing the user to the system (the name used when logging in).
Password - Encrypted password (but note that it may be kept in /etc/shadow instead).
UID - Numeric user ID
GID - Numeric group ID for the user's primary group
GECOS - Optional field used to store arbitrary additional information about the account. It often contains the real name and/or employee ID of the user.
Directory - Location of the user's home directory
Shell - User's default shell. The shell is the command line environment that interprets commands and passes them to the kernel.
Be aware of centralized account management mechanisms (e.g. NIS, NIS+, LDAP)
/etc/passwd file example
> more /etc/passwd
root:x:0:1:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
sp1adm:x:228:500:SP1 R3 Admin. ID, SAP, 292-4283:/home/sp1adm:/bin/ksh
orasp1:x:229:250:SP1 R3 Oracle ID, SAP, 292-4243:/oracle/SP1:/bin/ksh
iss:x:2000:2000::/home/iss:/bin/ksh
camgr:x:6201:6200:camgr id for ca unicenter:/etc/admin/ca:/bin/csh
z485804:x:9601:9600:mike schiller, internal audits:/home/z485794:/bin/ksh
Password File Quiz

You have the following entry in the /etc/passwd file:
bruth:x:3:714:George Herman Ruth:/home/yankeestadium:/bin/bash

What is this user's account name?
Where is this user's home directory located?
What is this user's User ID?
Where is this user's shell located?
What is this user's Group ID?
What is this user's career home run total?
/etc/shadow file

Contains password information
Format:
account:password:lastchange:min:max:warn:inactive:expired:reserved
Account - Name representing the user to the system
Password - Encrypted password.
Lastchange - Number of days since the password was changed
Min - Minimum number of days allowed between password changes.
Max - Maximum number of days allowed between password changes.
Warn - Number of days before Max at which point the user will be warned that they need to change their password.
Inactive - Number of days of inactivity after which the user's account will be disabled
Expired - Number of days that the account has been disabled.
Reserved - An extra field that is not used.
/etc/shadow file example
> more /etc/shadow
root:uZr2N9hRN0MvQ:10::49::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
sp1adm:Rg2Hrntfnn4KQ:13::49::::
orasp1:NmHRn5qLgMQGI:11:0:49::::
iss:VxZfhrM8qeT.g:10:7:49:7:180::
camgr:M1HrN1Dv.55Ro:10:0:49:7:180::
z485804:xHRNWhzsSQPBY:40:7:49::::
/etc/group file

Contains information on user groups
Format: name:password:GID:users
Name - Name of the group
Password - Group password (if used)
GID - Numeric group ID
Users - List of users who are a member of the group. Note that members of the group who are assigned to it through their GID in /etc/passwd won't necessarily be in this list.
/etc/group file example
> more /etc/group
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
sysadmin::14:
smmsp::25:
gdm::44:
webservd::80:
postgres::90:
nobody::60001:
noaccess::60002:
nogroup::65534:
sshd::60014:
Methods for Executing Commands with Elevated Privilege

sudo
Allows a specific user to execute a specific command with the privilege of another user
Frequently used for selective root access
Configured in /etc/sudoers

SUID
A SUID (Set-UID) file allows users to execute that file under the privileges of the ID that owns the file
Frequently used to allow all users to execute a specific command with root access
Permissions on a SUID file are displayed as (example):
rwsr-sr-x
Important Linux and UNIX Navigation Commands for Auditors

cd - Change Directory
ls - List Directory Contents
ls -l uses long listing format for the files within the directory, displaying file permissions
ls -ld provides the long listing format for the directory itself
ls -al provides the long listing format for the files within the directory, including the (.) dotfiles
more, cat, less - List File Contents
ypcat - List NIS File Contents (niscat for NIS+)
sudo - allows privileged execution of specific commands
find
Unix/Linux Test Steps

Categories:
Account Management and Password
File Security
Network Security
Audit Logs
Security Monitoring and General Controls
Account Management and Passwords

Account Management and Password Test Steps

Note: For all steps in this section, remember to consider centralized account management tools (e.g. NIS, NIS+, LDAP)

1. Review account management processes (adds, deletes)

2. Ensure UIDs are unique
If two users have the same UID, they can fully access each other's files and can 'kill' each other's processes.
cat /etc/passwd | awk -F: '{print $3}' | sort | uniq -d
(sort is needed in front of uniq -d, which only reports adjacent duplicate lines)

3. Ensure passwords are shadowed
/etc/passwd is world readable by design; /etc/shadow is not
Prevents the use of password-cracking tools against encrypted passwords
4. Review file permissions of password and shadow password files
Access to alter these files provides ability to perform account management and escalate privileges
The /etc/passwd file should only be writable by root and the /etc/shadow file should only be readable by root.

ls -l /etc/passwd
Expected output:
-rw-r--r-- 1 root sys 728 Jan 26 16:23 /etc/passwd

ls -l /etc/shadow
Expected output:
-rw------- 1 root sys 374 Jan 26 16:23 /etc/shadow
5. Evaluate the strength of system passwords
Review password composition controls (e.g. min password length, max password age, min password age)
more /etc/default/passwd (Solaris)
more /etc/login.defs (Red Hat)
Look for the presence of tools to enhance password composition requirements (e.g. npasswd)
Execute password-cracking tools to identify weak passwords
Review process for setting and communicating initial passwords
/etc/default/passwd example

> more /etc/default/passwd
#ident "@(#)passwd.dfl 1.3 02/07/14 SMI"
MAXWEEKS=7
MINWEEKS=1
PASSLENGTH=6
6. Evaluate the usage of groups and determine their restrictiveness
Review the contents of the password and group file(s)

7. Review for usage of shared accounts
Review the contents of the password file(s)
The owner of each account should be obvious
GECOS field in /etc/passwd file is often used for this
Question any accounts that seem to be shared
If a shared account is necessary (e.g. application account)
Users should log in as themselves first
Use su or sudo to access the shared account
Shared accounts can be locked to force this behavior
Review /etc/sudoers file and processes for managing this file
8. Evaluate access to super-user (root-level) access
Review password file(s) and ID all accounts with UID of 0
Question the need for any besides root to have UID 0
Evaluate control of passwords for UID 0 accounts
Prevent direct root logins to ensure accountability
Sysadmins should log in as themselves first
Use su or sudo to access root
Use files such as /etc/default/login, /etc/securetty, /etc/sshd_config, and /etc/ftpusers to force this behavior
Review /etc/sudoers file and processes for managing this file
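An added example (not from the presentation) that turns the file reviews in steps 2, 3, 5, 7 and 8 into reusable shell functions. It runs against constructed passwd and shadow files written to a temporary directory; the account names and hash placeholders are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the presentation: account checks from steps 2, 3, 5, 7
# and 8 as functions that take a passwd or shadow file path, exercised against
# constructed sample files (no real system data; hashes are placeholders).

make_samples() {   # writes sample passwd/shadow files and prints the directory
    dir="${TMPDIR:-/tmp}/acct_audit_sample.$$"
    mkdir -p "$dir"
    cat > "$dir/passwd" <<'EOF'
root:x:0:1:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
smtp:x:0:0:Mail Daemon User:/:
sp1adm:x:228:500:SP1 R3 Admin. ID, SAP:/home/sp1adm:/bin/ksh
iss:x:2000:2000::/home/iss:/bin/ksh
oldapp:HASH_IN_PASSWD:2001:2000:Legacy app account:/home/oldapp:/bin/ksh
bkpsvc:x:2002:2000:Backup service account:/home/bkpsvc:/bin/ksh
jdoe:x:9601:9600:Jane Doe, internal audit:/home/jdoe:/bin/ksh
EOF
    cat > "$dir/shadow" <<'EOF'
root:HASH1:10::49::::
daemon:NP:6445::::::
sp1adm:HASH2:13::49::::
iss:HASH3:10:7:49:7:180::
bkpsvc:HASH4:5::90::::
camgr:HASH5:10:0:::::
listen:*LK*:::::::
jdoe:HASH6:40:7:49::::
EOF
    printf '%s\n' "$dir"
}

# Step 2: UIDs used by more than one account. sort is required in front of
# uniq -d, which only detects adjacent duplicates.
dup_uids() { awk -F: '{ print $3 }' "$1" | sort -n | uniq -d; }

# Step 8: every account with UID 0 is root, whatever it is called.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Step 3: a password field other than the "x" placeholder means a hash (or no
# password at all) sits in the world-readable passwd file.
unshadowed_accounts() { awk -F: '$2 != "x" { print $1 }' "$1"; }

# Step 7: accounts at or above a UID threshold (default 100; Solaris keeps
# system accounts below it) with an empty GECOS field, so no obvious owner.
accounts_without_owner() {
    awk -F: -v min="${2:-100}" '$3 >= min && $5 == "" { print $1 }' "$1"
}

# Step 5: shadow entries with a usable password (not NP, *LK* or !-locked)
# whose max field is blank or above the policy, e.g. 49 days for MAXWEEKS=7.
over_max_age() {
    awk -F: -v max="$2" '$2 !~ /^(NP|\*|!)/ && ($5 == "" || $5 + 0 > max) { print $1 }' "$1"
}

dir=$(make_samples)
printf 'duplicate UIDs:        %s\n' "$(dup_uids "$dir/passwd" | tr '\n' ' ')"
printf 'UID 0 accounts:        %s\n' "$(uid0_accounts "$dir/passwd" | tr '\n' ' ')"
printf 'unshadowed passwords:  %s\n' "$(unshadowed_accounts "$dir/passwd" | tr '\n' ' ')"
printf 'no obvious owner:      %s\n' "$(accounts_without_owner "$dir/passwd" | tr '\n' ' ')"
printf 'max age over 49 days:  %s\n' "$(over_max_age "$dir/shadow" 49 | tr '\n' ' ')"
rm -rf "$dir"
```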


9. Review the security of directories in the default user path and in root's path
If not secure, filename spoofing is possible
The default setting for users' paths may be found in /etc/default/login, /etc/profile, or one of the files in /etc/skel.
View the contents of these files with more filename
Then review permissions on directories in path with ls -ld directoryname
To view your own path: echo $PATH
Example
/usr/bin:/usr/sbin:/sbin:.
Have sysadmin use this command to show root's path
Evaluate use of current directory (depicted by .) in paths
10. Review the security of user home directories and config files
Can allow privileged access to accounts
Location of home directories can be viewed in the password file
ls -ld command will show permissions on a directory
ls -al command will show the permissions on the files (including the config files) within a directory
Typically want to limit write access to the user's home directory and the configuration files to only the user (owner)
File Security

File Security Test Steps

1. Review file permissions for critical files and related directories
Typical targets for review:
/bin, /usr/bin, /sbin, /usr/sbin, /usr/local/bin (programs that interpret commands)
/etc (files that contain such information as passwords, group memberships, and trusted hosts and files that control the execution of various daemons)
/usr or /var (contain various accounting logs)
The kernel (core of the O/S)
Key application data and intellectual property specific to the server being reviewed
ls -ld command will show permissions on a directory
ls -l command will show the permission on a file
Common UNIX and Linux directories
/bin - location of most of the system binaries (programs)
/sbin - contains binaries that are reserved for use by privileged accounts
/etc - contains system configuration files
/home - typical location for user home directories
/var - contains information that programs need to keep track of as they run (such as the process ID on the system); usually contains log files as well
/lib - system and application libraries; these aren't executed directly, but are used by applications as they run
/opt - many add-on packages will be installed here
/usr - place for user-added packages; often /usr will duplicate many of the top-level directories within itself, so you'll have /usr/etc, /usr/bin, etc.
/root - the home directory for the root account is often here
/tmp - temporary directory that any user can typically access
/dev - you will find device files in this directory representing the hardware in your system
Text copyright 2011 The McGraw-Hill Companies
2. Review the system for open directories (drwxrwxrwx)
Anyone can delete files within the directory and replace them with their own files of the same name
By placing the sticky bit on the directory (drwxrwxrwt), only the owner of a file can delete it
find / -type d -perm -777
Finds directories with world write permissions
Use judgment: focus on directories where key data is stored
3. Evaluate the security of SUID files on the system
SUID (Set-UID) files allow users to execute them under the privileges of another UID
If an SUID file is writable by someone other than the owner, it may be possible for the owning account to be compromised
find / -perm -u+s
Provides a list of all SUID files (must be run by superuser)
Review file permissions using ls -l command
SUID permissions example
> find / -perm -u+s
total 290874
-rwsr-sr-x 3 alexbkup alexbkup 8564848 Mar 13 2007 Xalex
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-cntrl
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-command
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-dbase
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-device
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-media
-rwsr-srwx 1 root root 5245540 Mar 13 2007 alex-net
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-opcard
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-option
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-perms
-rwsr-sr-x 14 alexbkup alexbkup 5574456 Mar 13 2007 alex-person
4. Review the default umask value
Determines what permissions new files and directories will have by default
Type umask to see your own umask
The umask subtracts privileges when files and directories are created
Normal default 777
Minus the umask 027
Default permissions on this server 750
This provides full access to the owner, read and execute access to the group, and no access to the world.
Recommended default umask values:
027 (group write and all world access removed)
037 (group write/execute and all world access removed)
Note that users can change their umask value
Want a secure default, requiring conscious decision to reduce security
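An added example (not from the presentation) covering the checks in file security steps 2, 3 and 4: the umask arithmetic, the open-directory search run on a constructed directory tree, and the writable-SUID test applied to a constructed ls -l listing (real SUID root files cannot be created without superuser). The function names, sample paths and listing are this example's own.

```shell
#!/bin/sh
# Added example, not from the presentation: the checks behind File Security
# steps 2-4, run offline against a constructed directory tree and a constructed
# ls -l listing.

# Step 4: default mode = base mode with the umask bits cleared. Directories
# start from 777 (as on the slide); files start from 666, so a umask never
# hands out execute on new files.
umask_to_perms() {   # umask_to_perms 027 -> "dir=750 file=640"
    printf 'dir=%o file=%o\n' $((0777 & ~0$1)) $((0666 & ~0$1))
}

# Step 2: world-writable directories that lack the sticky bit. Anyone can
# delete and replace files there; with the sticky bit (drwxrwxrwt) only a
# file's owner can delete it. The slide's find / -type d -perm -777 matches
# only fully open directories; -perm -0002 catches any world-writable one.
world_writable_dirs() {   # prints paths relative to the given root
    (cd "$1" && find . -type d -perm -0002 ! -perm -1000 | sort)
}

make_sample_tree() {   # constructed tree; prints its root
    root="${TMPDIR:-/tmp}/perm_audit_sample.$$"
    mkdir -p "$root/open" "$root/scratch" "$root/closed"
    chmod 755 "$root"
    chmod 777 "$root/open"       # drwxrwxrwx: finding
    chmod 1777 "$root/scratch"   # drwxrwxrwt: acceptable, like /tmp
    chmod 755 "$root/closed"     # drwxr-xr-x: not world-writable
    printf '%s\n' "$root"
}

# Step 3: SUID files writable by group or world, read from ls -l lines. In
# the 10-character mode string, position 4 is the owner's s bit, position 6
# is group write and position 9 is world write.
writable_suid_from_listing() {
    awk '$1 ~ /^.rw[sS]/ && ($1 ~ /^.....w/ || $1 ~ /^........w/) { print $NF }'
}

# Constructed listing in the format of the SUID example above
SUID_LISTING='-rwsr-sr-x 14 bkpsvc bkpsvc 5574456 Mar 13 2007 backup-media
-rwsr-srwx 1 root root 5245540 Mar 13 2007 backup-net
-rwsrwxr-x 1 root root 10240 Jan 1 2010 group-writable-tool
-rwxr-xr-x 1 root root 10240 Jan 1 2010 not-suid'

sample_suid_findings() { printf '%s\n' "$SUID_LISTING" | writable_suid_from_listing; }

umask_to_perms 027
root=$(make_sample_tree)
world_writable_dirs "$root"
rm -rf "$root"
sample_suid_findings
```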
5. Review the security of files referenced within crontab entries
A cron executes a program at a preset time
The crontab contains all of the crons scheduled on the system
All crons are run as if the owner of the crontab is running them
If a file being executed within a crontab is not secure, it may allow for the execution of arbitrary commands
Use ls -l on /usr/spool/cron/crontabs or /var/spool/cron/crontabs to see contents of crontab directory
Use more to see contents of each file within directory
Use ls -l and ls -ld to see the permissions of the files being executed within crontab entries and their directories
cron example
> ls -l /usr/spool/cron/crontabs
-rw------- 1 root sys 190 Jul 13 2007 adm
-r-------- 1 root root 452 Jan 21 2005 lp
-rw------- 1 root root 3696 Jan 26 16:39 root
-rw------- 1 root sys 308 Jul 13 2007 sys
-r-------- 1 root sys 404 Jan 19 2008 uucp

> more /usr/spool/cron/crontabs/root
# The root crontab should be used to perform accounting data collection.
#
# The rtc command is run to adjust the real time clock if and when
# daylight savings time changes.
#
0 2 * * 0,4 /etc/cron.d/logchecker
5 4 * * 6 /usr/lib/newsyslog
15 3 * * * /usr/lib/fs/nfs/nfsfind
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
0 1,13 * * * > /var/adm/wtmp 2>/dev/null
45 23 * * * /usr/bin/cp /etc/hosts /etc/hosts.bak > /dev/null 2>&1
Network Security

Network Security Test Steps

1. Evaluate necessity and security of enabled services
Every network service is a potential vector for attack
Unnecessary and unsecured network services allow someone who has no business being on the system to either gain access to the system or disrupt the system
Use netstat -an to determine active services
If a service isn't needed, disable it
Having a secure OS baseline to start with reduces unnecessary services
If a service is needed, ensure security patches are being monitored and applied and that the service is configured securely
Execute a network vulnerability-scanning tool in order to check for current vulnerabilities in the environment
2. Evaluate the usage of trusted access
Trusted access provides the ability for users to access the system remotely without the usage of a password
/etc/hosts.equiv file creates trust relationships with specific machines
.rhosts files create trust relationships with specific users on specific machines (located within individual home directories)
Trusted access can also be granted via SSH keys
The user places his public key into a file called authorized_keys2 in the .ssh subdirectory of their home directory on the trusting machine
Security of the trusting system is dependent on the security of the trusted system
Delete where possible; minimize and secure otherwise
Ensure monitoring and approval mechanisms exist
Avoid "+": it defines all systems on the network as trusted
3. Review for the usage of secure protocols
Certain protocols (e.g. telnet, ftp, rsh, rlogin, and rcp) transmit all information in clear text, including userID and password
These can be disabled and replaced with secure (encrypted) alternatives
Telnet, rsh, and rlogin can be replaced by ssh
Ftp can be replaced by sftp or scp
Rcp can be replaced by scp
4. Evaluate the usage of .netrc files
Used to automate logons, primarily with FTP
May contain passwords
find / -name '.netrc' -print -exec more {} \;
Will display the contents of all .netrc files on the system
Must be run as superuser for thorough list
Ensure file permissions are locked down
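An added example (not from the presentation) for network steps 2 and 4: it flags wildcard "+" entries in hosts.equiv and .rhosts files, reports which .netrc entries carry a stored password without printing the password, and lists .netrc files readable by group or world. Everything runs on constructed files in a temporary tree; the host names, logins and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the presentation: review helpers for network steps 2
# and 4, run against constructed hosts.equiv, .rhosts and .netrc files. On a
# real system the functions are pointed at /etc/hosts.equiv, each home
# directory's .rhosts, and the .netrc files located with the find command above.

make_trust_samples() {   # constructed files; prints the tree root
    root="${TMPDIR:-/tmp}/trust_audit_sample.$$"
    mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob"
    cat > "$root/etc/hosts.equiv" <<'EOF'
# build hosts trusted for rsh/rlogin
buildhost01
buildhost02 jenkins
+
EOF
    printf 'devbox alice\n+ alice\n' > "$root/home/alice/.rhosts"
    cat > "$root/home/alice/.netrc" <<'EOF'
machine ftp.example.invalid login deploy password constructed-secret
machine mirror.example.invalid login anonymous
default login guest password guest
EOF
    printf 'machine mirror.example.invalid login anonymous\n' > "$root/home/bob/.netrc"
    chmod 644 "$root/home/alice/.netrc"   # readable by everyone: finding
    chmod 600 "$root/home/bob/.netrc"     # owner only
    printf '%s\n' "$root"
}

# Step 2: entries that trust every host ("+" alone or as the host field) or
# every user on a host ("+" as the user field). Comments and blanks skipped.
wildcard_trust() {   # wildcard_trust FILE...
    awk '!/^[ \t]*(#|$)/ && ($1 == "+" || $2 == "+") { print FILENAME ": " $0 }' "$@"
}

# Step 4: which hosts and logins have a stored password in a .netrc, without
# echoing the password itself.
netrc_password_entries() {   # netrc_password_entries FILE...
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i == "machine")  host = $(i + 1)
               if ($i == "default")  host = "default"
               if ($i == "login")    user = $(i + 1)
               if ($i == "password") print "machine " host " login " user " (password stored)"
           } }' "$@"
}

# Step 4: .netrc files readable by group or world; they should be mode 600.
readable_netrc() {   # paths relative to the given root
    (cd "$1" && find . -name .netrc \( -perm -040 -o -perm -004 \) | sort)
}

root=$(make_trust_samples)
wildcard_trust "$root/etc/hosts.equiv" "$root/home/alice/.rhosts"
netrc_password_entries "$root/home/alice/.netrc" "$root/home/bob/.netrc"
readable_netrc "$root"
rm -rf "$root"
```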


5. Ensure a legal warning banner is displayed when connecting
Text is frequently located in /etc/issue and /etc/sshd_config

6. Review the usage of modems on the server
Bypass corporate perimeter security and allow direct access to the machine from outside the network
Preferable to have access to a machine channeled through standard corporate external access mechanisms such as VPN or RAS
Audit Logs

Audit Log Test Steps

1. Evaluate the contents, security, monitoring, and retention of system audit logs
sulog
Typically /usr/adm/sulog, /var/adm/sulog, or /var/log/auth.log
sudo log
Typically written to the syslog but this can be changed in /etc/sudoers
syslog
/etc/syslog.conf file determines where each message type is routed
Invalid logon attempts
/var/adm/loginlog on Solaris, /etc/btmp on HP-UX
wtmp
Typically /usr/adm/wtmp, /var/adm/wtmp or /etc/wtmp
utmp
Typically located at /etc/utmp on UNIX and /var/run/utmp on Linux
Sulog example
SU 07/14 13:54 + pts/1 root-sp1adm
SU 07/16 12:47 + pts/2 root-sp1adm
SU 07/16 13:01 + pts/1 root-sp1adm
SU 07/16 15:45 + pts/4 iss-root
SU 07/17 11:21 + pts/6 iss-root
SU 07/17 13:03 + pts/6 iss-root
SU 07/18 11:02 - pts/4 aa170450-rtcov
SU 07/18 11:02 + pts/4 aa170450-rtcov
SU 07/20 20:05 + pts/0 root-sp1adm
SU 07/20 20:08 + pts/1 root-sp1adm
SU 07/20 22:01 + pts/0 root-sp1adm
SU 07/20 22:03 + pts/1 root-sp1adm
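An added example (not from the presentation) that summarises a sulog in the format shown above: failed su attempts, successful escalations to root counted per originating account, and sessions in which root itself switched to another account. It runs on a constructed sample modelled on the slide; the extra account names and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the presentation: summarising a Solaris-style sulog
# (SU MM/DD hh:mm +|- tty from-to) the way an auditor reads it, run here
# against a constructed sample modelled on the slide above.

make_sulog_sample() {   # constructed; prints the file path
    f="${TMPDIR:-/tmp}/sulog_sample.$$"
    cat > "$f" <<'EOF'
SU 07/14 13:54 + pts/1 root-sp1adm
SU 07/16 15:45 + pts/4 iss-root
SU 07/17 11:21 + pts/6 iss-root
SU 07/17 13:03 + pts/6 iss-root
SU 07/18 11:02 - pts/4 aa170450-rtcov
SU 07/18 11:02 + pts/4 aa170450-rtcov
SU 07/19 09:15 - pts/3 jdoe-root
SU 07/19 09:15 - pts/3 jdoe-root
SU 07/19 09:16 + pts/3 jdoe-root
SU 07/20 20:05 + pts/0 root-sp1adm
EOF
    printf '%s\n' "$f"
}

# Failed su attempts ("-" in the result column): repeated failures against
# root from one tty are the first thing to follow up.
failed_su() { awk '$1 == "SU" && $4 == "-" { print $2, $3, $5, $6 }' "$1"; }

# Successful escalations to root, counted per originating account, so the
# list can be compared with the people approved to hold root.
root_escalations_by_user() {
    awk '$1 == "SU" && $4 == "+" { split($6, p, "-"); if (p[2] == "root") n[p[1]]++ }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# Sessions where root itself su'd to another account: each one implies a
# direct root login (or an earlier escalation) that should be traceable to a person.
from_root() { awk '$1 == "SU" && $4 == "+" && $6 ~ /^root-/ { print $2, $3, $5, $6 }' "$1"; }

f=$(make_sulog_sample)
echo "failed attempts:";    failed_su "$f"
echo "su to root by user:"; root_escalations_by_user "$f"
echo "su from root:";       from_root "$f"
rm -f "$f"
```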
Security Monitoring and General Controls

1. Review procedures for monitoring the state of security on the system
Level of monitoring should be contingent on the criticality of the system and the inherent risk of the environment
Four primary types of security monitoring
Network vulnerability scanning
Host-based vulnerability scanning
Intrusion detection
Intrusion prevention
Assess frequency of monitoring
Look for evidence that the security monitoring tools are actually used and acted upon
2. Review security of standard build for new systems
Audit a system freshly created from the baseline
Determines whether new systems are secure by default
If you start with a standard secure OS build, you only need to add the network services required by the application
3. Ensure appropriate physical controls and operations are in place to provide for system protection and availability
Physical security
Environmental controls
Capacity planning
Change management
System monitoring
Backup processes
Disaster recovery planning
Secure coding practices and reviews for custom applications
Tools

The open source community has provided many tools that can assist the auditor:
Nessus (network vulnerability scanner)
http://www.nessus.org/
http://www.openvas.org/
NMAP (check for open ports)
http://nmap.org
Chkrootkit (identify both known rootkits running on a system and suspicious files or processes)
http://www.chkrootkit.org/
http://www.netadmintools.com/art279.html
John the Ripper and Crack (check password strength)
ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/
http://www.openwall.com/john/
Tiger / TARA (host-based vulnerability scanner)
http://savannah.nongnu.org/projects/tiger/
http://www-arc.com/tara/
Tripwire (intrusion detection / integrity checker)
http://sourceforge.net/projects/tripwire/
Note: the author assumes no responsibility for the impact of using these tools in your environment.
Print resources:
Practical UNIX & Internet Security by Simson Garfinkel, Gene Spafford, and Alan Schwartz, published by O'Reilly Media, Inc.
Essential System Administration by Æleen Frisch, published by O'Reilly Media, Inc.
IT Auditing: Using Controls to Protect Information Assets, Second Edition by Chris Davis and Mike Schiller
Online resources:
http://isaca.org/
standards and security guidance
http://www.sans.org/rr/
certifications and other documents from SANS
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtm
security configuration guides from the National Security Agency
http://csrc.nist.gov/publications/PubsSPs.html
security guidelines from the National Institute of Standards and Technologies
http://sectools.org/
top security tools as generated from a survey of NMAP users
http://seclists.org/
security-oriented mailing lists
http://www.securityfocus.com/
mailing lists, news, vulnerabilities
http://cve.mitre.org/
along with the vulnerability database section of securityfocus, a good site to begin research
on potential vulnerabilities
Thank you!
Collaborate Contribute Connect

www.isaca.org/knowledge-center
The Knowledge Center is a collection of
resources and online communities that
connect ISACA members globally, across
industries and by professional focus - under
one umbrella. Add or reply to a discussion,
post a document or link, connect with other
ISACA members, or create a wiki by
participating in a community today!
