Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Classic Unix Security Tools

News See Also Recommended Links ssh Sudo PAM TCP Wrappers Tripwire
lsof nmap Tcpdump Ipchains netcat Snort Crack Etc

E-business does not wait for security standards. Everybody understands that Unix security can be much better if administrators install and use available security tools. Often this is not the case and often people do not use tools because there are so many of them.

In a recent survey SAFARI authors have found that the most frequent reasons for continuing to operate hosts without available countermeasures were:

At many of these sites, the basic computing infrastructure is an impediment to timely distribution of configuration changes. These sites operate at a substantially higher level of risk and are more likely to be compromised. Moreover they are also less likely to be able to adequately detect and recover from compromises. In case of compromises if the required resources for full recovery are unavailable temporary fixes create prerequisites for future troubles.

I created a list of several classic Unix security tools that IMHO should be considered before other tools and especially before buying any commercial security software:

  1. Pluggable authentication modules (PAM). They is very useful and largely underutilized security feature invented by Sun and most popular in Solaris environment although now implemented in all UNIXes. If it's not enabled by default it's not that difficult to configure PAM and select most useful modules. Checking of passwords (proactive !) against common blunders should be always enabled. I strongly believe that if PAM are not used in a particular installation then sysadmin is either ignorant or do not care about password security or both ;-). PAMs can also be used for token authentication, although currently shell wrapper is most common implementation.
     
  2. Sudo -- lessen risks by limiting number of SUID programs and providing better logging of who when and how is using root.
     
  3. Integrity checkers Tripwire is somewhat primitive and is not recommended. Several better tools are available
     
  4. Log analyses tools. Log analysis tools are covered in a separate page. Perl-based tools are preferable
     
  5. Internal vulnerability scanners(IVS). Universal internal scanners are endangered specie. Cops and Tiger contain a lot of interesting ideas but both now are obsolete. Perl-based tools are preferable.
     
  6. ssh should be used instead of regular telnet; especially if you are connecting to the computer from your ISP -- if ISP is compromised than you password can be stolen and your machine will be compromised next. SSH is pretty useful, easy to use and more secure than the archaic telnet/rlogin/rsh.
     
  7. TCP Wrappers can help to protect TCP/IP services listed in inetd.conf. They are installed by default in most Linux distributions including Red Hat (starting with v. 5.2), but not on Solaris. Also the sysadmin needs to configure them properly, which is often not the case :-(.  By using TCP_wrappers one can limit possibilities of connecting to machine using all services that are controlled via inetd.cong (including telnet and ftp) to the minimum number of sites.

Other tools that can be helpful, but IMHO they do not provide as great return on investment as tools mentioned above:


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

News

[Jul 22, 2009] SECURITY: Nmap 5.00 Released

Jul 22, 2009 | Insecure.org

"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/ . This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this."

Linux Layer 8 Security LG #166

While PAM hacking and modifications is a whole subject in and of itself, various keyloggers can be deployed using PAM. The "rootsh" utility - which allows you to enable a systems logger that will show everything logged to the terminal whenever anyone invokes sudo or logs in as a user - is a great immediate solution.

http://freshmeat.net/projects/rootsh/

General implementation recommendations include renaming "rootsh" to another seemingly innocuous sounding word - like "termd".

"rootsh" is immediately useful, especially if you have more than one system administrator or root user (although you should always disable root access completely in favor of logged sudo).

It's often too late when we realize that our sudoers file was not configured to be limited to only a select list of users, or was not logging (e.g., if we have inherited 200 machines installed with stock sudo -- see my August 2009 Linux Gazette "Layer 8 Linux Security" column on maintaining sudo via Puppet). So, perhaps it went unnoticed that a past disgruntled developer was accessing the system from his desktop via RDP to SSH and accessing root regularly via 'sudo su'.

In startup ISPs and Web development shops in the mid-1990s, a "Nazi" Linux security administrator would often tire of being on-call 24x7 in an uncontrollable server farm, and come down with the avant-garde edict of "no shared root access", whereupon all developers just took escalated access via escaping system calls from emacs or vi, or via buffer overflows, and happily changed the access passwords for users: games, haldaemon, adm, lp, or sync. Similar shops and Linux un-professionals still exist, unfortunately.

Since any access to root via sudo can result in changes (and potential errors), a good keylogger makes a lot of sense as an easily setup secondary tracking mechanism.

PCI compliance and SOX both require controls in place for the root or administrative user. However, when mixed with corporate profit, these controls are loosely interpreted to the point of complete insecurity. If we cannot track change, we control nothing. Implementing a keylogger will take no more than fifteen to thirty minutes (and can easily be automated through Puppet), so if you suspect your systems of being accessed and the logs being wiped, or if you don't have the time to fully evaluate all binary checksums for rootkits, keyloggers can be a good immediate additional security tool.

By default, 'rootsh' logs to /var/log/rootsh/ (which can be changed during setup). Of course, 'rootsh' logs can be edited, like any logs, unless you use 'syslog-ng', or stunnel loghost or cron-based e-mail log burst, so hide them well. You will generally find that no one even notices that 'rootsh' is logging, and happily carry on as normal.

[Apr. 12, 2001] Quality Security Tools -- Top 50 Security Tools

In May/June of 2000, we conducted a survey of 1200 Nmap users from the nmap-hackers mailing list to determine their favorite security tools. Each respondent could list up to 5.

I was so impressed by the list they created that I am putting the top 50 up here where everyone can benefit from them. I think anyone in the security field would be well advised to go over the list and investigate any tools they are unfamiliar with. I also plan to point newbies to this page whenever they write me saying "I do not know where to start".

Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below.

I may change this list occasionally as new tools are created and others fade into obscurity due to security enhancements becoming mainstream. Or maybe I'll just have another survey next year.

Also note that many of the descriptions in this list were taken from the Debian package descriptions, the Freshmeat descriptions, or from the home pages of the application. I didn't count any votes for Nmap because the survey was taken on an Nmap mailing list.

Without further ado, here is the list (starting with the most popular):

Nessus http://www.nessus.org
Description: Remote network security auditor, the client The Nessus Security Scanner is a security auditing tool. It makes possible to test security modules in an attempt to find vulnerable spots that should be fixed. . It is made up of two parts: a server, and a client. The server/daemon, nessusd, is in charge of the attacks, whereas the client, nessus, interferes with the user through nice X11/GTK+ interface. . This package contains the GTK+ 1.2 client, which exists in other forms and on other platforms, too.

Netcat http://www.l0pht.com/~weld/netcat/
Note: This is an unofficial site
Description: TCP/IP swiss army knife A simple Unix utility which reads and writes data across network connections using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Tcpdump http://www.tcpdump.org
Description: A powerful tool for network monitoring and data acquisition This program allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect "ping attacks" or to monitor the network activities.

Snort http://www.snort.org
Description: flexible packet sniffer/logger that detects attacks Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.

Saint http://www.wwdsi.com/saint/
Description: SAINT (Security Administrator's Integrated Network Tool) is a security assesment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT & CIAC bulletins, 4 levels of severity (red, yellow, brown, & green) and a feature rich HTML interface.

Ethereal http://ethereal.zing.org/
Description: Network traffic analyzer Ethereal is a network traffic analyzer, or "sniffer", for Unix and Unix-like operating systems. It uses GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library.

Whisker http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=2
Description: Rain.Forest.Puppy's excellent CGI vulnerability scanner

Internet Security Scanner www.iss.net
Note: This tool costs significant $$$ to use, and does not come with source code.
Description: A popular commercial network security scanner.

Abacus Portsentry http://www.psionic.com/abacus/portsentry/
Description: Portscan detection daemon PortSentry has the ability to detect portscans(including stealth scans) on the network interfaces of your machine. Upon alarm it can block the attacker via hosts.deny, dropped route or firewall rule. It is part of the Abacus program suite. . Note: If you have no idea what a port/stealth scan is, I'd recommend to have a look at http://www.psionic.com/abacus/portsentry/ before installing this package. Otherwise you might easily block hosts you'd better not(e.g. your NFS-server, name-server, ...).

DSniff http://naughty.monkey.org/~dugsong/dsniff/
Description: A suite of powerful for sniffing networks for passwords and other information. Includes sophisticated techniques for defeating the "protection" of network switchers.

Tripwire http://www.tripwire.com/
Note: Depending on usage, this tool may have expensive licensing feesassociated with it.
Description: A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

Cybercop Scanner http://www.pgp.com/asp_set/products/tns/ccscanner_intro.asp
Note: This tool costs significant $$$ to use, and does not come with source code. A powerful demo version is available for testing.
Description: Another popular commercial scanner

Hping2 http://www.kyuzz.org/antirez/hping/
Description: hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping2, you can: test firewall rules, perform [spoofed] port scanning, test net performance using different protocols, packet size, TOS (type of service), and fragmentation, do path MTU discovery, tranfer files (even between really Fascist firewall rules), perform traceroute-like actions under different protocols, fingerprint remote OSs, audit a TCP/IP stack, etc. hping2 is a good tool for learning TCP/IP.

SARA http://www-arc.com/sara/
Description: The Security Auditor's Research Assistant (SARA) is a third generation security analysis tool that is based on the SATAN model which is covered by the GNU GPL-like open license. It is fostering a collaborative environment and is updated periodically to address latest threats.

Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
Description: packet sniffer and monitoring tool sniffit is a packet sniffer for TCP/UDP/ICMP packets. sniffit is able to give you very detailed technical info on these packets (SEC, ACK, TTL, Window, ...) but also packet contents in different formats (hex or plain text, etc. ).

SATAN http://www.fish.com/satan/
Description: Security Auditing Tool for Analysing Networks This is a powerful tool for analyzing networks for vulnerabilities created for sysadmins that cannot keep a constant look at bugtraq, rootshell and the like.

IPFilter http://coombs.anu.edu.au/ipfilter/
Description: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. To use, it can either be used as a loadable kernel module orincorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.

iptables/netfilter/ipchains/ipfwadm http://netfilter.kernelnotes.org/
Description: IP packet filter administration for 2.4.X kernels Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. The iptables tool also supports configuration of dynamic and static network address translation.

Firewalk http://www.packetfactory.net/Projects/Firewalk/
Description: Firewalking is a technique developed by MDS and DHG that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. The newest version of the tool, firewalk/GTK introduces the option of using a graphical interface and a few bug fixes.

Strobe http://www.insecure.org/nmap/index.html#other
Description: A "Classic" high-speed TCP port scanner

L0pht Crack http://www.l0pht.com/l0phtcrack/
Note: No source code is included (except in research version) and their is a $100 registration fee.
Description: L0phtCrack is an NT password auditting tool. It will compute NT user passwords from the cryptographic hashes that are stored by the NT operation system. L0phtcrack can obtain the hashes through many sources (file, network sniffing, registry, etc) and it has numerous methods of generating password guesses (dictionary, brute force, etc).

John The Ripper http://www.openwall.com/john/
Description: An active password cracking tool john, normally called john the ripper, is a tool to find weak passwords of your users.

Hunt http://www.cri.cz/kra/index.html#HUNT
Description: Advanced packet sniffer and connection intrusion. Hunt is a program for intruding into a connection, watching it and resetting it. . Note that hunt is operating on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segments or hosts that are on switched ports.

OpenSSH / SSH http://www.openssh.com/
http://www.ssh.com/commerce/index.html
Note: The ssh.com version cost money for some uses, but source code is available.
Description: Secure rlogin/rsh/rcp replacement (OpenSSH) OpenSSH is derived from OpenBSD's version of ssh, which was in turn derived from ssh code from before the time when ssh's license was changed to be non-free. Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide rdist, and rsync with a secure communication channel.

tcp wrappers ftp://ftp.porcupine.org/pub/security/index.html
Description: Wietse Venema's TCP wrappers library Wietse Venema's network logger, also known as TCPD or LOG_TCP. . These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system.

Ntop http://www.ntop.org
Description: display network usage in top-like format ntop is a Network Top program. It displays a summary of network usage by machines on your network in a format reminicent of the unix top utility. . It can also be run in web mode, which allows the display to be browsed with a web browser.

traceroute/ping/telnet http://www.linux.com
Description: These are utilities that virtually all UNIX boxes already have. In fact, even Windows NT has them ( but the traceroute command is called tracert ).

NAT (NetBIOS Auditing Tool) http://www.tux.org/pub/security/secnet/tools/nat10/
Note: This is an unofficial download site.
Description: The NetBIOS Auditing Tool (NAT) is designed to explore the NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

scanlogd http://www.openwall.com/scanlogd/
Description: A portscan detecting tool Scanlogd is a daemon written by Solar Designer to detect portscan attacks on your machine.

Sam Spade http://samspade.org/t/
http://www.samspade.org/
Description: Online tools for investigating IP addresses and tracking down spammers.

NFR http://www.nfr.com
Note: Source code was once freely available but I do not know if this is still the case. Some usage may cost money.
Description: A commercial sniffing application for creating intrusion detection systems.

logcheck http://www.psionic.com/abacus/logcheck/
Description: Mails anomalies in the system logfiles to the administrator Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Firewall Toolkit© by Trusted Information Systems Inc.(TIS). . Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. This program is free to use at any site. Please read the disclaimer before you use any of this software.

Perl http://www.perl.org
Description: A very powerful scripting language which is often used to create "exploits" for the purpose of verifying security vulnerabilities. Of course, it is also used for all sorts of other things.

Ngrep http://www.packetfactory.net/Projects/ngrep/
Description: grep for network traffic ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Cheops http://www.marko.net/cheops/
Description: A GTK based network "swiss-army-knife" Cheops gives a simple interface to most network utilities, maps local or remote networks and can show OS types of the machines on the network.

Vetescan http://www.self-evident.com/
Description: Vetescan is a bulk vulnerability scanner which contains programs to check for and/or exploit many remote network security exploits that are known for Windows or UNIX. It includes various programs for doing different kinds of scanning. Fixes for vulnerablities are included along with the exploits.

Retina http://www.eeye.com/html/Products/Retina.html
Note: Commercial product with no source code available. A demo binary is available for testing.
Description: A commercial security scanner by the great guys at eeye.

Libnet http://www.packetfactory.net/libnet/
Description: Routines for the construction and handling of network packets. libnet provides a portable framework for low-level network packet writing and handling. . Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary functionality. Still in it's infancy however, the library is evolving quite a bit. Additional functionality and stability are added with each release. . Using libnet, quick and simple packet assembly applications can be whipped up with little effort. With a bit more time, more complex programs can be written (Traceroute and ping were easily rewritten using libnet and libpcap).

Crack / Libcrack http://www.users.dircon.co.uk/~crypto/
Description: Crack 5 is an update version of Alec Muffett's classiclocal password cracker. Traditionally these allowed any user of a system to crack the /etc/passwd and determine the passwords of other users (or root) on the system. Modern systems require you to obtain read access to /etc/shadow in order to perform this. It is still a good idea for sysadmins to run a cracker occasionally to verify that all users have strong passwords.

Cerberus Internet Scanner http://www.cerberus-infosec.co.uk/cis.shtml
Description: CIS is a free security scanner written and maintained by Cerberus Information Security, Ltd and is designed to help administrators locate and fix security holes in their computer systems. Runs on Windows NT or 2000. No source code is provided.

Swatch http://www.stanford.edu/~atkins/swatch/
Description: Swatch was originally written to actively monitor messages as they were written to a log file via the UNIX syslog utility. It has multiple methods of alarming, both visually and by triggering events. The perfect tools for a master loghost. This is a beta release of version 3.0, so please use it with caution. The code is still slightly ahead of the documentation, but examples exist. NOTE: Works flawlessly on Linux (RH5), BSDI and Solaris 2.6 (patched).

OpenBSD http://www.openbsd.org
Description: The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts place emphasis on portability, standardization, correctness, security, and cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSDI, SunOS, and HPUX.

Nemesis http://www.packetninja.net/nemesis/
Description: The Nemesis Project is designed to be acommandline-based, portable human IP stack for UNIX/Linux. The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.

LSOF ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
Description: List open files. Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes current running on the system. The binary is specific to kernel version 2.2

Lids http://www.turbolinux.com.cn/lids/
Description: The LIDS is an intrusion detection/defense system inLinux kernel. The goal is to protect linux systems against root intrusions, by disabling some system calls in the kernel itself. As you sometimes need to administrate the system, you can disable LIDS protection.

IPTraf http://cebu.mozcom.com/riker/iptraf/
Description: Interactive Colorful IP LAN Monitor IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. . Note that since 2.0.0 IPTraf requires a kernel >= 2.2

IPLog http://ojnk.sourceforge.net/
Description: iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. iplog 2.0 is a complete re-write of iplog 1.x, resulting in greater portability and better performance. iplog 2.0 contains all the features of iplog 1.x as well as several new ones. Major new features include a packet filter and detection of more scans and attacks. It currently runs on Linux, FreeBSD, OpenBSD, BSDI and Solaris. Ports to other systems, as well as any contributions at all, are welcome at this time.

Fragrouter http://www.anzen.com/research/nidsbench/
Description: Fragrouter is aimed at testing the correctness of a NIDS,according to the specific TCP/IP attacks listed in the Secure Networks NIDS evasion paper. [2] Other NIDS evasion toolkits which implement these attacks are in circulation among hackers or publically available, and it is assumed that they are currently being used to bypass NIDSs

Queso http://www.apostols.org/projectz/queso/
Note: A couple of the OS detection tests in Queso were later incorporated into Nmap. A paper we wrote on OS detection is available here.
Description: Guess the operating system of a remote machine by looking in the TCP replies.

GPG/PGP http://www.gnupg.org/
http://www.pgp.com
Description: The GNU Privacy Guard (GnuPG) is a complete and free replacement for PGP, developed in Europe. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application. PGP is the famous encryption program which helps secure your data from eavesdroppers and other risks.

[Nov. 19, 2000] System Administration xinetd

xinetd - extended Internet services daemon - provides a good security against intrusion and reduces the risks of Deny of Services (DoS) attacks. Like the well known couple (inetd+tcpd), it allows to fix the access rights for a given machine, but it can do much more. In this article we will discover its many features.

You could now ask which daemon should I choose xinetd or inetd. As a matter of fact, xinetd requires a bit more administration, especially as long as it won't be included into distributions (it is in Red Hat 7.0). The most secure solution is to use xinetd on machines with public access (like Internet) since it offers a better defense. For machines within a local network inetd should be enough.


See also

Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

Top articles

Sites

Top 75 Network Security Tools


Swatch

Stephen E. Hansen, E. Todd Atkins, Automated System Monitoring and Notification With Swatch
Abstract: This paper describes an approach to monitoring events on a large number of servers and workstations. While modern UNIX systems are capable of logging a variety of information concerning the health and status of their hardware and operating system software, they are generally not configured to do so . Even when this information is logged, it is often hidden in places that are either not monitored regularly or are susceptible to deletion or modification by a successful intruder. Also, a system administrator must often monitor several, perhaps dozens, of systems. To address these problems, our approach begins with the modification of certain system programs to enhance their logging capabilities. In addition, our approach calls for the logging facilities on each of these systems to be configured in such a way as to send a copy of the critical system and security related information to a dependable, secure, central logging host system . As one might expect, this central log can see a megabyte or more of data in a single day. To keep a system administrator from being overwhelmed by a large quantity of data we have developed an easily configurable log file filter/monitor, called swatch . Swatch monitors log files and acts to filter out unwanted data and take one or more user specified actions (ring bell, send mail, execute a script, etc .) based upon patterns in the log .

See also: i005_P3_swatchv3


IP chains

LinuxPlanet - Tutorials - Linux Networking Using Ipchains - Multiple Machines, A Single Connection

Security for the Home Network LG #46

IP Chains HOWTO

Application: ipchains
Stable Version: 1.3.8

Brief Description:
Linux packet filter control utility (replaces ipfwadm for kernels 2.1.102+).


Deception toolkit

Application: Deception Toolkit
Stable Version: 0.7

stable version: 0.7

homepage: http://all.net/dtk/dtk.html

download location: http://all.net/dtk/download.html


author:
Fred Cohen


Minitools

check-ps lsof sXid last Etc

Application: check-ps
Development Version: 1.2alpha5

Brief Description:
Reports or kills processes 'hidden' from the system administrator

lsof

Vic Abell, lsof
Abstract: Lsof version 3 lists open files for running UNIX processes. It is a descendent of ofiles, fstat, lsof version 1, and lsof version 2.

For system amdinistration on UNIX or UNIX-like systems, lsof (LiSt Open Files) is a life-saver. lsof will show what files a program has open, to include network connections, shared libraries, pipes, sockets, etc. It is the Swiss Army knife of programmer/administrator tools. See author Vic Abel's home page for details: http://people.freebsd.org/~abe/

sXid

sXid

All in one suid/sgid monitoring script written in C

sXid is an all in one suid/sgid monitoring program written in C and designed to be run from cron on a regular basis. It has many features not found in other more "specific" scripts of this kind. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or they have changed bits or other modes then it reports the changes.

This version is mainly bug fixes and changes for compiles on more OS's including HP/UX, AIX, and a few Solaris fixes. It should be a little more efficient as well.



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Created: May 16, 1997; Last modified: September 12, 2017