Classic Unix Security Tools
E-business does not wait for security standards. Everybody understands that
Unix security can be much better if administrators install and use the available
security tools. Often this is not the case, and often people do not use
tools because there are so many of them. In a recent survey the SAFARI authors
found that the most frequent reasons for continuing to operate hosts without
available countermeasures were:
- Insufficient resources
- Difficulty in finding and understanding countermeasure information
- The inability to administer configuration management across a large
number of hosts.
At many of these sites the basic computing infrastructure is an impediment
to timely distribution of configuration changes. These sites operate at a
substantially higher level of risk and are more likely to be compromised.
Moreover, they are also less likely to be able to adequately detect and recover
from compromises. If the resources required for full recovery are unavailable
after a compromise, temporary fixes create the preconditions for future
trouble.
I created a list of several classic Unix security tools that IMHO should be
considered before other tools, and especially before buying any commercial
security software:
- Installation minimizers/OS hardening tools. They permit you to determine
what operating system packages are required for a particular set of
applications and to select only the necessary packages for installation (and/or
delete unnecessary ones after installation). The minimal system is the most
secure system, and any unnecessary service can be a source of trouble. These
tools are mostly developed for Solaris. See
Solaris Operating Environment Minimization for Security: A Simple,
Reproducible and Secure Application Installation Methodology.
- Pluggable authentication modules (PAM). This is a very useful and largely
underutilized security feature invented by Sun and most popular in the Solaris
environment, although it is now implemented in all Unixes. If it's not enabled
by default, it's not that difficult to configure PAM and select the most useful
modules. Proactive checking of passwords against common blunders should always
be enabled. I strongly believe that if PAM is not used in a particular
installation then the sysadmin is either ignorant or does not care about
password security, or both ;-). PAM can also be used for token
authentication, although currently a shell wrapper is the most common
implementation.
- Sudo -- lessens risks by limiting the number of SUID programs and providing
better logging of who is using root, when, and how.
- Integrity checkers. Tripwire seems to be the classic integrity checker.
There are alternatives, but one such tool is a must for any security-conscious
sysadmin. Tripwire is somewhat primitive, but it's free. Several other tools
are available, but none is more popular than Tripwire.
- Log analysis tools. Log analysis tools are covered in a separate page.
Perl-based tools are preferable.
- Hardening scripts. Operating-system-specific hardening scripts are the best
(ASET and Titan for Solaris, SUSE tools for SuSE Linux, Bastille for Red Hat,
etc.);
- Internal vulnerability scanners (IVS). Universal internal scanners are an
endangered species. COPS and Tiger contain a lot of interesting ideas, but both
are now obsolete. Perl-based tools are preferable.
- ssh should be used instead of regular telnet, especially if you are
connecting to the computer from your ISP -- if the ISP is compromised then your
password can be stolen and your machine will be compromised next. SSH is pretty
useful, easy to use and more secure than the archaic telnet/rlogin/rsh.
- TCP Wrappers can help to protect the TCP/IP services listed in inetd.conf.
They are installed by default in most Linux distributions including Red Hat
(starting with v. 5.2), but not on Solaris. The sysadmin also needs to
configure them properly, which is often not the case :-(. By using TCP Wrappers
one can limit the ability to connect to the machine via all services controlled
through inetd.conf (including telnet and ftp) to the minimum number of sites.
- Configuration management tools. CVS, cfengine (a tool for managing the
config files of a large network of computers), or other specialized tools like
Host Factory, SAFARI or Depot. Although none of them is a security tool per
se, they are very useful for understanding changes on a particular machine.
Some permit storing and parallel updating of all versions of config files. The
latter can prevent some costly mistakes. It also simplifies recovery if
something happens.
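As an added example (not code from this page or from Wietse Venema's tcp_wrappers), here is a small Python model of how tcpd evaluates hosts.allow and hosts.deny, contrasting a config that forgets hosts.deny with a hardened one; the daemon names, hostnames and addresses are constructed.

```python
"""Toy evaluator for TCP Wrappers /etc/hosts.allow and /etc/hosts.deny.

Added example, not code from this page or from tcp_wrappers itself.  It
models the documented lookup order used by tcpd: a (daemon, client) pair is
allowed if it matches hosts.allow, denied if it matches hosts.deny, and
allowed if it matches neither.  That last rule is what bites sites that write
hosts.allow and forget hosts.deny, as the constructed configs below show.
Supported client patterns: ALL, LOCAL, exact host/IP, leading-dot domain
suffix, trailing-dot network prefix, net/mask, and the EXCEPT operator.
"""
import ipaddress


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemon_list, client_list) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                               # malformed; tcpd would log a warning
        rules.append((fields[0], fields[1]))       # option/shell_command fields ignored
    return rules


def match_client(pattern, host, ip):
    """Match one client pattern against the client's hostname and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                         # any hostname without a dot
        return "." not in host
    if pattern.startswith("."):                    # ".example.com" matches a domain suffix
        return host.endswith(pattern)
    if pattern.endswith(".") and pattern[:-1].replace(".", "").isdigit():
        return ip.startswith(pattern)              # "192.168.1." matches a network prefix
    if "/" in pattern:                             # "net/mask" form
        try:
            return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, ip)                   # exact hostname or address


def match_list(spec, token_matches):
    """Match a daemon_list or client_list, honouring 'list_1 EXCEPT list_2'."""
    if " EXCEPT " in spec:
        left, right = spec.split(" EXCEPT ", 1)
        return match_list(left, token_matches) and not match_list(right, token_matches)
    return any(token_matches(tok) for tok in spec.replace(",", " ").split())


def hosts_access(allow_text, deny_text, daemon, host, ip):
    """Return True when tcpd would let host/ip reach daemon, False otherwise."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (match_list(daemons, lambda t: t in ("ALL", daemon))
                    and match_list(clients, lambda t: match_client(t, host, ip))):
                return verdict
    return True                                    # no match in either file: default allow


# Constructed sample configs.  WEAK_* is the common mistake: hosts.allow is
# written, hosts.deny is left empty, so anything not explicitly listed still
# gets in through the default-allow rule.
WEAK_ALLOW = "in.telnetd in.ftpd : 192.168.1.\n"
WEAK_DENY = ""

# Hardened form: deny everything first, then open only what is needed.
HARD_ALLOW = """
# inetd services only from the office LAN, minus one untrusted box
in.telnetd in.ftpd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.250
sshd : ALL
ALL : LOCAL
"""
HARD_DENY = "ALL : ALL\n"


def audit(allow_text, deny_text, probes):
    """Evaluate (daemon, host, ip) probes; returns {(daemon, ip): allowed}."""
    return {(d, ip): hosts_access(allow_text, deny_text, d, h, ip) for d, h, ip in probes}


if __name__ == "__main__":
    probes = [("in.telnetd", "evil.example.net", "10.0.0.5"),
              ("in.ftpd", "ws3.corp.example", "192.168.1.17"),
              ("in.ftpd", "ws250.corp.example", "192.168.1.250")]
    for name, a, d in (("weak", WEAK_ALLOW, WEAK_DENY), ("hardened", HARD_ALLOW, HARD_DENY)):
        for (daemon, ip), ok in audit(a, d, probes).items():
            print(f"{name:8s} {daemon:11s} from {ip:15s} -> {'allow' if ok else 'deny'}")
```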
Other tools that can be helpful, but IMHO do not provide as great a return
on investment as the tools mentioned above:
- Honeypots. I believe that specialized honeypots, as well as fake daemons on
some production servers, are very useful and can serve as an effective alarm
and deterrent mechanism. They lessen the predictability of the environment and
can drive port scanners crazy...
- Port scanners like nmap, SATAN, SAINT, etc. Internal scanning is generally
much more efficient unless you have a really large network. Port scanners are
often used as attack tools, and in such situations one should use decoys that
drive them crazy (if incoming ftp is disabled, one neat trick is, in addition
to registering the connection attempt, to randomly imitate different ftp
daemons; that trick is useful for other inactive but frequently attacked ports
too). The main idea is to avoid predictability of the environment ;-)
- Password checkers/crackers like Crack. If you use PAM, you can prevent
users from choosing weak passwords and generally you do not need Crack.
[Apr. 12, 2001]
Quality Security Tools -- Top 50 Security Tools
In May/June of 2000, we conducted a survey of 1200
Nmap users from the
nmap-hackers mailing list
to determine their favorite security tools. Each respondent could list up to 5.
I was so impressed by the list they created that I am putting the top 50 up
here where everyone can benefit from them. I think anyone in the security field
would be well advised to go over the list and investigate any tools they are
unfamiliar with. I also plan to point newbies to this page whenever they write
me saying "I do not know where to start".
Respondents were allowed to list open source or commercial tools on any
platform. Commercial tools are noted as such in the list below.
I may change this list occasionally as new tools are created and others fade
into obscurity due to security enhancements becoming mainstream. Or maybe I'll
just have another survey next year.
Also note that many of the descriptions in this list were taken from the
Debian package descriptions, the
Freshmeat descriptions, or from the home
pages of the application. I didn't count any votes for
Nmap because the survey was taken
on an Nmap mailing list.
Without further ado, here is the list (starting with the most popular):
Nessus
http://www.nessus.org
Description: Remote network security auditor, the client. The Nessus
Security Scanner is a security auditing tool. It makes it possible to test
security modules in an attempt to find vulnerable spots that should be
fixed. It is made up of two parts: a server, and a client. The
server/daemon, nessusd, is in charge of the attacks, whereas the client,
nessus, interfaces with the user through a nice X11/GTK+ interface. This
package contains the GTK+ 1.2 client, which exists in other forms and on
other platforms, too.
Netcat
http://www.l0pht.com/~weld/netcat/
Note: This is an unofficial site.
Description: TCP/IP swiss army knife. A simple Unix utility which reads and
writes data across network connections using the TCP or UDP protocol. It is
designed to be a reliable "back-end" tool that can be used directly or
easily driven by other programs and scripts. At the same time it is a
feature-rich network debugging and exploration tool, since it can create
almost any kind of connection you would need and has several interesting
built-in capabilities.
Tcpdump
http://www.tcpdump.org
Description: A powerful tool for network monitoring and data acquisition.
This program allows you to dump the traffic on a network. It can be used to
print out the headers of packets on a network interface that match a given
expression. You can use this tool to track down network problems, to detect
"ping attacks" or to monitor the network activities.
Snort
http://www.snort.org
Description: flexible packet sniffer/logger that detects attacks. Snort is a
libpcap-based packet sniffer/logger which can be used as a lightweight
network intrusion detection system. It features rules-based logging and can
perform content searching/matching in addition to being used to detect a
variety of other attacks and probes, such as buffer overflows, stealth port
scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting
capability, with alerts being sent to syslog, a separate "alert" file, or
even to a Windows computer via Samba.
Saint
http://www.wwdsi.com/saint/
Description: SAINT (Security Administrator's Integrated Network Tool) is a
security assessment tool based on SATAN. Features include scanning through a
firewall, updated security checks from CERT & CIAC bulletins, 4 levels of
severity (red, yellow, brown, & green) and a feature-rich HTML interface.
Ethereal
http://ethereal.zing.org/
Description: Network traffic analyzer. Ethereal is a network traffic
analyzer, or "sniffer", for Unix and Unix-like operating systems. It uses
GTK+, a graphical user interface library, and libpcap, a packet capture and
filtering library.
Internet Security Scanner
www.iss.net
Note: This tool costs significant $$$ to use, and does not come with source
code.
Description: A popular commercial network security scanner.
Abacus Portsentry
http://www.psionic.com/abacus/portsentry/
Description: Portscan detection daemon. PortSentry has the ability to detect
portscans (including stealth scans) on the network interfaces of your
machine. Upon alarm it can block the attacker via hosts.deny, a dropped
route or a firewall rule. It is part of the Abacus program suite. Note: If
you have no idea what a port/stealth scan is, I'd recommend having a look at
http://www.psionic.com/abacus/portsentry/ before installing this package.
Otherwise you might easily block hosts you'd better not (e.g. your
NFS server, name server, ...).
DSniff
http://naughty.monkey.org/~dugsong/dsniff/
Description: A suite of powerful tools for sniffing networks for passwords
and other information. Includes sophisticated techniques for defeating the
"protection" of network switches.
Tripwire
http://www.tripwire.com/
Note: Depending on usage, this tool may have expensive licensing fees
associated with it.
Description: A file and directory integrity checker. Tripwire is a tool that
aids system administrators and users in monitoring a designated set of files
for any changes. Used with system files on a regular (e.g., daily) basis,
Tripwire can notify system administrators of corrupted or tampered files, so
damage control measures can be taken in a timely manner.
Hping2
http://www.kyuzz.org/antirez/hping/
Description: hping2 is a network tool able to send custom ICMP/UDP/TCP
packets and to display target replies like ping does with ICMP replies. It
handles fragmentation and arbitrary packet body and size, and can be used to
transfer files under supported protocols. Using hping2, you can: test
firewall rules, perform [spoofed] port scanning, test net performance using
different protocols, packet size, TOS (type of service), and fragmentation,
do path MTU discovery, transfer files (even between really Fascist firewall
rules), perform traceroute-like actions under different protocols,
fingerprint remote OSs, audit a TCP/IP stack, etc. hping2 is a good tool for
learning TCP/IP.
SARA
http://www-arc.com/sara/
Description: The Security Auditor's Research Assistant (SARA) is a third
generation security analysis tool that is based on the SATAN model, which is
covered by the GNU GPL-like open license. It is fostering a collaborative
environment and is updated periodically to address the latest threats.
Sniffit
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
Description: packet sniffer and monitoring tool. sniffit is a packet sniffer
for TCP/UDP/ICMP packets. sniffit is able to give you very detailed
technical info on these packets (SEQ, ACK, TTL, Window, ...) but also packet
contents in different formats (hex or plain text, etc.).
SATAN
http://www.fish.com/satan/
Description: Security Auditing Tool for Analysing Networks. This is a
powerful tool for analyzing networks for vulnerabilities, created for
sysadmins that cannot keep a constant look at bugtraq, rootshell and the
like.
IPFilter
http://coombs.anu.edu.au/ipfilter/
Description: IP Filter is a TCP/IP packet filter, suitable for use in a
firewall environment. To use, it can either be used as a loadable kernel
module or incorporated into your UNIX kernel; use as a loadable kernel
module where possible is highly recommended. Scripts are provided to install
and patch system files, as required.
iptables/netfilter/ipchains/ipfwadm
http://netfilter.kernelnotes.org/
Description: IP packet filter administration for 2.4.X kernels. Iptables is
used to set up, maintain, and inspect the tables of IP packet filter rules
in the Linux kernel. The iptables tool also supports configuration of
dynamic and static network address translation.
Firewalk
http://www.packetfactory.net/Projects/Firewalk/
Description: Firewalking is a technique developed by MDS and DHG that
employs traceroute-like techniques to analyze IP packet responses to
determine gateway ACL filters and map networks. Firewalk the tool employs
the technique to determine the filter rules in place on a packet forwarding
device. The newest version of the tool, firewalk/GTK, introduces the option
of using a graphical interface and a few bug fixes.
L0pht Crack
http://www.l0pht.com/l0phtcrack/
Note: No source code is included (except in the research version) and there
is a $100 registration fee.
Description: L0phtCrack is an NT password auditing tool. It will compute NT
user passwords from the cryptographic hashes that are stored by the NT
operating system. L0phtcrack can obtain the hashes through many sources
(file, network sniffing, registry, etc.) and it has numerous methods of
generating password guesses (dictionary, brute force, etc.).
John The Ripper
http://www.openwall.com/john/
Description: An active password cracking tool. john, normally called john
the ripper, is a tool to find weak passwords of your users.
Hunt
http://www.cri.cz/kra/index.html#HUNT
Description: Advanced packet sniffer and connection intrusion. Hunt is a
program for intruding into a connection, watching it and resetting it. Note
that hunt is operating on Ethernet and is best used for connections which
can be watched through it. However, it is possible to do something even for
hosts on other segments or hosts that are on switched ports.
OpenSSH / SSH
http://www.openssh.com/
http://www.ssh.com/commerce/index.html
Note: The ssh.com version costs money for some uses, but source code is
available.
Description: Secure rlogin/rsh/rcp replacement (OpenSSH). OpenSSH is derived
from OpenBSD's version of ssh, which was in turn derived from ssh code from
before the time when ssh's license was changed to be non-free. Ssh (Secure
Shell) is a program for logging into a remote machine and for executing
commands on a remote machine. It provides secure encrypted communications
between two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel. It is
intended as a replacement for rlogin, rsh and rcp, and can be used to
provide rdist and rsync with a secure communication channel.
tcp wrappers
ftp://ftp.porcupine.org/pub/security/index.html
Description: Wietse Venema's TCP wrappers library. Wietse Venema's network
logger, also known as TCPD or LOG_TCP. These programs log the client host
name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security
options are: access control per host, domain and/or service; detection of
host name spoofing or host address spoofing; booby traps to implement an
early-warning system.
Ntop
http://www.ntop.org
Description: display network usage in top-like format. ntop is a Network Top
program. It displays a summary of network usage by machines on your network
in a format reminiscent of the unix top utility. It can also be run in web
mode, which allows the display to be browsed with a web browser.
traceroute/ping/telnet
http://www.linux.com
Description: These are utilities that virtually all UNIX boxes already have.
In fact, even Windows NT has them (but the traceroute command is called
tracert).
NAT (NetBIOS Auditing Tool)
http://www.tux.org/pub/security/secnet/tools/nat10/
Note: This is an unofficial download site.
Description: The NetBIOS Auditing Tool (NAT) is designed to explore the
NETBIOS file-sharing services offered by the target system. It implements a
stepwise approach to gather information and attempt to obtain file
system-level access as though it were a legitimate local client.
scanlogd
http://www.openwall.com/scanlogd/
Description: A portscan detecting tool. Scanlogd is a daemon written by Solar
Designer to detect portscan attacks on your machine.
NFR
http://www.nfr.com
Note: Source code was once freely available but I do not know if this is
still the case. Some usage may cost money.
Description: A commercial sniffing application for creating intrusion
detection systems.
logcheck
http://www.psionic.com/abacus/logcheck/
Description: Mails anomalies in the system logfiles to the administrator.
Logcheck is part of the Abacus Project of security tools. It is a program
created to help in the processing of UNIX system logfiles generated by the
various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
and Log Daemon packages, and the Firewall Toolkit© by Trusted Information
Systems Inc. (TIS). Logcheck helps spot problems and security violations in
your logfiles automatically and will send the results to you in e-mail. This
program is free to use at any site. Please read the disclaimer before you use
any of this software.
Perl
http://www.perl.org
Description: A very powerful scripting language which is often used to
create "exploits" for the purpose of verifying security vulnerabilities. Of
course, it is also used for all sorts of other things.
Ngrep
http://www.packetfactory.net/Projects/ngrep/
Description: grep for network traffic. ngrep strives to provide most of GNU
grep's common features, applying them to the network layer. ngrep is a
pcap-aware tool that will allow you to specify extended regular expressions
to match against data payloads of packets. It currently recognizes TCP, UDP
and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf
filter logic in the same fashion as more common packet sniffing tools, such
as tcpdump and snoop.
Cheops
http://www.marko.net/cheops/
Description: A GTK based network "swiss-army-knife". Cheops gives a simple
interface to most network utilities, maps local or remote networks and can
show OS types of the machines on the network.
Vetescan
http://www.self-evident.com/
Description: Vetescan is a bulk vulnerability scanner which contains
programs to check for and/or exploit many remote network security exploits
that are known for Windows or UNIX. It includes various programs for doing
different kinds of scanning. Fixes for vulnerabilities are included along
with the exploits.
Libnet
http://www.packetfactory.net/libnet/
Description: Routines for the construction and handling of network packets.
libnet provides a portable framework for low-level network packet writing
and handling. Libnet features portable packet creation interfaces at the IP
layer and link layer, as well as a host of supplementary functionality.
Still in its infancy however, the library is evolving quite a bit.
Additional functionality and stability are added with each release. Using
libnet, quick and simple packet assembly applications can be whipped up with
little effort. With a bit more time, more complex programs can be written
(Traceroute and ping were easily rewritten using libnet and libpcap).
Crack / Libcrack
http://www.users.dircon.co.uk/~crypto/
Description: Crack 5 is an updated version of Alec Muffett's classic local
password cracker. Traditionally these allowed any user of a system to crack
the /etc/passwd and determine the passwords of other users (or root) on the
system. Modern systems require you to obtain read access to /etc/shadow in
order to perform this. It is still a good idea for sysadmins to run a
cracker occasionally to verify that all users have strong passwords.
Cerberus Internet Scanner
http://www.cerberus-infosec.co.uk/cis.shtml
Description: CIS is a free security scanner written and maintained by
Cerberus Information Security, Ltd and is designed to help administrators
locate and fix security holes in their computer systems. Runs on Windows NT
or 2000. No source code is provided.
Swatch
http://www.stanford.edu/~atkins/swatch/
Description: Swatch was originally written to actively monitor messages as
they were written to a log file via the UNIX syslog utility. It has multiple
methods of alarming, both visually and by triggering events. The perfect
tool for a master loghost. This is a beta release of version 3.0, so please
use it with caution. The code is still slightly ahead of the documentation,
but examples exist. NOTE: Works flawlessly on Linux (RH5), BSDI and Solaris
2.6 (patched).
OpenBSD
http://www.openbsd.org
Description: The OpenBSD project produces a FREE, multi-platform
4.4BSD-based UNIX-like operating system. Our efforts place emphasis on
portability, standardization, correctness, security, and cryptography.
OpenBSD supports binary emulation of most programs from SVR4 (Solaris),
FreeBSD, Linux, BSDI, SunOS, and HPUX.
Nemesis
http://www.packetninja.net/nemesis/
Description: The Nemesis Project is designed to be a command-line-based,
portable human IP stack for UNIX/Linux. The suite is broken down by
protocol, and should allow for useful scripting of injected packet streams
from simple shell scripts.
LSOF
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
Description: List open files. Lsof is a Unix-specific diagnostic tool. Its
name stands for LiSt Open Files, and it does just that. It lists information
about any files that are open by processes currently running on the system.
The binary is specific to kernel version 2.2.
Lids
http://www.turbolinux.com.cn/lids/
Description: LIDS is an intrusion detection/defense system in the Linux
kernel. The goal is to protect linux systems against root intrusions, by
disabling some system calls in the kernel itself. As you sometimes need to
administrate the system, you can disable LIDS protection.
IPTraf
http://cebu.mozcom.com/riker/iptraf/
Description: Interactive Colorful IP LAN Monitor. IPTraf is an ncurses-based
IP LAN monitor that generates various network statistics including TCP info,
UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP
checksum errors, and others. Note that since 2.0.0 IPTraf requires a kernel
>= 2.2.
IPLog
http://ojnk.sourceforge.net/
Description: iplog is a TCP/IP traffic logger. Currently, it is capable of
logging TCP, UDP and ICMP traffic. iplog 2.0 is a complete re-write of iplog
1.x, resulting in greater portability and better performance. iplog 2.0
contains all the features of iplog 1.x as well as several new ones. Major
new features include a packet filter and detection of more scans and
attacks. It currently runs on Linux, FreeBSD, OpenBSD, BSDI and Solaris.
Ports to other systems, as well as any contributions at all, are welcome at
this time.
Fragrouter
http://www.anzen.com/research/nidsbench/
Description: Fragrouter is aimed at testing the correctness of a NIDS,
according to the specific TCP/IP attacks listed in the Secure Networks NIDS
evasion paper. [2] Other NIDS evasion toolkits which implement these attacks
are in circulation among hackers or publicly available, and it is assumed
that they are currently being used to bypass NIDSs.
Queso
http://www.apostols.org/projectz/queso/
Note: A couple of the OS detection tests in Queso were later incorporated
into Nmap. A paper we wrote on OS detection is available here.
Description: Guess the operating system of a remote machine by looking at
the TCP replies.
GPG/PGP
http://www.gnupg.org/
http://www.pgp.com
Description: The GNU Privacy Guard (GnuPG) is a complete and free
replacement for PGP, developed in Europe. Because it does not use IDEA or
RSA it can be used without any restrictions. GnuPG is an RFC2440 (OpenPGP)
compliant application. PGP is the famous encryption program which helps
secure your data from eavesdroppers and other risks.
[Nov. 19, 2000]
System Administration xinetd
xinetd - extended Internet services daemon - provides good security
against intrusion and reduces the risk of Denial of Service (DoS) attacks.
Like the well-known couple (inetd+tcpd), it allows you to set the access
rights for a given machine, but it can do much more. In this article we will
discover its many features.
You could now ask which daemon you should choose, xinetd or inetd. As a
matter of fact, xinetd requires a bit more administration, especially as
long as it isn't included in distributions (it is in Red Hat 7.0). The most
secure solution is to use xinetd on machines with public access (like the
Internet) since it offers a better defense. For machines within a local
network inetd should be enough.
Top 75 Network Security Tools
Stephen E. Hansen, E. Todd Atkins,
Automated System Monitoring and Notification With Swatch
Abstract: This paper describes an approach to monitoring events on a
large number of servers and workstations. While modern UNIX systems are capable
of logging a variety of information concerning the health and status of their
hardware and operating system software, they are generally not configured to do
so. Even when this information is logged, it is often hidden in places that are
either not monitored regularly or are susceptible to deletion or modification by
a successful intruder. Also, a system administrator must often monitor several,
perhaps dozens, of systems. To address these problems, our approach begins with
the modification of certain system programs to enhance their logging
capabilities. In addition, our approach calls for the logging facilities on each
of these systems to be configured in such a way as to send a copy of the
critical system and security related information to a dependable, secure,
central logging host system. As one might expect, this central log can see a
megabyte or more of data in a single day. To keep a system administrator from
being overwhelmed by a large quantity of data we have developed an easily
configurable log file filter/monitor, called swatch. Swatch monitors log files
and acts to filter out unwanted data and take one or more user specified actions
(ring bell, send mail, execute a script, etc.) based upon patterns in the log.
See also:
i005_P3_swatchv3
LinuxPlanet -
Tutorials - Linux Networking Using Ipchains - Multiple Machines, A Single
Connection
Security for the Home Network LG #46
IP Chains
HOWTO
Application:
ipchains
Stable Version: 1.3.8
Brief Description:
Linux packet filter control utility (replaces ipfwadm for kernels 2.1.102+).
Application:
Deception Toolkit
Stable Version: 0.7
Homepage:
http://all.net/dtk/dtk.html
Download location:
http://all.net/dtk/download.html
Author: Fred Cohen
Application:
check-ps
Development Version: 1.2alpha5
Brief Description:
Reports or kills processes 'hidden' from the system administrator
Vic Abell,
lsof
Abstract: Lsof version 3 lists open files for running UNIX processes. It
is a descendant of ofiles, fstat, lsof version 1, and lsof version 2.
For system administration on UNIX or UNIX-like systems, lsof (LiSt Open
Files) is a life-saver. lsof will show what files a program has open, including
network connections, shared libraries, pipes, sockets, etc. It is the Swiss Army
knife of programmer/administrator tools. See author Vic Abell's home page for
details:
http://people.freebsd.org/~abe/
sXid
All in one suid/sgid monitoring script written in C
sXid is an all in one suid/sgid monitoring program written in C and designed
to be run from cron on a regular basis. It has many features not found in other
more "specific" scripts of this kind. Basically it tracks any changes in your
s[ug]id files and folders. If there are any new ones, ones that aren't set any
more, or they have changed bits or other modes then it reports the changes.
This version is mainly bug fixes and changes for compiling on more OSes,
including HP/UX, AIX, and a few Solaris fixes. It should be a little more
efficient as well.
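The sXid check just described, and the baseline-and-compare idea behind the integrity checkers recommended above, as an added Python example (not code from sXid, Tripwire or this page); the sample tree, its file names and contents are constructed stubs in a temporary directory.

```python
"""Track setuid/setgid files the way sXid does, against a Tripwire-style baseline.

Added example, not code from sXid, Tripwire or this page.  scan_sugid() walks a
directory tree and records every regular file with the setuid or setgid bit
set, together with its permission bits, owner and SHA-256 digest.
diff_baselines() then reports what changed between two scans: s[ug]id files
that appeared, ones that lost the bit (or vanished), and ones whose mode,
owner or contents differ.  demo() builds a constructed sample tree in a
temporary directory; the file names imitate system binaries but are stubs.
"""
import hashlib
import os
import stat
import tempfile


def scan_sugid(root):
    """Return {relative_path: (perm_bits, uid, gid, sha256)} for s[ug]id files under root."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            found[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, digest)
    return found


def diff_baselines(old, new):
    """Compare two scan_sugid() results; each list is sorted for a stable report."""
    return {
        "new": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Take a baseline of a constructed tree, mutate it, and report the differences."""
    root = tempfile.mkdtemp(prefix="sxid-demo-")

    def put(rel, data, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)   # chmod last: a write by an unprivileged user clears s[ug]id bits

    put("bin/su", b"#!/bin/sh\nexit 0\n", 0o4755)       # setuid stub
    put("bin/passwd", b"#!/bin/sh\nexit 0\n", 0o4755)   # setuid stub
    put("bin/ls", b"#!/bin/sh\nexit 0\n", 0o755)        # ordinary file, never reported
    baseline = scan_sugid(root)

    # Changes an administrator, a package upgrade, or an intruder could make:
    put("bin/passwd", b"#!/bin/sh\nexit 1\n", 0o4755)   # contents replaced, bits unchanged
    os.chmod(os.path.join(root, "bin/su"), 0o755)       # setuid bit stripped
    put("tmp/.x", b"#!/bin/sh\nexit 0\n", 0o4755)       # new setuid file in a scratch dir
    return diff_baselines(baseline, scan_sugid(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8s}: {', '.join(paths) or '-'}")
```

In real use the baseline would be written to read-only or off-host storage after installation and the scan run from cron, which is exactly the operating mode the sXid description above calls for.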
Copyright © 1996-2008 by Dr. Nikolai Bezroukov.
www.softpanorama.org was created as a service to the UN Sustainable Development
Networking Programme (SDNP) in the author's free time.
This document is an industrial compilation designed and created exclusively
for educational use and is placed under the copyright of the Open Content
License (OPL). Copyright on the original materials belongs to their respective
owners. Quotes are made for educational purposes only in compliance with the
fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web
page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author's present and former employers, SDNP or any
other organization the author may be associated with. We do not warrant the
correctness of the information provided or its fitness for any purpose.
Created: May 16, 1997; Last modified:
June 05, 2008