
CERT List of Security Tools

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

October 2, 1997
Version 1.2
ftp://info.cert.org/pub/tech_tips/security_tools


                    CERT(*) Coordination Center
                       List of Security Tools

This document describes tools that can be used to help secure a system and
deter break-ins.

In addition to the information in this document, we provide three companion
documents that may help you:

        ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines
        - contains suggestions for avoiding common UNIX system
          configuration problems that have been exploited

        ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
        - contains suggestions for determining if your system has been
          compromised

        ftp://info.cert.org/pub/tech_tips/root_compromise
        - contains suggested steps for recovering from a root compromise on
          a UNIX system

Also, please see our CERT advisory 01-README file and CERT vendor-initiated
bulletin 01-README file, which contain brief descriptions of all past CERT
advisories and vendor-initiated bulletins. These files are available from

        ftp://info.cert.org/pub/cert_advisories/01-README
        ftp://info.cert.org/pub/cert_bulletins/01-README

We encourage you to get all advisories that pertain to your system(s),
and to install the patches or workarounds described in the advisories.
We also encourage you to check with your vendor(s) regularly for any
updates or new patches that relate to your systems.

- -------------------------------------------------------------------------------

NOTES - When installing and using any security tool, read and follow all
        available directions. Ensure that use of the tool conforms to
        your organization's policies and procedures. Keep sensitive files,
        such as MD5 checksum databases and log files, off-line or on
        read-only media, where an intruder who gains root cannot alter them.

 *****************************************************************************
 *  The CERT Coordination Center does not formally review, evaluate, or      *
 *  endorse the tools and techniques described. The decision to use the      *
 *  tools and techniques described is the responsibility of each user or     *
 *  organization, and we encourage each organization to thoroughly evaluate  *
 *  new tools and techniques before installing or using them.                *
 *****************************************************************************

Network Monitoring Tools

   1. Argus

      Argus is a network monitoring tool that uses a client-server model to
      capture packets and associate them into "transactions" (the flows
      between pairs of hosts). The tool provides network-level auditing: its
      records can be checked against a router's access-control configuration
      to confirm that the filters enforce what the configuration says, and
      the same data can be adapted to protocol analysis, intrusion
      detection, and other security needs. Argus is available from many
      sites, including

        ftp://ftp.net.cmu.edu/pub/argus-1.5/

   2. swatch

      Swatch, the Simple WATCHer program, is an easily configurable log file
      filter/monitor. Swatch watches log files as they grow, filters out
      unwanted entries, and takes one or more user-specified actions (echo,
      bell, mail, or an arbitrary command) when a line matches one of the
      patterns in its configuration. Swatch is available from

        ftp://ftp.stanford.edu/general/security-tools/swatch/
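      The kind of pattern-and-action watching swatch does, as an added example
      that is not part of the CERT document or of swatch itself: a small
      rule table is run over syslog lines, each match fires an action, the
      first matching rule wins, and repeats of the same rule and subject
      inside a throttle window are suppressed so a flood of identical
      messages does not become a flood of mail. The log lines, rules and
      actions are constructed for the example; real swatch reads its rules
      from a configuration file and tails the live log.

```python
"""swatch-style log watcher: pattern rules with throttling (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, "re.Pattern[str]", str, int]   # name, pattern, action, throttle seconds

# Constructed rule table.  The "who" group names the subject used for throttling.
RULES: List[Rule] = [
    ("bad-su",      re.compile(r"su: BAD SU (?P<who>\S+) to root"),               "mail root", 0),
    ("root-login",  re.compile(r"ROOT LOGIN REFUSED FROM (?P<who>\S+)"),           "mail root", 0),
    ("repeat-fail", re.compile(r"REPEATED LOGIN FAILURES ON \S+, (?P<who>\S+)"),   "bell",      60),
    ("disk",        re.compile(r"file system full"),                               "echo",      300),
]

# Constructed syslog excerpt, not taken from a real system.
SAMPLE_LOG = [
    "Oct  2 10:01:12 host1 login: REPEATED LOGIN FAILURES ON ttyp1, alice",
    "Oct  2 10:01:40 host1 login: REPEATED LOGIN FAILURES ON ttyp1, alice",  # 28 s later: throttled
    "Oct  2 10:02:30 host1 login: REPEATED LOGIN FAILURES ON ttyp1, alice",  # 78 s later: reported
    "Oct  2 10:03:05 host1 su: BAD SU bob to root on /dev/ttyp2",
    "Oct  2 10:03:07 host1 su: 'su root' succeeded for alice on /dev/ttyp3", # no rule: ignored
    "Oct  2 10:04:00 host1 login: ROOT LOGIN REFUSED FROM 203.0.113.9",
    "Oct  2 10:05:00 host1 vmunix: /usr: file system full",
    "Oct  2 10:05:01 host1 vmunix: /usr: file system full",                  # 1 s later: throttled
]

_TS = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")


def syslog_seconds(line: str) -> Optional[int]:
    """Seconds since midnight from a classic syslog timestamp, or None."""
    m = _TS.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def watch(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (rule name, action, line) for every line that fires a rule."""
    last_seen: Dict[Tuple[str, str], int] = {}
    fired: List[Tuple[str, str, str]] = []
    for line in lines:
        ts = syslog_seconds(line)
        for name, pattern, action, throttle in rules:
            m = pattern.search(line)
            if not m:
                continue
            key = (name, m.groupdict().get("who", ""))
            if throttle and ts is not None and key in last_seen and ts - last_seen[key] < throttle:
                break                     # repeat inside the throttle window: stay quiet
            last_seen[key] = ts if ts is not None else 0
            fired.append((name, action, line))
            break                         # first matching rule wins, as in swatch
    return fired


if __name__ == "__main__":
    for name, action, line in watch(SAMPLE_LOG):
        print(f"[{name}] {action}: {line}")
```

      Throttling is keyed on the rule and the subject it captured, so three
      different users failing to log in produce three reports while one user
      failing repeatedly produces one report per window.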


Authentication/Password Tools

   3. Crack

      Crack is a freely available program that identifies weak passwords
      by guessing: it takes words from widely available dictionaries,
      applies standard transformations to them, hashes each candidate with
      the UNIX DES-based crypt(3) algorithm and the account's own salt, and
      compares the result against the stored password hash. Crack does not
      "decrypt" anything; it only confirms guesses. The guessing techniques
      are outlined in the Crack documentation.

      Many system administrators run Crack as a regular system
      administration procedure and notify account owners who have
      "crackable" passwords. Run it only with authorization, on a host you
      control, and protect the copied password file and Crack's output as
      carefully as the passwords themselves. Crack is available from

        ftp://info.cert.org/pub/tools/crack/

   4. Shadow passwords

      If your UNIX system has a shadow password capability, you should use
      it. Under a shadow password system, the password field of the
      world-readable /etc/passwd file holds only a placeholder (typically
      "x" or "*"); the password hashes are held in a separate shadow file
      that is readable only by root. This prevents an ordinary user from
      copying the hashes and running Crack against them off-line. Consult
      your system manuals to determine whether a shadow password capability
      is available on your system and to get details of how to set up and
      manage it. After enabling it, verify that no hashes remain in
      /etc/passwd and that the shadow file is not readable by other users.
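      The checks behind items 3 and 4, as an added example that is not part
      of the CERT document, of Crack, or of any shadow-password suite: it
      flags accounts whose hash still sits in a world-readable passwd file,
      accounts with no password at all, and extra UID 0 accounts, and then
      runs a Crack-style dictionary guess against a set of hashes. The
      passwd and shadow lines, the wordlist and the handful of word
      transformations are constructed for the example; real Crack applies a
      far larger rule set. The guessing step uses Python's crypt module
      (present on Unix through Python 3.12, removed in 3.13) and accepts a
      caller-supplied hash function where that module is absent.

```python
"""Password-file audit in the spirit of Crack and shadow passwords (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

try:
    import crypt                      # Unix only; deprecated in 3.11, removed in 3.13
    HAVE_CRYPT = True
except ImportError:
    crypt = None
    HAVE_CRYPT = False

# Characters of a traditional 13-character DES crypt(3) hash.
DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# Constructed /etc/passwd: one entry of each kind the audit looks for.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/:/bin/sh",
    "daemon:*:1:1::/:/bin/false",                        # locked, no hash
    "guest::500:100:Guest:/home/guest:/bin/sh",          # empty password field
    "toor:x:0:0:backdoor:/:/bin/sh",                     # second UID 0 account
    "bob:abJnggxhB/yWI:1002:100:Bob:/home/bob:/bin/sh",  # hash not shadowed (constructed)
    "alice:x:1001:100:Alice:/home/alice:/bin/sh",
]
WORDLIST = ["password", "secret", "qwerty"]              # constructed


def parse_colon_file(lines: List[str]) -> Dict[str, List[str]]:
    """Map user name -> remaining fields for passwd- or shadow-style lines."""
    entries: Dict[str, List[str]] = {}
    for line in lines:
        line = line.rstrip("\n")
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields[1:]
    return entries


def looks_like_hash(field: str) -> bool:
    """True for a DES hash or a modular-crypt ($1$, $5$, $6$, ...) hash."""
    if field.startswith("$"):
        return True
    return len(field) == 13 and all(c in DES_ALPHABET for c in field)


def audit_password_files(passwd_lines: List[str],
                         shadow_lines: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """Return (user, finding): unshadowed-hash, empty-password, duplicate-uid-0."""
    findings: List[Tuple[str, str]] = []
    for user, fields in parse_colon_file(passwd_lines).items():
        pw, uid = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty-password"))
        elif looks_like_hash(pw):
            findings.append((user, "unshadowed-hash"))
        if uid == "0" and user != "root":
            findings.append((user, "duplicate-uid-0"))
    for user, fields in parse_colon_file(shadow_lines or []).items():
        if fields[0] == "":
            findings.append((user, "empty-password"))
    return findings


def dictionary_check(hashes: Dict[str, str], wordlist: List[str],
                     hasher: Optional[Callable[[str, str], str]] = None) -> Dict[str, str]:
    """Crack-style guessing: hash each candidate with the stored hash's own
    salt and compare.  Candidates: each word, its capitalised form, its
    reverse, and the word plus one digit (a tiny sample of Crack's rules)."""
    if hasher is None:
        if not HAVE_CRYPT:
            raise RuntimeError("no crypt(3) available; pass a hasher")
        hasher = crypt.crypt
    candidates: List[str] = []
    for w in wordlist:
        candidates += [w, w.capitalize(), w[::-1]] + [w + d for d in "0123456789"]
    recovered: Dict[str, str] = {}
    for user, stored in hashes.items():
        # crypt(3) reads the salt out of the stored hash, so passing the
        # whole hash as the salt works for DES and modular formats alike.
        for guess in candidates:
            if hasher(guess, stored) == stored:
                recovered[user] = guess
                break
    return recovered


def example() -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Audit the constructed passwd file, then guess against a shadow entry
    whose hash is generated here with the local crypt(3)."""
    findings = audit_password_files(SAMPLE_PASSWD)
    recovered: Dict[str, str] = {}
    if HAVE_CRYPT:
        alice_hash = crypt.crypt("secret7", crypt.mksalt())
        shadow = [f"alice:{alice_hash}:18000:0:99999:7:::"]
        hashes = {u: f[0] for u, f in parse_colon_file(shadow).items()}
        recovered = dictionary_check(hashes, WORDLIST)
    return findings, recovered


if __name__ == "__main__":
    findings, recovered = example()
    print("\n".join(f"{u}: {p}" for u, p in findings), "\nrecovered:", recovered)
```

      The same loop works unchanged against the 13-character DES hashes Crack
      was written for; what makes shadowing matter is that the loop needs
      the hashes as input, and a shadow file denies them to ordinary users.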


Service-Filtering Tools

   5. TCP/IP wrapper program

      The TCP wrapper program (tcpd) provides additional network logging
      information and gives a system administrator the ability to deny or
      allow access from certain systems or domains to the host on which the
      program is installed. tcpd is started by inetd in place of the real
      server, logs the connection, checks the client against the rules in
      /etc/hosts.allow and /etc/hosts.deny, and then runs the real server
      only if access is permitted. Installation of this software does not
      require any modification to existing network software, only a change
      to the inetd configuration. This program is available from

        ftp://info.cert.org/pub/tools/tcp_wrappers/
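      How the wrapper decides, as an added example that is not the
      tcp_wrappers code: a simplified model of the hosts.allow/hosts.deny
      matching documented in hosts_access(5). tcpd consults /etc/hosts.allow
      first, then /etc/hosts.deny, and permits the connection if neither file
      matches, so a deny-by-default policy needs an explicit "ALL: ALL" in
      hosts.deny. The model handles ALL, an exact host or address, ".domain"
      suffixes, "net." prefixes, net/mask pairs and the EXCEPT operator; the
      real tcpd adds LOCAL, KNOWN/UNKNOWN/PARANOID, options such as spawn,
      and forward/reverse DNS cross-checks against spoofed host names. The
      rule sets and connections below are constructed.

```python
"""Model of the hosts.allow / hosts.deny decision made by tcpd (added example)."""
import ipaddress
from typing import Callable, List, Tuple

# A rule is (daemon_list, client_list): the two colon-separated fields of a
# hosts.allow or hosts.deny line.  Both policies below are constructed.
Rule = Tuple[str, str]

HOSTS_ALLOW: List[Rule] = [
    ("sshd", "192.168.1.0/255.255.255.0 EXCEPT 192.168.1.99"),
    ("in.ftpd, in.telnetd", ".example.com"),
    ("ALL", "127.0.0.1"),
]
HOSTS_DENY: List[Rule] = [
    ("ALL", "ALL"),   # without this, tcpd permits whatever hosts.allow did not match
]


def _client_matches(pattern: str, addr: str, host: str) -> bool:
    """One client pattern against the connection's address and host name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # domain suffix: .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):                   # address prefix: 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                          # net/mask: 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return pattern in (addr, host)


def _list_matches(text: str, matches: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c': true if an item before EXCEPT matches and none after."""
    if " EXCEPT " in text:
        head, tail = text.split(" EXCEPT ", 1)
        return _list_matches(head, matches) and not _list_matches(tail, matches)
    return any(matches(item) for item in text.replace(",", " ").split())


def _rule_matches(rule: Rule, daemon: str, addr: str, host: str) -> bool:
    daemons, clients = rule
    return (_list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and _list_matches(clients, lambda p: _client_matches(p, addr, host)))


def tcpd_decision(daemon: str, addr: str, host: str,
                  allow: List[Rule] = HOSTS_ALLOW, deny: List[Rule] = HOSTS_DENY) -> str:
    """hosts.allow is searched first, then hosts.deny; first match wins.
    If neither file matches, tcpd grants access."""
    for rule in allow:
        if _rule_matches(rule, daemon, addr, host):
            return "allow"
    for rule in deny:
        if _rule_matches(rule, daemon, addr, host):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for conn in [("sshd", "192.168.1.5", "ws5.example.com"),
                 ("sshd", "192.168.1.99", "ws99.example.com"),
                 ("in.ftpd", "203.0.113.7", "mirror.example.com"),
                 ("in.ftpd", "203.0.113.8", "host.evil.net"),
                 ("in.fingerd", "127.0.0.1", "localhost")]:
        print(conn, "->", tcpd_decision(*conn))
```

      Two points the model makes visible: rules that name a domain suffix
      are only as strong as the reverse DNS the client's network controls,
      so prefer address-based rules for anything sensitive; and an empty
      hosts.deny means an empty hosts.allow denies nothing.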


Tools to Scan Hosts for Known Vulnerabilities

   6. ISS (Internet Security Scanner)

      ISS is a program that will interrogate all computers within a specified
      IP address range, determining the security posture of each with respect
      to several common system vulnerabilities. ISS is available from many
      sites, including

        ftp://info.cert.org/pub/tools/iss/

      For further information about ISS, see

    ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner

   7. SATAN (Security Administrator Tool for Analyzing Networks)

      SATAN is a testing and reporting tool that collects a variety of
      information about networked hosts. SATAN is available from many sites,
      including

        ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z

      For further information about SATAN, see

        ftp://info.cert.org/pub/cert_advisories/CA-95:06.satan
        ftp://info.cert.org/pub/cert_advisories/CA-95:07a.REVISED.satan.vul


Multi-Purpose Tools

   8. COPS (Computer Oracle and Password System)

      COPS is a publicly available collection of programs that attempt to
      identify security problems in a UNIX system. COPS does not attempt to
      correct any discrepancies found; it simply produces a report of its
      findings. COPS is available from

        ftp://info.cert.org/pub/tools/cops/

      and by uucp from uunet.uu.net.
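      A report-only audit of the kind COPS performs, as an added example that
      is not part of the CERT document or of COPS: it walks a directory tree
      and reports world-writable files, world-writable directories that lack
      the sticky bit (anyone can replace files there), and set-uid/set-gid
      programs, and changes nothing. The miniature file tree is constructed
      in a temporary directory so the script runs anywhere; on a real system
      you would point audit_tree at / and review the list by hand.

```python
"""COPS-style file-permission audit that reports and never fixes (added example)."""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]   # (path relative to the audited root, problem)


def audit_tree(root: str) -> List[Finding]:
    """Walk root and report the permission problems COPS looks for."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                       # judge targets, not links
            rel = os.path.relpath(path, root)
            mode = st.st_mode
            if stat.S_ISDIR(mode):
                # Anyone can replace files in a world-writable directory
                # unless the sticky bit restricts deletion to the owner.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable directory without sticky bit"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            if mode & stat.S_ISUID:
                findings.append((rel, "set-uid program"))
            if mode & stat.S_ISGID and mode & stat.S_IXGRP:
                findings.append((rel, "set-gid program"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed miniature filesystem with one example of each problem."""
    root = tempfile.mkdtemp(prefix="cops-demo-")
    layout = {                      # path -> (content, or None for a directory; mode)
        "etc":        (None, 0o755),
        "bin":        (None, 0o755),
        "tmp":        (None, 0o1777),   # world-writable but sticky: acceptable
        "spool":      (None, 0o777),    # world-writable, no sticky bit
        "etc/passwd": (b"root:x:0:0:root:/:/bin/sh\n", 0o666),
        "bin/ls":     (b"#!/bin/sh\necho ls\n", 0o755),
        "bin/su":     (b"#!/bin/sh\necho su\n", 0o4755),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        if content is None:
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "wb") as f:
                f.write(content)
        os.chmod(path, mode)          # set explicitly so the umask does not matter
    return root


def example() -> List[Finding]:
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, problem in example():
        print(f"{problem}: {rel}")
```

      Set-uid programs are reported rather than judged: some (su, passwd)
      are expected, and the value of the report is in comparing it with the
      previous run so that a new set-uid binary stands out.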


Integrity-Checking Tools

   9. MD5

      MD5 is a cryptographic checksum program. MD5 takes as input a message
      of arbitrary length and produces as output a 128-bit "fingerprint" or
      "message digest" of the input. When this document was written it was
      thought to be computationally infeasible to produce two messages
      having the same message digest or to produce any message having a
      given pre-specified target message digest. Practical MD5 collisions
      have since been demonstrated, so an attacker who can choose both the
      original and the replacement file can defeat an MD5-based check; for
      new integrity databases prefer SHA-256 or stronger, and in any case
      keep the checksums where an intruder cannot rewrite them. MD5 is
      specified in RFC 1321. See

        ftp://info.cert.org/pub/tools/md5/

  10. Tripwire

      Tripwire checks file and directory integrity; it is a utility that
      compares a designated set of files and directories to information
      (permissions, ownership, sizes, timestamps and cryptographic
      checksums) stored in a previously generated database. Any differences
      are flagged and logged, including added or deleted entries. When run
      against system files on a regular basis, Tripwire enables you to spot
      changes in critical system files and to immediately take appropriate
      damage control measures. The database is only trustworthy if it was
      built from a known-clean system (ideally right after installation)
      and is kept, together with the Tripwire binary, on read-only or
      off-line media that an intruder with root access cannot rewrite.
      Tripwire is available from many sites, including

        ftp://info.cert.org/pub/tools/tripwire/
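      Items 9 and 10 together, as an added example that is not part of the
      CERT document, of Tripwire, or of the md5 tool: a baseline records the
      mode, size and digest of every regular file under a root, and a later
      scan is compared against it to list files added, removed or changed.
      The tree and the tampering are constructed in a temporary directory.
      SHA-256 is used rather than MD5 for the reason given above; the
      algorithm is a parameter, so "md5" works for comparing against an
      existing MD5-based database.

```python
"""Tripwire-style integrity database built on cryptographic digests (added example)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List

Record = Dict[str, object]


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large files are handled."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str, algorithm: str = "sha256") -> Dict[str, Record]:
    """Mode, size and digest of every regular file under root.  mtime is
    left out on purpose: touch(1) restores it, while the digest cannot be
    restored without restoring the content."""
    db: Dict[str, Record] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                db[os.path.relpath(path, root)] = {
                    "mode": stat.S_IMODE(st.st_mode),
                    "size": st.st_size,
                    "digest": file_digest(path, algorithm),
                }
    return db


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Paths added, removed, or changed (any recorded attribute differs)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def example() -> Dict[str, List[str]]:
    """Constructed tree: take a baseline, tamper in three ways, compare."""
    root = tempfile.mkdtemp(prefix="tw-demo-")
    try:
        files = {"bin/login": b"login v1\n", "bin/ls": b"ls\n",
                 "etc/passwd": b"root:x:0:0:root:/:/bin/sh\n"}
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        # The serialised database is what you would write to read-only media.
        snapshot = json.dumps(baseline(root), sort_keys=True)
        # Tampering: a same-size edit (a size or mtime check alone misses it),
        # a deleted binary, and a new file dropped in.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"login v2\n")
        os.remove(os.path.join(root, "bin/ls"))
        with open(os.path.join(root, "etc/rc.local"), "wb") as f:
            f.write(b"/tmp/.x &\n")
        return compare(json.loads(snapshot), baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in example().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

      The comparison is only as good as the scanning binary and the saved
      database: run the scan from a trusted copy of the tool (a clean boot
      medium, for instance) and read the database from media the compromised
      host could not have written.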


Other Tools

  11. lsof

      lsof lists open files, including network sockets, and the UNIX
      processes that have them open. It is useful during an investigation
      for finding which process is listening on a suspicious port or is
      holding open a file that has been deleted from the directory tree.
      lsof is available from

        ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

  12. ifstatus

      The ifstatus program can be run on UNIX systems to identify network
      interfaces that are in debug or promiscuous mode. An interface in
      promiscuous mode receives every packet on its network segment, not
      just those addressed to the host, and may be a sign that an intruder
      is running a sniffer to steal passwords and other traffic (see CERT
      advisory CA-94:01).

      Unless -v is given, the program prints no output at all unless it
      finds interfaces in "bad" modes, so a cron job that runs it is silent
      until there is something to report. If you have a modern cron that
      mails the output of cron jobs to their owner, it's easy to run
      ifstatus from cron once an hour or so with a line like this:

        00  *  *  *  * /usr/local/etc/ifstatus

      If you have a version of cron that doesn't do this, use the
      "run-ifstatus" shell script instead (edit the script to use the right
      path to the command):

        00  *  *  *  * /usr/local/etc/run-ifstatus

      ifstatus is available from many sites, including

      ftp://info.cert.org/pub/tools/ifstatus/ifstatus.tar.Z
      ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/ifstatus.tar.Z
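      The same check as an added example that is not ifstatus: on Linux the
      kernel exports each interface's flag word in /sys/class/net/<iface>/flags,
      and IFF_DEBUG (0x4) and IFF_PROMISC (0x100) are the two bits ifstatus
      reports on. The flag table in example() is constructed so the check
      runs on any machine; read_linux_flags() reads the live values where
      /sys exists. Like ifstatus, the report is empty unless something is
      wrong, so cron's mail stays meaningful.

```python
"""ifstatus-style check for interfaces in promiscuous or debug mode (added example)."""
import glob
import os
from typing import Dict, List

IFF_DEBUG = 0x4          # values from <linux/if.h>
IFF_PROMISC = 0x100


def bad_modes(flags: int) -> List[str]:
    """Names of the suspicious modes set in an interface flag word."""
    modes = []
    if flags & IFF_PROMISC:
        modes.append("PROMISC")
    if flags & IFF_DEBUG:
        modes.append("DEBUG")
    return modes


def check_interfaces(flags_by_iface: Dict[str, int]) -> Dict[str, List[str]]:
    """Only interfaces in a bad mode are returned, so a clean host yields {}."""
    return {name: bad_modes(flags)
            for name, flags in sorted(flags_by_iface.items()) if bad_modes(flags)}


def read_linux_flags() -> Dict[str, int]:
    """Live interface flags from /sys/class/net/<iface>/flags (hex text)."""
    flags: Dict[str, int] = {}
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as f:
            flags[os.path.basename(os.path.dirname(path))] = int(f.read().strip(), 16)
    return flags


def report(findings: Dict[str, List[str]], verbose: bool = False) -> str:
    """Silent unless something is wrong, unless verbose is requested."""
    lines = [f"WARNING: interface {name} is in {' and '.join(modes)} mode"
             for name, modes in findings.items()]
    if not lines and verbose:
        lines.append("no interfaces in promiscuous or debug mode")
    return "\n".join(lines)


def example() -> Dict[str, List[str]]:
    """Constructed flag words: lo is UP|LOOPBACK, eth0 is UP|BROADCAST|PROMISC|
    MULTICAST (a sniffer is attached), eth1 has DEBUG set."""
    constructed = {"lo": 0x9, "eth0": 0x1103, "eth1": 0x1007}
    return check_interfaces(constructed)


if __name__ == "__main__":
    live = read_linux_flags()
    print(report(check_interfaces(live) if live else example(), verbose=True))
```

      On Linux the kernel also logs "device eth0 entered promiscuous mode"
      when the bit is set, which a log watcher such as swatch (item 2) can
      pick up immediately instead of waiting for the hourly check.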

  13. smrsh

      With all versions of sendmail, we recommend that you use the sendmail
      restricted shell program, smrsh, by Eric Allman (the original author of
      sendmail). sendmail runs the commands named in alias and ~/.forward
      "|program" entries through a shell; smrsh takes the place of /bin/sh in
      that role, runs only programs that exist in a directory the
      administrator controls, and rejects command lines that contain shell
      metacharacters. When configured correctly, the smrsh program can help
      protect against a vulnerability that can allow unauthorized remote or
      local users to execute programs as any system user other than root.
      For example, smrsh can prevent an intruder from using pipes (|) to
      execute arbitrary commands on your system.

      We encourage you to use smrsh regardless of whether you use the vendor's
      supplied sendmail or install sendmail yourself, and regardless of
      patches that have been installed.

      Beginning with sendmail version 8.7.1, smrsh is included in the
      sendmail distribution, in the subdirectory smrsh. See the
      RELEASE_NOTES file for a description of how to integrate smrsh into
      your sendmail configuration file.

      smrsh is also available from many sites, including

        ftp://info.cert.org/pub/tools/smrsh/
        ftp://ftp.uu.net/pub/security/smrsh/

      Warning: If you are running such an old version of sendmail that you
               must install smrsh separately, intruders will continue to be
               able to exploit vulnerabilities that were fixed in later
               versions of sendmail. We urge you to upgrade to the current
               version of sendmail and then run the tools that are
               included with the distribution.

      Refer to the following files for further information about smrsh:

        ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
        ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
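      What the restriction amounts to, as an added example that is a
      simplified model of the behaviour documented in smrsh(8) and not the
      smrsh source: any leading path on the program name is discarded, the
      program must exist in the smrsh command directory, and a command line
      carrying shell metacharacters is refused outright. The command
      directory contents and the .forward-style commands are constructed;
      the exact metacharacter set differs slightly between sendmail
      releases. In sendmail's m4 configuration the program is wired in with
      FEATURE(`smrsh'); the RELEASE_NOTES describe the equivalent change to
      the prog mailer in sendmail.cf.

```python
"""Model of the command check smrsh applies for sendmail's prog mailer (added example)."""
from typing import List, Optional

CMDDIR = "/usr/adm/sm.bin"      # the only directory smrsh will run programs from
# Shell metacharacters smrsh refuses anywhere on the command line, so that a
# permitted program cannot be used as a springboard to start another one.
FORBIDDEN = set("`<>|;&$()\\\r\n")

# Constructed contents of CMDDIR: the administrator has linked only these two.
SM_BIN = ["vacation", "procmail"]


def smrsh_check(command: str, cmddir_contents: List[str] = SM_BIN) -> Optional[List[str]]:
    """Return the argv smrsh would execute from CMDDIR, or None if it refuses."""
    if not command.strip() or set(command) & FORBIDDEN:
        return None
    argv = command.split()
    program = argv[0].rsplit("/", 1)[-1]     # a leading path is discarded, never honoured
    if program not in cmddir_contents:
        return None
    return [f"{CMDDIR}/{program}"] + argv[1:]


def example() -> List[Optional[List[str]]]:
    """Typical .forward / alias pipe targets, legitimate and hostile (constructed)."""
    attempts = [
        "/usr/bin/vacation alice",             # allowed: vacation is in sm.bin
        "procmail -f-",                        # allowed
        "/bin/sh -c 'cat /etc/passwd'",        # refused: sh is not in sm.bin
        "vacation alice; /bin/sh",             # refused: ';' on the command line
        "`/usr/bin/id`",                       # refused: backquote
        "../../bin/sh",                        # refused: path stripped, sh not in sm.bin
    ]
    return [smrsh_check(a) for a in attempts]


if __name__ == "__main__":
    for decision in example():
        print("exec", decision if decision else "REFUSED")
```

      The protection is only as tight as the command directory: a shell,
      an interpreter, or anything that can be told to execute a file
      (uudecode writing to an arbitrary path, for instance) must not be
      linked into it.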

  14. mail.local

      Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable
      because of race conditions (timing windows) in the way /bin/mail
      creates and uses temporary files in publicly writable directories:
      between the moment /bin/mail checks a file and the moment it uses it,
      a local user can interfere with that file. If you cannot install a
      patch from your vendor, replace /bin/mail with mail.local.

      Beginning with sendmail version 8.7.1, mail.local is included in the
      sendmail distribution, in the subdirectory mail.local. The program is
      also available from many sites, including

        ftp://info.cert.org/pub/tools/mail.local/

      For further information about mail.local, see

    ftp://info.cert.org/pub/cert_advisories/CA-95:02.binmail.vulnerabilities


Other Reading About Security Tools

   For a list of additional security tools, see Appendix B of the "UNIX
   Computer Security Checklist" developed by the Australian Computer
   Emergency Response Team (AUSCERT). A copy of the AUSCERT checklist can
   be found in

        ftp://info.cert.org/pub/tech_tips/AUSCERT_checklist1.1

   The CERT Coordination Center maintains a directory of information that has
   come to our attention concerning the most current releases of software,
   releases that contain security improvements. The directory is by no means
   complete, but it does contain pointers to the latest versions of some
   security tools. The location is

        ftp://info.cert.org/pub/latest_sw_versions


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.



-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTCMlr9kb5qlZHQEQKa2ACgyjMuJ9nycHoeTnDEUWlz8by+nVYAoOb+
JtFsibQA5MRfoRtIYwpsct/q
=0F8t
-----END PGP SIGNATURE-----
