Tools

• Tripwire (intrusion detection)
  • See the tripwire tutorial
  • #/usr/sbin/tripwire --init

    Used to fingerprint important files (/etc/tripwire/twpol.txt) and save the fingerprints in a database (/var/lib/tripwire/$(HOSTNAME).twd)

  • # /usr/sbin/tripwire --check

    Used later to check that fingerprints of important files has not changed (ie by a rootkit).

  • Database should be moved to secure system between checks. Best to boot to single user mode, reinstall tripwire (or mount directories with installation intact) and then check with offline stored database.
• AIDE an alternative to tripwire.
• Misc Unix commands/files (intrusion detection/system monitoring)
  • last list users that logged in
  • /var/log log files
  • lsof list open files
  • top system performance
  • ps aux list processes
  • history command history for users
• SE Linux (hardening) fine grained permissions for linux
• Bastille Linux (system hardening)
  The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works.
  An article on hardening with Bastille linux.
• Windows Policy Editor gpedit.msc (XP Pro, Server) (system hardening)
  Used to configure system wide policies. For example, passwords, lengths, expiration etc.
• Windows Baseline Security Analyzer (system hardening)
  Analyze windows system, identify security vulnerabilities weak points.
• Windows Event Viewer (intrusion detection/system monitoring)
  like /var/log under linux.
• Sysinternals, tools including ProcessExplorer, RootkitRevealer