System Security Auditing/Monitoring Tools

Modified 6 November 2008

The U.S. Department of Defense has a wide range of documents known as the "STIGs" — Security Technical Implementation Guide. These describe US DOD's view of best practices. Get them here: http://iase.disa.mil/stigs/stig/

If you're in US DOD or a contractor to it, you will be regularly audited. If you convince the auditor that you're following the STIG, the audit will succeed quickly. If you don't follow a STIG item, that may be acceptable as long as you can provide an explanation of why you are doing that and what you are doing to provide the needed security in that area.

If you are not connected to DOD, then the STIGs may seem somewhat paranoid and of little interest. But they do provide a good starting point for your policy. At the very least, they provide an organized set of concerns to be addressed in your policy.

TARA, the Tiger Analytical Research Assistant, is an automated system administrator's assistant: http://www-arc.com/tara/index.shtml.

COPS has been a standard auditing tool, although it's getting awfully old: ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/cops/

Titan automatically changes your system configuration to increase security, possibly breaking some functionality: http://www.fish2.com/titan/

Bastille takes you through a series of questions, educating along the way, possibly making configuration changes to increase security: http://www.bastille-linux.org/

Internet Security Systems, http://www.iss.net, makes system configuration testers with graphical interfaces. However, their tools are very expensive and have a difficult licensing scheme, and you don't necessarily get as much information as you can from the free tools.

Password cracking tools have clever rules implementing what users once thought were really keen ways to build passwords. Assume your threats have Crack, with the most up-to-date Crack rule sets, dictionaries of terms specific to your organization (e.g., phone directory, list of project and product names, building names, etc), and possibly huge dictionaries in several languages.

• Password crackers and related tools:
  • Cracking tools in general: http://www.packetstormsecurity.org/Crackers/
  • Unix-based Cracking tools:
    • http://www.packetstormsecurity.org/Crackers/crack/
    • ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack/
• Crackerjack http://www.packetstormsecurity.org/Crackers/crackerjack.zip
• Slurpie http://www.packetstormsecurity.org/distributed/slurpie.tgz
• John the Ripper for Unix: http://www.packetstormsecurity.org/Crackers/
• Qrack http://www.packetstormsecurity.org/Crackers/
• Hades http://www.packetstormsecurity.org/Crackers/hades.zip
• Word lists in several languages:
  • ftp://ftp.ox.ac.uk/pub/wordlists/ — Czech, Danish, Turkish, Hindi, ...
  • http://www.und.nodak.edu/org/crypto/crypto/words/ Croat, Finnish, Irish, Polish, ...

Password Cracking Tools for the Windows NT Family (NT3.x, NT4.x, Win2000, WinXP, Win2003, Vista, etc)

• Rainbow Tables are the way to go. This attack is possible against Windows, and can crack any Windows password in seconds to minutes.
  • The free Ophcrack can crack any alpha-numeric Windows password. http://ophcrack.sourceforge.net/
  • You'll have to pay money for a Rainbow Table that can crack any Windows password. But for about US$ 300, you can have any Windows password in a few minutes.
  See the discussion of Rainbow Tables and the comparison of operating system authentication strength on my page about authentication.
• L0phtCrack has been be the standard NT password grabber and cracker. It's great stuff — it can dump your password hashes locally over over the net (with one of the pwdump series of tools), and it can reverse-engineer your passwords.
  • AtStake has commercialized L0phtCrack as LC4. The free version is LCP: http://www.lcpsoft.com/
• John the Ripper for Windows: http://www.packetstormsecurity.org/Crackers/john-16w.zip
• NTSweep http://www.packetstormsecurity.org/Crackers/ntsweep.zip
• Crack for the NT family a Crack replacement for the NT family. http://ftp.tux.org/pub/security/secnet/tools/ntcrack/
• Password Policy Enforcer is for the NT family from TP Information Systems: http://www.tpis.com.au/products/ppe/features.asp

More tool FTP sites:

• ftp://coast.cs.purdue.edu/pub/tools/
• http://doecirc.energy.gov/ciac/tools.html
• ftp://ftp.funet.fi/pub/unix/security

My how-to-secure-Linux-and-BSD page is at: http://www.cromwell-intl.com/security/linux-hardening.html

Back to the main Security Page

Home Page Unix/Linux TCP/IP Infosec Travel Radio Site Map Contact

© Bob Cromwell Jan 2009. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.    Root password available here