Auditor augments the White Glove distribution by providing the following additional capabilities:
PSL: PSL is a process analyzer that looks at the processes on a system and reports on whether they look sensible. It runs the Unix/Linux ps command, identifies the various processes, and reports on anything it finds unusual. It is a handy tool for looking at a live system and seeing what's up. To run, type:
/usr/local/auditor/psl.pl OR /usr/local/auditor/psl.sh
For checks against historical changes, use:
/usr/local/auditor/psl.pl > baseline
and later:
/usr/local/auditor/psl.pl > current
diff baseline current
To install on your system, copy /usr/local/auditor/psl.pl to your system and run from there.
Verify: Verify checks profiles of programs run against historical records using the 'lastcomm' command. To run it on a live system for the first time:
cp /usr/local/auditor/verify/* /tmp
cd /tmp
verify
mv found allowed
This provides a baseline of all programs run, as stored in the 'lastcomm' file. We assume (for now) that all of these programs are allowed. Thereafter:
cp /usr/local/auditor/verify/* /tmp
cd /tmp
verify
This reports all programs that have not been run since the last verification, and all programs run since the last verification that were not in the previous baseline. If some of the programs found in the initial step are not desired, remove them from the 'allowed' file. This program is particularly useful on firewalls and in similar applications where a relatively small number of programs run regularly and other programs are rarely supposed to run at all.
To use on your systems, copy the 'verify' program to your computer and use it from there.
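A minimal version of the comparison verify performs, added here as an example and not part of the Auditor distribution. It assumes lastcomm-style output with the command name in the first column and uses constructed sample data in place of a live accounting file:

```shell
#!/bin/sh
# Added example (not Auditor's own code): reduce lastcomm-style accounting
# lines to the set of command names and compare that set with an 'allowed'
# baseline, reporting
#   - programs run that are not in the baseline (new, possibly unwanted)
#   - baseline programs that were not run in this period
# On a real host, feed `lastcomm` output in place of SAMPLE_LASTCOMM.

# Constructed sample of lastcomm-style output (not from a real system).
SAMPLE_LASTCOMM='sshd      S   root     __        0.02 secs Mon Mar  3 10:01
cron      S   root     __        0.00 secs Mon Mar  3 10:05
sh        S   root     __        0.01 secs Mon Mar  3 10:05
sendmail  S   root     __        0.03 secs Mon Mar  3 10:06
nc        S   nobody   __        0.05 secs Mon Mar  3 10:07'

# Constructed baseline, one command name per line (the "allowed" file).
ALLOWED='cron
sendmail
sh
sshd
syslogd'

# Sorted, unique list of command names seen in the accounting data.
seen_commands() {
    printf '%s\n' "$1" | awk '{print $1}' | sort -u
}

# Programs run ($1 = accounting output) that are not in the allowed list ($2).
not_allowed() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | sort -u > "$tmp"
    seen_commands "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Allowed programs ($2) that did not run at all in the accounting output ($1).
not_run() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | sort -u > "$tmp"
    seen_commands "$1" | comm -13 - "$tmp"
    rm -f "$tmp"
}

echo "Run but not allowed:"; not_allowed "$SAMPLE_LASTCOMM" "$ALLOWED"
echo "Allowed but not run:"; not_run "$SAMPLE_LASTCOMM" "$ALLOWED"
```

Names that appear under "Run but not allowed" are the ones to investigate; those under "Allowed but not run" may be candidates for removal from the baseline.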
Tracer: Tracer is an audit tool that looks at Unix/Linux configuration and other files searching for known vulnerabilities and configuration faults. It identifies the faults, prescribes actions to take to mitigate risks, and produces a report. Output can be fed directly into a shell script to repair many of the faults automatically. To run:
cd /usr/local/auditor/tracer/tracer
./tracer.pl -h
This will provide help on tracer. For more details, see the Tracer Manual.
Tracer can be run on mounted file systems (treating them as the root of their own systems), which allows the CD to be booted for audit. It can also be installed on other systems and used for auditing there.
Tracker: Tracker is a set of tools that assist in tracking sites over the Internet. It retrieves the available information from the Internet and provides it to the user for further use. Specifically, it looks up domain names, IP addresses, ownership, and DNS records, and reports them. It handles multiple IP addresses for a name and multiple names for an IP address. To run:
cd /usr/local/auditor/tracker
tracker
It will prompt for an IP address or hostname and go from there. Command line versions are also available. Review results in detail.
Auditor is NOW available