Jim's Security Tools

The following is a collection of tools designed to help sysadmins monitor their systems. There's no guarantee you'll like any of them, but I hope they help. In the course of writing them over about a 9 month period, I've found different ways to do different things, so there are some inconsitencies in programming style and design amongst the programs. One day, I'll decide on the One True Way do things, and they'll all conform.

DataTrack-0.3.tar.gz
Program for tracking hashed data . For use with the fsaudit program.

Notify-0.2.tar.gz
Data output object. For use with the Watchlog modules.

ProcTreeNode-0.1.tar.gz
Make a tree out of ps output...also used to check for unauthorized root shells

ProcTree-0.1.tar.gz
Make a process tree using the Proc::ProcessTable module. Only tested on Solaris, although Linux may work. Check out the current state of the Proc::ProcessTable module.

Watchlog-0.2.tar.gz
Watches your logs ala tail -f and reports nasty things.

0.1->0.2 Fixed bug that could hang the program after a log rotation

catchscan
Log ports scans to syslog

fsaudit
Checks filesystems for suspicious directory names

ifcheck
Checks for promisc mode on Solaris

logstats-0.8.tar.gz
Stats on your logs, fast.

unsuid
Turn off all unwanted suid programs -- run in a cron job before your most recent patches are disted out

Notes:

All of the capitalized programs are perl modules, not programs or scripts per se
Some of the perl modules may not have Makefile.PL files: untar into your site_perl
ProcTreeNode and ProcTree should be combined into one module that uses Proc::ProcessTable when possible, ps output otherwise. I decided that uidcheck should be a tree iterator, not a class method, thus the descrepancy between the two modules. (These really need more work, but you may find them useful...one thing you can do with Proc::ProcessTable is re-write ps, put it in your homedir or some such place, and it's likely that if someone rootkits your machine(s), they'll miss a perl script in your homedir, so you'll continue to get reliable process info)
fsaudit and unsuid should be combined in a modular fs checking program, similar to Watchlog
logstats appears to be the most complete program at this time...getting all the logs nailed down is a bear...there are some example classes in the tarball
Watchlog : Solaris admins should get paged when the regexp
```
		attempt to execute code on stack
```
shows up in the logs...be sure to put
```
		set noexec_user_stack = 1
		set noexec_user_stack_log = 1
```
in /etc/system and reboot. (Although this can get tripped by non-malicious programs as well)
Watchlog and logstats are meant to co-exist, so you may want to have similar entries checked for in both programs