Thread: Programs
#2, 2nd May 2008
anomie

[ As you know "security program" is a really broad category. ]

I have lots of favorites, but I appreciate the aide HIDS a lot. Another HIDS may be just as effective, but aide is what I'm accustomed to. My understanding is it's modeled after tripwire. Anyway, it has made my life a lot easier in situations where there are a couple sudoers on a box that I'd like to monitor for file changes in certain directories.

I also find the lsof utility surprisingly useful for what could be considered security purposes. If there is a process on my system I don't recognize, I can easily take a look at what files it has open by using the process's PID. Contrived example (using a PID associated with cupsd):
Code:
# lsof -p 1032
COMMAND  PID USER   FD     TYPE     DEVICE SIZE/OFF    NODE NAME
cupsd   1032 root  cwd     VDIR      0,110      512 6994944 /usr/home/jail/10.0.0.101
cupsd   1032 root  rtd     VDIR      0,110      512 6994944 /usr/home/jail/10.0.0.101
cupsd   1032 root  jld     VDIR      0,110      512 6994944 /usr/home/jail/10.0.0.101
cupsd   1032 root  txt     VREG      0,110   620223 7160487 /usr/home/jail/10.0.0.101/usr/local/sbin/cupsd
cupsd   1032 root  txt     VREG      0,110   161600 6995046 /usr/home/jail/10.0.0.101/libexec/ld-elf.so.1
cupsd   1032 root  txt     VREG      0,110    64284 6995044 /usr/home/jail/10.0.0.101/lib/libz.so.3
cupsd   1032 root  txt     VREG      0,110   543878 7113945 /usr/home/jail/10.0.0.101/usr/local/lib/libgnutls.so.13
cupsd   1032 root  txt     VREG      0,110   340868 7090128 /usr/home/jail/10.0.0.101/usr/local/lib/libgcrypt.so.13
cupsd   1032 root  txt     VREG      0,110    13975 7090089 /usr/home/jail/10.0.0.101/usr/local/lib/libgpg-error.so.0
cupsd   1032 root  txt     VREG      0,110   501095 7160438 /usr/home/jail/10.0.0.101/usr/local/lib/libcups.so.2
cupsd   1032 root  txt     VREG      0,110    94448 6995023 /usr/home/jail/10.0.0.101/lib/libm.so.4
cupsd   1032 root  txt     VREG      0,110    28680 6995022 /usr/home/jail/10.0.0.101/lib/libcrypt.so.3
cupsd   1032 root  txt     VREG      0,110   140200 6995040 /usr/home/jail/10.0.0.101/lib/libpthread.so.2
cupsd   1032 root  txt     VREG      0,110   929420 6995020 /usr/home/jail/10.0.0.101/lib/libc.so.6
cupsd   1032 root  txt     VREG      0,110    39998 7843917 /usr/home/jail/10.0.0.101/usr/local/lib/libintl.so.8
cupsd   1032 root  txt     VREG      0,110  1041012 7822254 /usr/home/jail/10.0.0.101/usr/local/lib/libiconv.so.3
cupsd   1032 root    0u  KQUEUE 0xc3814d00                  count=0, state=0x2
cupsd   1032 root    1r    VCHR       0,10    0t600      10 /usr/home/jail/10.0.0.101/dev (devfs) (like character special /dev/random)
cupsd   1032 root    2u    VREG      0,110   105077 6995665 /usr/home/jail/10.0.0.101/var/log/cups/error_log
cupsd   1032 root    3u    IPv4 0xc37e8570      0t0     TCP printer.bunnyland.local:ipp (LISTEN)
cupsd   1032 root    4u    unix 0xc3611590      0t0         /var/run/cups.sock
cupsd   1032 root    5u    IPv4 0xc3612ec4      0t0     UDP printer.bunnyland.local:ipp
cupsd   1032 root    6u    PIPE 0xc3597660    16384         ->0xc3597718
cupsd   1032 root    7u    PIPE 0xc3597718        0         ->0xc3597660
cupsd   1032 root    8u    VREG      0,110     5094 6995918 /usr/home/jail/10.0.0.101/var/log/cups/page_log
cupsd   1032 root    9u    VREG      0,110   107499 6995575 /usr/home/jail/10.0.0.101/var/log/cups/access_log
__________________
Kill your t.v.
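A worked example of the lsof habit described in the post: turn "what does this PID have open?" into a repeatable triage. This is added code, not the poster's; `lsof -p PID -F pcuftn` is a real invocation (`-F` selects lsof's one-field-per-line output, which is far easier to parse than the column view shown above), but the sample text is constructed to resemble the cupsd listing, and the trusted-prefix policy, function names and the stray `/tmp` library are assumptions made for the demonstration.

```python
"""Triage what one process holds open, from lsof's machine-readable -F output."""
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in lsof -F format (not real output). One field per line:
# p=pid, c=command, u=uid, f=fd, a=access mode, t=type, n=name.
# An 'f' line starts a new file record. One shared object has deliberately
# been placed under /tmp so the triage has something to flag.
SAMPLE_LSOF_F = """\
p1032
ccupsd
u0
fcwd
tVDIR
n/usr/home/jail/10.0.0.101
ftxt
tVREG
n/usr/home/jail/10.0.0.101/usr/local/sbin/cupsd
ftxt
tVREG
n/usr/home/jail/10.0.0.101/lib/libc.so.6
ftxt
tVREG
n/tmp/unexpected.so
f2
au
tVREG
n/usr/home/jail/10.0.0.101/var/log/cups/error_log
f3
au
tIPv4
nprinter.bunnyland.local:ipp (LISTEN)
f5
au
tIPv4
nprinter.bunnyland.local:ipp
"""


@dataclass
class OpenFile:
    fd: str            # "cwd", "txt", "3", ...
    ftype: str = ""    # "VREG", "IPv4", ...
    name: str = ""     # path or socket description
    mode: str = ""     # "r", "w", "u" or "" when lsof reports none


@dataclass
class ProcessFiles:
    pid: int = 0
    command: str = ""
    uid: str = ""
    files: List[OpenFile] = field(default_factory=list)


def lsof_for_pid(pid: int) -> str:
    """Run lsof for a live PID (needs lsof installed; not used by the tests)."""
    out = subprocess.run(["lsof", "-p", str(pid), "-F", "pcuftn"],
                         capture_output=True, text=True, check=True)
    return out.stdout


def parse_lsof_fields(text: str) -> ProcessFiles:
    """Parse -F output for a single process into a ProcessFiles record."""
    proc = ProcessFiles()
    current = None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            proc.pid = int(value)
        elif tag == "c":
            proc.command = value
        elif tag == "u":
            proc.uid = value
        elif tag == "f":
            current = OpenFile(fd=value)
            proc.files.append(current)
        elif current is not None:
            if tag == "t":
                current.ftype = value
            elif tag == "n":
                current.name = value
            elif tag == "a":
                current.mode = value.strip()
    return proc


def triage(proc: ProcessFiles, trusted_prefixes) -> Dict[str, List[str]]:
    """Sort open files into the buckets a reviewer cares about.

    trusted_prefixes: directories where loaded code (fd 'txt') is expected,
    e.g. the jail root. Anything mapped from elsewhere is reported.
    """
    trusted = tuple(trusted_prefixes)
    report = {"listening": [], "network": [], "writable_files": [], "untrusted_code": []}
    for f in proc.files:
        if f.ftype in ("IPv4", "IPv6"):
            key = "listening" if "(LISTEN)" in f.name else "network"
            report[key].append(f.name)
        elif f.fd == "txt":
            if not f.name.startswith(trusted):
                report["untrusted_code"].append(f.name)
        elif f.ftype in ("VREG", "REG") and f.mode in ("w", "u"):
            report["writable_files"].append(f.name)
    return report


if __name__ == "__main__":
    proc = parse_lsof_fields(SAMPLE_LSOF_F)
    for bucket, names in triage(proc, ["/usr/home/jail/10.0.0.101"]).items():
        print(f"{proc.command}[{proc.pid}] {bucket}: {names}")
```

For a real host, replace `SAMPLE_LSOF_F` with `lsof_for_pid(pid)` and pass the prefixes you consider legitimate for that service (the jail root here, `/usr` and `/lib` on a plain system). The `untrusted_code` bucket is the one worth alerting on: a daemon with program text mapped from a scratch directory is exactly the kind of thing a quick `lsof -p` look is meant to surface.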
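The aide/tripwire idea from the post, reduced to its core so the mechanism is visible: record a baseline of hashes, sizes, modes and owners for the files under a directory, then diff a later snapshot against it. This is an added illustration, not aide's code or its database format; the directory names, the `demo()` scenario and the field set are assumptions of the example, and a real deployment would keep the baseline somewhere the monitored users cannot write.

```python
"""Minimal file-integrity baseline and comparison, in the spirit of aide/tripwire."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List


def _file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Map each regular file under root (relative path) to its recorded attributes."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope for this example
            baseline[os.path.relpath(full, root)] = {
                "sha256": _file_digest(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "uid": st.st_uid,
            }
    return baseline


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as fh:
        return json.load(fh)


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> dict:
    """Report files added, removed, or whose recorded attributes changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed: Dict[str, List[str]] = {}
    for rel in sorted(set(old) & set(new)):
        diffs = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def _write(root: str, rel: str, text: str) -> str:
    full = os.path.join(root, rel)
    with open(full, "w") as fh:
        fh.write(text)
    os.chmod(full, 0o644)  # fixed mode so the demo is independent of umask
    return full


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, change it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        _write(root, "etc/sudoers", "root ALL=(ALL) ALL\n")
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/motd", "welcome\n")
        before = build_baseline(root)

        # Changes the monitor should catch: an appended line, a loosened mode,
        # a deleted file and a new file.
        with open(os.path.join(root, "etc/sudoers"), "a") as fh:
            fh.write("alice ALL=(ALL) ALL\n")
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        os.remove(os.path.join(root, "etc/motd"))
        _write(root, "etc/rc.local", "#!/bin/sh\n")

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as a script to see the report; in use you would `save_baseline(build_baseline("/etc"), "/some/read-only/place/etc.json")` once, then periodically `compare(load_baseline(...), build_baseline("/etc"))` from cron and mail anything non-empty. The comparison names which attribute moved, which is what lets you tell a content edit (hash and size) from a permission change (mode only) at a glance.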