[ As you know "security program" is a really broad category. ]
I have lots of favorites, but I appreciate the aide HIDS a lot. Another HIDS may be just as effective, but aide is what I'm accustomed to. My understanding is it's modeled after tripwire. Anyway, it has made my life a lot easier in situations where there are a couple of sudoers on a box that I'd like to monitor for file changes in certain directories.
I also find the lsof utility surprisingly useful for what could be considered security purposes. If there is a process on my system I don't recognize, I can easily take a look at what files it has open by using the process's PID. Contrived example (using a PID associated with cupsd):
Code:
# lsof -p 1032
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 1032 root cwd VDIR 0,110 512 6994944 /usr/home/jail/10.0.0.101
cupsd 1032 root rtd VDIR 0,110 512 6994944 /usr/home/jail/10.0.0.101
cupsd 1032 root jld VDIR 0,110 512 6994944 /usr/home/jail/10.0.0.101
cupsd 1032 root txt VREG 0,110 620223 7160487 /usr/home/jail/10.0.0.101/usr/local/sbin/cupsd
cupsd 1032 root txt VREG 0,110 161600 6995046 /usr/home/jail/10.0.0.101/libexec/ld-elf.so.1
cupsd 1032 root txt VREG 0,110 64284 6995044 /usr/home/jail/10.0.0.101/lib/libz.so.3
cupsd 1032 root txt VREG 0,110 543878 7113945 /usr/home/jail/10.0.0.101/usr/local/lib/libgnutls.so.13
cupsd 1032 root txt VREG 0,110 340868 7090128 /usr/home/jail/10.0.0.101/usr/local/lib/libgcrypt.so.13
cupsd 1032 root txt VREG 0,110 13975 7090089 /usr/home/jail/10.0.0.101/usr/local/lib/libgpg-error.so.0
cupsd 1032 root txt VREG 0,110 501095 7160438 /usr/home/jail/10.0.0.101/usr/local/lib/libcups.so.2
cupsd 1032 root txt VREG 0,110 94448 6995023 /usr/home/jail/10.0.0.101/lib/libm.so.4
cupsd 1032 root txt VREG 0,110 28680 6995022 /usr/home/jail/10.0.0.101/lib/libcrypt.so.3
cupsd 1032 root txt VREG 0,110 140200 6995040 /usr/home/jail/10.0.0.101/lib/libpthread.so.2
cupsd 1032 root txt VREG 0,110 929420 6995020 /usr/home/jail/10.0.0.101/lib/libc.so.6
cupsd 1032 root txt VREG 0,110 39998 7843917 /usr/home/jail/10.0.0.101/usr/local/lib/libintl.so.8
cupsd 1032 root txt VREG 0,110 1041012 7822254 /usr/home/jail/10.0.0.101/usr/local/lib/libiconv.so.3
cupsd 1032 root 0u KQUEUE 0xc3814d00 count=0, state=0x2
cupsd 1032 root 1r VCHR 0,10 0t600 10 /usr/home/jail/10.0.0.101/dev (devfs) (like character special /dev/random)
cupsd 1032 root 2u VREG 0,110 105077 6995665 /usr/home/jail/10.0.0.101/var/log/cups/error_log
cupsd 1032 root 3u IPv4 0xc37e8570 0t0 TCP printer.bunnyland.local:ipp (LISTEN)
cupsd 1032 root 4u unix 0xc3611590 0t0 /var/run/cups.sock
cupsd 1032 root 5u IPv4 0xc3612ec4 0t0 UDP printer.bunnyland.local:ipp
cupsd 1032 root 6u PIPE 0xc3597660 16384 ->0xc3597718
cupsd 1032 root 7u PIPE 0xc3597718 0 ->0xc3597660
cupsd 1032 root 8u VREG 0,110 5094 6995918 /usr/home/jail/10.0.0.101/var/log/cups/page_log
cupsd 1032 root 9u VREG 0,110 107499 6995575 /usr/home/jail/10.0.0.101/var/log/cups/access_log
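Added example, not part of the original post: a small Python triage script for the kind of check described above. Instead of the human-readable table, it reads lsof's machine-readable field output (`lsof -F pcfatnT -p PID`, one field per line, first character is the field name) and flags what you would look at first for a process you don't recognize: code mappings (FreeBSD `txt`, Linux `mem`) that sit outside the process's root directory (`rtd`; for the jailed cupsd above every library lives under the jail root, so anything else would be odd), TCP sockets in LISTEN state, regular files open for writing, and names ending in "(deleted)", which is Linux lsof's marker for an unlinked but still-open file. The sample input is constructed to resemble the cupsd output in the post; the `/tmp/.x/libhelper.so` mapping and the deleted file on fd 10 are invented solely to exercise the checks.

```python
"""Triage one process from `lsof -F pcfatnT -p PID` output (added example)."""
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in lsof -F format, modelled on the post's cupsd jail.
# lsof prints "a " (a plus a space) for entries with no access mode, such as
# cwd/rtd/txt; those lines are omitted here and the parser treats a missing
# or blank mode as unknown. The /tmp library and the "(deleted)" file are
# invented to trigger the checks and are not from the original output.
SAMPLE = """\
p1032
ccupsd
fcwd
tVDIR
n/usr/home/jail/10.0.0.101
frtd
tVDIR
n/usr/home/jail/10.0.0.101
ftxt
tVREG
n/usr/home/jail/10.0.0.101/usr/local/sbin/cupsd
ftxt
tVREG
n/usr/home/jail/10.0.0.101/lib/libc.so.6
ftxt
tVREG
n/tmp/.x/libhelper.so
f2
au
tVREG
n/usr/home/jail/10.0.0.101/var/log/cups/error_log
f3
au
tIPv4
TST=LISTEN
nprinter.bunnyland.local:ipp
f5
au
tIPv4
nprinter.bunnyland.local:ipp
f10
au
tVREG
n/usr/home/jail/10.0.0.101/tmp/.payload (deleted)
"""

CODE_FDS = {"txt", "mem"}  # executable and mapped libraries (FreeBSD txt, Linux mem)


@dataclass
class OpenFile:
    fd: str                      # f field: number, cwd, rtd, txt, jld, mem, ...
    ftype: str = ""              # t field: VREG, VDIR, IPv4, unix, PIPE, ...
    mode: str = ""               # a field: r, w, u, or "" when unknown
    name: str = ""               # n field: path or network endpoint
    tcp: List[str] = field(default_factory=list)  # T fields, e.g. "ST=LISTEN"


@dataclass
class Process:
    pid: int = 0
    command: str = ""
    files: List[OpenFile] = field(default_factory=list)


def parse_lsof_fields(text: str) -> List[Process]:
    """Parse -F output: a 'p' line starts a process set, an 'f' line a file set."""
    procs: List[Process] = []
    proc = None
    cur = None
    for raw in text.splitlines():
        if not raw:
            continue
        key, value = raw[0], raw[1:]
        if key == "p":
            proc = Process(pid=int(value))
            procs.append(proc)
            cur = None
        elif proc is None:
            raise ValueError("field before any process ('p') line")
        elif key == "c":
            proc.command = value
        elif key == "f":
            cur = OpenFile(fd=value)
            proc.files.append(cur)
        elif cur is None:
            raise ValueError(f"field {key!r} before any fd ('f') line")
        elif key == "a":
            cur.mode = value.strip()
        elif key == "t":
            cur.ftype = value
        elif key == "n":
            cur.name = value
        elif key == "T":
            cur.tcp.append(value)
    return procs


def triage(proc: Process) -> Dict[str, List[str]]:
    """Return the entries worth a second look, grouped by check."""
    root = next((f.name for f in proc.files if f.fd == "rtd"), "/")
    prefix = root.rstrip("/") + "/"  # "/" stays "/", a jail root gets a trailing slash
    out: Dict[str, List[str]] = {"code_outside_root": [], "listening": [],
                                 "writable": [], "deleted": []}
    for f in proc.files:
        if f.fd in CODE_FDS and not f.name.startswith(prefix):
            out["code_outside_root"].append(f.name)
        if f.ftype in ("IPv4", "IPv6") and "ST=LISTEN" in f.tcp:
            out["listening"].append(f"{f.fd} {f.name}")
        if f.ftype in ("VREG", "REG") and f.mode in ("w", "u"):
            out["writable"].append(f"{f.fd} {f.name}")
        if f.name.endswith("(deleted)"):
            out["deleted"].append(f"{f.fd} {f.name}")
    return out


def triage_pid(pid: int) -> Dict[str, List[str]]:
    """Run lsof for a live PID (requires lsof on the box; not used by the sample)."""
    text = subprocess.run(["lsof", "-F", "pcfatnT", "-p", str(pid)],
                          capture_output=True, text=True, check=True).stdout
    return triage(parse_lsof_fields(text)[0])


if __name__ == "__main__":
    for p in parse_lsof_fields(SAMPLE):
        print(f"{p.command} (pid {p.pid}):")
        for check, hits in triage(p).items():
            for hit in hits:
                print(f"  {check}: {hit}")
```

The root-directory check only says something for chrooted or jailed processes, where `rtd` is not `/`; on a plain Linux host every path passes it. The "(deleted)" check is the one that most often catches something on Linux: a binary or library that was unlinked after the process started still shows up in `mem`/`txt` with that suffix.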