Chapter 9. Testing and Monitoring

To keep your system secure, be proactive: test for security holes and monitor for unusual activity. If you don't keep watch for break-ins, you may wake up one day to find your systems totally hacked and owned, which is no party.

In this chapter we cover useful tools and techniques for testing and monitoring your system, in the following areas:

Logins and passwords: Testing password strength, locating accounts with no password, and tracking suspicious login activity
Filesystems: Searching them for weak security, and looking for rootkits
Networking: Looking for open ports, observing local network use, packet-sniffing, tracing network processes, and detecting intrusions
Logging: Reading your system logs, writing log entries from various languages, configuring syslogd, and rotating log files

We must emphasize that our discussion of network monitoring and intrusion detection is fairly basic. Our recipes will get you started, but these important topics are complex, with no easy, turnkey solutions. You may wish to investigate additional resources for these purposes, such as:

Computer Incident Advisory Capability (CIAC) Network Monitoring Tools page: http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html
Stanford Linear Accelerator (SLAC) Network Monitoring Tools page: http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
National Institutes of Health "Network and Network Monitoring Software" page: http://www.alw.nih.gov/Security/prog-network.html
Setting Up a Network Monitoring Console: http://com.pp.asu.edu/support/nmc/nmcdocs/nmc.html
Insecure.org's top 50 security tools: http://www.insecure.org/tools.html

Chapter 1. System Snapshots with Tripwire

Chapter 2. Firewalls with iptables and ipchains

Chapter 3. Network Access Control

Chapter 4. Authentication Techniques and Infrastructures

Chapter 5. Authorization Controls

Chapter 6. Protecting Outgoing Network Connections

Chapter 7. Protecting Files

Chapter 8. Protecting Email

Chapter 9. Testing and Monitoring

Recipe 9.1 Testing Login Passwords (John the Ripper)

Recipe 9.2 Testing Login Passwords (CrackLib)

Recipe 9.3 Finding Accounts with No Password

Recipe 9.4 Finding Superuser Accounts

Recipe 9.5 Checking for Suspicious Account Use

Recipe 9.6 Checking for Suspicious Account Use, Multiple Systems

Recipe 9.7 Testing Your Search Path

Recipe 9.8 Searching Filesystems Effectively

Recipe 9.9 Finding setuid (or setgid) Programs

Recipe 9.10 Securing Device Special Files

Recipe 9.11 Finding Writable Files

Recipe 9.12 Looking for Rootkits

Recipe 9.13 Testing for Open Ports

Recipe 9.14 Examining Local Network Activities

Recipe 9.15 Tracing Processes

Recipe 9.16 Observing Network Traffic

Recipe 9.17 Observing Network Traffic (GUI)

Recipe 9.18 Searching for Strings in Network Traffic

Recipe 9.19 Detecting Insecure Network Protocols

Recipe 9.20 Getting Started with Snort

Recipe 9.21 Packet Sniffing with Snort

Recipe 9.22 Detecting Intrusions with Snort

Recipe 9.23 Decoding Snort Alert Messages

Recipe 9.24 Logging with Snort

Recipe 9.25 Partitioning Snort Logs Into Separate Files

Recipe 9.26 Upgrading and Tuning Snort's Ruleset

Recipe 9.27 Directing System Messages to Log Files (syslog)

Recipe 9.28 Testing a syslog Configuration

Recipe 9.29 Logging Remotely

Recipe 9.30 Rotating Log Files

Recipe 9.31 Sending Messages to the System Logger

Recipe 9.32 Writing Log Entries via Shell Scripts

Recipe 9.33 Writing Log Entries via Perl

Recipe 9.34 Writing Log Entries via C

Recipe 9.35 Combining Log Files

Recipe 9.36 Summarizing Your Logs with logwatch

Recipe 9.37 Defining a logwatch Filter

Recipe 9.38 Monitoring All Executed Commands

Recipe 9.39 Displaying All Executed Commands

Recipe 9.40 Parsing the Process Accounting Log

Recipe 9.41 Recovering from a Hack

Recipe 9.42 Filing an Incident Report