Last week, I helped present an overview course for a bunch of IS Auditors of various backgrounds and experience; as part of my research for it, I built up a little collection of links, which I list below. There is a lot out there!
General internet knowledge
Well known ports
The official list
This tool shows what can be done by mashing activity logs with knowledge of who owns what IP address. See who has been editing your truth, at least until they start using IP anonymisers…:
Using organisation, domain names or IP addresses
…conversely, you could use it to see who from your organisation has been messing with Wikipedia when they should be doing real work.
Security hacking tricks
- Etherbat — Ethernet topology discovery. Needs to be compiled; not available as a .deb (tags: audit networking security tool unix visualization)
Network visualisation. Scans all devices within specified subnets, draws and lays out a map of your networks, monitors services on your devices and alerts you if a service has problems.
Dedicated Linux distributions
A few people are working on putting together bootable Live CDs with a collection of handy audit and security tools pre-loaded. Unfortunately none of them met my need for a simple to use basic package, but I guess someone will get there one day, so I will be watching developments.
This site is dedicated to the topic. Their FAQ claims to give all the information you need about the latest live security distributions, with links, articles, downloads and more. They encourage you to comment on articles or send in your own for posting.
I started down this route after coming across this:
Handy review of available free forensic and security testing solutions: Deft, Backtrack, HELIX
One of the reviewed Live CDs was DEFT, which seems closest to what I was looking for. With desktop access for Nessus and Airsnort it could cover about 80% of routine security audit work. So far though I’ve not been able to get the Nessus server to run on DEFT (crucial if you want to have a self-contained audit-system-on-a-CD) – I’ll post updates if I’m able to make any progress. Only then will I tackle Airsnort!
The other distributions are more hardcore, often consisting of shortcuts to the relevant console commands. Much more powerful and flexible, but dangerous and difficult to learn too! Other than the three above, I have also looked at:
Knoppix based distribution
A distribution derived from Ubuntu, which adds packages related to security testing and removes unneeded packages
Finally, some general resources for auditors:
Online guide to auditing Linux – good explanation of what files to look out for
Range of audit programmes to download and use. Login required, seems to need MSIE to download docs
All these links and more are in my del.icio.us collection here.