Free auditing software for linux

Results 1 - 15 of about 122
Linux Security Auditing Tool 0.9.6

The Linux Security Auditing Tool (LSAT) is a post install security auditor for Linux/Unix.
Linux Security Auditing Tool checks many system configurations and local network settings on the system for common security/config errors and for packages that are not needed.
It (for now) works under Linux (x86: Gentoo, RedHat, Debian, Mandrake; Sparc: SunOS (2.x), Redhat sparc, Mandrake Sparc; Apple OS X).
Enhancements:
- The dependency on the popt library has been removed.
- This release adds extra passwd and group checks under Linux, a check for failed logins under Linux/Solaris, a check for kernel modules under Solaris, network interface stats, and routing checks. It fixes a problem in checknetforward giving false positives, and an issue where verbose output was not very consistent.
- The kernel module check under Linux has been modified.
Download (0.070MB)
Added: 2007-05-21 License: GPL (GNU General Public License) Price:
904 downloads
audit daemon 1.5.6

The audit package contains the user-space utilities for creating audit rules, as well as for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
Usage:
Example usage of the utilities:
General:
Window 1:
./auditd
Window 2 (you don't have to have the daemon running to try this, but enabled has to be 1):
./auditctl -s
./auditctl -a entry,always -S open
ls
./auditctl -d entry,always -S open
Identity tracking:
./auditctl -a exit,always -S all -F loginuid=2000
./auditctl -L 2000,"test uid"
Enhancements:
- Updates were made to system-config-audit. auditctl was updated to better handle watching of directories with older kernels.
- Memory leaks and an invalid free in auditd were fixed along with interpretations in auparse.
Download (0.29MB)
Added: 2007-07-26 License: GPL (GNU General Public License) Price:
824 downloads
glibc-audit 2.4-4

glibc-audit is a modified version of glibc for application developers who check their code with an automatic memory access checker such as valgrind, Insure++, or Purify.
glibc-audit has been audited and cleaned up so that reports from the developer's use of a memory access checker are more likely to be interesting to the developer, with less "noise" from the C library itself. Typically, glibc-audit initializes all of its local variables and structs before use. Ordinary glibc uses uninitialized dummy variables that are "don't-care" to its logic but reported by the memory access checker.
Also, the r_debug.r_brk protocol has been enhanced to co-operate with a co-resident auditor. If the auditor sets .r_brk, then the runtime loader will call the auditor directly whenever a shared library event occurs.
This is much more convenient than using breakpoints. By default the old breakpoint protocol works just like before. The new protocol is binary compatible with the old on machines where a pointer to a function is the same size as an ordinary pointer. Platforms where a pointer to a function is larger (such as HP-PA RISC, Alpha processor, or PowerPC) are not binary backward compatible, and will have to increment r_debug.r_version. Existing clients (such as gdb) also will see an ignorable type mismatch error when they are built. But for now, it is worth more not to antagonize gdb at runtime on x86.
The patch modifies 91 files. Compared to glibc-2.3.2-27.9, the additional code occupies 18 more bytes of .text, and 24 fewer bytes in the .so. On a nano-scopic scale, the typical execution cost is 0 to 3 CPU cycles per affected routine; the estimated median total impact is less than 1 second per machine per day. In the case of *printf(), glibc-audit is faster than glibc because the cleaned-up source helps gcc-3.2 avoid generating atrocious code when initializing printf_spec.info for parse_one_spec() in stdio-common/printf-parse.h.
Glibc-audit was constructed by running a memory access checker on the internal testcases of glibc, then analyzing the reported errors and modifying the source. The process revealed 10 memory access bugs in glibc-2.3.2-11.9. Seven were fixed in glibc-2.3.2-27.9, two more have been fixed in CVS, and one is a design flaw that probably will not be fixed.
Predecessor patches to glibc-audit-1 were submitted to the glibc project, but those patches were ignored [user "guest", password "guest"], declined, or rejected. There is enough improvement in usability and reliability to publish glibc-audit-1 separately.
The unmodified glibc-2.3.2-27.9.src.rpm is available from RedHat mirrors. rpmbuild -ba --target i686 took about 4 hours and 2.5GB of disk space on a machine with 1.1GHz CPU, 384MB RAM, UDMA100 disk.
Enhancements:
- The patches were updated to glibc-2.4-4.
- A glibc bug that interfered with gdb stop-on-solib-events was fixed.
- On x86, x86-64, and PowerPC, the __NR_open system call was improved to avoid leaking information from the user to the kernel.
Download (4.2MB)
Added: 2006-03-29 License: LGPL (GNU Lesser General Public License) Price:
1315 downloads
SMBD Audit 0.2 RC1

The SMBD Audit application is a set consisting of a VFS audit module for Samba 3 and a web front end to view and search Samba audit logs.

The module stores logs directly in a MySQL database using libmysqlclient.

You can search the database by Login, Address, Share, Action, Log Message (specify a filename or directory name), and From and To Date.

Here is a very short list of what the SMBD Audit package includes, and what it does.

- a VFS audit module, to provide logging to a MySQL database

- a web front end to view and search logs.

Download (0.35MB)
Added: 2006-01-26 License: GPL (GNU General Public License) Price:
1374 downloads
Qmail Auditor 0.4

Qmail Auditor is an email auditing tool.
Qmail Auditor provides a simple method for auditing emails. It is easy to configure and uses regular expressions as rules.
The format of the audit file is:
Every e-mail (outbound or inbound) passes through this filter.
The valid "field header" values:
all - field from or to of e-mails
to - field to
from - field from
For regular expression syntax, see:
# man re_format
# man regex
"E-mail to forward" is a valid mail account to redirect to.
Example:
from nelio@walk.* auditoria@spyware.walk.com.br
to nelio@spyware.* auditoria@spyware.walk.com.br
Enhancements:
- The config file has been renamed: audit (in /var/qmail/control) is now /var/qmail/control/auditor, and qmail-queue-real-audit is now qmail-queue-real-auditor.
Download (0.16MB)
Added: 2007-01-22 License: BSD License Price:
1010 downloads
Auditor Security Linux 200605

The Auditor security collection is a Live-System based on KNOPPIX. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.
Independent of the hardware in use, the Auditor security collection offers a standardised working environment, so that the build-up of know-how and remote support is made easier. Even during the planning and development stages, our target was to achieve an excellent user-friendliness combined with an optimal toolset.
Professional open-source programs offer you a complete toolset to analyse your safety, byte for byte. In order to become quickly proficient within the Auditor security collection, the menu structure is supported by recognised phases of a security check. (Foot-printing, analysis, scanning, wireless, brute-forcing, cracking).
By this means, you instinctively find the right tool for the appropriate task. In addition to the approx. 300 tools, the Auditor security collection contains further background information regarding the standard configuration and passwords, as well as word lists from many different areas and languages with approx. 64 million entries.
Current productivity tools such as web browser, editors and graphic tools allow you to create or edit texts and pictures for reports, directly within the Auditor security platform. Many tools were adapted, newly developed or converted from other system platforms, in order to make as many current auditing tools available as possible on one CD-ROM.
Tools like Wellenreiter and Kismet were equipped with an automatic hardware identification, thus avoiding irritating and annoying configuration of the wireless cards.
Enhancements:
New & Updated tools:
- proxychains 1-8-1 (makes, for example, scanning over a proxy easier)
- yersinia-0.5.4
- kismet-logfile-viewer klv.pl and klc.pl
- ntp fingerprinting tool
- tftp bruteforce tool
- snmp fuzzer
- cisco torch 0.4b
- unicornscan 0.4.2
- packit
- sendip
- nasl 2.2.4
- tcpick
- cryptcat
- amap version 4.8
- tcpsplit
- Ethereal version 10.11
- ettercap-ng-0.72 and modified the etter.conf
- replaced tinysnmp with snmp tools
- vnc2swf /usr/X11R6/bin/recordwin and vnc2swf
- edit_vnc2swf.py
- edit_mp3.py
- wpa_supplicant 0.3.8
- hostapd-utils 0.3.7
- ssldump
- fragrouter
- Metasploit 2.4 including all known updates
- airsnarf, but no menu entry at the moment
- fakeap added to /opt/auditor, but no menu entry at the moment; a shell script still needs to be written
- dsniff 2.4b1-10
- nessus plugins updated
- exploit tree updated
- Snort 2.3.2-5
- Bleeding-edge rules for snort
- New aircrack
- New airsnort
- I bet I forgot to mention some.
New & updated drivers:
- rt2400 linux drivers and utils (untested)
- rtl8180 driver (8180_26_private.ko and open8180.ko and /usr/local/bin/wlanup and /usr/local/bin/wlandown) (Untested)
- hostap drivers 0.3.7
- ipw2100 & ipw2200 incl firmware, incl monitor mode
- Prism54 with injection patch
- Linux-wlan-ng with injection patch
- Madwifi with injection patch
- ACX drivers are back on cd
Addons:
- Default password list has been updated
- Added some changes to the network stack using /etc/sysctl.conf, which will be called from knoppix-autoconfig script
- New background image
Some fixes I remember:
- Kernel completely rebuilt to provide full functionality
- Isolinux now accepts bootparameters again
- USB drivers are back to /dev/sda and booting from stick works fine
- grub files have been fixed
- fixed hostname /etc/hosts
- /cdrom/index.html pointed to the old forum; fixed that
- Added cardctl eject, cardctl insert into switch-to-XY scripts
- Fixed the home button of Konqueror when clicked the first time
- Fixed the menuentry for nessus
Download (645MB)
Added: 2005-06-22 License: GPL (GNU General Public License) Price:
1131 downloads
Domain Auditor 0.31

The Domain Auditor project was written to audit and track accounts within a domain. This tool uses LDAP queries to a definable Active Directory server to find various definable classes of accounts.
Initially it will operate interactively, but capabilities may be added in the future to automate functions (i.e. generate reports on a scheduled basis). The installation script handles most installation chores, so setup is very straightforward.
The tool is in beta status at this time, but is being used to generate SOX reports for my employer.
Main features:
- Reports - This function displays a list of defined reports. When invoked, a report generates a list of accounts from AD (via LDAP queries); the results returned depend on the filter you have defined for that report class under Sys Admin.
- Sys Admin - This function allows you to change the system settings for LDAP server and port, base DN, Bind DN, username and password, and the database settings (MySQL only at this time). You may also add the report class definitions and their matching LDAP filters within this module.
- User Admin - This screen is used to define users for the system and their rights. Usernames are used as the primary value, and entered values are validated via LDAP queries
- Audit Logs - The system logs all changes to the information stored and this page will allow you to review the data from these logs
Download (0.043MB)
Added: 2006-01-24 License: GPL (GNU General Public License) Price:
1369 downloads
System Local Audit Daemon 2.0

SLAD is a tool for performing local security checks against GNU/Linux systems.

SLAD has been primarily developed for the BOSS project to work together with Nessus to enhance its local scanning capabilities. For example, scanning for weak passwords with a tool like John-the-Ripper is something that simply cannot be achieved by a network scan.

Therefore, SLAD is required to be installed on every GNU/Linux system where local auditing needs to be done. SLAD can then be used as a stand-alone application or more conveniently through Nessus. For usage with Nessus, two NASL plugins are provided for interfacing between Nessus and SLAD.

Version 2.0 provides an XML interface for parameters and easy integration of additional audit parameters and tools. To help the administrator integrate a new feature set, development documentation is provided in CVS.

SLAD has been tested and verified on the following platforms:

RedHat Fedora Core 3
SuSe 9.2
Debian 3.0 (woody)
Debian 3.1 (sarge)
ERPOSS3
Gentoo Linux 2004.3

SLAD is implemented in Perl and provides an extensible plugin architecture that allows various GPL-based security scanners and auditing tools to be used under one common framework. Currently, SLAD comes packaged with:

John-the-Ripper
Chkrootkit
LSOF
ClamAV
Tripwire
TIGER

As a result SLAD delivers reports of these locally installed auditing and analysis tools. When used with Nessus the individual reports are wrapped into a standard Nessus report.

SLAD as well as the SLAD NASL Plugins can be downloaded from this Website in their current stable release V2.0.

Installation:

You can use our "easy-to-use" GTK installer. This installer downloads the latest SLAD release binary and installs it on the target system. You only need to provide the login for the target system.
Download (0.016MB)
Added: 2006-01-16 License: GPL (GNU General Public License) Price:
1380 downloads
Packit 1.0

Packit (Packet toolkit) is a network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic.
By allowing you to define (spoof) nearly all TCP, ICMP, IP, ARP, UDP, RARP, and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection/prevention systems, port scanning, simulating network traffic, and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.
Packit 1.0 requires libnet 1.1.2 or greater as well as libpcap. It has been successfully compiled and tested to run on FreeBSD, NetBSD, OpenBSD, MacOS X and Linux.
Due to shifting priorities, this project is now in maintenance mode. If you find a bug, either submit a patch or email me the details. I'll do my best to put out a fix in a reasonable amount of time.
Enhancements:
Injection:
- Bugfix NULL bytes in the payload (patch contributed by: Jason Copenhaver)
General:
- Updates to several build routines to support libnet 1.1.2+
Download (0.13MB)
Added: 2006-03-10 License: GPL (GNU General Public License) Price:
1336 downloads
Aircrack-ng 0.9.1

Aircrack-ng is a set of tools for auditing wireless networks.
- airodump: 802.11 packet capture program
- aireplay: 802.11 packet injection program
- aircrack: static WEP and WPA-PSK key cracker
- airdecap: decrypts WEP/WPA capture files
Aircrack-ng is the next generation of aircrack with lots of new features.
How do I crack a static WEP key?
The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack on the resulting capture file. aircrack will then perform a set of statistical attacks developed by a talented hacker named KoreK.
How do I know my WEP key is correct?
There are two authentication modes for WEP:
Open-System Authentication: this is the default mode. All clients are accepted by the AP, and the key is never checked: association is always granted. However if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.
Shared-Key Authentication: the client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.
In summary, just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, try to decrypt a capture file with the airdecap program.
How many IVs are required to crack WEP?
WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP can be cracked with 300.000 IVs, and 104-bit WEP can be cracked with 1.000.000 IVs; if you're out of luck you may need two million IVs, or more.
There's no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump cannot report the WEP key length. Thus, it is recommended to run aircrack twice: when you have 250.000 IVs, start aircrack with "-n 64" to crack 40-bit WEP. Then if the key isn't found, restart aircrack (without the -n option) to crack 104-bit WEP.
Enhancements:
- This release adds an ACX injection patch, and updates the rtl8187 patch for 2.6.21.
- It fixes madwifi-ng detection with airmon-ng.
- It fixes 2 bugs in aircrack-ng related to WPA cracking.
- It fixes an old Debian bug (#417388).
- It fixes the use of wlanng, and fixes IP address writing in the CSV file with airodump-ng.
- It fixes a bug in the GUI for Windows and adds a PTW option.
Download (0.16MB)
Added: 2007-06-26 License: GPL (GNU General Public License) Price:
6000 downloads
Devil-Linux 1.2.13

Devil-Linux is a distribution which boots and runs completely from CDROM. The configuration can be saved to a floppy diskette or a USB pen drive.
Devil Linux was originally intended to be a dedicated firewall/router but now Devil-Linux can also be used as a server for many applications. Attaching an optional hard drive is easy, and many network services are included in the distribution.
The system is designed to install without the use of a hard drive. It requires the use of a CDROM and a write-protected floppy.
The CDROM provides the operating system, and the floppy provides the configuration information, via a tarball that is unpacked into the /etc directory. In this way, the system is fully configurable, yet the running system has no writeable device.
Main features:
- Boots from CD
- Traditionally Devil Linux boots from a CD-ROM, which is read-only by nature. This means an intruder will not be able to install, e.g., an "ordinary" root kit.
- Boots from USB pendrive
- Like all moving parts in your computer, the CD-ROM is prone to failure. This is the reason why we provide a script to install the entire system on a USB pendrive. Note: You need a computer which is able to boot from USB harddisks in order to use this feature.
- Configuration is saved on a floppy disc or on a USB Flash Media
- Due to the read-only nature of CD-ROMs, you need a place to save your configuration files. This can either traditionally be on a floppy disc or on a USB flash media (like a pendrive), to increase the reliability.
- Configuration can be burned on CD
- There are cases when you have to ensure that the configuration can't be modified. This is the reason why we provide the feature for loading the configuration archive from the (read-only) CD-ROM.
- No need for a harddisk although it can optionally be used for data storage
- Most distributions need a harddisk for data storage; with DL this is completely optional. Reasons for adding harddisk data storage would be, e.g., when you use DL as your mail server or for file sharing. DL uses dynamic disc configuration via the Logical Volume Manager, which makes adding and maintaining the harddisk storage easy (regardless of whether you have only 1 GB or 1 TB of data).
- Support for Intel 486 and higher
- Got some old boxes in your bone yard? For most internet connections an old computer is enough to play the role of your firewall; this is the reason why we still support 486 CPUs. But we're not stuck with old technologies: we also provide you a version for 686 CPUs with SMP support.
- IPTables/Netfilter Support
- State-of-the-art firewall functionality is provided by IPTables/Netfilter, which includes features like connection tracking. Devil-Linux adds many more Netfilter modules than you find in your standard Linux kernel.
- Create your own, customized version with our Build System
- Since everybody has different requirements, Devil-Linux provides you with an easy-to-use build system, which enables you to create your own customized version. You can, e.g., add only the packages you need on your machine or even add features which are currently missing in the mainstream version.
- Directly supported by Firewall Builder
- Don't like writing your firewall rules by hand? Get Firewall Builder and use a great GUI tool to create your ruleset. Firewall Builder supports writing the rules directly onto your configuration floppy.
- No graphical desktop
- Devil-Linux has no support for, e.g., an X server. This greatly reduces the requirements to run DL and also greatly increases security by reducing the number of running programs. (Try this on Windows...)
- Almost all binaries are compiled with the GCC Stack Smashing Protector
- With very few exceptions, all binaries are compiled with the GCC Stack Smashing Protector. Applications written in C are protected by a method that automatically inserts protection code into an application at compilation time. The protection is realized by buffer overflow detection and a variable reordering feature that avoids the corruption of pointers.
- Improved Kernel Security through GRSecurity
- GRSecurity adds several new features and protection mechanisms to the Linux Kernel itself. This includes Chroot restrictions (did you know that it is easy to break out of a non-protected chroot jail?), Address space modification protection (like PAX), Auditing features, Randomization features and much more.
- Easy to use chroot
- Devil-Linux has support for chroot jails which is easy to use. Just define what you need in a configuration file and our jail script will take care of the rest. Some pre-defined configurations are already available.
Download (195MB)
Added: 2007-03-01 License: GPL (GNU General Public License) Price:
971 downloads
WarLinux 0.5

WarLinux is a Linux distribution for wardrivers.

It is available on disk and bootable CD. Its main intended use is for systems administrators who want to audit and evaluate their wireless network installations.

Should be handy for wardriving also.
Download (52.7MB)
Added: 2006-08-25 License: GPL (GNU General Public License) Price:
1161 downloads
Digiqual 0.4

The Digiqual project was created to manage the quality, environmental and security systems in a factory.
Digiqual can manage some important aspects of an integrated system:
- Non Conformity
- Supplier Evaluation
- Maintenance
- Documents
- Supplier qualification
- Internal Audit
Download (0.57MB)
Added: 2007-02-19 License: GPL (GNU General Public License) Price:
978 downloads
MfGames.Utility 1.3.0

MfGames.Utility is a collection of useful C# classes that have no dependencies outside of the core libraries.
The MfGames.Utility library for C# and VB.NET is a general-purpose library that contains many useful functions, but requires no additional libraries outside of itself and the core.
Main features:
- Random Number Generation
- Simple Logging
- Auditing Framework
- Tiny Functions
Enhancements:
- log4net has been merged as an optional compile.
- This release adds basic vector, matrix, quaternion, and euler rotation objects.
- The Auditable framework has been enhanced to allow for nested reporting of issues.
Download (0.033MB)
Added: 2006-04-07 License: LGPL (GNU Lesser General Public License) Price:
1296 downloads
hping 2.0.0-rc3

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests.
It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files across a covert channel, and many other features.
Main features:
- Firewall testing
- Advanced port scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute, under all the supported protocols
- Remote OS fingerprinting
- Remote uptime guessing
- TCP/IP stacks auditing
- hping can also be useful to students that are learning TCP/IP.
Enhancements:
- Fixed a problem with the checksum code. Some packets were generated with the wrong checksum! Please upgrade to rc3 ASAP.
- Scan mode. You can use hping as a low-level automated TCP port scanner. An example of output follows
Download (0.12MB)
Added: 2005-09-21 License: GPL (GNU General Public License) Price:
1528 downloads