Free smbd audit software for linux

SMBD Audit application is a set of VFS audit module for Samba 3 and web frontend to view and search samba audit logs.

Module stores logs directly into MySQL database with libmysqlclient.

You can search database by Login, Address, Share, Action, Log Message(specify filename or directory name), From and To Date.

Here is a very short list of what SMBD Audit package includes, and what it does.

- a VFS audit module, to provide logging to MySQL database

- a web front end to view and search logs.

Spike PHP Security Audit Tool project is a tool that performs a static analysis of PHP code for security exploits.
Usage:
To install, unzip Spike phpSecAudit package.
> unzip spike_phpSecAudit.zip
Change directory to your php repository.
> cd /path/to/code/to/audit
Execute the run.php, passing the file name or directory to audit.
> php /path/to/spike_phpSecAudit/run.php test_file.php
or
> php /path/to/spike_phpSecAudit/run.php dir_name
Enhancements:
- Modified to be PHP 4 friendly.
- A few functions have been added to the knowledge base: extract, shell_exec, pcntl_exec, and exec.
- The organization of the knowledge base file (vuln_db.xml) has been slightly improved.
- The _getAllPhpFiles function may miss a few (unverified).
- The tokenizer needs to be able to differentiate between a native function call and class method call of the same name, i.e. mail() and $class->mail().

SLAD is a tool for performing local security checks against GNU/Linux systems.

SLAD has been primarily developed for the BOSS project to work together with Nessus to enhance its local scanning capabilities. For example, scanning for weak passwords with a tool like John-the-Ripper is something that simply cannot be achieved by a network scan.

Therefore, SLAD is required to be installed on every GNU/Linux system where local auditing needs to be done. SLAD can then be used as a stand-alone application or more conveniently through Nessus. For usage with Nessus two NASL plugins are provided for interfacing between Nessus and SLAD

The Version 2.0 provides a XML Interface for Parameters and easy integration of additional audit-parameters and tools. To help the administrator to integrate a new feature-set, a development-documentation is provided with the cvs.

SLAD has been tested and verified on the following platforms:

RedHat Fedora Core 3
SuSe 9.2
Debian 3.0 (woody)
Debian 3.1 (sarge)
ERPOSS3
Gentoo Linux 2004.3

SLAD is implemented in Perl and provides an extendable plugin architecture allowing to use various GPL-based security scanners and auditing tools under one common framework. Currently, SLAD comes packaged with

John-the-Ripper
Chkrootkit
LSOF
ClamAV
Tripwire
TIGER

As a result SLAD delivers reports of these locally installed auditing and analysis tools. When used with Nessus the individual reports are wrapped into a standard Nessus report.

SLAD as well as the SLAD NASL Plugins can be downloaded from this Website in their current stable release V2.0.

Installation:

You can use our "easy-to-use" GTK installer, this installer downloads the lastest SLAD Release Binary, and install it on the target system. You only need to provide the login for the traget system.

SNARE (System iNtrusion Analysis and Reporting Environment) is a kernel patch, daemon, and Gnome2 GUI, that together provide a host intrusion detection facility and C2-style auditing/event logging capability for Linux similar to the Basic Security Module (BSM) for Solaris, or the Windows Event Log.
SNARE is divided into three key components:
The Kernel changes
In order to collect event log data, Snare needs to add auditing support into the operating system. You can choose to either install a binary version of the kernel, with Snare already integrated, or you can apply a patch to your kernel source.
Although we try hard to make Snare as easy to install as possible, there are hundreds of different distributions and kernel versions, and it would be an immense task to build Snare for each variant. We are hoping that recent efforts towards creating a native auditing subsystem for linux will soon mean that the kernel component of the Snare for Linux agent, will no longer be required.
The Snare Audit Daemon
The Snare audit daemon acts as an interface between the Linux kernel, and the security administrator. It allow you to turn on events, filter the output, and potentially push audit log information back to a central location for collection, analysis and archival.
The Snare Micro-Web Server, and Audit GUI
The Snare audit GUI provides a graphical user interface to the Snare audit daemon. It allows you to add, remove or modify audit objectives, and change reporting options.
The Micro-Web Server, is embedded in the audit daemon, and provides a very simple configuration capability that can be managed from your web browser.
Enhancements:
- Added support for compound matching elements (e.g. name=/etc/* name!=/etc/blah/*)
- Improved authentication support for remote control interface
- Updated SELinux policy (RHEL5 support)
- Improved automatic audit configuration using objective returncode detection to pre filter unnecessary records
- Fixed element matching error
- Fixed error in criticality reporting (e.g. criticality was always zero)
- Fixed race condition that could potentially clear all audit rules on restart
- Improved effeciency allowing a higher throughput
- Improved installer for easier deployment
- Disabled local logging by default

JTrigger is a drum machine and sample player for midi input.
Main features:
- Low resource usage
- Theoretical limit of 2048 samples loaded (16 channels, one per note)
- Uses JACK and ALSA Sequencer interfaces
- Interfaces well with hardware drum trigger pads (hence the name)
- Velocity sensitive
- GPL License
Enhancements:
- Several segfaults during weird situations were caught.
- Bugs affecting the gain and audit controls in the UI were fixed.
- A typo in the configuration affecting parser was corrected.
- Several compile problems were fixed.

The Argus Open Project is focused on developing network activity audit strategies that can do real work for the network architect, administrator and network user.
LATEST NEWS
Mon Jun 19 10:44:52 EDT 2006 *argus-3.0.0 testing has started!
Welcome to the Argus Open Project, home of Argus, the network Audit Record Generation and Utilization System. The Argus Open Project main goal is developing network activity audit strategies that can do real work for the network architect, administrator and network user.
Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.
Argus can be used to analyze and report on the contents of packet capture files or it can run as a continuous monitor, examining data from a live interface; generating an audit log of all the network activity seen in the packet stream. Argus can be deployed to monitor individual end-systems, or an entire enterprises network activity. As a continuous monitor, Argus provides both push and pull data handling models, to
allow flexible strategies for collecting network audit data. Argus data clients support a range of operations, such as sorting, aggregation, archival and reporting. There is XML support for Argus data, which makes handling Argus data a bit easier, see ArgusRecord.xsd.
The network transaction audit data that Argus generates has been used for a wide range of tasks including Security Management, Network Billing and Accounting, Network Operations Management and Performance Analysis.
Argus currently runs on Linux, Solaris, FreeBSD, OpenBSD, NetBSD, and MAC OS X and its client programs have also been ported to Cygwin. The software should be portable to many versions of Unix with little or no modification. Performance is such that auditing an entire enterprises Internet activity can be accomplished using
modest computing resources. The Argus Open Project is an ongoing and active project. If you areinterested in participating, check out the mailing lists and sign up today!
Enhancements:
- Multithreaded
- Daemon Support
- Configuration Files
- Syslog Support
- Secure Access
- Audit Record Changes
- Variable Length Records
- Argus Source Identifier
- Sequence Number
- Transaction Reference Number
- Security Layer (ESP) Support
- Application Layer Byte Counts
- Application Layer Data Capture
- Multiprotocol Support
- Enhanced Performance Reporting
- Enhanced TCP Status Reporting
- Enhanced Aggregation Support
- Server Changes
- Improved Accuracy
- Improved Reliability
- Improved Fragment Support
- Multiprotocol Support
- Authenticated Access
- Confidential Access
- Enhanced Physical Interface Support
- Multiple Physical Interface Support
- Multiple Output File Support
- Independant Output Filters
- Server Side Filtering
- Improved Signal Handling
- Daemon Support
- Syslog Event Reporting
- System Configuration
- Environment Variable Support
- Enhanced Performance Reporting
- Response Time Determination Support
- User Data Capture Support
- Client Changes
- Multiple Server Support
- Configurable Output Formats
- Cisco Netflow Record Support
- Environment Variable Support
- Configuration
- XML Data Support
- Excel Data Importation Support
- User Data Printing
- ragrep()
- Support Scripts and Programs
- System startup routines
- Sample configurations
- Sample Argus Archiving scripts
- argusbug Bug reporting tool
- Magic file support
- Documentation
- Better documenation?
- HTML man pages.
- FAQ
- HOW-TO

NiX - WVS is a tool for webmasters to audit their website security.
Main features:
- Full multithreaded engine everywhere
- Supports atm. max. 10 proxies (Will use random proxy for every request. Of course site audit can be done without any proxy as well.
- You can configure how many threads will be used for each Module
- Uses a ramdisk for better performance
- Very customizable, you can define timeouts, misc options like Useragent and so on
- Easy customizable modules, very easy to add new dir/file checks and for example new LFI/RFI bugs etc...
- Current modules =>
- Full site crawler
- Directory and filechecks (Also nested Dir/File checks can be defined to be done)
- xScan attack database (Uses Milw0rm vulnerabilities, several hundreds already added but need still lot of work...)
- Parameter manipulation engine supports atm. only Local File Inclusion and Remote File Inclusion tests. Much more will be added like SQL Injections/XSS/CRLF Injects/Cookie manipulation and so on...
- It have also nice logic like if there was not anything to crawl, it wont do nested directory checks even you defined it do that and so on.