System Security Auditing/Monitoring Tools

US DOD STIGs and SRRs and the Gold Disks

Things are changing, but the old terminology is still used.

The U.S. Department of Defense created a wide range of documents known as the "STIGs", or Security Technical Implementation Guides. These describe US DOD's view of best practices in the form of checklists. There are STIGs for operating systems (for example AIX 5.3, AIX 6.1, and Android 2.2, just among the entries starting with "A"), STIGs for network services (Apache 2.0, Apache 2.2, IIS 6.0, IIS 7.0, and so on), and STIGs for the use of biometrics, for instant messaging, and for configuring Internet Explorer 10 and Google Chrome. Get them here: http://iase.disa.mil/stigs/

If you're in US DOD or a contractor to it, you will be regularly audited. If you convince the auditor that you're following the official checklist items, the audit will succeed quickly. If you don't follow a checklist item, that may be acceptable as long as you can provide an explanation of why you are doing that and what you are doing to provide the needed security in that area.

If you are not connected to DOD, then the STIGs may seem somewhat paranoid and of little interest. But they do provide a good starting point for your policy. At the very least, they provide an organized set of concerns to be addressed in your policy.

If you are in US DOD or are a contractor, DISA will give you their "Gold Disk" with its SRR, or System Requirements Review, checklist and the associated scripts that you can run to automate the process. Unless you are part of DOD or one of their contractors, however, you cannot download the SRR scripts. You can certainly use Google to locate what claim to be the SRR scripts for your operating system, but you cannot tell whether they really are the genuine ones.

The plan for some time has been to replace the Gold Disk scripts with new SRR software that tests a system for compliance with the STIGs. And that leads us to...

SCAP Products

SCAP is the Security Content Automation Protocol. SCAP is much more than just a communication protocol. It is a method for automating vulnerability detection, patch and configuration management, policy compliance, and the communication between the needed components and for the generation of reports.

The U.S. Government pays contractors to test products and validate those that can manage the Federal Desktop Core Configuration (FDCC) control of system patching and configuration.

SCAP Validations

Products are validated in one or more of four categories: FDCC Scanner, Authenticated Configuration Scanner, Authenticated Vulnerability and Patch Scanner, and Unauthenticated Configuration Scanner. The validated products, listed by vendor:

Arellia
    Security Analysis Solution
BigFix
    Security Configuration and Vulnerability Management Pack
BMC Software
    BMC Automation Server
BMC
    BladeLogic Client Automation
CA Technologies
    CA IT Client Manager
The Center for Internet Security
    CIS Configuration Audit Tool
Core Security Technologies
    Core IMPACT Professional
Digital Defense Incorporated
    Frontline Vulnerability Manager
Dell KACE
    Dell KACE K1000 System Management Appliance
eEye Digital Security
    Retina
eIQ Networks
    SecureVue
Greenbone
    Greenbone Security Manager
HP
    SCAP Scanner
IBM
    Tivoli Endpoint Manager for Security and Compliance
LANDesk
    LANDesk Patch Manager 9.0 Extensions for Federal Desktops
    LANDesk Security Suite 9.0 Extensions for Federal Desktops
Lumension Security
    PatchLink Security Configuration Management for PatchLink Update
    PatchLink Security Configuration Management for PatchLink Scan
McAfee
    Policy Auditor
    Vulnerability Manager
Microsoft
    System Center Configuration Manager Extensions for SCAP
nCircle
    Configuration Compliance Manager
    IP360
NetIQ
    NetIQ Secure Configuration Manager
Prism Microsystems
    EventTracker Enterprise
Qualys
    QualysGuard FDCC Scanner
Rapid7
    Nexpose
SAINT
    SAINT Vulnerability Scanner
Shavlik
    Shavlik Security Suite: Netchk Configure
    Shavlik Security Suite: Netchk Protect
SignaCert
    Enterprise Trust Server
SPAWAR Systems Center Atlantic
    SCAP Compliance Checker
Symantec
    Control Compliance Suite
    Risk Automation Suite
Telos
    Xacta IA Manager (Xacta Hostinfo)

Apple OS X Security Auditing Tools

osxlockdown was built to audit and remediate security configuration settings on OS X 10.11 (El Capitan).

Windows System Security Auditing Tools

There used to be a number of these types of tools, but they have disappeared. The Windows Security Configuration and Analysis Snap-In is one of the few tools available. See:
Introduction to the Security Configuration and Analysis Snap-In
Applying security policies with the Security Configuration and Analysis Snap-In

Windows Server 2003 has a Security Configuration Wizard. See:
Get to know Windows Server 2003's Security Configuration Wizard
Using the Secedit tool to work with security templates

Registry Live Watch can monitor the Windows registry and alert you to any changes. Someone told me that they had installed the PACE Anti-Piracy software, which then stealthily modifies the registry on some hidden schedule. If you know when the registry is being changed, then you have a chance of figuring out what is making the change.

PACE Anti-Piracy is described as software which "installs a kernel-level driver onto your Windows machine, does its best to blend into the woodwork (the device driver is named "TPKD", the support files get buried in a common-apps directory, and at no point in its process of validating a trial period does it display its name or other information to the user), and uses some method of compiling unique information about your computer in order to do its anti-piracy thing. And there's no obvious way to get the PACE Anti-Piracy software off of your computer once it's there."
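As an added example (not part of the original page, and not Registry Live Watch's own code), here is a Windows PowerShell 5.1 watch on the Services subtree, where any kernel driver has to register: it logs the time of each change and diffs the subkey names against a baseline, so the log shows when something changed and which keys appeared or vanished. The log path is an assumed placeholder.

```powershell
# Added example: watch a registry subtree with the WMI registry event provider and,
# on each change, diff the subkey names against a baseline so the log records when
# the change happened and which keys were added or removed.
# Assumptions: Windows PowerShell 5.1 (Register-WmiEvent), run elevated; the log
# path below is a placeholder.
$LogFile      = 'C:\Temp\registry-changes.log'            # placeholder path
$ProviderPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'  # where drivers and services register
$WqlRootPath  = 'SYSTEM\\CurrentControlSet\\Services'      # same key; WQL needs doubled backslashes

# Names of every subkey under $Path; keys we are not allowed to read are skipped.
# Declared in the global scope so the event action below can call it.
function global:Get-KeySnapshot {
    param([string]$Path)
    @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
}

$global:RegWatchBaseline = Get-KeySnapshot $ProviderPath

# RegistryTreeChangeEvent fires for any change beneath RootPath. The registry event
# classes live in root\default, not in the root\cimv2 namespace Register-WmiEvent uses
# by default.
$Query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='$WqlRootPath'"

Register-WmiEvent -Namespace 'root\default' -Query $Query -SourceIdentifier 'RegWatch' `
    -MessageData @{ Log = $LogFile; Path = $ProviderPath } -Action {
        $cfg   = $Event.MessageData
        $stamp = '{0:yyyy-MM-dd HH:mm:ss.fff}' -f (Get-Date)
        $now   = Get-KeySnapshot $cfg.Path
        $diff  = Compare-Object -ReferenceObject $global:RegWatchBaseline -DifferenceObject $now
        $lines = @("$stamp change under $($cfg.Path)")
        foreach ($d in $diff) {
            $what = if ($d.SideIndicator -eq '=>') { 'added  ' } else { 'removed' }
            $lines += "$stamp   $what $($d.InputObject)"
        }
        # No added or removed keys means a value inside an existing key was changed.
        if (-not $diff) { $lines += "$stamp   (values changed inside an existing key)" }
        Add-Content -Path $cfg.Log -Value $lines
        $global:RegWatchBaseline = $now
    }

# Review the log afterwards, then stop watching with:
#   Unregister-Event -SourceIdentifier 'RegWatch'
```

The timestamps are what let you line a change up with scheduled tasks, service starts or whatever else was running at that moment; value-level changes inside an existing key are reported only as having happened, not which value.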

Network Vulnerability Scanners

Lynis — Open-source and enterprise security auditing toolkits for Linux and other Unix-family operating systems

Lynis runs on Linux; the BSD family of OpenBSD, FreeBSD, NetBSD and others; MacOS X; and commercial Unixes including HP-UX and Solaris.

There is an open-source version, a collection of scripts.

Lynis Enterprise adds centralized management and reporting, further plugins, integration with other projects, and support.

Older Open-Source Tools for Linux/UNIX Family Security Auditing

Be aware that most of these have not been updated since the mid to late 2000s! For example, in mid-2014 I noticed that Bastille had not been updated since 2008.

TARA, the Tiger Analytical Research Assistant, is an automated system administrator's assistant.

COPS has been a standard auditing tool, although it's getting awfully old.

Titan automatically changes your system configuration to increase security, possibly breaking some functionality.

Bastille takes you through a series of questions, educating you along the way, possibly making configuration changes to increase security.

More tool FTP sites:
Purdue CERIAS
U.S. Department of Energy
funet.fi