This file: ftp://ftp.cert.dfn.de/pub/tools/audit/01-README

information about this subdirectory:

Audit tools for better control of system activities.

-----

directory: /pub/tools/audit/RIACS/

  RIACS (Intelligent Auditing and Categorizing System) is a file scanning
  system which generates a listing of a file system and compares it with
  previously-generated listings; the changes are reported. Both local and
  remote file system auditing are provided. Logging is done on a
  time-driven basis.
  This directory contains information, the latest version and patches.

directory: /pub/tools/audit/Watcher/

  WATCHER is a program to watch the system, reporting only when it finds
  something amiss. It monitors system statistics, such as disk space,
  process load or machine status. In case of problems WATCHER mails the
  problem report to the system manager.
  This directory contains information, the latest version and patches.

directory: /pub/tools/audit/argus/

  Argus is a generic IP network transaction auditing tool. Argus runs as
  an application level daemon, reading network datagrams from a specified
  interface.
  This directory holds the new argus 2.x versions. The old argus 1.x can
  be found at /pub/tools/audit/argus-old
  [This directory is a mirror from ftp:/qosient.com/pub/argus]

directory: /pub/tools/audit/argus-old/

  Argus is a generic IP network transaction auditing tool. Argus runs as
  an application level daemon, reading network datagrams from a specified
  interface.
  This directory contains the old argus 1.x versions. The current argus
  2.x versions are at /pub/tools/audit/argus
  [This directory is a mirror from ftp://ftp.andrew.cmu.edu/pub/argus]

directory: /pub/tools/audit/arpwatch/

  This directory contains source code for arpwatch, a tool that monitors
  Ethernet activity and keeps a database of Ethernet/IP address pairings.
  It also reports certain changes via email.
  [This directory is a mirror from ftp://ee.lbl.gov/]

directory: /pub/tools/audit/authd/

  AUTHD is an implementation of RFC931, the Authentication Server, which
  provides any remote host the name of those users owning a TCP
  connection to the remote site.
  This directory contains information, the latest version and patches.

directory: /pub/tools/audit/chklastlog/

  chklastlog: a tool to check for overwritten information in
  /var/adm/lastlogin on SunOS 4.x systems.
  (chklastlog, v 1.0, DFN-CERT, September 1994)

directory: /pub/tools/audit/chkrootkit/

  chkrootkit is a tool to check for traces of an installed rootkit.
  [This directory is a mirror from ftp://www.chkrootkit.org/pub/seg/pac]

directory: /pub/tools/audit/chkwtmp/

  chkwtmp: a tool to check for overwritten information in /var/adm/wtmp
  on SunOS 4.x systems.
  (chkwtmp, v 1.0, DFN-CERT, September 1994)

directory: /pub/tools/audit/courtney/

  Courtney monitors the network and identifies the source machines of
  SATAN probes/attacks. Courtney receives input from tcpdump, counting
  the number of new services a machine originates within a certain time
  window. If one machine connects to numerous services within that time
  window, Courtney identifies that machine as a potential SATAN host.
  [This directory is a mirror from ftp://ciac.llnl.gov/pub/ciac/sectools/unix]

directory: /pub/tools/audit/elwiz/

directory: /pub/tools/audit/gabriel/

  The gabriel software package from Los Altos Technologies, Inc. allows
  a system administrator to detect network probes like the ones generated
  by SATAN.
  [This directory is a mirror from ftp://orange.best.com/pub/lat]

directory: /pub/tools/audit/logcheck/

directory: /pub/tools/audit/logsurfer/

  The logsurfer program is a tool to monitor arbitrary logfiles (for
  example syslog messages), automatically analyse them and invoke
  actions.

directory: /pub/tools/audit/natas/

  Natas is a simple daemon to log TCP probes.

directory: /pub/tools/audit/netlog/

  NETLOG is a set of three programs: the TCPLOGGER/UDPLOGGER programs log
  all TCP (UDP) connections (sessions) on a subnet; the EXTRACT program
  is used to select specific records from the log files.
  [This directory is a mirror from ftp://net.tamu.edu/pub/security/TAMU]

directory: /pub/tools/audit/pidentd/

  PIDENTD is a program that implements the RFC1413 identification
  server. It looks up specific TCP/IP connections and returns the user
  name of the process owning that connection.
  This directory contains information, the latest version and patches.
  It also contains LIBIDENT, which is a small library to interface with
  the Ident protocol server.
  [This directory is a mirror from ftp://ftp.lysator.liu.se/pub/ident/(servers|libs)]

directory: /pub/tools/audit/scanlogd/

  scanlogd is a TCP port scan detection tool, originally designed to
  illustrate various attacks an IDS developer has to deal with, for a
  Phrack Magazine article. Thus, unlike some of the other port scan
  detection tools out there, scanlogd is designed to be totally safe to
  use.
  [NOTE: This is a link to the directory
  /pub/tools/net/Openwall/projects/scanlogd]

directory: /pub/tools/audit/swatch/

  SWATCH is a program which monitors different log files, such as
  syslog, filters out unwanted data and performs user-defined actions
  (e.g. send mail) upon certain high-priority events (e.g. repeated
  login failures).
  This directory contains information, the latest version and patches.
  [This directory is a mirror from ftp://ftp.stanford.edu/general/security-tools/swatch]

directory: /pub/tools/audit/syslog/

  Surrogate syslog library for those systems that have TCP/IP but no
  syslog library. This version logs to /usr/spool/mqueue/syslog, unless
  the SYSLOGFILE macro is defined otherwise.
  This directory contains information, the latest version and patches.

directory: /pub/tools/audit/vulture/

  VULTURE is a system status program that monitors certain activity in
  the system, or activity related to its user. The program gives
  information about incoming mail and login/logout activity.
  This directory contains information, the latest version and patches.