RE: UNIX/Windows audit scripts

["Todd Towles" <toddtowles () brookshires com>]

Have you tried the Helix Linux boot CD?  http://www.e-fense.com/helix/index2.html

Helix is a customized distribution of the Knoppix Live Linux CD. Helix has more than just a bootable live CD. You can 
still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and 
many applications dedicated to Incident Response and Forensics. Helix has been modified very carefully to NOT touch the 
host computer in any way and it is forensically sound. Helix wil not auto mount swap space, it will also not auto mount 
any found devices. Helix also has a special Windows autorun side for Incident Response and Forensics. Helix is used by 
SANS for training in Track 8: System Forensics, Investigation and Response. 

You can run a Forensics to a remote Netcat that is listening, pretty sweet.

-Todd

> -----Original Message-----
> From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com] 
> Sent: Friday, March 04, 2005 3:11 AM
> To: pen-test () securityfocus com
> Subject: UNIX/Windows audit scripts
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi there,
>
> I have just returned from an audit in which I have been 
> extensively used a set of audit scripts to extract 
> information to do a "white box"
> analysis of a set of systems. Running an "advanced" tool on 
> those systems [1] was not an option and I used a simple shell 
> script (batch in the Windows 2000/XP/2003 case) that would 
> extract the relevant information from the system (installed 
> software and patches, permissions, TCP/IP listeners, 
> processes, etc.) and allow me to review that manually and 
> fill in the appropiate checklist.
>
> After developing my own I have been able to find only a few 
> similar scripts out there. Marc Heuse's set of audit scripts 
> [2] and Seán Boran's UNIX/Linux local audit tool [3]. Has 
> anyone written / used similar scripts?
>
> Please refrain from suggesting me using tools like ISS's Host 
> Scanner, Nessus (and its Local Security Checks), the CIS 
> scoring tool, Titan or similar software. I'm actually looking 
> for audit scripts less than 8-10Kb in size that do not need 
> any installation and can be run without a GUI to just output 
> information that will be later on analysed. I'm not looking 
> for something that will do both the information extraction 
> and the security review report for me.
>
> I have working audit scripts currently for AIX, Debian 
> GNU/Linux, Red Hat, SuSE, HPUX, Solaris and Windows. But I'm 
> interested in comparing mine with others out there in order 
> to improve them and with a public release of those in mind.
>
> Regards
>
> Javier
>
>
>
> [1] Like Tiger in Unix systems, which I maintain currently (at
> http://savannah.nongnu.org/projects/tiger)
> [2] http://www.suse.de/~marc/audit/
> [3] http://www.boran.com/security/sp/solaris/audit_tool.html
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQigmNaO1I0N5hzVfEQIbLwCfe9fUv6GOkKoH5TU2Fw2zopoNn4AAoPQk
> 7/sChGpaQrMzuJx0473nSrGZ
> =g6vs
> -----END PGP SIGNATURE-----