local on the system, no matter which unix:
- rkhunter or chkrootkit
(os-specific stuff depends on the OS, like port-vulnerabilities for various BSD's, scripts for AIX/HP-UX and Baseline Security Analizer for Windows ;))
- tripwire
external to the system:
-nmap
-nessus
it would be possible to 'diff' i.e. the results of netstat -na, nmap and filter rules, also of installed software, but at the moment this is too much effort, mostly because I'm coding very slow :)
I'm maintaining this environment for ~5 years now and have found the easiest way for assessment and fixing of vulnerabilities is three parts:
- run not the bleeding edge, but be absolutely uptodate on production versions of the code I use.
- for critical daemons/services (think httpd, firewalls, ...) there's always a preconfigured replacement active and running.
i.e. on my firewall there's a thttpd running You'll never see because the website is pointing to a regular apache server. if there's a really critical exploit to the apache server, I remove the NAT rule until apache can be updated.
- if this is not possible for an application, then chroot it at least. (this, unfortunately won't protect Your data, but at least You can still trust the data's backup.)
yesterday I stood at the edge. Today I'm one step ahead.
