Managed by Dan Farmer, this is a long-established suite of shell scripts which forms an extensive security testing system. There is a rudimentary password cracker, and routines to check the filestore for suspicious changes in setuid programs, others to check permissions of essential system and user files, and still more to see whether any system software behaves in a way which could cause problems.
The software comes in two versions - one written in Perl and one (largely equivalent) written in shell scripts. The latest version is very up-to-date on Unix security holes.
Written by Alec Muffett, this is a program written with one purpose in mind: to break insecure passwords. It is probably the most efficient and friendly password cracker that is publicly available, with the ability to let the user specify precisely how to form the words to use as guesses at users' passwords.
It also has a built-in networking capability, allowing the load of cracking to be spread over as many machines as are available on a network, and it is supplied with an optimised version of the Unix crypt() algorithm.
An even faster version of the crypt() algorithm, "UFC" by Michael Glad, is freely available on the network, and the latest versions of UFC and Crack are compatible and can be easily hooked together.
These programs are written to redress the balance in the password cracking war. They provide replacements for the standard "passwd" command, but prevent a user from selecting passwords which are easily compromised by programs like Crack.
Several versions of these programs are available on the network, hacked about to varying degrees in order to provide compatibility for System V based systems, NIS/YP, shadow password schemes, etc. The usual term for this type of program is a 'fascist' password program.
This program suite (by John F Haugh II) is a set of program and function replacements (compatible with most Unixes) which implements shadow passwords, i.e. a system where the plaintext of the password file is hidden from all users except root, hopefully stopping all password cracking attempts at source. In combination with a fascist passwd front-end, it should provide a good degree of password file robustness.
Shadow does much more than hide passwords. It also provides for terminal access control, user and group administration, and a few other things which I've forgotten. There are a dozen or more commands in the suite, plus a whole slew of library functions.
These are programs which provide a front-end filter to many of the network services which Unix provides by default. If installed, they can curb otherwise unrestricted access to potential dangers like incoming FTP/TFTP, Telnet, etc, and can provide extra logging information, which may be of use if it appears that someone is trying to break in.
You may want to add a mention of securelib, a security enhancer available for SunOS version 4.1 and higher.
Securelib contains replacement routines for three kernel calls: accept(), recvfrom(), recvmsg(). These replacements are compatible with the originals, with the additional functionality that they check the Internet address of the machine initiating the connection to make sure that it is "allowed" to connect. A configuration file defines what hosts are allowed for a given program. Once these replacement routines are compiled, they can be used when building a new shared libc library. The resulting libc.so can then be put in a special place. Any program that should be protected can then be started with an alternate LD_LIBRARY_PATH.
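The following is an added example, not code from securelib or from the tcp wrappers mentioned above: it shows the kind of allowed-host check that such a replacement accept() performs before handing a connection to the program. The configuration format ("program network/prefix" per line) and the sample rules are assumptions constructed for the example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample config (format is an assumption, not securelib's):
 * one "program network/prefix" rule per line; '#' starts a comment. */
static const char *SAMPLE_CONFIG =
    "ftpd 192.0.2.0/24\n"
    "telnetd 192.0.2.10/32\n"
    "# rules without /prefix are treated as single hosts\n"
    "telnetd 198.51.100.0/24\n";

/* Return 1 if the IPv4 peer address is allowed for prog, 0 otherwise.
 * Anything unparsable is treated as "no rule", so the default is deny. */
int peer_allowed(const char *config, const char *prog, const char *peer_ip) {
    struct in_addr peer;
    if (inet_pton(AF_INET, peer_ip, &peer) != 1) return 0;
    char line[256];
    for (const char *p = config; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        char name[64], net[32]; int prefix = 32;
        if (line[0] == '#' || sscanf(line, "%63s %31[^/]/%d", name, net, &prefix) < 2) continue;
        if (strcmp(name, prog) != 0) continue;
        struct in_addr n;
        if (inet_pton(AF_INET, net, &n) != 1 || prefix < 0 || prefix > 32) continue;
        uint32_t mask = prefix == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - prefix));
        if ((peer.s_addr & mask) == (n.s_addr & mask)) return 1;
    }
    return 0;
}

/* What a securelib-style accept() replacement does: complete the accept,
 * then log and drop the connection if the peer is not allowed for prog. */
int checked_accept(int listen_fd, const char *prog, const char *config) {
    struct sockaddr_in sa; socklen_t salen = sizeof sa;
    int fd = accept(listen_fd, (struct sockaddr *)&sa, &salen);
    if (fd < 0) return -1;
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa.sin_addr, ip, sizeof ip);
    if (peer_allowed(config, prog, ip)) return fd;
    fprintf(stderr, "%s: refused connection from %s\n", prog, ip);
    close(fd);
    errno = ECONNREFUSED;
    return -1;
}
```

A program linked against such a replacement sees refused peers only as a failed accept(), which is what keeps the change compatible with unmodified servers.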
Sites connected with the Department of Energy and some military organizations may also have access to the SPI package. Interested (and qualified) users should contact the CIAC at LLNL for details.
SPI is a screen-based administrator's tool that checks configuration options, includes a file-change (integrity) checker to monitor for backdoors and viruses, and various other security checks. Future versions will probably integrate COPS into the package. It is not available to the general public, but it is available to US Dept of Energy contractors and sites and to some US military sites. A version does or will exist for VMS, too. Further information on availability can be had from the folks at the DoE CIAC.