The open-source community has provided numerous valuable tools that an auditor can take advantage of to increase both the accuracy and efficiency of his or her work. Some of the most commonly used tools for auditing *nix systems are listed below with a few tips on their use.
The Nessus network vulnerability scanner written by Renaud Deraison first appeared in 1998 and was arguably the most advanced and most popular open-source network vulnerability-assessment tool. Beginning with version 3.0, Nessus is now closed-source and is owned by Tenable Security. Version 3.0 is still free to use, but registration/payment will get you faster access to the latest plugins and vulnerability checks. The source to the 2.x stream is still open, and others have already picked up on its development. In a nutshell, Nessus operates by looking for open ports on the target host, trying to identify the services running on those ports, and then testing those services for specific vulnerabilities. The server operates on Unix/Linux only, but there are clients to control the server that are also available for Windows.
NMAP can be a handy way to check for open ports on a server without running an all-out vulnerability scanner such as Nessus, perhaps to test the rules of a host-based firewall. NMAP affords the user many options, and the "man" page is a must-read to understand them all.
Chkrootkit is designed to identify both known rootkits running on a system and "suspicious" files or processes. It can be run in the course of an audit to check for possible compromises, and it is also worth suggesting to the sysadmin as a tool to run on a regular basis for security monitoring. Its effectiveness is enhanced if it is run from a read-only file system with trusted, statically linked binaries.
http://www.netadmintools.com/art279.html (the author used the instructions on this site, with a few minor tweaks in the build process probably owing to differing versions, to successfully create static binaries for a trusted chkrootkit package)
If checking the strength of user-chosen passwords is part of your audit scope, you'll want to take a look at these two tools. Alec Muffett's Crack dates back to the early 1990s and is very widely known and distributed. John the Ripper, however, generally is faster and more full-featured. Either probably will get the job done in most cases. Consider adding additional wordlists to the dictionaries of these tools, including non-English wordlists, to enhance their efficacy.
While not a tool in the same sense as the others, much can be done in the *nix shell, especially with the help of additional tools such as awk or sed, which can chop up and process the text output of commands. Much of the information required to perform the steps in this audit program could be obtained with a shell script. This script can be provided to the sysadmin, who would run it as "root" and provide the output to the auditor. Using logical tests on the returned values can even automate the evaluation, returning a simple pass/fail grade for some of the steps. A simple example is found in step 2, where the passwd file is checked for duplicate UIDs.
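As an added example (not code from the original article), a shell function of the kind described above: it parses a passwd-format file with awk, reports any UID shared by more than one account, and returns a pass/fail exit status that a wrapper script can act on; the passwd lines it is run against are constructed sample data, not a real system.

```shell
#!/bin/sh
# Audit check: duplicate UIDs in a passwd-format file.
# Returns 0 (PASS) when every UID is unique, 1 (FAIL) otherwise, and lists
# each shared UID with the accounts that use it.
check_duplicate_uids() {
    passwd_file="$1"
    dupes=$(awk -F: '
        # Skip blank lines; field 1 is the account name, field 3 the numeric UID.
        /^[[:space:]]*$/ { next }
        { count[$3]++; users[$3] = users[$3] " " $1 }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid ":" users[uid]
        }' "$passwd_file" | sort -n)
    if [ -z "$dupes" ]; then
        echo "PASS: no duplicate UIDs in $passwd_file"
        return 0
    fi
    echo "FAIL: duplicate UIDs in $passwd_file"
    echo "$dupes" | while IFS=: read -r uid names; do
        echo "  UID $uid shared by:$names"
    done
    return 1
}

# Constructed sample data (not a real passwd file): a second UID 0 account and
# two accounts sharing UID 1001, which the check must flag.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
EOF

# Constructed clean sample: every UID unique, so the check passes.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
EOF

check_duplicate_uids "$SAMPLE_BAD" || echo "exit status: $?"
check_duplicate_uids "$SAMPLE_GOOD" && echo "exit status: 0"
rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"
```

On a live system the sysadmin would call the function with /etc/passwd; the exit status is what a wrapper script tests to assign the step its pass/fail grade.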