So can we start with step by step?
Don't be angry
Auditing simply means examining and adjusting. What, in what order and how you examine things depends roughly on the state of the box (distribution, release, maintenance history), the purpose or usage of the box (say shellserver versus database server) and the location (intranet, DMZ, publicly accessible).
Have a look at the LQ FAQ: Security references, post #1 under "Compromise, breach of security, detection", this one: Intruder Detection Checklist (CERT). It's a good example of what to look for always.
Applying security measures should not stop at strengthening security but also take care of leaving enough of an evidence trail to be able to audit a box and adjust where necessary (adjusting being the second half of auditing). Think system logging like performance counters and authentication and authorisation, process logging, users history (if any are allowed), anomalous network traffic. And for some boxen it would be "better" to configure syslogging to log to a remote host. Once logging is in place it's much easier to be proactive about it, adding say file integrity, process and logfile checkers that can adjust and alert on certain conditions.
a) Is there any tool inside the RHEL AS 3.0 for auditing or do I have to install any third party software for auditing?
Yes and yes. But before you start you should ask yourself (any admins who used the box) if there's a cause for distrusting the box. If there is any, it would be safer to reboot the box with a Live CD whose tools you can trust to return the right information. In some cases you can also just mount the CD and use the tools from that location, you should judge if that's necessary based on information, reports or even rumours.
There's nearly always local tools for showing/checking info like:
- passwd (pwck) and group (grpck) consistency,
- who's logged in now (who), who logged in previously (last, lastb, lastlog),
- showing process and environment info (ps, pstree, procinfo, top, lsof, sa),
- network information (netstat, lsof),
- file information (lsof, fuser),
- installed files information (rpm),
- services (chkconfig).
Then there's local tools like "less" and "more" and text editors with which you can read configuration and logfiles (check /etc/syslog.conf for which ones should be used). Manually using available system tools and reading logs should be done to gain proficiency, because you don't have to introduce new tools and in some cases because there's no alternative for human knowledge and interpretation of signs. Using 3rd party apps still is a necessity IMHO because of their scope and to help speed up auditing and reporting (Tiger, Usat), because they can provide you with checks you can't do easily otherwise (env_audit, unhide, check_sysmap) or because they provide checks that point to (possible) intrusions (Chkrootkit, Rootkit Hunter).
Like I already said there's no alternative for human knowledge and interpretation of signs, and there's also caveats which warrant human checking: for instance passwd and group information can have more root account users added, authentication logs can be tampered with or wiped, checking installed files information using "rpm" only covers files that were installed using rpm, and services may be running from cron or at, from locations like /etc/rc.d/rc.local or /etc/inittab, or piggyback on other services.
b) If it is a third party where can I download it?
All the 3rd party tools I mentioned are mentioned on LQ before, are GNU GPL licensed and have homepages. It should not be hard for you to search LQ and teh intarweb to locate those.
c) if it is inside the box what is the command to run the audit tool?
All the "local" tools I mentioned have man and info pages. Read those. If you can't get it to work after reading, then ask.
d) Will it harm the system by running the audit tool?
No, not unless the box is already in a state of deterioration ;-p
Can I run the audit tool everyday?
Sure. In some cases that would be beneficial, in some cases unnecessary.
I think let me finish the auditing first. Then I will go for the next step.
Good. Reading, asking questions and being methodical about things is the best approach.
I'll keep an eye on this thread to see how things progress.
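As an added example (not part of the thread, and not one of the tools named in it): the "more root account users added" caveat from the reply above, turned into a few sh functions that check passwd- and shadow-format files for extra UID 0 accounts, shared UIDs and empty password fields. The sample data is constructed so the script runs offline; pass the real /etc/passwd and /etc/shadow paths to the functions on a box you are auditing.

```sh
#!/bin/sh
# Added example, not from the thread: basic passwd/shadow sanity checks.

# Constructed passwd-format sample: a legitimate root entry, a second
# UID 0 account ("backup") and a normal user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:backup operator:/home/backup:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash'

# Constructed shadow-format sample; "backup" has an empty password field
# (the hashes are placeholders, not real ones).
SAMPLE_SHADOW='root:$1$PLACEHOLDERHASH:12345:0:99999:7:::
bin:*:12345:0:99999:7:::
backup::12345:0:99999:7:::
alice:$1$PLACEHOLDERHASH:12345:0:99999:7:::'

# Print every account with UID 0 whose name is not "root".  $1: passwd file.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print UIDs used by more than one account name.  $1: passwd file.
shared_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# Print accounts whose password field is empty (no password needed).  $1: shadow file.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Write the constructed samples to temp files and run all three checks.
run_sample_audit() {
    pw=$(mktemp); sh=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_SHADOW" > "$sh"
    echo "UID 0 accounts other than root:"; extra_uid0_accounts "$pw"
    echo "UIDs shared by several accounts:"; shared_uids "$pw"
    echo "Accounts with an empty password field:"; empty_password_accounts "$sh"
    rm -f "$pw" "$sh"
}

run_sample_audit
```

On a real box compare the output with pwck and grpck, and treat any unexpected UID 0 name as a reason to distrust the box and switch to a Live CD as the reply suggests.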