Kernel Security Checker is a tool for locating attackers residing within a system. It analyzes the kernel directly through /dev/kmem, bypassing the intruder's hiding techniques (static kernel recompilation or the use of LKMs). From userspace it can find modified syscalls, detect interfaces in promiscuous mode, and find modifications applied to a protocol.
Netjail is a user-space mechanism for restricting the socket connection attempts that a process makes. This makes it very useful for studying and/or foiling spyware and other software with covert "home-calling" features. It is implemented as a shared library that is preloaded when launching the suspect program (via the LD_PRELOAD mechanism available in most modern Unix systems). This library intercepts socket() and connect() calls to the standard socket library and logs the attempts. Based on environment variables, detailed rules can be put in place about which addresses may be connected to. Disallowed connections return the ECONNREFUSED (Connection Refused) error, which hidden spyware functionality is most likely to handle gracefully.
stegnate is a program to hide data in BMPs or WAVs. stegnate-gtk is the GTK version. It may not compile under GTK versions later than 1.2, but the command-line version works from a prompt and doesn't need GTK at all. At the moment, this software can only hide data in 8- or 16-bit BMPs and 8- or 16-bit WAVs.
Gircap is a set of tools to help you use the little-known "capabilities" that Linux has in place of the conventional Unix superuser privilege. That means you can give programs and processes only as much privilege as they need and greatly limit your security exposure to system bugs. A Linux kernel patch fixes some fundamentally broken aspects of capabilities. setcap and getcap let you set and show the capabilities of a running process. capexec runs a program with a given set of capabilities, UID, GID, and supplemental GIDs. It can be used to have init start a daemon with only a subset of init's privileges. binfmt_capx is an executable interpreter in the form of a loadable kernel module. It lets you do something like setuid for files, but with fine-grained capabilities. This is a cheap substitute for real "file capabilities."
Systraq sends you a daily email listing the state of your system. If critical system files or user access files (e.g. ~/.ssh/authorized_keys) have changed, you'll get an email at shorter notice. It consists of a few very small shell scripts. It can help you implement a (not too strict) security policy.