Article 37500 of alt.security:
Dan Farmer and Wietse Venema gave a conference on doing a security audit.

Under Technical Investigation, they list:

Run static tools (COPS, Crack, etc)
Check system logs
Check system against known vuls (CERT, bugtraq, CIAC advisories, etc.)
Check static items (config files, etc.)
Search for privledged programs (SUID, SGID, run as root)
Examine all trust
Check extra network services (NFS, news, httpd, etc)
Check for replacement programs (wu-ftpd, TCP wrappers, etc.)
Code review "home grown" programs (CGI's, finger FIFO's, etc)
Run dynamic tools (ps, netstat, lsof, etc)
Actively test defenses (packet filters, TCP wrappers, etc)

Don
-- 
<don@cs.byu.edu> http://students.cs.byu.edu/~don  PGP 0x994B8F39  fRee cRyPTo!
  "It is not worth an intelligent man's time to be in the majority.  By 
  definition, there are already enough people to do that." - G. H. Hardy
** This user insured by the Smith, Wesson, & Zimmermann insurance company **