# SOC Analyst - Linux

aeonmike/CyberSecurity-BlueTeam GitHub Wiki

Forensics and incident response on Linux systems.
## Last login

```sh
$ lastlog
$ last
```

## Users with login shells

```sh
$ grep 'sh$' /etc/passwd
```

## List users' cron jobs

```sh
$ for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done
```

## SSH authorized keys

```sh
$ find / -type f -name authorized_keys 2>/dev/null
```
## Show process tree with username, TTY and wide output

```sh
$ ps auxfww
```

## Process details

```sh
$ lsof -p [pid]
```

## Show all connections without resolving names (IP only)

```sh
$ lsof -i -n
$ netstat -anp
$ netstat -antp
$ ss -antp
```

## List all services

```sh
$ service --status-all
```

## List firewall rules

```sh
$ iptables --list-rules
```

## List all timers

```sh
$ systemctl list-timers --all
```
## DNS poisoning

Look at these files to see if DNS has been poisoned:

```
/etc/hosts
/etc/resolv.conf
```

## List files and folders with nanosecond timestamps, sorted by modification time (newest first)

```sh
$ ls --full-time -lt
```
## List files modified on a specific date or within a time window

```sh
$ find / -newermt "2021-06-16" -ls 2>/dev/null
$ find / -newermt "2021-05-01" ! -newermt "2021-05-10" -ls 2>/dev/null
$ find / -newermt "2021-05-01" ! -newermt "2021-05-10" -ls 2>/dev/null | grep -Ev 'filterone|filtertwo'
$ find / -newermt "2021-06-16 01:00:00" ! -newermt "2021-06-16 07:00:00" -ls 2>/dev/null
$ find / -atime 2 -ls 2>/dev/null
$ find / -mtime -2 -ls 2>/dev/null
```

## File inspection

```sh
$ stat [file]
$ exiftool [file]
```

## Observe changes in files
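The wiki's one-liner under this heading hashes a tree in one pass. The script below is an added example, not the wiki's own code: it turns the same idea into a two-step baseline-and-compare workflow, so a snapshot taken from a known-good image (or before an incident) can be diffed against the live system to list modified, added and removed files. The function names `hash_tree` and `compare_snapshots` are mine; it assumes GNU coreutils (`md5sum`, `sort`, `join`) and does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example (not from the wiki): snapshot a tree's hashes, then diff a
# later snapshot against the baseline. Assumes GNU coreutils; paths with
# whitespace are not handled (md5sum escapes them).

# hash_tree DIR OUT  - write "path hash" lines, sorted on path, into OUT.
hash_tree() {
    dir=$1; out=$2
    # "{} +" batches files per md5sum call; symlinks are not followed, so a
    # planted link cannot substitute another file's content into the snapshot.
    find "$dir" -type f -exec md5sum {} + \
        | awk '{ print $2, $1 }' \
        | LC_ALL=C sort -k1,1 > "$out"
}

# compare_snapshots BASELINE CURRENT - print one line per difference:
#   MODIFIED <path>   same path in both snapshots, different hash
#   REMOVED  <path>   present in BASELINE only
#   ADDED    <path>   present in CURRENT only
# Both inputs must be sorted on the path field (hash_tree guarantees that).
compare_snapshots() {
    base=$1; cur=$2
    LC_ALL=C join -j 1 "$base" "$cur"      | awk '$2 != $3 { print "MODIFIED", $1 }'
    LC_ALL=C join -j 1 -v 1 "$base" "$cur" | awk '{ print "REMOVED", $1 }'
    LC_ALL=C join -j 1 -v 2 "$base" "$cur" | awk '{ print "ADDED", $1 }'
}

# Usage: sh hashdiff.sh baseline DIR OUT
#        sh hashdiff.sh compare BASELINE CURRENT
case "${1:-}" in
    baseline) hash_tree "$2" "$3" ;;
    compare)  compare_snapshots "$2" "$3" ;;
esac
```

Store the baseline off-box (or on read-only media): a snapshot kept on the compromised host can be edited along with the files it describes. Swap `md5sum` for `sha256sum` if the snapshot is meant to be shared with anyone who expects a collision-resistant hash; the rest of the script is unchanged.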
```sh
# prints the hashes that occur exactly once under the current directory
$ find . -type f -exec md5sum {} \; | awk '{print $1}' | sort | uniq -c | grep ' 1 ' | awk '{print $2}'
```

## Look for cap_setuid+ep in binary capabilities

```sh
$ getcap -r /usr/bin/
$ getcap -r /bin/
$ getcap -r / 2>/dev/null
```

## SUID

```sh
$ find / -type f -perm -u=s 2>/dev/null
```
## Log auditing

```sh
$ aureport --tty
```

Directories:

```
/etc/cron*/
/etc/incron.d/*
/etc/init.d/*
/etc/rc*.d/*
/etc/systemd/system/*
/etc/update.d/*
/var/spool/cron/*
/var/spool/incron/*
/var/run/motd.d/*
```

Files:

```
/etc/passwd
/etc/sudoers
/home/*/.ssh/authorized_keys
/home/*/.bashrc
```
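The time-window `find` commands earlier on this page filter noise after the fact with `grep -v`; the directories and files listed above are the places where a persistence change would show up. The function below is an added example, not the wiki's own code: it combines the two, taking a window and one or more roots, pruning the pseudo-filesystems (`/proc`, `/sys`, `/dev`, `/run`) inside `find` itself so they are never walked, and printing a sortable timeline line (mtime, owner, mode, path) instead of `-ls` output. The name `changed_between` is mine; it assumes GNU find (`-newermt`, `-printf`).

```shell
#!/bin/sh
# Added example (not from the wiki): timeline files modified inside a window,
# pruning pseudo-filesystems in find rather than post-filtering with grep -v.
# Assumes GNU find (-newermt, -printf).

# changed_between START END ROOT...
#   START and END are date strings find understands ("2021-05-01" or
#   "2021-05-01 00:00:00"); the window is [START, END): modified at or after
#   START and before END. Remaining arguments are the directories to walk,
#   e.g. the cron, init, systemd and spool directories listed on this page.
changed_between() {
    start=$1; end=$2; shift 2
    # -prune stops find descending into the pseudo-filesystems when walking /;
    # each output line is "mtime user:group mode path", sorted oldest first.
    find "$@" \
        \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
        -type f -newermt "$start" ! -newermt "$end" \
        -printf '%T+ %u:%g %m %p\n' 2>/dev/null \
        | sort
}

# Usage: sh timeline.sh "2021-05-01" "2021-05-10" /etc /var/spool
[ $# -ge 3 ] && changed_between "$@"
```

Run it with the persistence directories as roots first and with `/` second: the short run answers "did any startup or scheduled-task location change in the window" in seconds, the full run builds the wider timeline. Pruned paths are excluded entirely, unlike `grep -v`, which only drops matching lines after every file has already been examined.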