Linux Incident Management Scripts This repository contains basic Incident Response Investigation scripts. This scripts are mainly runs on Bash shell. These scripts are only tested on Debian based distros.
- Users Management Commands
- Network Settings Management Commands
- System Resources Commands
- Processes & Services Commands
- Logs Entries Management
commands for investigating linux users activities, permissions and information.
cat /etc/passwd- List of Users Accounts/etc/bash.bashrc- user profile setting/etc/profile- also user profileegrep -e '/bin/(ba)?sh' /etc/passwd- Lists of users who have shell accesscat /etc/group- List of User Groupscat /etc/sudoers- Sudoers Accountslastlog- Most Recent Loginslast -f /var/log/wtmp- failed loginslast- Last Login Userswho- Current Login Usersw- Currently Logged in Users & Activitiessudo -l- Displays list of permitted commandscat ~/.bash_history- Bash history informationcat ~/.viminfo- Information about who accessed vim
commands to see netwrok configurations
ifconfig -a- All Network Interfacescat /etc/network/interfaces- Netwrok interfacescat /etc/hostname- Check the system hostnamecat /etc/timezone- Check the timezone of the systemmore /etc/resolv.conf- DNS Informationmore /etc/hosts- DNS Informationnetstat -antup- Active Network Connectionsiptables -L -n -v- Show All Iptables Rulesroute -n- Show Routing Table in numeric formss -tuln- Listening Ports & Connectionsarp -vn- to see the ARP table
commands to see linux system resources
top- Linux System Tasksuptime- System uptimeps aux- Currently Running Processesfree -m- Memory Usage in MBcat /proc/mounts- Display mounted File Systemdf -h- free disk space(Hard Disk) on all the file systemsvmstat -a- statistics for system processes, memory, swap, I/O, and the CPUlsof- list of all the open files and processesls /etc/rc*- lists of bootup servicescat /etc/*release- Displays Os version details
commands for linux system processes & services
ps -ef- All Running Processespstree -p- Process Tree with PIDsps -axjf- Show Running Processes in a Tree-like Formattop -n 1- Top Processesls /etc/init.d- startup processservice --status-all- List of all serviceschkconfig --list- List of all services & current statesystemctl list-units --type=service- List of running servicesjobs- list of background jobscat /etc/crontab- Displays running cron jobsls -la /etc/cron.d- Displays software package used for specified cron job
commands for logs entries
cat /var/log/messages- System Messages Logscat /var/log/auth.log- Users Authentication Logscat /var/log/auth.log* | grep -i COMMAND- sudo command executioncat /var/log/boot.log- System Boot Logscat /var/log/dmesg- Kernel Ring Buffer Logscat /var/log/kern.log- kernel logs/var/log/syslog- Syslogs messages
This script performs a series of checks to ensure the system is secure and compliant with security best practices. It checks for:
- Firewall configuration
- System updates and patches
- SSH configuration
- SELinux configuration
- System logs
- Network configuration
- System users and groups
- File system permissions
sys-sec.sh -script name
Note that this script is just a starting point and may need to be modified to fit the specific needs of your system and security requirements.
make sure the required permissions for this script is given & add execution permissions for this script. Do following steps after downloading the scripts.
chmod +x irscript.sh
./irscript.sh
This incident response scripts are basic form of investigations and can modify based on scenario. Do more Practice and Expert it!.
3/15/2024
Contributed By - Jord@n