Linux Cyber Security Incident Response Script
The purpose of this script is to preserve and collect notable Linux artefacts. Once dropped onto the target system, the script will utilise a series of internal commands to query information from the host and retrieve data, which it stores in a temporary folder. Once all data has been collected, all files are hashed with the MD5 algorithm and the hash values are retained in a log file. Finally, the collection is archived into a TAR/GZIP file and the temporary store is deleted. The TAR/GZIP file can then be retrieved by the analyst for subsequent analysis offline. The script should be used during fast-time collection and preservation of artefacts during a cyber security incident. Frequent progress updates are provided in English and German languages via the terminal, whilst the script is active. A log of the terminal activities is also created and retained in the archive collection.
Memory:
- Processes
- Memory Information
- Memory Statistics
- Loaded Modules
- Open Files
Accounts:
- Bash History
- Bash Profile
- Bash Logout
- Bash RC
- ZSH History
- ZSH RC
- Python History
- Most Recently Used
- User Accounts
- Password Hashes
- User Groups
- User Permissions
- Active Users
- Users Most Recent Logon
- UTMP Activity
- WTMP Activity
- BTMP Activity
Configuration:
- Hostname
- System Date/Time/Zone
- Uptime
- DNS Resolver
- Host
- Name Switch Service
- Kernel Information
- Operating System Information
- Disk Management
- Disk Partition Table
- Disk Usage
- File System Information
- USB Devices
- PCI Devices
- Crontab Listing
- Crontab Files
- Service Status
- init Files
- init.d Files
- rc.local Files
- rc.local.d Files
Network:
- Netstat
- Socket Statistics
- Host IP Address
- DHCP
- Hosts
- Hosts Allow
- Hosts Deny
- Routing Table
- ARP Table
- IP Configuration
- Port Status
- IP Tables Filter Rules
- IP Tables NAT Rules
- SSH Configuration
- Users SSH Known Hosts
- Users SSH Authorized Keys
Logs:
- Log Configuration
- SSHD Journal Events
- /var/log/*
- /var/run/ UTMP log
Programs:
- Installed Packages
- Installed Modules
- Installed Binary Hashes
File System:
- Trash Bin File Entries
- Trash Bin Raw Metadata
- Trash Bin File Hashes
- Root Temporary File Hashes
- Downloads File Hashes
- tmp File Collection
- tmp File Hashes
- tmp Directory Listing
- etc Directory Listing
- Potential Webshell File Hashes
Internet:
- Firefox History
- Firefox Cookie
- Firefox Forms
Step 1: Copy LINTri.sh to the root of the target host file system via your preferred method i.e., SCP.
Step 2: Set script permissions to execute:
chmod +x ./LINTri.sh
Step 3: Execute script with Superuser privileges:
sudo ./LINTri.sh
Step 4: Download resultant (*.tar.gz) archive file via your preferred method i.e., SCP.
Step 5: Delete script and archive file from host:
rm ./LINTri.sh
rm ./LINTri_<hostname>_<date>_<time>.tar.gz
- Script must be run with Superuser privileges.
- Several standard built-in Linux tools are leveraged. No third-party tools are required.
- As the script interacts with sensitive Linux credential files, configure an exclusion path and add hash value to a whitelist on any AV/EDR tools, to allow the script to execute fully.