Linux server triage tool for CSIRT, written in shell script.
- Collects not only log files but also config files and the web server's script files.
- Finds suspicious scripts and binaries on the web server.
- Includes a backup function for all web server contents under DOCUMENT_ROOT.
- [2018.06.20] Automatically detects the web server's DOCUMENT_ROOT and web config directories (httpd, apache2 and nginx support checked).
- [2018.06.20] Log archive scope: automatically from one year before the execution date up to today.
Operation check:
Linux: Ubuntu 14.04, 16.04, Ubuntu Server, CentOS 7.0, 7.5
No requirements for default usage.
If you want to use the ClamAV and RKhunter scans, put their installers into the options directory.
clamav-0.99.2 and rkhunter-1.4.4 are already set up there.
## Usage
- Place rcsirt-linux_triage.sh and the options folder in the same directory on the Linux server you want to triage.
- Check the configuration (constant variables) at the top of the shell script.
- Excluded folders: edit ./options/excludes.txt and add them there. A trailing LF (\n) on the last line is not needed.
- Execute:
  ```
  $ sudo bash rcsirt-linux_triage.sh
  ```
- Pull the tar.gz file that is created.
- Output files: please see the source code for details.
  - Error log => 0_SCRIPT-ERRORS.txt
  - Output file tree log => 1_OUTPUT-TREE.txt
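The one-year log scope and the excludes.txt handling described above, as an added example that is not the project's own code: a minimal collection routine that reads an excludes file (trailing LF optional), archives files modified within the last N days into a tar.gz, and appends tool errors to an error log in the manner of 0_SCRIPT-ERRORS.txt. Function names and the excludes format (one directory per line, relative to the collection root) are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): the core of a log-collection step
# modelled on rcsirt-linux_triage.sh. Function names and the excludes format
# (one path per line, relative to the collection root) are assumptions.

# Print the usable lines of an excludes.txt: blank lines and '#' comments are
# skipped, and a missing trailing LF on the last line is tolerated.
read_excludes() {
    [ -f "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$line"
    done < "$1"
}

# collect_recent_logs ROOT DAYS EXCLUDES OUT ERRLOG
# Archive regular files under ROOT modified within the last DAYS days into the
# gzip'd tar OUT, skipping everything below the directories in EXCLUDES.
# stderr of find/tar is appended to ERRLOG (cf. 0_SCRIPT-ERRORS.txt).
# Prints the number of files archived.
collect_recent_logs() {
    root=$1; days=$2; excludes=$3; out=$4; errlog=$5
    list=$(mktemp); pat=$(mktemp)
    # Turn "nginx/cache" into the find-style prefix "./nginx/cache/" so that a
    # sibling such as "nginx/cache2" is not excluded by accident.
    read_excludes "$excludes" | sed 's|^\./||; s|/*$|/|; s|^|./|' > "$pat"
    ( cd "$root" && find . -type f -mtime "-$days" -print ) 2>>"$errlog" \
        | grep -v -F -f "$pat" > "$list" || true
    tar -czf "$out" -C "$root" -T "$list" 2>>"$errlog"
    awk 'END { print NR }' "$list"
    rm -f "$list" "$pat"
}

# Constructed fixture: a fake log tree with one current log, one log older than
# the 1-year scope, and one log inside an excluded directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/log/nginx" "$work/log/cache"
    echo 'GET /index.php HTTP/1.1' > "$work/log/nginx/access.log"
    echo 'stale' > "$work/log/old.log"
    touch -t 201801010000 "$work/log/old.log"       # older than 365 days
    echo 'noise' > "$work/log/cache/tmp.log"
    printf '%s' 'cache' > "$work/excludes.txt"     # no trailing LF on purpose
    n=$(collect_recent_logs "$work/log" 365 "$work/excludes.txt" \
            "$work/triage.tar.gz" "$work/0_SCRIPT-ERRORS.txt")
    echo "$n $work"
}
```

Running `demo` archives only nginx/access.log and prints `1` followed by the work directory; the excluded and stale logs are left out and the error log stays empty.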
Recruit-CSIRT does not assume any responsibility for the use of this tool.
You may use it at your own responsibility.
License: MIT
Tatsuya Ichida (icchida)
Ref: r-csirt (r-csirt)
And some other tools: /options/backdoorscan.php was obtained from the Internet; we did not develop it ourselves.