Module 10 - Incident Response with Linux - LFCP

The document outlines various commands and directories used for incident response on Linux systems, including user accounts, password modifications, group information, and process management. It also details important log locations, network artifacts, firewall configurations, and cron jobs. Each section provides specific commands to retrieve or manipulate data relevant to system security and monitoring.


3/3/2024

Module 10

Incident Response with Linux


Thu Ya


User accounts:
• File: /etc/passwd
• Command to be used:
• The command below uses 'cat' to read /etc/passwd and redirects the output into a 'users.txt' file, so a copy is preserved for analysis:
• cat /etc/passwd > users.txt
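A small triage script for the exported users.txt, added here as an example and not taken from the module: it reads /etc/passwd-format lines from stdin and reports the things an analyst checks first, extra UID-0 accounts, accounts with a real login shell, and accounts whose home directory sits in a temp location. The sample entries (backdoor, alice, svc-web) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the module): triage /etc/passwd-format input.
# Usage on a live host:   cat /etc/passwd | uid0_accounts
# Usage on a saved copy:  uid0_accounts < users.txt

# Constructed sample in /etc/passwd format; the "backdoor", "alice" and
# "svc-web" entries are made up for this demonstration.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backdoor:x:0:0::/tmp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-web:x:1001:1001::/var/www:/bin/false'

# Every account whose UID (field 3) is 0 has full root privileges;
# anything in this list besides "root" is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Accounts that can open an interactive session: the shell (field 7) is
# something other than the usual nologin/false placeholders.
# Output is "user:uid:shell".
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# Accounts whose home directory (field 6) lives under /tmp, /var/tmp or
# /dev/shm, world-writable locations typical of planted accounts.
# A trailing "/" is appended before matching so "/tmp" itself matches
# but "/tmpfoo" does not. Output is "user:home".
tmp_home_accounts() {
    awk -F: '($6 "/") ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1 ":" $6 }'
}

echo "UID 0 accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "Interactive accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
echo "Accounts with a home directory in a temp location:"
printf '%s\n' "$SAMPLE_PASSWD" | tmp_home_accounts
```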

Modifications to passwords:
• File: /etc/shadow (readable only by root; the third field of each entry is the date of the last password change, in days since 1970-01-01)
• Command used:
• cat /etc/shadow

Information about groups:
• File: /etc/group
• Command used:
• cat /etc/group


Information about sudo permissions:
• File: /etc/sudoers (drop-in files under /etc/sudoers.d/ grant permissions too, so check that directory as well)
• Command used:
• cat /etc/sudoers
• cat /etc/sudoers.d/*

Display list of all running processes:
• Command used:
• ps aux

Display specific user's processes:
• Command used:
• ps -u username


Display a process tree:
• Command used:
• pstree

Display a specific process by name:
• Command used:
• ps -ef | grep process_name
• Note: the grep process itself appears in this output; pgrep -a process_name lists only the matching processes.

Display a specific process by PID (Process ID):
• Command used:
• ps -p PID


Important log locations:

General logs:
• File: /var/log/messages (Red Hat family; Debian and Ubuntu write the equivalent to /var/log/syslog)
• Command used:
• cat /var/log/messages

Authentication logs:
• File: /var/log/auth.log (Debian and Ubuntu; the Red Hat family uses /var/log/secure)
• Command used:
• cat /var/log/auth.log
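Reading auth.log with cat is only the first step; the script below, added here as an example and not part of the module, summarises the sshd entries that matter most during triage: failed password attempts per source address, and accepted logins from an address that had already failed earlier in the log. The log lines, hostnames, PIDs and documentation-range IP addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the module): summarise sshd events in
# /var/log/auth.log-format input read from stdin.
# Usage on a live host:  failed_by_source < /var/log/auth.log

# Constructed sample lines in auth.log format; hostnames, PIDs and the
# documentation-range IP addresses are made up for this demonstration.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:01 host sshd[1240]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:30 host sshd[1251]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar  3 10:03:00 host sshd[1260]: Accepted publickey for root from 203.0.113.5 port 51300 ssh2
Mar  3 10:03:05 host CRON[1270]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Count failed password attempts per source address, busiest first.
# The source is the word after "from", which keeps the parse independent
# of the "invalid user" prefix sshd adds for unknown accounts.
# Output is "count ip".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
         }
         END { for (s in src) print src[s], s }' | sort -k1,1nr -k2,2
}

# Report logins accepted from an address that had already failed earlier
# in the log: the signature of a guess that eventually worked, or of a
# key planted after one did. Output is "user@ip".
success_after_failure() {
    awk '/sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
             if ($0 ~ /Failed/) failed[ip] = 1
             else if (ip in failed) print user "@" ip
         }'
}

echo "Failed password attempts by source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
echo "Accepted logins from sources with earlier failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failure
```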


Kernel logs:
• File: /var/log/kern.log
• Command used:
• cat /var/log/kern.log

Crond logs from cron jobs:
• File: /var/log/cron.log
• Command used:
• cat /var/log/cron.log

Apache access logs directory:
• Directory: /var/log/apache2
• Command used:
• cat /var/log/apache2/access.log
• cat /var/log/apache2/error.log
• cat /var/log/apache2/other_vhosts_access.log


System boot log:
• File: /var/log/boot.log
• Command used:
• cat /var/log/boot.log

Syslog:
• File: /var/log/syslog
• Command used:
• cat /var/log/syslog

Socket statistics (ss) command:
https://www.sans.org/blog/linux-incident-response-using-ss-for-network-analysis/


List UDP sockets:
• ss -u

List TCP sockets:
• ss -t

List listening sockets:
• ss -l


List out suspicious connections:
• ss -tp state established dport = :[port number in question]
• ss -tp state established dport = :443
• Note: the -p option shows the owning process only when ss is run as root.

This command will list all active connections:
• ss state established

Login information:


Listing out command history:
• Command used:
• history
• Note: history shows only the current shell's history; for other accounts, read each user's ~/.bash_history file directly.

List of last logged in users:
• Command used:
• last -awx
• Note: last reads /var/log/wtmp; lastb reads /var/log/btmp and lists failed login attempts in the same format.

List/print the current user logged in on an endpoint:
• Command used:
• logname


List of services

List a specific service, and whether it is active, on an endpoint:
• Command used:
• service --status-all | grep 'service name'

List all the services on an endpoint:
• Command used:
• service --status-all
• Note: in the output, [ + ] marks a running service, [ - ] a stopped one and [ ? ] a service whose status could not be determined.


Network Artifacts:

Processes running on listening ports:
• Command used:
• lsof -i

Check for any unusual ARP entries:
• Command used:
• arp -a


Finding unknown files modified within the last 2 days that match a specific string, then saving the output to a text file:
• Commands used:
• Note: In this case, we were searching for the string 'update'; the output file name below is arbitrary.
• find / -mtime -2 -ls | grep 'update' > update_files.txt

Examining IPtables and UFW (Uncomplicated Firewall)

UFW: block an IP address (blocking the source address)
• Command used:
• ufw deny from 95.156.72.34
• Note: ufw evaluates rules in order, so to make sure the block is hit before an existing allow rule, place it first with: ufw insert 1 deny from 95.156.72.34


UFW: block an IP address (blocking the destination address)
• Command used:
• ufw deny out to 95.156.72.34
• Note: without the "out" keyword ufw applies the rule to incoming traffic, which would not stop the host itself from connecting to that address.

IPtables: list all rules
• Command used:
• iptables --list-rules

IPtables: block an IP on IP Tables (INPUT chain)
• Command used:
• Note: The INPUT chain is responsible for handling incoming packets to the local system. Basically, this is a command to drop packets from external IP addresses to internal resources.
• iptables -A INPUT -s 95.156.72.34 -j DROP
• Note: -A appends the rule at the end of the chain, after any existing ACCEPT rules; use -I INPUT 1 instead of -A INPUT to insert it at the top so it is evaluated first.


IPtables: allow an IP on IP Tables (INPUT chain)
• Command used:
• Note: The INPUT chain is responsible for handling incoming packets to the local system. Basically, this is a command to accept packets from external IP addresses to internal resources.
• iptables -A INPUT -s 8.8.8.8 -j ACCEPT

IPtables: block an IP on IP Tables (OUTPUT chain)
• Command used:
• Note: The OUTPUT chain is responsible for handling outgoing packets, so the external address is matched as the destination (-d) rather than the source.
• iptables -A OUTPUT -d 95.156.72.34 -j DROP

IPtables: allow an IP on IP Tables (OUTPUT chain)
• Command used:
• Note: The OUTPUT chain is responsible for handling outgoing packets.
• iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT


CRON Jobs:

To list and examine all cron jobs of the current user:
• Command used:
• crontab -l

To list all cron jobs associated with a specific user name:
• In this case, we have used "root"
• Command used:
• crontab -l -u root


Check cron jobs on the whole system:
• File: /etc/crontab (also check the drop-in files in /etc/cron.d/, the /etc/cron.hourly/, cron.daily/, cron.weekly/ and cron.monthly/ directories, and the per-user crontabs under /var/spool/cron/, or /var/spool/cron/crontabs/ on Debian-based systems)
• Command used:
• cat /etc/crontab
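The script below is an added example, not part of the module: it reads /etc/crontab-format lines (minute hour dom month dow user command, the same format as the files in /etc/cron.d/) from stdin and prints the jobs an analyst would examine first, those running from a world-writable directory, piping content into a shell, or decoding base64 inline. The sample crontab, including the /tmp/.update and /dev/shm entries, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the module): audit /etc/crontab-format input
# read from stdin and report the entries worth a closer look.
# Usage on a live host:  suspicious_cron_entries < /etc/crontab
# Files in /etc/cron.d/ use the same format and can be fed the same way.

# Constructed sample; the /tmp/.update and /dev/shm entries are made up
# to show what a planted job typically looks like.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /tmp/.update >/dev/null 2>&1
@reboot         www-data /dev/shm/.cache/sync
0 3     * * *   backup  /usr/local/bin/backup.sh'

# Print "user: command" for every job whose command runs from /tmp,
# /var/tmp or /dev/shm, pipes into sh/bash, or mentions base64.
# Comment lines, blank lines and variable assignments (SHELL=, PATH=)
# are skipped; @reboot-style entries carry the user in field 2 and the
# command from field 3, regular entries in field 6 and from field 7.
suspicious_cron_entries() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            if ($1 ~ /^@/) { user = $2; start = 3 } else { user = $6; start = 7 }
            cmd = $start
            for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /\/(tmp|var\/tmp|dev\/shm)\// ||
                (cmd " ") ~ /\|[[:space:]]*(ba)?sh[[:space:]]/ ||
                cmd ~ /base64/)
                print user ": " cmd
        }'
}

printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
```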

Display a snapshot of currently mounted filesystems on a Linux system:
• File: /proc/mounts
• Command used:
• cat /proc/mounts

Display config information for SSH keys:
• Directory: /etc/ssh
• Check for any config changes or new config files that have been added in this directory.
• cat /etc/ssh/ssh_config
• cat /etc/ssh/ssh_config.d/*
• Note: ssh_config is the client configuration; the server (daemon) configuration is sshd_config, with its own drop-in directory sshd_config.d/, in the same location.
