Collection of commands for auditing Linux systems. Run them as root where other users' processes or files must be visible, and when the host is under investigation write output to mounted external media rather than to the host's own disk.
w, who, whoami, last — current and historical login sessions.
last -f /var/log/btmp or lastb — failed login attempts (lastb reads /var/log/btmp by default; a file is passed with -f, so `lastb /var/log/btmp` without -f is treated as a user/tty filter, not a file).
/var/run/utmp — current login sessions. /var/log/wtmp — list of all login sessions. /var/log/btmp — failed logins.
id, uname -a, pwd, ps aux (BSD syntax without the dash; procps accepts `ps -aux` with a warning), pstree, ls -ltr, ls -lah | tee content, ls -la.
Note: `tee content` writes a file into the current directory of the audited host; on a box under investigation redirect to external media instead.
Which files are used by processes: lsof -i (open network sockets), lsof -c apache2 (files opened by processes whose command name starts with apache2), cat /proc/self/environ (environment of the current shell only; for a suspect process use /proc/<PID>/environ | tr '\0' '\n').
netstat -nvp, netstat -anp, netstat -l, netstat -tulpn (listening TCP/UDP sockets with owning PIDs — run with sudo, otherwise the PID/Program column is blank for other users' processes), netstat -apt, netstat -r / route -n (routing table).
netstat -o prints socket timers; to refresh the listing continuously use -c (e.g. netstat -c -tulpn) — the "1" in `netstat -o 1 -tulpn` is not an interval argument.
netstat and route are the deprecated net-tools; on hosts without them use the iproute2 equivalents ss -tulpn, ss -anp and ip route.
find / -mtime -1 (modified within the last 24 h; note that `find / -mtime 1` without a sign matches only files modified exactly 1–2 days ago)
find / -atime -1 (accessed within the last 24 h; atime is unreliable on filesystems mounted noatime/relatime)
find / -mtime +50 -mtime -100 (modified between 50 and 100 days ago; both dashes must be plain ASCII hyphens, the original had an en dash before the second -mtime)
find / -cmin -60 (inode/metadata changed within the last hour; `-cmin 60` matches only exactly 60 minutes ago)
find / -name "proc"
find / -perm 777 (matches exactly mode 777 only; for world-writable files use find / -type f -perm -0002, for SUID/SGID binaries find / -type f -perm /6000)
find . -exec ls -ld {} \; (or -exec ls -ld {} + to batch the ls calls)
Run as root so permission-denied directories are not silently skipped.
tail -100 /var/log/secure
tail -f -n 5 /var/log/secure | grep "128" (the original line was missing grep after the pipe)
grep -r -w -F 1.2.3.4 /var/log/ > ~/ip.log (recursive search, whole word; -F makes the dots literal, otherwise 1.2.3.4 also matches e.g. 1x2y3z4)
grep -r -i "\.php" /var/log/ > ~/php.log (recursive search, ignore case)
grep -i "^user" /etc/passwd (lines starting with "user", ignore case)
zgrep test /var/log/audit.log.* (search rotated, compressed logs; on auditd systems the audit log normally lives under /var/log/audit/)
grep -i -C 1 "session" /var/log/secure (the original piped less into grep; pass the file to grep directly)
Context options: -A N prints N lines after the match, -B N before, -C N both; -v excludes matching lines, e.g. | grep -v "206".
Regex anchors: 128$ — "128" at end of line; 12. — "12" followed by any single character; ^May — line starting with "May".
cat /proc/self/environ shows the current shell's environment (use /proc/<PID>/environ for a suspect process). logwatch summarizes the logs.
Note: on Debian/Ubuntu the authentication log is /var/log/auth.log rather than /var/log/secure; on journald-only hosts use journalctl.
find . -mount -type f -size +1G 2>/dev/null
find / -mount -type f -size +500M 2>/dev/null (large files on the current filesystem only — -mount does not descend into other mount points; 2>/dev/null hides permission-denied errors, so run as root to cover every directory)
cat /dev/null > json.log — truncates the log in place. This is destructive: on a host under investigation it destroys evidence and turns an audit into tampering. Copy and hash the file first (cp -p json.log /mnt/evidence/ && sha256sum json.log) and truncate only when freeing space is the actual goal (truncate -s 0 json.log, or let logrotate handle it).