Linux commands to view and find security events

Collection of commands for auditing Linux systems

w

who
whoami

last -f /var/log/btmp
lastb

/var/log/btmp — failed login attempts (read with lastb or last -f)
/var/run/utmp — current login sessions (read with who or w)
/var/log/wtmp — all login sessions (read with last)
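As an added example (not part of the original post), the following script summarizes the failed-login records that `lastb` or `last -f /var/log/btmp` print, grouped by source host, and flags hosts above a threshold. It reads records on stdin, so on a live host `lastb | noisy_sources 5` works; the sample below is constructed data in lastb's layout with documentation-range addresses, not real records.

```shell
#!/bin/sh
# Added example, not part of the original post: summarize failed-login
# records (lastb / last -f /var/log/btmp layout) by source host.
# Reads records from stdin; on a live host:  lastb | noisy_sources 5

# Print "count host" per source host, busiest first (ties by host name).
# lastb fields: 1=user  2=tty (ssh:notty for SSH failures)  3=source host
# Local console failures have no host column, so field 3 is a weekday
# name; those are bucketed as "local".
failed_logins_by_source() {
    awk '
        NF == 0      { next }   # blank separator before the trailer
        $1 == "btmp" { next }   # trailer: "btmp begins <date>"
        {
            host = $3
            if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = "local"
            count[host]++
        }
        END { for (h in count) print count[h], h }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Only hosts with at least THRESHOLD failures (default 3): a crude
# brute-force indicator worth a closer look.
noisy_sources() {
    threshold="${1:-3}"
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t'
}

# Constructed sample (documentation-range addresses), not real data.
SAMPLE_BTMP='root     ssh:notty    203.0.113.5      Mon May  6 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.5      Mon May  6 10:02 - 10:02  (00:00)
oracle   ssh:notty    203.0.113.5      Mon May  6 10:02 - 10:02  (00:00)
test     ssh:notty    198.51.100.7     Mon May  6 10:05 - 10:05  (00:00)
alice    tty1                          Mon May  6 10:09 - 10:09  (00:00)

btmp begins Mon May  6 00:00:01 2024'

# Demo: every source, then only those at or above 3 attempts.
printf '%s\n' "$SAMPLE_BTMP" | failed_logins_by_source
echo "--- at or above 3 failures ---"
printf '%s\n' "$SAMPLE_BTMP" | noisy_sources 3
```

The threshold is deliberately a parameter: what counts as noisy depends on how exposed the host is, and a single source with a burst of failures against several different usernames (as in the sample) is the pattern worth looking at first.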

id
uname -a
pwd
ps -aux
pstree
ls -ltr
ls -lah | tee content
ls -la

Which files and sockets are open in processes:
lsof -i (network connections only)
lsof -c apache2 (files open in apache2 processes)

cat /proc/self/environ
netstat -nvp
netstat -anp
netstat -l
netstat -tulpn (run with sudo to see the PID/program for every socket)
netstat -apt
netstat -o 1 -tulpn
netstat -r

route -n
find / -mtime 1 (modified 1 day ago; -mtime -1 means within the last day)
find / -atime 1 (accessed 1 day ago)
find / -mtime +50 -mtime -100 (modified between 50 and 100 days ago)
find / -cmin 60 (inode status changed 60 minutes ago; -cmin -60 for within the last hour)
find / -name "proc"
find / -perm 777 (mode exactly 777; use -perm -002 for any world-writable file)
find . -exec ls -ld {} \;
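As an added example (not part of the original post), the find checks above are wrapped in functions that take a directory argument, and run against a constructed scratch tree so the results are predictable. The functions, the scratch-tree builder and the file names are assumptions for the demo; on a real host you would point them at / as root.

```shell
#!/bin/sh
# Added example, not part of the original post: the find checks above as
# functions with a directory argument, demonstrated on a constructed
# scratch tree. Point them at / (as root) on a real host.

# Files modified within the last N minutes (default 60). Note the sign:
# `-mmin 60` means exactly 60 minutes ago, `-mmin -60` means less than 60.
recently_modified() {
    find "$1" -type f -mmin "-${2:-60}" 2>/dev/null | LC_ALL=C sort
}

# `-perm 777` matches only files whose mode is exactly 0777.
exactly_777() {
    find "$1" -type f -perm 777 2>/dev/null | LC_ALL=C sort
}

# `-perm -002` matches any file with the other-write bit set (0666, 0777,
# ...), which is usually the question an auditor is actually asking.
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | LC_ALL=C sort
}

# Long listing of each hit, like `find . -exec ls -ld {} \;` above.
list_world_writable() {
    find "$1" -type f -perm -002 -exec ls -ld {} \; 2>/dev/null
}

# Build a constructed scratch tree; prints its path.
make_scratch() {
    d=$(mktemp -d)
    printf 'fresh\n' > "$d/new.log"
    printf 'old\n'   > "$d/old.log"
    touch -t 202001010000 "$d/old.log"                       # backdated: not recent
    printf 'x\n' > "$d/loose.sh"; chmod 0666 "$d/loose.sh"   # world-writable
    printf 'y\n' > "$d/wide.sh";  chmod 0777 "$d/wide.sh"    # world-writable and 777
    printf 'z\n' > "$d/tight.sh"; chmod 0644 "$d/tight.sh"
    echo "$d"
}

# Demo run.
scratch=$(make_scratch)
echo "modified in the last hour:"; recently_modified "$scratch"
echo "exactly 777:";               exactly_777 "$scratch"
echo "any world-writable:";        world_writable "$scratch"
list_world_writable "$scratch"
rm -rf "$scratch"
```

The demo shows the difference that matters in an audit: `exactly_777` reports only wide.sh, while `world_writable` also catches the 0666 file that a `-perm 777` search silently misses.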
tail -100 /var/log/secure
tail -f -n 5 /var/log/secure | grep "128"

grep -r -w 1.2.3.4 /var/log/ > ~/ip.log (recursive search, whole-word match)
grep -r -i "\.php" /var/log/ > ~/php.log (recursive search, ignore case)
grep -i "^user" /etc/passwd (lines starting with user, ignore case)
zgrep test /var/log/audit.log.*

grep -i -C 1 "session" /var/log/secure (print 1 line of context on each side: -A after, -B before)

grep -v "206" (-v excludes matching lines from the output)

128$ --- line ends with 128
12. --- 12 followed by any single character
^May --- line starts with May
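As an added example (not part of the original post), here are the grep idioms above (-w, -i, -C/-A/-B, -v and the ^ and $ anchors) applied to constructed /var/log/secure-style lines. Each function takes the log path as its first argument, so the same calls work on a real log; the sample lines, the function names and the documentation-range addresses are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: grep idioms for auth logs
# demonstrated on constructed /var/log/secure-style lines.

# Constructed sample; addresses are documentation ranges, not real hosts.
SAMPLE_SECURE='May  6 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
May  6 10:01:15 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51128 ssh2
May  6 10:02:40 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40110 ssh2
May  6 10:02:40 host sshd[1210]: pam_unix(sshd:session): session opened for user alice by (uid=0)
May  6 10:05:01 host sshd[1219]: Failed password for invalid user test from 198.51.100.9 port 33206 ssh2
May  6 10:06:00 host sshd[1222]: Failed password for root from 203.0.113.50 port 51300 ssh2
Jun  1 08:00:00 host sshd[2001]: Failed password for root from 192.0.2.44 port 50206 ssh2
Jun  1 08:10:00 host sshd[2002]: pam_unix(sshd:session): session closed for user alice'

write_sample() { printf '%s\n' "$SAMPLE_SECURE" > "$1"; }

# Substring vs whole-word: "203.0.113.5" is also a substring of
# "203.0.113.50", so -w (plus -F so the dots are literal) avoids over-counting.
substring_hits() { grep -F  -c "$2" "$1"; }
word_hits()      { grep -Fw -c "$2" "$1"; }

# ^ pins the pattern to the start of the line: entries for a given month.
lines_in_month()    { grep -c "^$2" "$1"; }
# $ pins it to the end: lines that end with the given text.
lines_ending_with() { grep -c "$2\$" "$1"; }

# Usernames tried in "invalid user" failures, de-duplicated.
invalid_users() {
    grep -i "invalid user" "$1" | grep -o 'invalid user [^ ]*' \
      | awk '{ print $3 }' | LC_ALL=C sort -u
}

# "session" matches with one line of context on each side (-C 1 is
# shorthand for -A 1 -B 1), then -v drops the session-closed lines.
session_opens_with_context() {
    grep -i -C 1 "session" "$1" | grep -v "session closed"
}

# Demo run.
log=$(mktemp); write_sample "$log"
echo "substring hits for 203.0.113.5: $(substring_hits "$log" 203.0.113.5)"
echo "whole-word hits for 203.0.113.5: $(word_hits "$log" 203.0.113.5)"
echo "May entries: $(lines_in_month "$log" May)"
echo "lines ending in ssh2: $(lines_ending_with "$log" ssh2)"
echo "invalid users tried:"; invalid_users "$log"
echo "session activity with context:"; session_opens_with_context "$log"
rm -f "$log"
```

The substring versus whole-word pair is the practical point: a plain `grep 1.2.3.4` counts every address that merely starts with the same digits, and the dots match any character, so when an IP is the search term use `-F -w`.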


logwatch
find . -mount -type f -size +1G 2>/dev/null
find / -mount -type f -size +500M 2>/dev/null
cat /dev/null > json.log (truncate a log file in place)
