Linux Incident Response

Linux incident response document with all details for those interested in cyber defence and forensic analysis. Please review for your reference.

Uploaded by Vinay Tiwari

Linux Incident Response

What is Incident Response?

Incident Response can be defined as a course of action that is taken whenever a computer or network security incident occurs. As an Incident Responder, you should always be aware of what should and should not be present in your systems. Security incidents can be handled by:

* examining the running processes
* gaining insight into the contents of physical memory
* gathering details on the hostname, IP address, operating system, etc.
* gathering information on system services
* identifying all known and unknown users logged onto the system
* inspecting network connections, open ports and any network activity
* determining the various files present

User Accounts

As an Incident Responder, it is very important to investigate user account activity. It helps you understand the logged-in users, the existing users, usual or unusual logins, failed login attempts, permissions, access by sudo, etc. The various commands to check user account activity are given below.

To identify whether there is an account entry in your system that may seem suspicious, list the accounts. This command fetches all the information about the user accounts. To do so, type

    cat /etc/passwd

The 'setuid' option in Linux is a unique file permission. On a Linux system, when a user wants to change their password, they run the 'passwd' command; because the command is marked setuid, it runs with temporary permission.

grep is used for searching plain text for lines that match a regular expression.
The pattern :0: displays the UID 0 entries in the /etc/passwd file:

    grep :0: /etc/passwd

To identify and display whether an attacker created any temporary user to perform an attack (find -nouser lists files whose owner no longer has an entry in /etc/passwd), type

    find / -nouser -print

The /etc/shadow file contains the encrypted passwords and the details about the passwords, and is only accessible by the root user:

    cat /etc/shadow
    daemon:*:18375:0:99999:7:::

The group file displays the information on the groups used by the users. To view the details, type

    cat /etc/group
    floppy:x:25:
    gnats:x:41:

If you want to view information about user and group privileges, the /etc/sudoers file can be viewed:

    cat /etc/sudoers
    # User privilege specification
    # Allow members of group sudo to execute any command
    #includedir /etc/sudoers.d
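The account checks above can be combined into one audit script. The following is an added example, not part of the original document: it runs the UID 0, duplicate UID, login shell and empty password checks over constructed /etc/passwd and /etc/shadow snapshots written to temporary files, so it can be tried offline. The file contents and the function names are the editor's constructions; point the functions at copies collected from the host under investigation to use them for real.

```shell
#!/bin/sh
# Added example: audit passwd/shadow snapshots for the anomalies the
# User Accounts section describes. The sample files below are constructed,
# not taken from a real host.

SAMPLE_PASSWD="${TMPDIR:-/tmp}/ir_passwd.$$"
SAMPLE_SHADOW="${TMPDIR:-/tmp}/ir_shadow.$$"
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

# Constructed /etc/passwd: backup2 is a second UID 0 account.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm:x:1000:1000:Sys Admin:/home/sysadm:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc:x:1001:1001::/var/svc:/bin/sh
EOF

# Constructed /etc/shadow: backup2 has an empty password field.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$hash:18375:0:99999:7:::
daemon:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
sysadm:$6$constructed$hash:18375:0:99999:7:::
backup2::18400:0:99999:7:::
svc:!:18400:0:99999:7:::
EOF

# Accounts whose UID field is 0. Unlike `grep :0:`, this keys on the UID
# column only, so a GID of 0 or a stray 0 in the comment field does not match.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# UID 0 accounts other than root: any hit here needs an explanation.
extra_root_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# UIDs shared by more than one account name (two names, one identity).
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1"
}

# Accounts that can log in interactively (shell is not nologin/false).
login_shell_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"; }

# Shadow entries with an empty password field: login without any password.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

echo "UID 0 accounts other than root:"; extra_root_accounts "$SAMPLE_PASSWD"
echo "Duplicate UIDs:";                 duplicate_uids "$SAMPLE_PASSWD"
echo "Interactive accounts:";           login_shell_accounts "$SAMPLE_PASSWD"
echo "Empty password fields:";          empty_password_accounts "$SAMPLE_SHADOW"
```

The functions only read the file they are given, so copies of /etc/passwd and /etc/shadow taken from a disk image can be checked without touching the live system.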
Log Entries

To view the reports of the most recent login of a particular user or of all the users in the Linux system, you can type

    lastlog

Users who have never logged in are shown as **Never logged in**.

To identify any curious SSH and telnet logins or authentication events in the system, go to the /var/log/ directory and inspect the authentication log (auth.log on Ubuntu), which holds the pam_unix(sshd:...) entries.

To view the history of commands that the user has typed, you can type history with less, or give a number to show only that many of the most recent commands. To view the history, type

    history | less
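The authentication log review described above is easier to repeat if the questions are written down as functions. The following is an added example, not part of the original document: it extracts failed and accepted SSH logins, sources that failed and then succeeded, and sudo commands from a constructed auth.log-style file (RFC 5737 documentation addresses). The log lines and function names are the editor's constructions; run the functions against /var/log/auth.log, or a copy of it, on a real case.

```shell
#!/bin/sh
# Added example: pull the SSH and sudo events an incident responder looks for
# out of an auth.log-style file. The log lines below are constructed (RFC 5737
# documentation addresses), not copied from a real host.

SAMPLE_AUTH_LOG="${TMPDIR:-/tmp}/ir_auth.log.$$"
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT

cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jan 10 08:21:03 ubuntu sshd[1012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 08:21:07 ubuntu sshd[1012]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 10 08:21:11 ubuntu sshd[1015]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jan 10 08:22:40 ubuntu sshd[1020]: Accepted password for sysadm from 192.0.2.15 port 40112 ssh2
Jan 10 08:22:40 ubuntu sshd[1020]: pam_unix(sshd:session): session opened for user sysadm by (uid=0)
Jan 10 08:25:02 ubuntu sshd[1031]: Accepted publickey for root from 203.0.113.7 port 51100 ssh2: RSA SHA256:constructed
Jan 10 08:26:00 ubuntu sudo:   sysadm : TTY=pts/0 ; PWD=/home/sysadm ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF

# Failed SSH password attempts counted per source address, busiest first.
# Output: "<address> <count>".
failed_ssh_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $2 " " $1 }'
}

# Successful SSH logins: "<user> <address> <time>".
accepted_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for") user = $(i + 1)
                 else if ($i == "from") print user " " $(i + 1) " " $3
             }
         }' "$1"
}

# Addresses that failed at least once and later logged in successfully:
# the pattern most worth escalating. Relies on the log being in
# chronological order, as syslog files are.
success_after_failures() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from" && failed[$(i + 1)] > 0 && !seen[$(i + 1)]++) print $(i + 1)
         }' "$1"
}

# Commands run through sudo, as recorded on the sudo log line.
sudo_commands() { awk -F'COMMAND=' '/ sudo: / && NF > 1 { print $2 }' "$1"; }

echo "Failed SSH attempts by source:"; failed_ssh_by_source "$SAMPLE_AUTH_LOG"
echo "Accepted SSH logins:";           accepted_ssh_logins "$SAMPLE_AUTH_LOG"
echo "Failures followed by success:";  success_after_failures "$SAMPLE_AUTH_LOG"
echo "sudo commands:";                 sudo_commands "$SAMPLE_AUTH_LOG"
```

On the constructed log the third function reports 203.0.113.7: three failed passwords, then an accepted public-key login for root from the same address, which is exactly the sequence a responder wants surfaced rather than buried in raw lines.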
System Resources

System resources can tell you a lot about system logging information, the uptime of the system, the memory space and utilisation of the system, etc.

To know whether your Linux system has been running continuously, how long the server has been up, the current time on the system, how many users are currently logged on and the load averages of the system, you can type

    uptime
    08:26:34 up 21 min, 1 user, load average: 0.14, 0.13, 0.09

To view the memory utilisation of the system, the used physical and swap memory, as well as the buffers used by the kernel, you can type

    free

As an incident responder, to check the detailed information about the RAM and the memory space available, you can read /proc/meminfo.

As an incident responder, it is your responsibility to check whether there is an unknown mount on your system. To list the mounts present on your system, you can type

    mount

As an incident responder, you should always be curious when looking through the output generated by your system. Your curiosity should compel you to look at the programs that are currently running, whether they are necessary and should be running, the CPU usage of these processes, etc. To get a dynamic, real-time view of all the processes running on the Linux system, a summary of system information and the list of processes or threads managed by the Linux kernel with their ID numbers, you can make use of

    top
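An "unknown mount" is only recognisable against a known-good state, so the mount check above works best as a comparison with a baseline. The following is an added example, not part of the original document: it diffs two constructed tables in /proc/mounts format (one recorded at build time, one collected during the incident) and also lists writable tmpfs mounts that lack noexec. The tables and function names are the editor's constructions; on a real host the current table comes from /proc/mounts or the output of mount.

```shell
#!/bin/sh
# Added example: compare the current mount table with a baseline to surface
# the "unknown mount" the System Resources section asks about. Both tables
# below are constructed in /proc/mounts format, not taken from a real host.

BASELINE_MOUNTS="${TMPDIR:-/tmp}/ir_mounts_base.$$"
CURRENT_MOUNTS="${TMPDIR:-/tmp}/ir_mounts_now.$$"
trap 'rm -f "$BASELINE_MOUNTS" "$CURRENT_MOUNTS"' EXIT

# Known-good table, e.g. recorded when the host was built.
cat > "$BASELINE_MOUNTS" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4010532k,nr_inodes=1002633,mode=755 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=804592k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

# Table collected during the incident. A tmpfs has appeared over /var/log,
# which hides whatever that directory held, and a USB stick is mounted.
cat > "$CURRENT_MOUNTS" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4010532k,nr_inodes=1002633,mode=755 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=804592k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /var/log tmpfs rw,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev,relatime 0 0
EOF

# Mount points present now that were not in the baseline.
# /proc/mounts fields: device mountpoint fstype options dump pass
new_mounts() {
    awk 'NR == FNR { known[$2] = 1; next } !($2 in known) { print $2 }' "$1" "$2"
}

# Mount points whose device or filesystem type changed since the baseline
# (a different filesystem mounted over the same path).
changed_mounts() {
    awk 'NR == FNR { base[$2] = $1 " " $3; next }
         ($2 in base) && base[$2] != $1 " " $3 { print $2 ": " base[$2] " -> " $1 " " $3 }' "$1" "$2"
}

# Writable tmpfs mounts without noexec: memory-backed space where files
# can be run and leave nothing on disk, so worth a look during triage.
exec_tmpfs_mounts() {
    awk '$3 == "tmpfs" && $4 ~ /(^|,)rw(,|$)/ && $4 !~ /(^|,)noexec(,|$)/ { print $2 }' "$1"
}

echo "New mounts:";                 new_mounts "$BASELINE_MOUNTS" "$CURRENT_MOUNTS"
echo "Changed mounts:";             changed_mounts "$BASELINE_MOUNTS" "$CURRENT_MOUNTS"
echo "Executable, writable tmpfs:"; exec_tmpfs_mounts "$CURRENT_MOUNTS"
```

Recording the baseline table as part of the build makes this comparison possible; without one, the responder has to judge each entry from memory.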
To see the process status of your Linux system, the currently running processes and their PIDs, and to identify abnormal processes that could indicate malicious activity, you can use

    ps aux
    [ksoftirqd/0]

To display more details on a particular process, such as the shared libraries it has loaded from /lib/x86_64-linux-gnu, list the files that process has open.

Services

The services in the Linux system can be classified into system and network services. System services include the status of services, cron, etc., and network services include file transfer, domain name resolution, firewalls, etc. As an incident responder, you identify whether there is an anomaly in the services. To find any abnormally running services, list the status of all services.

The incident responder should look for any suspicious scheduled tasks and jobs. To find the scheduled tasks, you can use

    cat /etc/crontab
    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
    # *  *  *  *  * user-name  command to be executed
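Reading ps output and the crontab by eye scales badly, so the process and scheduled-task checks above are worth encoding. The following is an added example, not part of the original document: it works over a constructed `ps -eo pid,ppid,user,args` listing and a constructed /etc/crontab, flagging executables and cron commands that run from world-writable directories and processes whose bracketed name imitates a kernel thread without being a child of kthreadd. The listings and function names are the editor's constructions; on a real host feed it the live ps output and the crontab files.

```shell
#!/bin/sh
# Added example: flag the process and cron anomalies the Services section
# looks for, over a constructed `ps -eo pid,ppid,user,args` listing and a
# constructed /etc/crontab. Neither comes from a real host.

SAMPLE_PS="${TMPDIR:-/tmp}/ir_ps.$$"
SAMPLE_CRONTAB="${TMPDIR:-/tmp}/ir_crontab.$$"
trap 'rm -f "$SAMPLE_PS" "$SAMPLE_CRONTAB"' EXIT

cat > "$SAMPLE_PS" <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
    2     0 root     [kthreadd]
   10     2 root     [ksoftirqd/0]
  812     1 root     /usr/sbin/sshd -D
  905     1 www-data /usr/sbin/apache2 -k start
 1337   905 www-data /tmp/.x/httpd -c /tmp/.x/cfg
 1402     1 root     [kworker/u8:3]
EOF

cat > "$SAMPLE_CRONTAB" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   www-data /dev/shm/.sync.sh
@reboot         root    /var/tmp/update >/dev/null 2>&1
EOF

# Processes whose executable lives in a world-writable directory.
# Output: "<pid> <user> <path>".
procs_from_writable_dirs() {
    awk 'NR > 1 && $4 ~ "^/(tmp|var/tmp|dev/shm)/" { print $1 " " $3 " " $4 }' "$1"
}

# Bracketed names look like kernel threads, but real kernel threads are
# children of kthreadd (PID 2). A bracketed name under any other parent is
# a user process borrowing the look. Output: "<pid> <ppid> <name>".
bracketed_non_kernel() {
    awk 'NR > 1 && $4 ~ /^\[.*\]$/ && $1 != 2 && $2 != 2 { print $1 " " $2 " " $4 }' "$1"
}

# System crontab jobs whose command starts in a world-writable directory.
# Handles both the five-field form and @reboot-style shortcuts.
cron_jobs_in_writable_dirs() {
    awk '/^[[:space:]]*(#|$)/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
         {
             if ($1 ~ /^@/) { user = $2; cmd = $3 } else { user = $6; cmd = $7 }
             if (cmd ~ "^/(tmp|var/tmp|dev/shm)/") print user " " cmd
         }' "$1"
}

echo "Processes running from writable dirs:"; procs_from_writable_dirs "$SAMPLE_PS"
echo "Kernel-thread lookalikes:";             bracketed_non_kernel "$SAMPLE_PS"
echo "Cron jobs from writable dirs:";         cron_jobs_in_writable_dirs "$SAMPLE_CRONTAB"
```

The per-user crontabs under /var/spool/cron and the /etc/cron.d fragments use the same layouts, so the cron function applies to them unchanged; the ps parser assumes the four-column `pid,ppid,user,args` format named in the lead-in.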
To resolve DNS configuration issues and to obtain the list of keywords with values that provide the various types of resolver information, you can use

    more /etc/resolv.conf

To check the file that translates hostnames or domain names to IP addresses, which is useful for testing changes to a website or its SSL setup, you can use

    more /etc/hosts
    127.0.0.1 localhost
    127.0.1.1 ubuntu
    # The following lines are desirable for IPv6 capable hosts

To check and manage IPv4 packet filtering and NAT on Linux systems, you can use iptables with a variety of commands, such as:

    iptables -L -n
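The three files and the firewall listing above each answer a yes/no question during triage: has a name been pinned in /etc/hosts, is an unapproved resolver configured, and does the INPUT chain accept a port nobody asked for. The following is an added example, not part of the original document: it answers those questions over constructed /etc/hosts, /etc/resolv.conf and `iptables -L -n` captures (RFC 5737 addresses). The captures, the allowlists and the function names are the editor's constructions; the allowlists should come from the host's build documentation in a real case.

```shell
#!/bin/sh
# Added example: review the name-resolution and firewall state the last
# section lists, using constructed /etc/hosts, /etc/resolv.conf and
# `iptables -L -n` captures (RFC 5737 addresses, not a real host).

SAMPLE_HOSTS="${TMPDIR:-/tmp}/ir_hosts.$$"
SAMPLE_RESOLV="${TMPDIR:-/tmp}/ir_resolv.$$"
SAMPLE_IPTABLES="${TMPDIR:-/tmp}/ir_iptables.$$"
trap 'rm -f "$SAMPLE_HOSTS" "$SAMPLE_RESOLV" "$SAMPLE_IPTABLES"' EXIT

cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
127.0.1.1 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
203.0.113.9 updates.example.com security.example.com
EOF

cat > "$SAMPLE_RESOLV" <<'EOF'
nameserver 127.0.0.53
nameserver 198.51.100.53
options edns0
search example.com
EOF

cat > "$SAMPLE_IPTABLES" <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9001

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF

# /etc/hosts entries that are neither loopback nor the stock IPv6 lines:
# a hostname pinned to some other address bypasses DNS for that name.
hosts_overrides() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $1 !~ /^127\./ && $1 !~ /^(::1|fe00::0|ff00::0|ff02::1|ff02::2)$/ { print }' "$1"
}

# Nameservers in resolv.conf that are not on the approved list.
# Usage: resolvers_outside_allowlist <resolv.conf> "<ip> <ip> ..."
resolvers_outside_allowlist() {
    awk -v allow="$2" 'BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
         $1 == "nameserver" && !($2 in ok) { print $2 }' "$1"
}

# Policy of each built-in chain from `iptables -L -n` output: "<chain> <policy>".
chain_policies() {
    awk '/^Chain / { gsub(/[()]/, "", $4); print $2 " " $4 }' "$1"
}

# Destination ports accepted on INPUT.
open_input_ports() {
    awk '/^Chain / { chain = $2; next }
         chain == "INPUT" && $1 == "ACCEPT" {
             for (i = 1; i <= NF; i++) if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
         }' "$1"
}

# Accepted INPUT ports not in the list of services the host should expose.
unexpected_input_ports() {
    open_input_ports "$1" | awk -v allow="$2" \
        'BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 } !($1 in ok)'
}

echo "hosts overrides:";        hosts_overrides "$SAMPLE_HOSTS"
echo "Unapproved resolvers:";   resolvers_outside_allowlist "$SAMPLE_RESOLV" "127.0.0.53 192.0.2.53"
echo "Chain policies:";         chain_policies "$SAMPLE_IPTABLES"
echo "Unexpected INPUT ports:"; unexpected_input_ports "$SAMPLE_IPTABLES" "22 80 443"
```

A pinned update or security hostname in /etc/hosts deserves particular attention, since it redirects exactly the traffic that would otherwise fetch fixes; the firewall functions only read the built-in chains shown, so user-defined chains referenced by jump rules would need to be walked separately.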
