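#!/bin/bash
# IRLinux_Script.sh - triage evidence collection on a Linux host under incident response.
#
# Environment (all optional):
#   IR_OUTDIR  directory for the report (default /tmp). Prefer an investigator-mounted
#              volume so the suspect host's own disk is written to as little as possible.
#   IR_TOOLS   directory of known-good (ideally statically linked) binaries; it is put
#              first in PATH so the host's possibly trojaned ps/ls/netstat are not the
#              only thing we trust.
#
# Notes for the responder:
#   * The report contains /etc/shadow and full logs, so it is created mode 0600 and
#     its path is announced on stderr before output is redirected into it.
#   * A SHA-256 of the finished report is written next to it on exit (chain of custody).
#   * There is deliberately no `set -e`: a tool missing on one host must not abort the
#     rest of the collection.

# Record the PATH we were started with (an attacker-prepended directory is itself
# evidence), then put the standard system directories - and the responder's toolkit,
# if any - ahead of it so that known locations win over anything inherited.
IR_INHERITED_PATH=$PATH
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH"
if [ -n "${IR_TOOLS:-}" ] && [ -d "$IR_TOOLS" ]; then
  PATH="$IR_TOOLS:$PATH"
fi
export PATH

# Everything this script creates is private to the collector (the report holds
# password hashes).
umask 077

# mktemp creates the file atomically (O_EXCL), so a symlink planted at a predictable
# name such as /tmp/IRLinux.txt cannot redirect the write, and an earlier report is
# never silently overwritten.
IR_OUTDIR=${IR_OUTDIR:-/tmp}
IR_REPORT=$(mktemp "$IR_OUTDIR/IRLinux.XXXXXX") || {
  printf 'IRLinux: cannot create report file in %s\n' "$IR_OUTDIR" >&2
  exit 1
}
printf 'IRLinux: writing report to %s\n' "$IR_REPORT" >&2

# Hash the finished report for chain of custody. The hash goes into a sidecar file
# because a hash appended to the report would change the bytes it covers.
finalize_report() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$IR_REPORT" > "$IR_REPORT.sha256" 2>/dev/null \
      || rm -f -- "$IR_REPORT.sha256"
  fi
}
trap finalize_report EXIT

# Redirect stdout and stderr into the report: failures of individual commands are
# then recorded next to the section they belong to.
exec > "$IR_REPORT" 2>&1
echo "Incident Response Linux Investigation"
echo "--------------------------------------"
echo "Date and Time of Report: $(date)"
echo "UTC: $(date -u)"
echo "Host: $(hostname 2>/dev/null || uname -n)"
echo "Kernel: $(uname -a)"
echo "Collector: $(id)"
echo "Inherited PATH: $IR_INHERITED_PATH"
if [ "$(id -u)" -ne 0 ]; then
  echo "WARNING: not running as root; /etc/shadow, other users' processes, open files and firewall state will be incomplete."
fi
echo "--------------------------------------"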
#######################################
# Print a section banner into the report: an empty line, a rule of '=',
# the title, and the rule again.
# Arguments: $1 - section title
# Outputs:   the four banner lines on stdout
#######################################
print_section() {
  local title=$1
  local rule='======================================'
  printf '\n%s\n%s\n%s\n' "$rule" "$title" "$rule"
}
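# ---- collection helpers ------------------------------------------------------

#######################################
# Run one collection command if its binary exists on this host. A missing tool
# is recorded in the report instead of leaving a bare "command not found".
# Arguments: $1 - label printed above the output; $2.. - command and arguments
#######################################
run_cmd() {
  local label=$1
  shift
  echo "$label"
  if command -v "$1" >/dev/null 2>&1; then
    "$@"
  else
    echo "[skipped] '$1' is not installed on this host"
  fi
}

#######################################
# Run the first available of several equivalent commands (iproute2/systemd first,
# the legacy net-tools/SysV tool as fallback on hosts that still have only those).
# Arguments: $1 - label; $2.. - alternatives, each a fixed "cmd args" string
#######################################
run_first() {
  local label=$1
  shift
  local alt
  echo "$label"
  for alt in "$@"; do
    if command -v "${alt%% *}" >/dev/null 2>&1; then
      # Unquoted on purpose: alternatives are literals from this script, never
      # operator- or host-supplied data.
      # shellcheck disable=SC2086
      $alt
      return 0
    fi
  done
  echo "[skipped] none of these tools is installed: $*"
}

#######################################
# Dump a file if it is readable, otherwise say why (absent on this distro, or the
# collector is not root - /etc/shadow is the usual case).
# Arguments: $1 - label; $2 - path
#######################################
show_file() {
  local label=$1 path=$2
  echo "$label"
  if [ -r "$path" ]; then
    cat -- "$path"
  else
    echo "[skipped] $path is missing or not readable by $(id -un 2>/dev/null)"
  fi
}

#######################################
# Dump every file matched by the given find(1) arguments, with a header per file.
# Arguments: passed straight to find; callers include their own -type f test.
#######################################
dump_matching_files() {
  local path
  find "$@" -print0 2>/dev/null | while IFS= read -r -d '' path; do
    echo "--- $path"
    cat -- "$path"
  done
}

#######################################
# find(1) over the whole root filesystem with pseudo-filesystems pruned: /proc,
# /sys, /dev and /run hold nothing of forensic value for these sweeps and make
# them slow and noisy.
# Arguments: find expression; it must end in an action (-print/-ls), otherwise
#            the pruned directories are printed as well.
#######################################
find_root() {
  find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o "$@"
}

#######################################
# True when $1 is a non-empty string of decimal digits. Guards the numeric
# operator-supplied values before they reach find/lsof.
#######################################
is_uint() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Optional operator parameters (replace the former "[placeholder]" arguments,
# which bash would have tried to expand as glob patterns):
#   IR_USER      account to run `passwd -S` on
#   IR_PID       process to list open files for
#   IR_FILENAME  file name to search the filesystem for
#   IR_DAYS      window for the modified/accessed-in-last-N-days sweeps
#   IR_MIN_BYTES threshold for the larger-than-N-bytes sweep

# Collection order follows order of volatility: process and network state first
# (it changes while we work), then accounts and logs, and the disk-wide sweeps
# last. Note that find(1) updates directory atimes on filesystems mounted without
# noatime/relatime, and that full log files are dumped verbatim, so the report
# can be large.

# System Resources
print_section "System Resources"
run_cmd "Showing system uptime..." uptime
run_cmd "Displaying Linux tasks (top, one batch iteration)..." top -b -n 1
# htop is interactive and needs a tty, so it cannot run with stdout redirected
# into the report; top -b above covers it.
run_cmd "Showing currently running processes..." ps aux
run_cmd "Showing running processes as a tree..." pstree
run_cmd "Displaying memory usage..." free -m
show_file "Displaying memory information..." /proc/meminfo
show_file "Displaying mounted filesystems..." /proc/mounts

# Processes
print_section "Processes"
run_cmd "Displaying all the currently running processes on the system..." ps -ef
run_cmd "Displaying processes in a tree format with PIDs..." pstree -p
run_cmd "Showing processes in custom format..." ps -eo pid,tt,user,fname,rsz
run_cmd "Listing open files associated with network connections..." lsof -i
if is_uint "${IR_PID:-}"; then
  run_cmd "Listing open files for PID $IR_PID..." lsof -p "$IR_PID"
else
  echo "Listing open files for a process: skipped (set IR_PID=<pid> to enable)"
fi

# Network Settings
print_section "Network Settings"
run_first "Showing all network interfaces..." "ip addr show" "ifconfig -a"
run_first "Showing active network connections..." "ss -tunap" "netstat -antup"
run_cmd "Showing all iptables rules..." iptables -L -n -v
# On nftables hosts the iptables view can be partial or absent; dump the native ruleset too.
run_cmd "Showing nftables ruleset..." nft list ruleset
run_first "Showing routing table..." "ip route show" "route -n"
run_cmd "Showing listening ports and established connections..." ss -tuln
run_first "Showing all sockets (including unix) and associated programs..." "ss -anp" "netstat -nap"
run_first "Viewing the ARP table..." "ip neigh show" "arp -a"
show_file "Viewing DNS settings..." /etc/resolv.conf
show_file "Viewing host file entries..." /etc/hosts

# User Accounts
print_section "User Accounts Information"
show_file "Listing user accounts..." /etc/passwd
if [ -n "${IR_USER:-}" ]; then
  run_cmd "Checking password status for $IR_USER..." passwd -S "$IR_USER"
else
  echo "Checking password status for a user: skipped (set IR_USER=<name> to enable)"
fi
run_cmd "Showing the most recent logins..." lastlog
run_cmd "Showing last logged in users..." last
run_cmd "Showing who is logged on..." who
run_cmd "Showing who is logged on and what they are doing..." w

# Additional User Account Commands
print_section "Additional User Account Commands"
echo "Finding UID 0 accounts..."
# Field-anchored on purpose: a plain grep for ':0:' also matches GID 0 and any
# other field that happens to be '0'.
awk -F: '$3 == 0 { print }' /etc/passwd
show_file "Viewing encrypted passwords and account expiration information..." /etc/shadow
show_file "Viewing group information..." /etc/group
show_file "Viewing sudoers file..." /etc/sudoers
echo "Viewing sudoers drop-ins (/etc/sudoers.d)..."
dump_matching_files /etc/sudoers.d -type f
echo "Finding files with no owning user (deleted account, or planted from elsewhere)..."
find_root -nouser -print

# Log Entries
print_section "Log Entries"
show_file "Showing system messages..." /var/log/messages
show_file "Showing user authentication logs..." /var/log/auth.log
show_file "Showing authentication log for Red Hat based systems..." /var/log/secure
show_file "Showing system boot log..." /var/log/boot.log
show_file "Showing saved kernel ring buffer log..." /var/log/dmesg
run_cmd "Showing live kernel ring buffer..." dmesg
show_file "Showing kernel log..." /var/log/kern.log
run_cmd "Showing journal entries for the current boot (systemd hosts)..." journalctl -b --no-pager
echo "Viewing saved command history files..."
# A non-interactive shell has no history of its own, so `history` would print
# nothing here; read each account's saved history files instead.
dump_matching_files /root /home -maxdepth 2 -type f -name '.*_history'

# Services
print_section "Services"
run_cmd "Listing all services and their current states (SysV)..." chkconfig --list
run_cmd "Showing status of all services (SysV)..." service --status-all
run_cmd "Listing running services (systemd)..." systemctl list-units --type=service --no-pager
run_cmd "Listing unit files and whether they are enabled (systemd persistence)..." systemctl list-unit-files --type=service --no-pager
run_cmd "Listing systemd timers (persistence)..." systemctl list-timers --all --no-pager

# Files
print_section "Files"
echo "Showing all files in the current directory ($PWD)..."
ls -alh
echo "Listing world-writable temp directories (common drop locations)..."
ls -alh /tmp /var/tmp /dev/shm 2>/dev/null
if [ -n "${IR_FILENAME:-}" ]; then
  echo "Finding files named '$IR_FILENAME'..."
  find_root -name "$IR_FILENAME" -print
else
  echo "Finding a specific file: skipped (set IR_FILENAME=<name> to enable)"
fi
if is_uint "${IR_DAYS:-}"; then
  echo "Finding files modified in the last $IR_DAYS days..."
  find_root -mtime "-$IR_DAYS" -print
  echo "Finding files accessed in the last $IR_DAYS days..."
  find_root -atime "-$IR_DAYS" -print
else
  echo "Finding files modified/accessed in the last N days: skipped (set IR_DAYS=<number> to enable)"
fi
if is_uint "${IR_MIN_BYTES:-}"; then
  echo "Finding files larger than $IR_MIN_BYTES bytes..."
  find_root -type f -size "+${IR_MIN_BYTES}c" -print
else
  echo "Finding files larger than N bytes: skipped (set IR_MIN_BYTES=<number> to enable)"
fi

# Additional Commands
print_section "Additional Investigation Commands"
show_file "Viewing the cron table for scheduled tasks..." /etc/crontab
echo "Viewing cron drop-ins and per-user crontabs..."
dump_matching_files /etc/cron.d /var/spool/cron -type f
echo "Finding files larger than 512KB in home directories..."
find /home/ -type f -size +512k -exec ls -lh {} +
echo "Finding readable files in the etc directory..."
find /etc/ -readable -type f 2>/dev/null
echo "Finding files modified in the last 2 days..."
find_root -mtime -2 -ls
echo "Displaying the PATH environment variable..."
printf 'PATH=%s\n' "$PATH"
echo "--------------------------------------"
echo "Script execution completed."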