{"id":20455994,"url":"https://github.com/vm32/linux-incident-response","last_synced_at":"2025-04-06T01:08:37.562Z","repository":{"id":214302050,"uuid":"736190720","full_name":"vm32/Linux-Incident-Response","owner":"vm32","description":"practical toolkit for cybersecurity and IT professionals. It features a detailed Linux cheatsheet for incident response ","archived":false,"fork":false,"pushed_at":"2023-12-29T18:00:32.000Z","size":25,"stargazers_count":397,"open_issues_count":0,"forks_count":57,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-29T23:11:12.377Z","etag":null,"topics":["digital-forensics","digital-forensics-incident-response","incident-response","ir","linux"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vm32.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-12-27T08:19:57.000Z","updated_at":"2025-03-29T05:00:08.000Z","dependencies_parsed_at":"2023-12-29T19:21:17.929Z","dependency_job_id":null,"html_url":"https://github.com/vm32/Linux-Incident-Response","commit_stats":null,"previous_names":["vm32/linux-incident-response"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vm32%2FLinux-Incident-Response","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vm32%2FLinux-Incident-Response/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vm32%2FLinux-Incident-Response/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vm32%2FLinux-Incident-Response/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vm32","download_url":"https://codeload.github.com/vm32/Linux-Incident-Response/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247419860,"owners_count":20936012,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["digital-forensics","digital-forensics-incident-response","incident-response","ir","linux"],"created_at":"2024-11-15T11:20:39.195Z","updated_at":"2025-04-06T01:08:37.541Z","avatar_url":"https://github.com/vm32.png","language":"Shell","readme":"\n# Incident Response Linux \n\n## Overview\nThis repository contains a comprehensive cheatsheet for incident response and live forensics in Linux environments. It's designed to help system administrators, security professionals, and IT staff quickly reference commands and procedures during an incident.\n\n## How to Use\nNavigate through the sections to find relevant commands for different aspects of incident response. Each command is accompanied by a brief description of its purpose and usage.\n\n## Table of Contents\n- [User Accounts](#user-accounts)\n- [Log Entries](#log-entries)\n- [System Resources](#system-resources)\n- [Processes](#processes)\n- [Services](#services)\n- [Files](#files)\n- [Network Settings](#network-settings)\n\n### User Accounts\nCommands for investigating user activities, permissions, and unusual activities.\n- `cat /etc/passwd` - List user accounts.\n- `passwd -S [User_Name]` - Check password status for a user.\n- `lastlog` - Show the most recent logins.\n- `last` - Show last logged in users.\n- `who` - Show who is logged on.\n- `w` - Show who is logged on and what they are doing.\n\n### Log Entries\nCommands for reviewing system and application logs.\n- `cat /var/log/messages` - Show system messages.\n- `cat /var/log/auth.log` - Show user authentication logs.\n- `cat /var/log/secure` - Show authentication log for Red Hat based systems.\n- `cat /var/log/boot.log` - Show system boot log.\n- `cat /var/log/dmesg` - Show kernel ring buffer log.\n- `cat /var/log/kern.log` - Show kernel log.\n\n### System Resources\nCommands to check system performance and resource usage.\n- `top` - Display Linux tasks.\n- `htop` - Interactive process viewer.\n- `uptime` - Show system uptime.\n- `ps aux` - Show currently running processes.\n- `pstree` - Show running processes as a tree.\n- `free -m` - Show memory usage in MB.\n\n### Processes\nCommands for investigating running processes.\n- `ps -ef` - Display all the currently running processes on the system.\n- `pstree -p` - Display processes in a tree format with PIDs.\n- `top -n 1` - Display top processes.\n- `ps -eo pid,tt,user,fname,rsz` - Show processes in custom format.\n- `lsof -i` - List open files associated with network connections.\n\n### Services\nCommands to inspect services running on the system.\n- `chkconfig --list` - List all services and their current states.\n- `service --status-all` - Show status of all services.\n- `systemctl list-units --type=service` - List running services (systemd).\n\n### Files\nCommands for file investigation.\n- `ls -alh` - Show all files in human-readable format.\n- `find / -name [filename]` - Find a specific file.\n- `find / -mtime -[N]` - Find files modified in the last N days.\n- `find / -atime -[N]` - Find files accessed in the last N days.\n- `find / -size +[N]c` - Find files larger than N bytes.\n\n### Network Settings\nCommands for reviewing network configurations and connections.\n- `ifconfig -a` - Show all network interfaces.\n- `netstat -antup` - Show active network connections.\n- `iptables -L -n -v` - Show all iptables rules.\n- `route -n` - Show routing table.\n- `ss -tuln` - Show listening ports and established connections.\n\n### Additional Commands\n- `grep :0: /etc/passwd` - Find root accounts.\n- `find / -nouser -print` - Find files with no user.\n- `cat /etc/shadow` - View encrypted passwords and account expiration information.\n- `cat /etc/group` - View group information.\n- `cat /etc/sudoers` - View sudoers file.\n- `tail /var/log/auth.log` - View the last few entries in the authentication log.\n- `history | less` - View command history.\n- `cat /proc/meminfo` - Display memory information.\n- `cat /proc/mounts` - Display mounted filesystems.\n- `lsof -p [pid]` - List open files for a process (use a specific PID).\n- `service --status-all` - List all services and their status.\n- `cat /etc/crontab` - View the cron table for scheduled tasks.\n- `more /etc/resolv.conf` - View DNS settings.\n- `more /etc/hosts` - View host file entries.\n- `iptables -L -n` - List all iptables rules without resolving IP addresses.\n- `find /home/ -type f -size +512k -exec ls -lh {} \\;` - Find files larger than 512KB in home directories.\n- `find /etc/ -readable -type f 2\u003e/dev/null` - Find readable files in the etc directory.\n- `find / -mtime -2 -ls` - Find files modified in the last 2 days.\n- `netstat -nap` - Show network connections and associated programs.\n- `arp -a` - View the ARP table.\n- `echo $PATH` - Display the PATH environment variable.\n\n## Running the Script\n\nTo run the Incident Response Linux script, follow these steps:\n\n1. Download the script from the repository.\n2. Give the script executable permissions:\n   ```\n   chmod +x IRLinux_Script.sh\n   ```\n3. Execute the script with appropriate permissions (root permissions may be required for some commands):\n   ```\n   sudo ./IRLinux_Script.sh\n   ```\n4. Once the script completes its execution, the output will be saved in `/tmp/IRLinux.txt`.\n5. You can view the output with a text editor or using a command like `cat` or `less`:\n   ```\n   less /tmp/IRLinux.txt\n   ```\n\nNote: Ensure that the script is run in a safe environment as it accesses system files and configurations. Modify the script as needed for your specific use case.\n\n### Output \n![Screenshot_49](https://github.com/vm32/Linux-Incident-Response/assets/21219411/28efc8f1-925d-4aa9-8916-259613ec0a5b)\n\n## Star History\n[![Star History Chart](https://api.star-history.com/svg?repos=vm32/Linux-Incident-Response\u0026type=Date)](https://star-history.com/#vm32/Linux-Incident-Response\u0026Date)\n\n\n\n## Contribution\nContributions to this cheatsheet are welcome. Please submit a pull request or open an issue for suggestions.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvm32%2Flinux-incident-response","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvm32%2Flinux-incident-response","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvm32%2Flinux-incident-response/lists"}