6.2.1. Information collection

6.2.1.1. Obtaining kernel, operating system and device information

  • Version Information
    • uname -a all version information

    • uname -r Kernel version information

    • uname -n system hostname

    • uname -m Linux Kernel Architecture

  • kernel information cat /proc/version

  • CPU information cat /proc/cpuinfo

  • Release information
    • cat /etc/*-release

    • cat /etc/issue

  • host name hostname

  • File system df -a

  • kernel log dmesg / /var/log/dmesg

6.2.1.2. Users and Groups

  • List all users of the system cat /etc/passwd

  • List all groups in the system cat /etc/group

  • List all users' password hashes (requires root) cat /etc/shadow

  • user
    • Query user’s basic information finger

    • currently logged in user users who -a /var/log/utmp

    • Query passwordless users grep 'x:0:' /etc/passwd

  • currently logged in user w

  • logged in user information last / /var/log/wtmp

  • Display the latest login information of all users in the system lastlog / /var/log/lastlog

  • Login success log /var/log/secure

  • Login failure log /var/log/faillog

  • View Privileged Users grep :0 /etc/passwd

  • View passwd last modification time ls -l /etc/passwd

  • Check if there is an empty password user awk -F: 'length($2)==0 {print $1}' /etc/shadow

  • View remote login accounts awk '/\$1|\$6/{print $1}' /etc/shadow

  • View users with sudo privileges
    • cat /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"
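The /etc/passwd and /etc/shadow checks in this section, as an added example that is not part of the original page: it runs them against constructed sample files (so it works without root), compares the UID field exactly instead of grepping for `:0`, and generalises the `$1|$6` pattern to any crypt scheme. Pass real paths to the functions to audit a live host.

```shell
#!/bin/sh
# Added example, not from the original page: run the passwd/shadow checks
# listed above against constructed sample files so no root access is needed.

# Constructed sample data (fictional accounts). "backup" deliberately has
# UID 0 and "svc" an empty password field: the two cases an auditor wants
# flagged.
PASSWD_SAMPLE=$(mktemp)
SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:service:/srv:/bin/sh
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$c0nstructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
alice:$y$j9T$c0nstructed$notarealhash:19000:0:99999:7:::
svc::19000:0:99999:7:::
EOF

# UID-0 accounts. "grep :0 /etc/passwd" also matches GID 0 and any field
# beginning with 0, so compare the UID field (field 3) exactly.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Accounts whose shadow password field is empty (login without a password).
empty_password_accounts() { awk -F: 'length($2) == 0 { print $1 }' "$1"; }

# Accounts with a real hash set ($1$ MD5, $6$ SHA-512, $y$ yescrypt, ...),
# as opposed to locked (! or *) or empty fields; this generalises the
# /\$1|\$6/ pattern above to every crypt scheme.
password_set_accounts() { awk -F: '$2 ~ /^\$[0-9A-Za-z]+\$/ { print $1 }' "$1"; }

# Stand-alone run: report each class for the sample files.
for check in uid0_accounts empty_password_accounts password_set_accounts; do
  case $check in uid0_accounts) f=$PASSWD_SAMPLE ;; *) f=$SHADOW_SAMPLE ;; esac
  printf '%s: %s\n' "$check" "$($check "$f" | tr '\n' ' ')"
done
```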

6.2.1.3. User and Privilege Information

  • Current user whoami

  • current user information id

  • Users who can escalate to root via sudo cat /etc/sudoers

  • List the commands the current user may and may not run with sudo sudo -l

6.2.1.4. Environmental Information

  • print system environment information env

  • print shell and environment variables set

  • Path information in environment variables echo $PATH

  • print history command history / ~/.bash_history

  • show current path pwd

  • Show the system-wide default shell profile cat /etc/profile

  • show available shell cat /etc/shells

6.2.1.5. Process Information

  • View process information ps aux

  • resource occupancy top -c

  • View files associated with a process lsof -p $PID

  • full command line information /proc/$PID/cmdline

  • process command name /proc/$PID/comm

  • A symbolic link to the current working directory of the process /proc/$PID/cwd

  • Symbolic link to the executable being run /proc/$PID/exe

  • Process environment variables /proc/$PID/environ

  • Files opened by the process /proc/$PID/fd

6.2.1.6. Service Information

  • List of services managed by inetd cat /etc/inetd.conf

  • List of services managed by xinetd cat /etc/xinetd.conf

  • nfs server configuration cat /etc/exports

  • mail log /var/log/maillog

  • ssh server configuration /etc/ssh/sshd_config

6.2.1.7. Scheduled tasks

  • Displays scheduled jobs for the specified user (root) crontab -l -u %user%

  • Scheduled Tasks
    • /var/spool/cron/*

    • /var/spool/anacron/*

    • /etc/crontab

    • /etc/anacrontab

    • /etc/cron.*

  • Startup items
    • /etc/rc.d/init.d/

6.2.1.8. Networking, Routing and Communication

  • list network interface information /sbin/ifconfig -a / ip addr show

  • Network interface configuration file cat /etc/network/interfaces

  • View system arp table arp -a

  • print routing info route / ip ro show

  • View dns configuration information cat /etc/resolv.conf

  • Print local port open information netstat -an

  • List iptables rules iptables -L

  • View port service mapping cat /etc/services

  • Hostname hostname -f

  • View process port status netstat -anltp | grep $PID

6.2.1.9. Installed Programs

  • rpm -qa --last Redhat

  • yum list | grep installed CentOS

  • ls -l /etc/yum.repos.d/

  • dpkg -l Debian

  • cat /etc/apt/sources.list Debian APT

  • pkg_info xBSD

  • pkginfo Solaris

  • pacman -Q Arch Linux

  • emerge Gentoo

6.2.1.10. File

  • Files whose status changed within the last five days (but more than one day ago) find / -ctime +1 -ctime -5

  • file system details debugfs

6.2.1.11. Public and private key information

  • ~/.ssh

  • /etc/ssh

6.2.1.12. Logs

  • /var/log/boot.log

  • /var/log/cron

  • /var/log/faillog

  • /var/log/lastlog

  • /var/log/messages

  • /var/log/secure

  • /var/log/syslog

  • /var/log/wtmp

  • /var/run/utmp

6.2.1.13. Virtual Environment Detection

  • lsmod | grep -i "vboxsf\|vboxguest"

  • lsmod | grep -i "vmw_balloon\|vmxnet"

  • lsmod | grep -i "xen-vbd\|xen-vnif"

  • lsmod | grep -i "virtio_pci\|virtio_net"

  • lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

6.2.1.14. Container Information Collection

  • capsh --print

  • cat /proc/1/cgroup

  • env | grep KUBE

  • ls -l .dockerenv

  • ls -l /run/secrets/kubernetes.io/

  • mount

  • ps aux