By Charles Joseph | Cybersecurity Researcher
Published on January 21st, 2024
This post was updated on February 29th, 2024
This incident response for Linux cheat sheet is based on vm32’s Linux-Incident-Response repository on GitHub. It’s a valuable resource designed to assist system administrators, security professionals, and IT staff in responding to security incidents within Linux systems. I wanted to help extend its reach by offering it on Threat Picture.
This cheat sheet includes a wide range of commands and procedures structured to provide quick and easy reference during critical response situations.
1. User Accounts
| Command | Description |
|---|---|
| `cat /etc/passwd` | List user accounts. |
| `passwd -S [user_name]` | Check password status for a user. |
| `lastlog` | Show the most recent login of each user. |
| `last` | Show last logged-in users. |
| `who` | Show who is logged on. |
| `w` | Show who is logged on and what they are doing. |
2. Log Entries
| Command | Description |
|---|---|
| `cat /var/log/messages` | Show system messages. |
| `cat /var/log/auth.log` | Show user authentication logs (Debian-based systems). |
| `cat /var/log/secure` | Show authentication log for Red Hat-based systems. |
| `cat /var/log/boot.log` | Show system boot log. |
| `cat /var/log/dmesg` | Show kernel ring buffer log. |
| `cat /var/log/kern.log` | Show kernel log. |
3. System Resources
| Command | Description |
|---|---|
| `top` | Display Linux tasks. |
| `htop` | Interactive process viewer. |
| `uptime` | Show system uptime and load averages. |
| `ps aux` | Show currently running processes. |
| `pstree` | Show running processes as a tree. |
| `free -m` | Show memory usage in MB. |
4. Processes
| Command | Description |
|---|---|
| `ps -ef` | Display all currently running processes. |
| `pstree -p` | Display processes in a tree format with PIDs. |
| `top -n 1` | Display top processes once (a single iteration, suitable for capturing to a file). |
| `ps -eo pid,tt,user,fname,rsz` | Show processes in a custom format (PID, TTY, user, command name, resident set size). |
| `lsof -i` | List open files associated with network connections. |
5. Services
| Command | Description |
|---|---|
| `chkconfig --list` | List all services and their states (SysV init). |
| `service --status-all` | Show status of all services. |
| `systemctl list-units --type=service` | List running services (systemd). |
6. Files
| Command | Description |
|---|---|
| `ls -alh` | Show all files in long, human-readable format. |
| `find / -name [filename]` | Find a specific file. |
| `find / -mtime -[N]` | Find files modified in the last N days. |
| `find / -atime -[N]` | Find files accessed in the last N days. |
| `find / -size +[N]c` | Find files larger than N bytes. |
7. Network Settings
| Command | Description |
|---|---|
| `ifconfig -a` | Show all network interfaces. |
| `netstat -antup` | Show all TCP and UDP sockets with numeric addresses and the owning program. |
| `iptables -L -n -v` | Show all iptables rules with packet and byte counters. |
| `route -n` | Show routing table. |
| `ss -tuln` | Show listening TCP and UDP sockets with numeric addresses (add `-p` for the owning process). |
8. Additional Commands
| Command | Description |
|---|---|
| `grep :0: /etc/passwd` | Find root-level accounts. The pattern matches `:0:` anywhere on the line, so entries with GID 0 but a non-zero UID also appear; confirm the third field is 0. |
| `find / -nouser -print` | Find files owned by a UID that no longer exists in `/etc/passwd`. |
| `cat /etc/shadow` | View password hashes and account expiration info. |
| `cat /etc/group` | View group information. |
| `cat /etc/sudoers` | View sudoers file. |
| `tail /var/log/auth.log` | View the last few entries in the authentication log. |
| `history \| less` | View command history. |
| `cat /proc/meminfo` | Display memory information. |
| `cat /proc/mounts` | Display mounted filesystems. |
| `lsof -p [pid]` | List open files for a process (specific PID). |
| `service --status-all` | List all services and their status. |
| `cat /etc/crontab` | View the cron table for scheduled tasks. |
| `more /etc/resolv.conf` | View DNS settings. |
| `more /etc/hosts` | View host file entries. |
| `iptables -L -n` | List all iptables rules without resolving IP addresses. |
| `find /home/ -type f -size +512k -exec ls -lh {} \;` | Find files larger than 512KB in home directories. |
| `find /etc/ -readable -type f 2>/dev/null` | Find readable files in the etc directory. |
| `find / -mtime -2 -ls` | Find files modified in the last 2 days. |
| `netstat -nap` | Show network connections and associated programs. |
| `arp -a` | View the ARP table. |
| `echo $PATH` | Display the PATH environment variable. |
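The commands above are normally run one at a time, but during a live response they are worth scripting so that volatile data (logins, processes, sockets) is captured first and the output is hashed for later analysis. The following collector is an added example written for this page; it is not code from vm32's repository or from the original post. It assumes a POSIX `sh`, treats `ss`, `ip`, `lsof` and `iptables` as optional (a missing binary or a non-zero exit is recorded in the output rather than aborting the run), and uses the `TRIAGE_OUT` environment variable, a convention of this example, to choose the output file. It also shows why the `grep :0:` check deserves a second look: the sample passwd content is constructed, and the `sync` entry has GID 0 but UID 5.

```shell
#!/bin/sh
# Added example (not from vm32's repository): a small volatile-data collector built
# around the cheat sheet's commands, plus a field-based UID-0 account check.
# Assumes POSIX sh; ss/ip (iproute2), lsof and iptables are optional and are
# recorded as "not available" when missing, so the run never aborts mid-collection.

# Constructed sample passwd content, used to show the difference between
# `grep :0:` and a field-based check. "sync" has GID 0 but UID 5.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
toor:x:0:0::/:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh'

# uid0_accounts: login names whose UID (third colon-separated field) is 0.
# Reads passwd-format text from stdin.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# grep_zero_accounts: the cheat sheet's pattern, for comparison. It matches ":0:"
# anywhere on the line, so GID-0 entries such as "sync" are reported too.
grep_zero_accounts() {
    grep ':0:' | cut -d: -f1
}

# run_check NAME COMMAND...: append the command's output to $OUT under a header.
# A missing binary or a non-zero exit is recorded instead of stopping the run.
run_check() {
    name=$1
    shift
    {
        printf '===== %s (%s) =====\n' "$name" "$*"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1 || printf '[exit status %s]\n' "$?"
        else
            printf '[not available: %s]\n' "$1"
        fi
        printf '\n'
    } >>"$OUT"
}

# collect_triage OUTFILE: gather evidence in rough order of volatility
# (logins and processes first, slow-changing configuration last), then
# hash the result so later analysis can show it was not altered.
collect_triage() {
    OUT=$1
    : >"$OUT"
    run_check "uptime"                 uptime
    run_check "logged-in users"        w
    run_check "recent logins"          last -n 20
    run_check "processes"              ps -eo pid,ppid,user,lstart,cmd
    run_check "listening sockets"      ss -tulpn
    run_check "sockets by program"     lsof -i -nP
    run_check "routing table"          ip route
    run_check "neighbour (ARP) cache"  ip neigh
    run_check "firewall rules"         iptables -L -n -v
    run_check "cron table"             cat /etc/crontab
    run_check "sudoers"                cat /etc/sudoers
    run_check "files modified <2 days" find /etc /usr/local/bin -mtime -2 -type f
    printf '===== UID-0 accounts =====\n' >>"$OUT"
    uid0_accounts </etc/passwd >>"$OUT"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$OUT" >"$OUT.sha256"
    fi
}

# Run the collector only when an output path is given, so the functions can
# also be sourced individually:  TRIAGE_OUT=/mnt/usb/triage.txt sh triage.sh
if [ -n "${TRIAGE_OUT:-}" ]; then
    collect_triage "$TRIAGE_OUT"
fi
```

Write the output to removable or remote storage rather than the suspect host's own disk, and keep the `.sha256` file with the evidence. Each section header records the exact command that produced it, so a reviewer can tell a genuinely empty result from a tool that was missing on the host.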
> "Amateurs hack systems, professionals hack people."
> -- Bruce Schneier, a renowned computer security professional