Created May 8, 2013 18:28
CentOS security scan
* chkrootkit && rkhunter -> to search for known trojans and common Linux malware.
* unhide (http://www.unhide-forensics.info/) -> to check for hidden processes and TCP sockets.
* rpm -Va -> to check binary integrity against the installed rpms.
* If the netstat binary looks to be sane, check the listening sockets.
* If the ps binary looks to be sane, check the running processes it shows.
* Check console connections with the "last" and "lastb" commands.
* tcpdump on the network interfaces, excluding traffic for known running services (80, 25, 21, etc... depending on the role of the machine), to check for weird traffic.
* grep -i segfault /var/log/* -> to check the logs for buffer overflows.
* grep -i auth /var/log/* | grep -i failed -> to check for failed authentication attempts.
* lsmod -> to check the loaded kernel modules (it is very difficult to find out something wrong here, but just to be sure nothing weird appears).
* lsof -> to check the currently opened files.
* Check xinetd -> to find out if someone has added some new "service".
* Have a look at /tmp, /opt, /usr/bin, /usr/local/bin, /usr/sbin and .bash_history...
* Check /etc/passwd and verify that the users created there are legitimate.
* Check the crontab of every user to make sure no unexpected job has been scheduled.
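Four of the items above (rpm -Va, the failed-login grep, the segfault grep and the /etc/passwd review) are easy to automate; the script below is an added example, not part of the original gist. Every check reads the tool's output from stdin, so it runs against saved output as well as a live host, and the sample data at the bottom is constructed for an offline dry run.

```shell
#!/bin/sh
# Added example, not part of the original gist: automates four checklist items
# (rpm -Va, failed logins, segfaults, /etc/passwd). Checks read tool output
# from stdin, so they also work on output saved from a suspect host.

# rpm -Va prints 9 flag chars, an optional "c" (config file) and the path.
# A "5" flag means the digest changed; on a non-config file that is a
# candidate trojaned binary (ps, netstat, ls ...).
rpm_changed_binaries() { awk '$1 ~ /5/ && $2 != "c" { print $NF }'; }

# The gist's "grep -i auth | grep -i failed" misses sshd "Failed password"
# lines, which lack the word "auth"; match both forms directly.
failed_auth_count() { grep -ciE 'authentication failure|failed password' || true; }

# Segfaults in service processes can indicate exploitation attempts.
segfault_count() { grep -ci segfault || true; }

# Any account besides root with UID 0 is a classic persistence trick.
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Live run on this host; needs root for rpm -Va and /var/log/secure.
run_live() {
    echo "== non-config files with changed digest =="; rpm -Va 2>/dev/null | rpm_changed_binaries
    echo "== failed logins =="; cat /var/log/secure 2>/dev/null | failed_auth_count
    echo "== segfaults =="; cat /var/log/messages 2>/dev/null | segfault_count
    echo "== extra UID 0 accounts =="; extra_uid0_accounts < /etc/passwd
}

# Constructed sample data (not from any real host) for an offline dry run.
SAMPLE_RPM_VA='..5....T.    /usr/bin/ps
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/netstat'
SAMPLE_LOG='May  8 18:20:01 host sshd[1234]: pam_unix(sshd:auth): authentication failure; rhost=192.0.2.10 user=root
May  8 18:20:03 host sshd[1234]: Failed password for root from 192.0.2.10 port 5555 ssh2
May  8 18:21:00 host sshd[1240]: Accepted publickey for deploy from 192.0.2.20 port 5556 ssh2
May  8 18:22:10 host kernel: httpd[2001]: segfault at 0 ip 00007f3a1c2b4d5e sp 00007ffd1c2b4d50 error 4 in libphp5.so'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
deploy:x:500:500::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash'

demo() {
    printf '%s\n' "$SAMPLE_RPM_VA" | rpm_changed_binaries   # /usr/bin/ps
    printf '%s\n' "$SAMPLE_LOG" | failed_auth_count         # 2
    printf '%s\n' "$SAMPLE_LOG" | segfault_count            # 1
    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts    # toor
}

case "${1:-}" in --live) run_live ;; *) demo ;; esac
```

Run it with no arguments for the dry run on the constructed data, or with `--live` as root to apply the same checks to the host; a changed digest on a package-owned binary should be compared against a clean copy of the rpm before trusting that binary's output.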