Linux
Essential Linux incident response tactics, including filesystem considerations, user management, logging practices, service and cron job monitoring, access methods, detection of backdoored libraries and rootkits, and network traffic analysis, with a comparison of Linux and Windows incident response approaches.
Presentation Transcript
Linux Incident Response
Linux vs Windows
- So far, mostly Windows
- Many organizations primarily use Windows, with some Linux servers
- Similarities when thinking about IR
- Proper defense: SELinux, logging enabled
- Host-based is slightly more difficult: no Sysmon
Incident Response 2
Filesystem
- Different than Windows
- Setuid binaries: if a user can run a setuid binary, it executes with the permissions of its owner, so a root-owned one effectively changes the user's permissions to root
- Setgid binaries: set the effective group of the user to the binary's group, e.g. a root group
- Hidden files: Windows has this too
- Anywhere that's world writable: /tmp
Users
- No Active Directory to worry about... usually
- Make sure there aren't any extra users
- Linux has a list of extra users by default
- Correct groups
- Sudoers file declares who is allowed to use sudo
- Bash history for all users
- Modified passwords?
Logging
- All logs in one place: /var/log
- auth.log: successful/failed authentications, attempts to sudo
- Application-specific logging: Apache2 access & error logs
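The user and logging checks from the two slides above (extra users, sudo use, successful and failed authentications in auth.log), as an added example that is not part of the presentation: it audits a constructed /etc/passwd sample for unexpected UID-0 accounts and service accounts with an interactive shell, then summarizes a constructed auth.log sample per source address, flagging a success that follows failures, and lists every sudo command. The log line format assumes a Debian/Ubuntu-style syslog auth.log.

```python
import re
from collections import Counter, defaultdict

# Constructed /etc/passwd sample: note the second UID-0 account and the www-data service account given a shell.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/var/tmp/.x:/bin/sh
"""

# Constructed /var/log/auth.log sample (Debian/Ubuntu syslog format).
AUTH_LOG_SAMPLE = """\
Mar  4 02:11:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 02:11:07 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 02:11:09 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  4 02:11:12 web01 sshd[2214]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar  4 02:12:40 web01 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar  4 08:30:01 web01 sshd[3102]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def audit_passwd(text):
    """Flag extra UID-0 accounts and system accounts (UID < 1000) that have a login shell."""
    findings = []
    for line in text.splitlines():
        name, _, uid, _, _, home, shell = line.split(":")
        if int(uid) == 0 and name != "root":
            findings.append(f"extra uid 0 account: {name} (home {home})")
        elif 0 < int(uid) < 1000 and shell not in NOLOGIN_SHELLS:
            findings.append(f"system account with login shell: {name} -> {shell}")
    return findings

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")

def summarize_auth_log(text):
    """Per-source-IP SSH outcome counts (flagging a success after failures) and all sudo commands run."""
    by_ip = defaultdict(Counter)
    sudo_cmds = []
    for line in text.splitlines():
        if m := SSH_RE.search(line):
            result, _user, ip = m.groups()
            by_ip[ip][result] += 1
            if result == "Accepted" and by_ip[ip]["Failed"]:
                by_ip[ip]["accepted_after_failures"] += 1
        elif m := SUDO_RE.search(line):
            sudo_cmds.append((m.group(1), m.group(2)))  # (invoking user, command)
    return dict(by_ip), sudo_cmds
```

Run on a real host by reading /etc/passwd and /var/log/auth.log instead of the constructed samples; on a brute force followed by a login, the accepted_after_failures counter is the line to chase first.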
Services & cron jobs
- Services: similar to Windows services
- Services sometimes run with elevated permissions
- Webserver and www-data
- Cron jobs: similar to Windows Scheduled Tasks
- Can be from multiple user contexts
Access Methods
- SSH: most common way of accessing a Linux system
- Attacker installs SSH keys for authorized users (authorized_keys)
- Changes sshd config
- VNC/Remote Desktop: typically not enabled
Backdoored Libraries/Rootkits
- Persistence mechanism: passwd, pamd, sshd
- What if system binaries are altered as well?
- Example: ls won't list the files, netstat doesn't show the network connections, the cat command doesn't show the username anywhere
Network traffic
- Still applicable
- Correlate with weird processes
- What if you don't have Wireshark? tcpdump