What tool is TuxResponse?

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article introduces the TuxResponse tool. It should be a useful reference for anyone interested in Linux incident response; the editor walks through the tool below.

TuxResponse

TuxResponse is an incident response script written in Bash for the Linux platform. It automates a range of incident response tasks on a Linux system so that security analysts can quickly triage a security incident without affecting the eventual handling of the case. Companies usually deploy some form of security monitoring, but non-standard images and other network components often fall outside of it, and that is the gap TuxResponse fills. With TuxResponse, a researcher can type and test 10 commands at the click of a button.

The current version of TuxResponse has been tested on Ubuntu 14+ and CentOS 7+.

Features

1. Uses Linux's built-in tools, including but not limited to dd, awk, grep, cat and netstat.

2. Reduces the number of commands the responder has to type during an incident.

3. Automates the response tasks.

In addition to Linux's built-in tools, TuxResponse pulls in the following external toolkits:

- LiME

- ExifTool

- chkrootkit

- Yara + Linux scanning rules

Tool download

Clone the project code locally with the following command:

```bash
git clone https://github.com/la3ar0v/TuxResponse.git
```

Tool usage example: installing LiME

The following function from tuxresponse.sh installs the build dependencies for the detected package manager, downloads the LiME 1.8.1 source, builds the kernel module and leaves it at /tmp/lime.ko:

```bash
function init_lime() {
    # Install build dependencies with whichever package manager is present
    if [ -f /usr/bin/yum ]; then
        yum -y install make kernel-headers kernel-devel gcc
    elif [ -f /usr/bin/apt-get ]; then
        apt-add-repository universe
        apt-get -y install make linux-headers-$(uname -r) gcc
    fi
    # Fetch and unpack the LiME source release
    rm -f /tmp/v1.8.1.zip
    wget -P /tmp https://github.com/504ensicsLabs/LiME/archive/v1.8.1.zip
    unzip /tmp/v1.8.1.zip
    rm -f /tmp/v1.8.1.zip
    # Build the module against the running kernel and keep only the .ko
    pushd LiME-1.8.1/src
    make
    mv lime-*.ko /tmp/lime.ko
    popd
    rm -rf LiME-1.8.1
}
```

During an emergency response to a security incident, typing every command needed to install LiME by hand would cost a lot of time, which is exactly the inefficiency this function removes.

Function introduction

1. Live response

(1) System footprint

System info, IP, date, time, local time zone, last boot: `hostnamectl; who -b; uname -a; uptime; ifconfig; date; last reboot`

(2) File system tools

`df -h`: list the mounted file systems

`find /usr/bin -type f -exec file "{}" \; | grep -i "elf" | cut -f1 -d: | xargs -I "{}" -n 1 md5sum {}`: MD5 hashes of executables

`modified_files_period_select` (a function in tuxresponse.sh): files modified within a chosen period

`find / -type d -name "\.*"`: enumerate all hidden directories

`find / \( -nouser -o -nogroup \) -exec ls -l {} \; 2>/dev/null`: enumerate files and directories with no valid user or group

`packaged_files_changed` (a function in tuxresponse.sh): files belonging to installed packages that have been modified

(3) YARA, chkrootkit, ExifTool

`chkrootkit`: check for rootkits

`yara_select`: Yara scan

`exiftool_select`: ExifTool metadata extraction

(4) Process analysis tools

`ps -axu`: enumerate running processes

`ls -alR /proc/*/exe 2>/dev/null | grep deleted`: running processes whose on-disk binary has been deleted

`ss -tunap | sed "s/[\t]\+/|/g"`: active network connections, TCP or UDP

`dump_process_select`: dump process information by PID

`ls -alR /proc/*/cwd 2>/dev/null | grep -E "tmp|dev"`: processes running from /tmp or /dev

(5) Network connection analysis

`netstat -nalp; netstat -plant`: enumerate all active network connections and listening sockets

(6) Users

`w`: enumerate the currently logged-in users

`getent passwd`: enumerate user accounts from the passwd database

(7) Bash

`cat ~/.bash_history | nl`: review the Bash history file

(8) Persistence traces

`list_all_crontab`: enumerate all cron jobs

`list_all_onstartup`: enumerate all programs started at boot

(9) Export all logs (/var/log)

`cat_all_bash_history`: export every user's .bash_history

`grep [[:cntrl:]] /var/log/*.log`: find log files containing control characters

2. Connect to a remote system over SSH, transfer the scripts and analyze it

This option connects to a remote system, copies all of the scripts and tools to it, and analyzes that system.
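To show how the live-response checks from section 1 fit together with the record-everything approach described under the HTML report, here is a small collector written for this article (not TuxResponse's own code). Every check's command, output and exit status land under a header in one text log; the `run_check`, `count_sections` and `collect_all` names are this example's own.

```shell
#!/bin/sh
# Hypothetical live-response collector (added example, not TuxResponse's code).
# Each check's output goes under a labelled header into one plain-text log,
# which can later be parsed or turned into a report.
LOG="${LOG:-/tmp/live-response-$(date +%Y%m%d-%H%M%S).txt}"

# run_check NAME COMMAND: append the command, its output and its exit status.
# A non-zero exit is recorded rather than aborting: "grep found nothing" is a result.
run_check() {
    name=$1; cmd=$2; rc=0
    {
        printf '===== %s =====\n' "$name"
        printf 'command: %s\n' "$cmd"
        printf 'time: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        sh -c "$cmd" 2>&1 || rc=$?
        printf 'exit status: %s\n\n' "$rc"
    } >> "$LOG"
}

# count_sections: how many checks the log holds (lets a caller verify coverage).
count_sections() {
    grep -c '^===== ' "$LOG"
}

# The checks are the ones listed in section 1; the slow find over / is
# deliberately last so the volatile process and socket data is captured first.
collect_all() {
    run_check "system footprint"   "hostnamectl; who -b; uname -a; uptime; date; last reboot"
    run_check "running processes"  "ps -axu"
    run_check "deleted binaries"   "ls -alR /proc/*/exe 2>/dev/null | grep deleted"
    run_check "procs in /tmp,/dev" "ls -alR /proc/*/cwd 2>/dev/null | grep -E 'tmp|dev'"
    run_check "network sockets"    "ss -tunap"
    run_check "logged-in users"    "w"
    run_check "cron entries"       "ls -l /etc/cron* 2>/dev/null; crontab -l 2>/dev/null"
    run_check "unowned files"      "find / \( -nouser -o -nogroup \) -exec ls -l {} \; 2>/dev/null"
    echo "$(count_sections) checks written to $LOG"
}

# Run the collection only when explicitly requested, so the file can also be sourced.
if [ "${RUN_COLLECT:-0}" = "1" ]; then
    collect_all
fi
```

Run it as `RUN_COLLECT=1 sh collector.sh` (as root, so /proc and the find over / are readable) and keep the resulting log alongside any disk or memory image.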

3. Dump memory (LiME LKM)

This option compiles LiME from source on the system and dumps its RAM, which is the easiest approach. The alternative would be to compile the LKM against every major kernel version in advance and insert the matching module.

4. Obtain a disk image (dd)

This option uses the well-known dd tool to take a full disk image of the target system. The function takes the source and destination as arguments and inserts them into the following command:

```bash
dd if=${image_IN} | pv | dd of=${image_OUT} bs=4K conv=noerror,sync
```

If you are investigating a remote system, the script first copies itself to that system. If the parameter ${TARGET_HOST} is set, the script pulls the image onto the analysis system with the following command:

```bash
ssh -p${TARGET_PORT} ${TARGET_USER}@${TARGET_HOST} "dd if=${image_IN} bs=4K conv=noerror,sync" | pv | dd of=${image_OUT}
```

Note: pv lets us track the progress of the transfer.
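The two dd pipelines above differ only in whether dd reads the device locally or over SSH. The helper below, written for this article rather than taken from TuxResponse, builds the right pipeline from the same variable names the script uses and records a SHA-256 of the finished image; `build_image_cmd`, `hash_image` and `acquire` are this example's own names, and it places `conv=noerror,sync` on the reading dd in both cases since those options govern read errors.

```shell
#!/bin/sh
# Hypothetical imaging helper (added example, not TuxResponse's own code).

# build_image_cmd IMAGE_IN IMAGE_OUT [TARGET_HOST [TARGET_USER [TARGET_PORT]]]
# Prints the dd|pv|dd pipeline. With a host, dd runs on the remote system and
# the raw stream is written locally, so the image never lands on the target's
# own disk (which would overwrite unallocated space that may hold evidence).
build_image_cmd() {
    image_IN=$1; image_OUT=$2
    TARGET_HOST=$3; TARGET_USER=${4:-root}; TARGET_PORT=${5:-22}
    if [ -z "$TARGET_HOST" ]; then
        printf 'dd if=%s bs=4K conv=noerror,sync | pv | dd of=%s\n' \
            "$image_IN" "$image_OUT"
    else
        printf 'ssh -p%s %s@%s "dd if=%s bs=4K conv=noerror,sync" | pv | dd of=%s\n' \
            "$TARGET_PORT" "$TARGET_USER" "$TARGET_HOST" "$image_IN" "$image_OUT"
    fi
}

# hash_image FILE: SHA-256 of the finished image, written next to it so that
# later analysis can show the evidence has not changed since acquisition.
hash_image() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire IMAGE_IN IMAGE_OUT [TARGET_HOST ...]: run the pipeline, then hash.
acquire() {
    cmd=$(build_image_cmd "$@")
    printf 'running: %s\n' "$cmd" >&2
    sh -c "$cmd" || return 1
    hash_image "$2" | tee "$2.sha256"
}
```

Example invocation: `acquire /dev/sda /evidence/sda.dd 192.0.2.10 analyst 2222` (constructed values) images the remote disk into the local evidence directory and leaves /evidence/sda.dd.sha256 beside it.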

5. Generate an HTML report

Every command we run and every result we collect is stored in a text file, so we can easily go back and review the output. The advantage is that the file can be uploaded to any log analysis tool and parsed later. In addition, this function turns the collected results into an HTML report so the incident response output can be viewed in a more readable form.

Thank you for reading this article carefully. I hope the article "What tool is TuxResponse?" shared by the editor is helpful to everyone, and that you will keep following our industry information channel, where more related knowledge is waiting for you.
