搜索

此内容没有您所选择的语言版本。

10.4.2. Gathering Post-Breach Information

download PDF
The topic of digital forensics and analysis itself is quite broad, yet the tools are mostly architecture specific and cannot be applied generically. However, incident response, analysis, and recovery are important topics. With proper knowledge and experience, Red Hat Enterprise Linux can be an excellent platform for performing these types of analysis, as it includes several utilities for performing post-breach response and restoration.
Table 10.1, “File Auditing Tools” details some commands for file auditing and management. It also lists some examples that can be used to properly identify files and file attributes (such as permissions and access dates) to allow the collection of further evidence or items for analysis. These tools, when combined with intrusion detection systems, firewalls, hardened services, and other security measures, can help reduce the amount of potential damage when an attack occurs.

Note

For detailed information about each tool, refer to their respective man pages.
Table 10.1. File Auditing Tools
Command Function Example
dd Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match. dd if=/bin/ls of=ls.dd |md5sum ls.dd >ls-sum.txt
grep Finds useful string (text) information inside files and directories as well as reveals permissions, script changes, file attributes, and more. Used mostly as a piped command of for commands like ls, ps, or ifconfig. ps auxw |grep /bin
strings Prints the strings of printable characters within a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to a non-standard log file. strings /bin/ps |grep 'mail'
file Determines the characteristics of files based on format, encoding, linked-libraries (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as /bin/ls has been modified using static libraries, which is a sure sign that the executable has been replaced with one installed by a malicious user. file /bin/ls
find Searches directories for particular files. It is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. It can also be useful for administrators that perform general system audits of particular directories or files. find -atime +12 -name *log* -perm u+rw
stat Displays file status information, including time last accessed, permissions, UID and GID bit settings, and more. It can be useful for checking when a breached system executable was last used or modified. stat /bin/netstat
md5sum Calculates the 128-bit checksum using the md5 hash algorithm. Use this command to create a text file that lists all crucial executables that are often modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums and then copy the file onto a read-only medium such as CD-ROM. md5sum /usr/bin/gdm >>md5sum.txt
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.