
Linux-based survey

Situational Awareness

  • date
  • date -u
  • id
  • ifconfig -a
  • w
  • last
  • ps -elf

Network Triage

  • hostname
  • netstat -anP tcp
  • netstat -anP udp
  • pfiles [pids of listening processes]
  • netstat -nr
  • ls -1 /proc | xargs pfiles | egrep '^[0-9]|AF_INET'
  • arp -an
  • cat /etc/resolv.conf
  1. On-disk network config

    • ifconfig -a # interface names via driver names
    • cat /etc/hostname.<interface name> # hostname for ip-address association
    • cat /etc/hosts # match hostname to ip
    • ls -l /etc/inet/ipnodes
    • cat /etc/nodename # canonical hostname
    • cat /etc/netmasks # netmasks for each network
    • cat /etc/defaultrouter # default gateway
    • cat /etc/gateways # multi-network gateways / routes
    • cat /etc/inet/static_routes # static routes
    • ls /etc/notrouter # router / not router
  2. TODO: Solaris firewall

System Profiling

  • vmstat
  • uptime
  • hostid
  • uname -a
  • who -r # current run level
  • psrinfo -v
  • modinfo -c
  • prtpicl
  • df -h

Startup / Running

  • history
  • cat /etc/inittab
  • TODO: list running services and services configured to run
  • ls -latr /etc/rc.d/rc3.d/
  • ls -latr /etc/cron*
  • ls -latr /var/spool/*

Disk / User Triage

Show the contents of all directories whose name ends in 'bin' (quoted so the shell does not expand the glob before find sees it):

  • find / -maxdepth 3 -name '*bin' -type d 2>/dev/null | xargs ls -l
  • cat /etc/passwd
  • ls -latr /root
  • ls -latr /home/*
  • ls -latr /export/home/*
  • ls -latr /tmp
  • cat <FILE> with FILE:
    • /.bash_history
    • /.history
    • /export/home/<USER>/.bash_history
    • /export/home/<USER>/.history
  • ls -latr /var/log
  • ls -latr /var/adm
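The checklist above is meant to be run in order, most volatile state first, with every result preserved. The following is an added example (not part of the original checklist) of a small POSIX sh collector that runs a command list, writes each output to its own numbered file, and records start time, exit status and a checksum in an index so the captured evidence can be checked later; the command list in survey_demo is constructed and assumes only sh, cksum and date -u.

```shell
#!/bin/sh
# run_survey OUTDIR LISTFILE
# LISTFILE holds one command per line; blank lines and '#' lines are skipped.
# Prints the number of commands executed.
run_survey() {
    outdir=$1
    listfile=$2
    mkdir -p "$outdir" || return 1
    index="$outdir/index.txt"
    : > "$index"
    n=0
    while IFS= read -r cmd; do
        case $cmd in ''|'#'*) continue ;; esac
        n=$((n + 1))
        # Build a safe file name: keep [A-Za-z0-9], map everything else to '_'
        name=$(printf '%s' "$cmd" | tr -c 'A-Za-z0-9' '_')
        out=$(printf '%s/%02d_%s.txt' "$outdir" "$n" "$name")
        started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
        # Capture stdout+stderr; stdin is /dev/null so a command cannot consume
        # the list. A failing or missing tool is recorded, not fatal: on a
        # survey host that absence is itself a finding.
        if sh -c "$cmd" </dev/null >"$out" 2>&1; then rc=0; else rc=$?; fi
        # cksum is POSIX; swap in sha256sum / digest -a sha256 where available
        sum=$(cksum <"$out" | cut -d' ' -f1-2)
        printf '%s\t%s\trc=%d\tcksum=%s\t%s\n' \
            "$started" "$cmd" "$rc" "$sum" "$out" >>"$index"
    done <"$listfile"
    printf '%d\n' "$n"
}

# survey_demo [OUTDIR]: constructed command list covering the first two
# sections of the checklist, volatile state before on-disk configuration.
survey_demo() {
    dir=${1:-./survey_$(date -u +%Y%m%dT%H%M%SZ)}
    mkdir -p "$dir" || return 1
    cat >"$dir/commands.txt" <<'EOF'
# situational awareness
date -u
id
uptime
ps -elf
# network triage
netstat -an
cat /etc/passwd
EOF
    run_survey "$dir" "$dir/commands.txt"
}
```

Review index.txt first: a non-zero rc line tells you which tool was missing or denied on the host before you read the captured outputs.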