Skip to content
R-CSIRT Linux Triage tool
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
options
Readme.md
rcsirt-linux_triage.sh

Readme.md

R-CSIRT Linux Triage tool


Linux Server Triage tool written in Shell Script.

Description

Linux Server Triage tool for CSIRT.

  • Collect not only 'log files' but also 'config file' and "web server's script files"
  • Find Suspicious Script and Binary on Web Server.
  • Include : Backup function of Web Server All Contents on DOCUMENT_ROOT
  • [2018.06.20] AUTO Web server's DOCUMENT_ROOT and WEB CONFIG Directories. ( httpd,apache2,nginx support checked)
  • [2018.06.20] LOG Archive SCOPE: Automatically from 1 year ago to TODAY when this executed.

Operation Check :
Linux : Ubuntu 14.04, 16.04, Ubuntu Server, CentOS 7.0, 7.5

Requirements

No Requirement for Default Usage.
If you use ClamAV and RKhunter scan,
Please put these installers into option directory.
clamav-0.99.2 and rkhunter-1.4.4 had already set.

 ## Usage

  1. Set the rcsirt-linux_triage.sh and options folder in the same directory which Linux server you want to do triage in.
           

  2. Check configs(const variable) on shell script top.

  3. Excluded Folders
    Edit and Add it in ./options/excludes.txt
    Last LF(\n) doesn't need.

  4. Execute
    $ sudo bash rcsirt-linux_triage.sh

  5. Pull tar.gz file created.
    Output files : Please See source code in detail.
    ERROR LOG => 0_SCRIPT-ERRORS.txt
    Output files tree LOG => 1_OUTPUT-TREE.txt

Recruit-CSIRT does not assume any responsibility about using this tool.
you can take advantage on Self-responsibility

Licence

MIT

Author

Tatsuya Ichida (icchida)
Ref: r-csirt (r-csirt)

Refer Other Triage Tools and Thanks

And Others some tools. /options/backdoorscan.php was got from Internet, We didn't develop it by ourselves.

You can’t perform that action at this time.