R-CSIRT Linux Triage tool
A Linux server triage tool for CSIRTs, written in shell script.
- Collects not only log files but also config files and the web server's script files.
- Finds suspicious scripts and binaries on the web server.
- Includes a backup function for all web server contents under DOCUMENT_ROOT.
- [2018.06.20] Automatically detects the web server's DOCUMENT_ROOT and web config directories (httpd, apache2 and nginx support checked).
- [2018.06.20] Log archive scope: automatically from one year before the day the script is executed up to today.
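The two automatic behaviours above (finding DOCUMENT_ROOT in httpd/apache2/nginx configs, and bounding the log window to the last year) can be shown with a small POSIX sh script. This is an added example, not code from rcsirt-linux_triage.sh: the config snippets, log files and temp directory are constructed for the demo, and the directive names matched (`DocumentRoot` for httpd/apache2, `root` for nginx) are the standard ones rather than anything taken from the project.

```shell
#!/bin/sh
# Added example (not the rcsirt-linux_triage.sh code): discover a web server's
# DOCUMENT_ROOT from httpd/apache2/nginx configs and bound log collection to
# the last year. Everything below is constructed under a temp dir (offline).

SAMPLE_DIR="${TMPDIR:-/tmp}/triage-detect.$$"
mkdir -p "$SAMPLE_DIR/apache2/sites-enabled" "$SAMPLE_DIR/nginx/conf.d" "$SAMPLE_DIR/log"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed Apache vhost: a commented-out DocumentRoot must be ignored.
cat > "$SAMPLE_DIR/apache2/sites-enabled/000-default.conf" <<'EOF'
<VirtualHost *:80>
    # DocumentRoot /var/www/old   <- commented out, must be ignored
    DocumentRoot "/var/www/html"
</VirtualHost>
EOF
# Constructed nginx server block with a server-level and a location-level root.
cat > "$SAMPLE_DIR/nginx/conf.d/site.conf" <<'EOF'
server {
    listen 80;
    root /srv/www/site;
    location /static/ {
        root /srv/www/static;
    }
}
EOF
# Two constructed log files: one dated 2018, one written just now.
touch -t 201801010000 "$SAMPLE_DIR/log/old.log.1"
echo 'Jan  1 00:00:00 host sshd[1]: constructed sample line' > "$SAMPLE_DIR/log/syslog"

# detect_docroots DIR...: print each DocumentRoot (httpd/apache2) or root (nginx)
# directive value found in *.conf files under DIR, skipping commented lines,
# stripping quotes and the trailing ';', and de-duplicating.
detect_docroots() {
    find "$@" -type f -name '*.conf' -exec grep -hE \
        '^[[:space:]]*(DocumentRoot|root)[[:space:]]+' {} + |
    awk '{ v = $2; sub(/;$/, "", v); gsub(/"/, "", v); if (!seen[v]++) print v }'
}

# log_window_start: YYYY-MM-DD one year before today, computed arithmetically
# (no GNU `date -d`); Feb 29 is clamped to Feb 28 so the date always exists.
log_window_start() {
    y=$(date +%Y); md=$(date +%m-%d)
    [ "$md" = "02-29" ] && md="02-28"
    echo "$((y - 1))-$md"
}

# select_logs_since DIR YYYY-MM-DD: list files under DIR modified after the
# start of that day, via a reference file and POSIX `find -newer`
# (portable, unlike GNU find's -newermt).
select_logs_since() {
    dir=$1; since=$2
    ref="${TMPDIR:-/tmp}/triage-ref.$$"
    touch -t "$(echo "$since" | tr -d -)0000" "$ref"
    find "$dir" -type f -newer "$ref"
    rm -f "$ref"
}

# Usage when run directly:
echo "Document roots:"; detect_docroots "$SAMPLE_DIR/apache2" "$SAMPLE_DIR/nginx"
echo "Logs since $(log_window_start):"; select_logs_since "$SAMPLE_DIR/log" "$(log_window_start)"
```

The directive match is anchored to the start of the line so that commented-out roots (a common leftover on real servers) are not picked up; a triage script that collects the wrong DOCUMENT_ROOT silently misses the web content it was meant to preserve.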
Operation check:
Linux: Ubuntu 14.04, 16.04, Ubuntu Server; CentOS 7.0, 7.5
Place rcsirt-linux_triage.sh and the options folder in the same directory on the Linux server you want to triage.
Check the configs (constant variables) at the top of the shell script.
Edit ./options/excludes.txt and add the entries you want excluded.
A trailing LF (\n) on the last line is not needed.
$ sudo bash rcsirt-linux_triage.sh
Retrieve the tar.gz file that is created.
Output files: please see the source code for details.
Error log => 0_SCRIPT-ERRORS.txt
Output file tree log => 1_OUTPUT-TREE.txt
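To make the usage steps concrete, here is an added example collector in POSIX sh (not the project's script) that reads an excludes.txt whose last line has no trailing LF, archives the remaining files as tar.gz, and writes the two bookkeeping files named above, 0_SCRIPT-ERRORS.txt and 1_OUTPUT-TREE.txt. The target tree, the options directory and the excludes format (one shell glob per line) are assumptions constructed for the demo; the real tool's excludes syntax is documented only in its source.

```shell
#!/bin/sh
# Added example (not rcsirt-linux_triage.sh): a minimal triage collector that
# honours options/excludes.txt (one glob per line, trailing LF optional),
# packs the rest into a tar.gz and records errors and the collected file tree.
# All paths below are constructed under a temp dir so the example runs offline.

WORK="${TMPDIR:-/tmp}/triage-collect.$$"
TARGET="$WORK/target"      # stand-in for the server's filesystem
OPTIONS="$WORK/options"    # stand-in for ./options
OUT="$WORK/out"            # where the archive and the two log files land
mkdir -p "$TARGET/etc/nginx" "$TARGET/var/www/html/uploads" "$OPTIONS" "$OUT"
trap 'rm -rf "$WORK"' EXIT

echo 'server { root /var/www/html; }' > "$TARGET/etc/nginx/nginx.conf"
echo '<?php echo "hello"; ?>'          > "$TARGET/var/www/html/index.php"
head -c 64 /dev/zero                    > "$TARGET/var/www/html/uploads/big.bin"
# Constructed excludes.txt, deliberately written without a trailing LF.
printf '*/uploads/*\n*.bin' > "$OPTIONS/excludes.txt"

# is_excluded PATH: succeed if PATH matches any glob in excludes.txt.
# `|| [ -n "$pat" ]` lets read process a final line that has no LF.
is_excluded() {
    p=$1
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -z "$pat" ] && continue
        case "$p" in $pat) return 0 ;; esac
    done < "$OPTIONS/excludes.txt"
    return 1
}

# list_collectable ROOT: print files under ROOT (relative paths) not excluded.
list_collectable() {
    root=$1
    ( cd "$root" && find . -type f ) | sed 's#^\./##' | while IFS= read -r f; do
        is_excluded "$f" || echo "$f"
    done
}

# collect_triage ROOT OUTDIR: write the sorted file list to 1_OUTPUT-TREE.txt,
# archive exactly those files, append any tar errors to 0_SCRIPT-ERRORS.txt,
# and print the archive path. OUTDIR must be absolute (used as tar's -T file).
collect_triage() {
    root=$1; outdir=$2
    list_collectable "$root" | sort > "$outdir/1_OUTPUT-TREE.txt"
    : > "$outdir/0_SCRIPT-ERRORS.txt"
    tar -C "$root" -czf "$outdir/triage.tar.gz" -T "$outdir/1_OUTPUT-TREE.txt" \
        2>> "$outdir/0_SCRIPT-ERRORS.txt"
    echo "$outdir/triage.tar.gz"
}

# Usage when run directly:
ARCHIVE=$(collect_triage "$TARGET" "$OUT")
echo "archive: $ARCHIVE"
echo "collected:"; cat "$OUT/1_OUTPUT-TREE.txt"
echo "errors:";    cat "$OUT/0_SCRIPT-ERRORS.txt"
```

Feeding tar the same list that becomes 1_OUTPUT-TREE.txt means the tree log is an exact manifest of the archive, which is what an analyst wants when checking later that nothing was silently dropped by an exclude pattern.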
Recruit-CSIRT does not assume any responsibility for the use of this tool.
You may use it at your own risk.
Referenced triage tools, with thanks:
And some other tools. /options/backdoorscan.php was obtained from the Internet; we did not develop it ourselves.