A personal collection of commonly used security audit commands.
1. cat /var/log/secure
Mainly used to view external users' login attempts and connection records; the log information here is fairly comprehensive.
2. last
View users' last logins; very important.
3. Reproduced from https://www.cnblogs.com/ssooking/p/5880976.html [ssooking]
Data analysis
    capinfos xxx.pcap                       # view basic information about a packet capture

Log analysis
    who /var/log/wtmp                       # view logged-in user information

Hash check
    sha256sum filename
    md5sum filename > hash.txt              # then put hash.txt in the folder with the source files
    md5sum -c hash.txt                      # compare the source files' hash values against hash.txt

Common security commands
    # find setuid programs owned by uid 0:
    find / -uid 0 -perm -4000
    # find files that others have write access to:
    find / -perm -o=w
    # find files whose names contain spaces or dots:
    find / -name " " -print
    find / -name ".." -print
    find / -name "." -print
    find / -name " " -print
    # find files that belong to no user:
    find / -nouser
    # find unlinked (deleted but still open) files:
    lsof +L1
    # get information about processes with open ports:
    lsof -i
    # look at the ARP table:
    arp -a
    # view all accounts:
    getent passwd
    # view all user groups:
    getent group
    # enumerate all users' crontabs
    # generate a random password:
    cat /dev/urandom | tr -dc 'a-zA-Z0-9_@#$%^&*()!{+}_|:?<>=' | fold -w 12 | head -n 4
    # make a file immutable so it cannot be modified:
    chattr +i filename
    # find all immutable files:
    find . | xargs -I file lsattr -a file 2>/dev/null | grep '^....i'

Prohibit root from logging in over ssh
    vi /etc/ssh/sshd_config                 # change "PermitRootLogin yes" to "PermitRootLogin no"
    service sshd restart                    # restart the sshd service

Prohibit non-wheel users from using su (Linux)
    An ordinary user can run "su -" and enter the correct root password to log in as root. To strengthen security, create an administrators group and allow only its members to run "su -" to become root. Under UNIX and Linux this group is usually named "wheel".
    Steps:
    usermod -G wheel dongee                 # add the ordinary user dongee to the wheel administrators group
    vi /etc/pam.d/su                        # find the line below and remove the leading "#"
    #auth required /lib/security/$ISA/pam_wheel.so use_uid
    echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

Code audit
    strings filename                        # check strings against the metadata and header information
    file filename                           # view the file's type information
    head filename                           # view the file header's information
    strings filename                        # output the ASCII strings in the file
    strings -n length filename | sort -u | less   # -n sets the minimum string length to match
    xxd filename                            # convert a file to hexadecimal
    In Vim, :%!xxd shows the file as a hex dump; only changes to the hex part are written back, edits to the text on the right are ignored:
    0000000: 1f8b 0808 39d7 173b 0203 7474 002b 4e49  ....9..;..tt.+NI
    0000010: 4b2c 8660 eb9c ecac c462 eb94 345e 2e30  K,.`.....b..4^.0
    0000020: 373b 2731 0b22 0ca6 c1a2 d669 1035 39d9  7;'1".....i.59.
    After reading and editing in Vim, :%!xxd -r converts it back to text; :%!xxd -g 1 switches to hex display with one byte per group.
    If you need a dedicated command-line hex editor, try hexedit. Graphical hex editors: ghex2, bless.
    hexdump -C <file>                       # browse a hex dump of the file
    upx -d filename                         # unpack a UPX-packed binary

Assembler / disassembler
    objdump -d filename > HuiBian.txt       # --disassemble: write the disassembled instructions to a file
    objdump -a filename                     # list the .o files an archive such as libevent.a contains, and their format
    nasm -f elf hello.asm                   # assemble hello.asm into hello.o
    ld -s -o hello hello.o                  # link to produce an executable
    ./hello                                 # run the program
    # NASM (the Netwide Assembler) is an assembler for the 80x86 and x86-64 platforms, designed for cross-platform assembly and modularity.
    nasm -f bin -o payload.bin payload.asm
    nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
    # assemble and link 32-bit and 64-bit code:
    nasm -f elf32 simple32.asm -o simple32.o
    ld -m elf_i386 simple32.o -o simple32
    nasm -f elf64 simple.asm -o simple.o
    ld simple.o -o simple

Compilation process
    Preprocessing: generates the .i file; handles directives beginning with #, expands macro definitions, deletes comments, adds line numbers, keeps #pragma directives
    Compilation: lexical, syntactic and semantic analysis, plus optimization
    Assembly: turns the assembly code into machine-executable instructions
    Linking: links the object and library files into an executable file
    gcc -E hello.c -o hello.i   or   cpp hello.c > hello.i        # preprocess
    gcc -S hello.i -o hello.s   or   gcc -S hello.c -o hello.s    # compile
    as hello.s -o hello.o       or   gcc -c hello.s -o hello.o    # assemble (gcc -c also accepts hello.c)
    ld -o hello hello.o                                           # link

Compiling and debugging with gcc and gdb
    gcc -ggdb -mpreferred-stack-boundary=2 -fno-stack-protector -o hello hello.c
    # -ggdb: generate extra debug information, useful when using gdb
    # -mpreferred-stack-boundary=2: use DWORD-sized stack alignment, which simplifies debugging
    # -fno-stack-protector: disable stack protection
    # -z execstack: enable an executable stack (disabled by default since gcc 4.1)
    gcc -static -o hello hello.c
    gdb -q ./hello
    (gdb) disass function_name              # show the assembly of a function
    (gdb) b function_name                   # set a breakpoint (no parentheses)
    (gdb) r                                 # run
    (gdb) set disassembly-flavor <intel|att>  # switch between Intel (NASM) and AT&T syntax
    (gdb) disassemble function_name         # disassemble the specified function

APK reversing
    classes.dex: the program code executed by the Dalvik virtual machine in Android
    apktool d test.apk output_folder_name
    dex2jar -v classes.dex                  # convert the dex file to a jar file (classes-dex2jar.jar)
    unzip classes-dex2jar.jar -d JAVA_CLASS
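As an added example, not from the original post or its cnblogs source, the script below runs the setuid, world-writable and odd-filename find checks and the md5sum -c baseline check from the list above against a constructed directory tree, so each check can be seen firing on a known input. It assumes a writable temp directory and that chmod u+s is honoured on files you own; the -nouser and chattr checks need root and are left out.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the page's
# find-based audit checks and the md5sum baseline check on a constructed
# directory tree. Assumes a writable temp dir and that chmod u+s sticks
# on files you own (the -nouser and chattr checks need root, so are skipped).

build_sample_tree() {                        # constructed test input
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/tmp"
    printf 'echo hi\n' > "$d/bin/helper"
    chmod 4755 "$d/bin/helper"               # setuid, the -perm -4000 case
    printf 'x\n' > "$d/tmp/scratch"
    chmod 0666 "$d/tmp/scratch"              # world-writable, the -perm -o=w case
    printf 'y\n' > "$d/tmp/ok.txt"
    : > "$d/bin/ "                           # file whose name is a single space
    printf '%s' "$d"
}

# The page's audit commands, scoped to one root directory instead of /
audit_tree() {
    root=$1
    echo "== setuid files =="
    find "$root" -type f -perm -4000
    echo "== world-writable files =="
    find "$root" -type f -perm -o=w
    echo "== names that are a single space =="
    find "$root" -name " " -print
}

# Baseline: hash every file in a folder into hash.txt, as the page describes
make_baseline() {
    ( cd "$1" && find . -type f ! -name hash.txt -exec md5sum {} + > hash.txt )
}

# Verify: md5sum -c returns non-zero if any file no longer matches hash.txt
check_baseline() {
    ( cd "$1" && md5sum -c hash.txt >/dev/null 2>&1 )
}
```

Run audit_tree on a real root to get the same three listings; check_baseline is the step to repeat later to detect a modified source file.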
4. Linux syslog service: /var/log/syslog