TuxResponse – Linux Incident Response

TuxResponse is an incident response script for Linux systems written in bash. It automates incident response activities on Linux systems and lets you triage a system quickly without compromising the results.

Usually corporate systems have some kind of monitoring and control, but there are exceptions due to shadow IT and non-standard images deployed in corporate environments. What would otherwise take typing ten commands with trial and error can be done at the press of a button.


Tested on:

  • Ubuntu 14+
  • CentOS 7+

Primary purpose:

  • Take advantage of built-in tools and functionality in Linux (tools like dd, awk, grep, cat, netstat, etc.)
  • Reduce the number of commands an incident responder needs to remember and use in a response scenario.
  • Automation

External tools in the package:

  • LiME
  • Exif
  • chkrootkit
  • Yara + Linux scanning rules (needs network to fetch the repo)

Functionality of the framework includes:

  1. Live Response (Footprint System, File System Tools, YARA, chkrootkit, ExifTool, Network Connections Analysis, List users connected to the system, Check bash history file, Collect Evidence of Persistence, Dump All Logs (/var/log)).
  2. Connect To Target – use SSH to transfer the script and analyze a remote system.
  3. Take Memory Dump (LiME LKM)
  4. Take Disk Image (dd)
  5. Generate HTML Report
  6. Install Software Dependencies: Yara and rules, ExifTool, Init check, chkrootkit, LiME.
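To make the "built-in tools only" idea and the Live Response item concrete, here is an added example of a minimal live-response collector written for this page; it is not TuxResponse's own code. It uses only stock Linux commands (uname, who, last, ss/netstat, ps, crontab, tar) and records an exit code and a SHA-256 hash for every artefact so the evidence can be verified afterwards. The output directory layout, the file names, the `collected_count` helper and the `TRIAGE_RUN` switch are this example's own conventions; run it as root for full coverage.

```shell
#!/usr/bin/env bash
# Added example: a minimal live-response collector in the spirit of TuxResponse,
# built only from stock Linux commands. It is not the project's code; the output
# layout, file names and the TRIAGE_RUN switch are this example's own.
set -u

# Hash a file with whatever SHA-256 tool the host provides (assumption: one of
# these exists; otherwise a marker line is written so the gap stays visible).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else echo "no-hash-tool  $1"; fi
}

# collect OUTDIR NAME CMD [ARGS...]
# Runs CMD if it is installed, saves stdout+stderr to OUTDIR/NAME.txt and
# records the exit code plus a hash. It never aborts the run: a missing tool
# or a non-zero exit is logged and collection continues with the next item.
collect() {
    local outdir="$1" name="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "skipped $name: $1 not installed" >> "$outdir/collection.log"
        return 0
    fi
    local rc=0
    "$@" > "$outdir/$name.txt" 2>&1 || rc=$?
    hash_file "$outdir/$name.txt" >> "$outdir/hashes.sha256"
    echo "collected $name (exit $rc)" >> "$outdir/collection.log"
}

# triage [OUTDIR] -> prints the directory holding the collected artefacts.
triage() {
    local outdir="${1:-/tmp/triage-$(uname -n)-$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$outdir"
    : > "$outdir/collection.log"
    : > "$outdir/hashes.sha256"

    # Footprint the system
    collect "$outdir" footprint      uname -a
    collect "$outdir" uptime         uptime
    collect "$outdir" os_release     cat /etc/os-release
    # Who is (and was) connected
    collect "$outdir" logged_in      who
    collect "$outdir" login_history  last -a
    # Network connections and listening sockets (ss first, netstat as legacy fallback)
    collect "$outdir" sockets        ss -tunap
    collect "$outdir" sockets_legacy netstat -tunap
    # Process tree
    collect "$outdir" processes      ps auxwwf
    # Shell history of every account that has one
    collect "$outdir" bash_history   sh -c \
        'for h in /root/.bash_history /home/*/.bash_history; do
             [ -r "$h" ] && { echo "== $h"; cat "$h"; }; done; exit 0'
    # Common persistence locations: cron, init/systemd units, per-user crontabs
    collect "$outdir" persistence    sh -c \
        'ls -la /etc/cron* /etc/rc*.d /etc/systemd/system /etc/init.d 2>/dev/null
         for u in $(cut -d: -f1 /etc/passwd); do
             crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done; exit 0'
    # Logs: archive /var/log as-is rather than parsing it on the live host
    if command -v tar >/dev/null 2>&1; then
        tar -C / -czf "$outdir/var_log.tgz" var/log 2>>"$outdir/collection.log" \
            || echo "var_log: tar exited non-zero (archive may be partial)" >> "$outdir/collection.log"
    fi
    echo "$outdir"
}

# Number of artefacts actually gathered, for a quick sanity check after a run.
collected_count() {
    grep -c '^collected' "$1/collection.log"
}

# Run only when explicitly asked, so the file can also be sourced by other scripts.
if [ "${TRIAGE_RUN:-0}" = 1 ]; then
    dir=$(triage "${1:-}")
    echo "triage complete: $dir ($(collected_count "$dir") artefacts)"
fi
```

Usage: `sudo env TRIAGE_RUN=1 bash triage.sh /mnt/usb/case-001` writes the artefacts to the given directory (or a timestamped one under /tmp if none is given); `sha256sum -c case-001/hashes.sha256` later confirms nothing was altered. Tools that are missing on a non-standard image are logged as skipped rather than stopping the run, which is exactly the shadow-IT situation described above, and `collection.log` shows at a glance which commands did and did not produce evidence.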

You can read more and download this tool over here: https://github.com/la3ar0v/TuxResponse
