Comprehensive Linux Intrusion Detection Checklist: Accounts, Logs, Processes, and Files
This guide outlines a step‑by‑step Linux intrusion detection workflow, covering account audits, log inspection, process examination, file integrity checks, scheduled task reviews, and command‑history analysis to help identify potential compromises.
Check Accounts
Inspect the system for newly created users, accounts with UID or GID 0 (root privileges), and users with empty passwords. Identify which accounts have root rights and examine the modification dates of user files.
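The account checks above, as an added worked example (not code from the article or its author): POSIX sh functions that pull UID/GID 0 accounts, empty-password accounts and login-capable regular accounts out of passwd/shadow-format text. The sample file contents are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit passwd/shadow content for privileged and passwordless accounts.
# Sample data below is constructed for illustration; on a live host feed the real
# files in (see usage at the bottom).

# Constructed /etc/passwd content: "sysadm" is a second UID 0 account hiding in the list
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0:sysadm:/var/tmp:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# Constructed /etc/shadow content: "sysadm" has an empty password field
SAMPLE_SHADOW='root:$6$abc$hash1:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$abc$hash2:19000:0:99999:7:::
sysadm::19000:0:99999:7:::
bob:!:19000:0:99999:7:::'

# Accounts other than root whose UID (field 3) or GID (field 4) is 0
privileged_accounts() {
    printf '%s\n' "$1" | awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }'
}

# Accounts whose hashed-password field (field 2) is empty: login needs no password at all
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Regular accounts (UID >= 1000) with a real login shell; compare this list
# against the users you expect to exist on the host
login_capable_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Summary report over passwd text ($1) and shadow text ($2)
account_report() {
    echo "UID/GID 0 accounts besides root:";   privileged_accounts "$1"
    echo "Accounts with empty password field:"; empty_password_accounts "$2"
    echo "Login-capable regular accounts:";     login_capable_accounts "$1"
}

# Run against the constructed samples
account_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a live host, run `account_report "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)"`; for the modification-date check mentioned above, `stat -c '%y %n' /etc/passwd /etc/shadow /etc/group /etc/sudoers` shows when each account file last changed.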
Check Logs
System logs are crucial for security auditing; they record daily events and can reveal error causes or attacker footprints. Use them to audit and monitor system status, trace intrusions, and verify recent activity.
View the last 10 lines of relevant logs.
Check recent updates and system events.
List all open ports.
Review recent user login times.
Check failed login attempts.
Inspect the previous login record of each user.
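The login-related log checks above, as an added worked example (not the article's own code): POSIX sh functions that triage sshd entries in auth-log format for failed attempts per source, successful logins, and sources that failed and also succeeded. The log lines are constructed for the demo and the addresses are documentation ranges; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage sshd entries from an auth log. The lines below are constructed;
# on a live host feed in /var/log/auth.log (or /var/log/secure) or `journalctl -u ssh`.

SAMPLE_AUTH_LOG='May  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4410 ssh2
May  3 10:01:15 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
May  3 10:01:18 host sshd[1203]: Failed password for root from 203.0.113.5 port 4412 ssh2
May  3 10:02:01 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 5022 ssh2
May  3 10:05:44 host sshd[1220]: Failed password for root from 192.0.2.9 port 6001 ssh2
May  3 10:06:00 host sshd[1225]: Accepted publickey for root from 203.0.113.5 port 4500 ssh2'

# Failed password attempts per source address, most frequent first: "count address"
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd.*Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Successful logins: "user address method" (method is the word after "Accepted")
successful_logins() {
    printf '%s\n' "$1" | awk '
        /sshd.*Accepted/ {
            for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") a = $(i+1) }
            print u, a, $7
        }'
}

# Sources that both failed and succeeded: the classic guess-then-login pattern
failed_then_accepted_sources() {
    printf '%s\n' "$1" | awk '
        /sshd.*Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i+1)] = 1 }
        /sshd.*Accepted/        { for (i = 1; i <= NF; i++) if ($i == "from") ok[$(i+1)] = 1 }
        END { for (s in ok) if (s in fail) print s }'
}

login_report() {
    echo "Failed attempts by source:";            failed_logins_by_source "$1"
    echo "Successful logins (user addr method):"; successful_logins "$1"
    echo "Sources that failed and then got in:";  failed_then_accepted_sources "$1"
}

login_report "$SAMPLE_AUTH_LOG"
```

For the remaining items in the list, the stock tools are `tail -n 10 /var/log/auth.log` (last lines of a log), `last` and `lastlog` (recent and previous login per user), `lastb` (failed logins from btmp), and `ss -tulpn` (open ports with the owning process).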
Check Processes
List all running processes, paying special attention to those with UID 0.
Examine files opened by a specific process using its PID (e.g., lsof -p PID).
Inspect files associated with daemon processes.
Check startup processes that run at boot.
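The process checks above, as an added worked example (not code from the article): POSIX sh functions that triage a `ps -eo pid,uid,comm,args` style listing for UID 0 processes, root processes outside an expected set, processes started from scratch directories, and processes named like kernel threads but backed by a file on disk. The listing and the "expected root daemons" baseline are constructed assumptions for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage a process listing. The listing below is constructed to look
# like `ps -eo pid,uid,comm,args` output; on a live host pipe the real output in.
# ROOT_BASELINE is a demo value; replace it with the host's known-good daemon set.

SAMPLE_PS='  PID   UID COMMAND         COMMAND
    1     0 systemd         /sbin/init
   15     0 kworker/0:1     [kworker/0:1]
  412     0 sshd            /usr/sbin/sshd -D
  655   108 nginx           nginx: worker process
 1337     0 kworker/u8:2    /dev/shm/.x/kworker -p 4444
 2001  1000 bash            -bash
 2090     0 cron            /usr/sbin/cron -f
 2404     0 sh              /tmp/.update.sh'

# Assumed baseline of root-owned daemons expected on this host (demo value)
ROOT_BASELINE='systemd sshd cron'

# All processes running as UID 0: "pid comm" (NR > 1 skips the ps header)
root_processes() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == 0 { print $1, $3 }'
}

# UID 0 processes whose command name is not in the baseline, ignoring genuine
# kernel threads (ps prints their args in square brackets)
unexpected_root_processes() {
    printf '%s\n' "$1" | awk -v baseline="$ROOT_BASELINE" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        NR > 1 && $2 == 0 && !($3 in ok) && $4 !~ /^\[/ { print $1, $3, $4 }'
}

# Processes whose executable path lies in a world-writable scratch directory
processes_from_scratch_dirs() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1 }'
}

# Processes named like kernel threads but started from a userland path; genuine
# kernel threads have no executable path, so a real path here is a masquerade
kernel_thread_lookalikes() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^(kworker|kthreadd|ksoftirqd|migration)/ && $4 !~ /^\[/ { print $1 }'
}

process_report() {
    echo "Root processes (pid comm):";          root_processes "$1"
    echo "Root processes outside baseline:";    unexpected_root_processes "$1"
    echo "Processes running from scratch dirs:"; processes_from_scratch_dirs "$1"
    echo "Kernel-thread lookalikes:";           kernel_thread_lookalikes "$1"
}

process_report "$SAMPLE_PS"
```

On a live host: `process_report "$(ps -eo pid,uid,comm,args)"`. For a flagged PID, `lsof -p PID` lists its open files, `ls -l /proc/PID/exe` shows the binary it was started from (a `(deleted)` suffix means the file was removed after launch), and `ls -l /proc/PID/cwd` its working directory. Boot-time startup is covered by `systemctl list-unit-files --state=enabled` and the contents of `/etc/rc*.d` and `/etc/init.d`.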
Check System Files
Identify modified or suspicious files on the system. Compromised servers often have altered files; compare creation times, integrity hashes, and file paths.
Search for files owned by the root user.
Locate files larger than 10 MB, which may indicate hidden payloads.
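The file checks above, as an added worked example (not the article's own code): `find`-based functions for large, setuid, recently modified and root-owned files, plus a SHA-256 baseline that is recorded once and re-verified later to catch altered files. The directory tree is constructed inside a temporary directory so nothing on the real system is touched; it assumes GNU findutils and coreutils (`find`, `sha256sum`, `dd`), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: file-level checks run against a constructed directory tree, plus a
# hash-baseline workflow. Everything lives under $WORK (a temp path created here).

WORK="${TMPDIR:-/tmp}/fs-audit-demo.$$"

# Create the constructed tree: a small script, an 11 MB blob, and a setuid file
make_sample_tree() {
    mkdir -p "$WORK/bin" "$WORK/lib"
    echo 'echo hello' > "$WORK/bin/hello.sh"
    dd if=/dev/zero of="$WORK/lib/blob.dat" bs=1048576 count=11 2>/dev/null
    echo 'echo helper' > "$WORK/bin/helper"
    chmod 4755 "$WORK/bin/helper"
}

# Files beneath $1 larger than $2 (find size syntax, e.g. 10M)
large_files() { find "$1" -type f -size "+$2"; }

# Setuid or setgid files beneath $1: worth a look because they run with the
# owner's or group's privileges regardless of who invokes them
setuid_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \); }

# Files beneath $1 modified within the last $2 minutes
recently_modified() { find "$1" -type f -mmin "-$2"; }

# Root-owned files beneath $1 (meaningful on a live host; the demo tree is user-owned)
root_owned_files() { find "$1" -type f -user root; }

# Record a SHA-256 baseline of every file beneath $1 into the file $2 (absolute path)
record_baseline() { ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"; }

# Re-check $1 against baseline $2 and print the relative paths whose hash changed
verify_baseline() {
    ( cd "$1" && sha256sum -c "$2" 2>/dev/null ) | awk -F': ' '$NF == "FAILED" { print $1 }'
}

# Demo run: build the tree, report, record a baseline, alter a file, re-verify, clean up
make_sample_tree
echo "Files over 10 MB:";           large_files "$WORK" 10M
echo "Setuid/setgid files:";         setuid_files "$WORK"
echo "Modified in last 60 minutes:"; recently_modified "$WORK" 60
record_baseline "$WORK" "$WORK.baseline"
echo 'echo changed' >> "$WORK/bin/hello.sh"
echo "Changed since baseline:";      verify_baseline "$WORK" "$WORK.baseline"
rm -rf "$WORK" "$WORK.baseline"
```

On a live host the same functions apply to real paths, for example `large_files / 10M`, `setuid_files /usr`, `recently_modified /etc 1440`, and a baseline of `/usr/bin` and `/etc` recorded while the system is known good and kept off the host, so that `verify_baseline` later lists exactly the files an intruder altered.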
Check Scheduled Tasks
Review root's cron jobs and other scheduled tasks for suspicious entries.
Inspect the configuration files of scheduled tasks.
Check Command History
Examine each user's .bash_history file or use the history command to uncover previously executed commands that may indicate malicious activity.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)