Essential Linux Security Checklist: 11 Steps to Detect Compromise

1. Check Accounts

# less /etc/passwd

# grep :0: /etc/passwd

# ls -l /etc/passwd

# awk -F: '$3==0 {print $1}' /etc/passwd

# awk -F: 'length($2)==0 {print $1}' /etc/shadow

2. Check Logs # last Note: look for "entered promiscuous mode", error messages, and RPC logs with unusually long or garbled entries.

3. Check Processes

# ps -aux

# lsof -p <pid>

# cat /etc/inetd.conf | grep -v '^#'

Check for hidden processes:

# ps -ef | awk '{print $1}' | sort -n | uniq >1

# ls /proc | sort -n | uniq >2

# diff 1 2

4. Check Files

# find / -uid 0 -perm -4000 -print

# find / -size +10000k -print

# find / -name "*" -print

Watch for SUID files, large (>10 MB) or oddly named files, and core dumps: # find / -name core -exec ls -l {} \; Verify package ownership:

# rpm -qf /bin/ls

# rpm -qf /bin/login

Compute checksums:

# md5sum -b <filename>

# md5sum -t <filename>

5. Check RPM Integrity # rpm -Va Output flags:

S – file size differs

M – mode (permissions) differs

5 – MD5 sum differs

D – device number mismatch

L – readlink path mismatch

U – user ownership differs

G – group ownership differs

T – modification time differs

Pay special attention to binaries in /sbin, /bin, /usr/sbin, and /usr/bin.

6. Check Network

# ip link | grep PROMISC

# lsof -i

# netstat -nap

# arp -a

7. Check Scheduled Tasks

Watch for root or UID‑0 cron jobs:

# crontab -u root -l

# cat /etc/crontab

# ls /etc/cron.*

8. Check Backdoors

# cat /etc/crontab

# ls /var/spool/cron/

# cat /etc/rc.d/rc.local

# ls /etc/rc.d

# ls /etc/rc3.d

# find / -type f -perm 4000

9. Check Kernel Modules # lsmod 10. Check System Services

# chkconfig

# rpcinfo -p

11. Check for Rootkits

# rkhunter -c

# chkrootkit -q