The purpose of this tool is to quickly gather and analyze Linux endpoint data to assess its security posture and check for evidence of malicious activity or compromise.
In this context, a baseline is a snapshot of the device's current running state and configurations. Regularly capturing a baseline of each device in a networked environment allows a security analyst or administrator to track changes over time and investigate unexpected deviations when they are found.
This Linux baseline capability consists of three separate tools:
- baseline.sh - Standalone baseline script, written in BASH
- get-baseline.sh - Deployment script (uses SSH)
- parse-baseline.sh - Parsing/Comparison script that lets you compare output files
## baseline.sh

- Collects baseline data for Linux hosts (supports all major flavors of Linux)
- Checks for common indicators of compromise
- Produces an output file which can be parsed with the parse-baseline.sh script
- Some of the commands run in this script will only resolve in certain flavors of Linux
- Recommend commenting out any lines that are irrelevant, cause issues, or do not resolve
- Note: Should be executed with root privileges in order to gather all of the required data
- No longer required to edit the interface name
- Redirects both STDOUT and STDERR to the results file
- Outputs the location of the results file when complete
- Removed redundant commands
- Removed deprecated commands (e.g. arp)
- Collects uptime and system environment variables

Usage:

```sh
$ chmod +x baseline.sh
$ sudo ./baseline.sh
```

Output file:

```
./<ip address>_YYYYMMDD_HHMMSSZ.txt
```
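A minimal collector in the same spirit as baseline.sh, added here as an example (it is not the project's script): each command's stdout and stderr are captured under a marker line, the whole run is redirected into a `<label>_YYYYMMDD_HHMMSSZ.txt` file, a warning is raised when not running as root, and the path of the results file is the only thing printed to the terminal. The `##### <command>` marker format, the command list and the function names are assumptions of this example, not the tool's own output format.

```sh
#!/bin/sh
# Added example collector (not the project's baseline.sh).
# Assumption: each section is introduced by a "##### <command>" marker line;
# this convention is the example's own, not the real tool's output format.
set -u

# Commands to capture, one per line. A command that is missing on a given
# distribution simply records its error text, matching the README's note that
# some commands only resolve on certain flavors of Linux.
BASELINE_CMDS='uname -a
uptime
id
env
ps -eo pid,ppid,user,comm
ip -brief address
ss -tulpn'

# Run one command, capturing stdout and stderr together under its marker line.
baseline_section() {
  printf '##### %s\n' "$1"
  # The command string is intentionally word-split so "ss -tulpn" runs as-is.
  $1 2>&1 || printf '[command exited with status %s]\n' "$?"
  printf '\n'
}

# Collect every section into <outdir>/<label>_YYYYMMDD_HHMMSSZ.txt and print
# the path of the results file on stdout.
baseline_collect() {
  outdir="${1:-.}"
  label="${2:-$(hostname 2>/dev/null || echo localhost)}"
  stamp="$(date -u +%Y%m%d_%H%M%SZ)"
  out="$outdir/${label}_$stamp.txt"
  mkdir -p "$outdir"
  # Warn rather than abort: a partial baseline is still useful, but the analyst
  # should know that process owners, socket owners and similar data will be incomplete.
  if [ "$(id -u 2>/dev/null || echo 1)" -ne 0 ]; then
    echo "warning: not running as root; some data will be incomplete" >&2
  fi
  {
    printf '# baseline of %s collected %s\n\n' "$label" "$stamp"
    printf '%s\n' "$BASELINE_CMDS" | while IFS= read -r cmd; do
      baseline_section "$cmd"
    done
  } >"$out" 2>&1
  printf '%s\n' "$out"
}

# Quick integrity check: number of command sections in a results file.
baseline_section_count() {
  grep -c '^##### ' "$1"
}

# Run the collector only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  baseline_collect "${2:-.}"
fi
```

Invoke it as `sudo ./collect.sh --run /var/tmp/baselines` to write the snapshot into a directory of your choice; the printed path is what you later hand to the comparison step.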
## get-baseline.sh

- Deploys the baseline.sh script to the remote host
- Executes the script on the remote host
- Returns the results to a local directory
- Removes artifacts from the remote host
- Works best when shared SSH keys are utilized
- Note: For this to work, ensure that you have the correct IP in the field below, and ensure that baseline.sh is in your current working directory. If the device is not integrated into LDAP, you will have to change the `$ip` variable to `@ip` for it to work.
- First, modify line 48 of the script and set the IP(s) you want to collect data from. Multiple IP addresses should be separated by a single space.

```sh
$ vi get-baseline.sh
# Once the file opens, type ':48' to place the cursor on line 48
# Press 'i' to enter INSERT mode
# When finished editing, press Esc and type ':wq' to save and quit
```

- Next, set the execute permission for the script and execute it

```sh
$ chmod +x get-baseline.sh
$ ./get-baseline.sh
```

- The collected results will be saved to a folder in the local directory labeled `results`.
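The deploy, execute, fetch and clean-up cycle described above, written out as an added example (this is not the project's get-baseline.sh). Everything below is an assumption of the example: `HOSTS` holds the space-separated IP list instead of an edit on line 48, `REMOTE_USER` is left unset when the remote account matches the local one (the LDAP case) and set when a `user@ip` target is needed, results land under `./results/<ip>/`, and `DRY_RUN=1` prints the planned ssh/scp commands instead of running them so the deployment can be reviewed before any host is touched.

```sh
#!/bin/sh
# Added example of the deploy / execute / fetch / clean-up cycle that
# get-baseline.sh performs; this is not the project's script.
# Assumptions of the example: HOSTS is a space-separated IP list, REMOTE_USER is
# optional (unset when the remote account matches the local one, e.g. via LDAP),
# results land under ./results/<ip>/, and DRY_RUN=1 prints the commands instead
# of running them.
set -u

HOSTS="${HOSTS:-192.0.2.10 192.0.2.11}"   # constructed sample addresses (RFC 5737 documentation range)
REMOTE_USER="${REMOTE_USER:-}"
DRY_RUN="${DRY_RUN:-0}"

# ssh/scp target: a bare IP when local and remote accounts match, user@IP otherwise.
remote_target() {
  if [ -n "$REMOTE_USER" ]; then
    printf '%s@%s\n' "$REMOTE_USER" "$1"
  else
    printf '%s\n' "$1"
  fi
}

# Execute a command, or print it when DRY_RUN=1, so the deployment is auditable.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY: %s\n' "$*"
  else
    "$@"
  fi
}

# One host: stage the script in a private remote directory, run it as root,
# pull the results file back, then remove everything staged on the remote side.
collect_host() {
  ip="$1"
  target="$(remote_target "$ip")"
  rdir="/tmp/baseline.$$"
  if [ ! -f baseline.sh ]; then
    echo "baseline.sh not found in $(pwd)" >&2
    return 1
  fi
  mkdir -p "results/$ip"
  run ssh "$target" "mkdir -p $rdir" &&
    run scp -q baseline.sh "$target:$rdir/" &&
    run ssh "$target" "cd $rdir && sudo ./baseline.sh" &&
    run scp -q "$target:$rdir/*.txt" "results/$ip/" &&
    run ssh "$target" "rm -rf $rdir"
}

# Every host in HOSTS; a failure on one host does not stop the others.
# Returns the number of hosts that failed.
collect_all() {
  failed=0
  for h in $HOSTS; do
    collect_host "$h" || { echo "collection failed for $h" >&2; failed=$((failed + 1)); }
  done
  return "$failed"
}

# Only run the sweep when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  collect_all
fi
```

Run `DRY_RUN=1 HOSTS="10.0.0.5" ./deploy.sh --run` first to see the exact command sequence, then drop `DRY_RUN` for the real sweep; with shared SSH keys and passwordless sudo on the targets the whole loop runs unattended.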
## parse-baseline.sh

- Splits files created by the baseline.sh script by command
- If a second filename is supplied, compares the two files
- Reduces analytical time by allowing you to quickly identify changes over time

Usage:

```sh
$ chmod +x parse-baseline.sh
$ ./parse-baseline.sh file1
$ ./parse-baseline.sh file1 file2
```

Output:

```
./<ip address>/<date>/
./<ip address>/parse_baseline_YYYYMMDD_HHMMSSZ.txt
./<ip address>/parse_summary_YYYYMMDD_HHMMSSZ.txt
```
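A parse-and-compare routine in the spirit of parse-baseline.sh, added here as an example (not the project's script). It assumes the results file places a `##### <command>` marker line in front of each command's output (the example's own convention; the real tool's file format may differ), splits one file into per-command files, and reports each command as unchanged, changed, added or removed between two snapshots, printing a diff only for the sections that moved. The two sample snapshots are constructed inline so the example runs offline.

```sh
#!/bin/sh
# Added example parser/comparer (not the project's parse-baseline.sh).
# Assumption: every command's output in a results file is preceded by a
# "##### <command>" marker line; this is the example's own convention.
set -u

# Section names, in file order.
section_names() {
  sed -n 's/^##### //p' "$1"
}

# Body of one section: the lines after its marker up to the next marker.
section_body() {
  awk -v want="$2" '
    /^##### / { cur = substr($0, 7); next }
    cur == want { print }
  ' "$1"
}

# Split a results file into <outdir>/NN_<command>.txt, one file per command,
# and print how many files were written.
split_baseline() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /^##### / {
      if (out != "") close(out)
      n++
      name = substr($0, 7)
      gsub(/[^A-Za-z0-9]+/, "_", name)
      out = sprintf("%s/%02d_%s.txt", dir, n, name)
      print > out
      next
    }
    out != "" { print > out }
  ' "$1"
  set -- "$2"/*
  echo "$#"
}

# Compare two results files command by command. Prints one status line per
# command (unchanged / changed / added / removed) and an indented diff for
# changed sections, so the analyst reviews only what moved between snapshots.
compare_baselines() {
  { section_names "$1"; section_names "$2"; } | awk '!seen[$0]++' |
  while IFS= read -r name; do
    if ! grep -qxF "##### $name" "$1"; then
      echo "added: $name"
    elif ! grep -qxF "##### $name" "$2"; then
      echo "removed: $name"
    elif [ "$(section_body "$1" "$name")" = "$(section_body "$2" "$name")" ]; then
      echo "unchanged: $name"
    else
      echo "changed: $name"
      t1="$(mktemp)"; t2="$(mktemp)"
      section_body "$1" "$name" >"$t1"
      section_body "$2" "$name" >"$t2"
      diff "$t1" "$t2" | sed 's/^/    /'
      rm -f "$t1" "$t2"
    fi
  done
}

# Number of commands whose output differs between the two files (0 = no drift).
count_changes() {
  compare_baselines "$1" "$2" | grep -cE '^(changed|added|removed): ' || true
}

# Constructed sample snapshots (not real output) so the example runs offline:
# the second snapshot gains a listener and a cron entry and loses the "id" section.
make_samples() {
  mkdir -p "$1"
  printf '# baseline of host-a\n\n##### uname -a\nLinux host-a 5.15.0 x86_64\n\n##### ss -tulpn\ntcp LISTEN 0.0.0.0:22\n\n##### id\nuid=0(root)\n\n' >"$1/old.txt"
  printf '# baseline of host-a\n\n##### uname -a\nLinux host-a 5.15.0 x86_64\n\n##### ss -tulpn\ntcp LISTEN 0.0.0.0:22\ntcp LISTEN 0.0.0.0:8080\n\n##### crontab -l\n0 3 * * * /usr/local/bin/backup.sh\n\n' >"$1/new.txt"
}

if [ "${1:-}" = "--demo" ]; then
  make_samples ./samples
  split_baseline ./samples/old.txt ./samples/old_split
  compare_baselines ./samples/old.txt ./samples/new.txt
fi
```

`./parse.sh --demo` writes the samples, splits the older one into `./samples/old_split/01_uname_a.txt` and so on, and prints the comparison; `count_changes` is the number an alerting job would threshold on, since any non-zero result means the host drifted from its last baseline.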