Native Linux Incident Response: Evidence Collection Without Third-Party Tools

Background: Incident response, from the perspective of budgeting and complexity, is not necessarily easy. However, today's built-in tooling provides capabilities that reduce the need for significant spending on tool purchases. This is largely because community contributors continuously create out-of-the-box tools, in addition to the components already available within operating systems. Linux, for example, offers a variety of built-in tools for log collection while keeping the impact on asset availability minimal. Third-party tools, by contrast, can conflict with antivirus software and other configurations, which may ultimately affect asset availability.


journalctl - reads the system journal (syslog) and, via a pipe, its output can be sent to any external server: journalctl -xe | curl -T - ftp://***


ps - shows the running processes and their parent/child tree with ps aux --forest


tcpdump - captures the ongoing network connections so the capture can be sent to an external location for analysis


crontab - helps detect persistence set up through scheduled jobs


dmesg - retrieves the kernel logs (the kernel ring buffer)


By connecting these components into a unified workflow, logs are collected without impacting the availability of the environment. Secondly, the integrity of the environment remains intact. Lastly, no third-party, untested tools are needed.
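The following script is an added example, not code from the original article; it strings the five native tools above into one collection run and covers the integrity point with a SHA-256 manifest. It assumes only coreutils (sha256sum, timeout, uname, id) and tolerates any of journalctl, ps, crontab, dmesg or tcpdump being absent or denied, recording that fact instead of aborting. The capture duration argument and the EVIDENCE_URL placeholder used in the comment are assumptions, not something the article specifies.

```shell
#!/bin/sh
# Native Linux evidence collection: one function per step described above,
# plus a SHA-256 manifest so later tampering with the collected files is
# detectable. Added example; uses only tools present in a base install.

# run_collector NAME OUTFILE CMD...
# Runs CMD if its binary exists; otherwise records that it was unavailable.
# A denied command (e.g. dmesg under kernel.dmesg_restrict) is recorded
# with its exit status rather than stopping the whole collection.
run_collector() {
    name=$1; out=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || echo "[$name exited with status $?]" >>"$out"
    else
        echo "[$name not available on this host]" >"$out"
    fi
}

# collect_evidence OUTDIR [CAPTURE_SECONDS]
# Writes every artefact into OUTDIR and finishes with MANIFEST.sha256.
collect_evidence() {
    outdir=$1
    capture_seconds=${2:-30}   # assumed default; bounds the tcpdump run
    mkdir -p "$outdir"

    # Provenance of the collection itself: when, where and as whom it ran.
    {
        echo "collected_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "host: $(uname -n)"
        echo "kernel: $(uname -sr)"
        echo "collector_uid: $(id -u)"
    } >"$outdir/collection_info.txt"

    # Volatile state first: process tree and kernel ring buffer change fastest.
    run_collector ps       "$outdir/ps_forest.txt"    ps aux --forest
    run_collector dmesg    "$outdir/dmesg.txt"        dmesg
    run_collector journal  "$outdir/journal.txt"      journalctl -xe --no-pager
    # Scheduled-job persistence for the collecting user; system-wide jobs
    # live under /etc/cron* and are copied separately if needed.
    run_collector crontab  "$outdir/crontab_user.txt" crontab -l

    # Packet capture needs root and a bounded duration so the run terminates.
    if [ "$capture_seconds" -gt 0 ] && [ "$(id -u)" -eq 0 ] \
        && command -v tcpdump >/dev/null 2>&1; then
        timeout "$capture_seconds" tcpdump -i any -nn \
            -w "$outdir/capture.pcap" >/dev/null 2>&1 || true
    else
        echo "[tcpdump skipped: needs root, a duration > 0 and the binary]" \
            >"$outdir/capture.txt"
    fi

    # Integrity: hash every artefact so the set can be verified after transfer.
    (
        cd "$outdir" || exit 1
        : >MANIFEST.sha256
        for f in *; do
            if [ "$f" != MANIFEST.sha256 ]; then
                sha256sum "$f" >>MANIFEST.sha256
            fi
        done
    )
}

# verify_evidence OUTDIR: returns non-zero if any artefact no longer matches.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# package_evidence OUTDIR: tars the directory for shipping; prints the path.
# The archive can then be pushed with the same pipe idea as the journalctl
# line above, e.g. curl -T "$archive" "$EVIDENCE_URL" (placeholder URL).
package_evidence() {
    archive="$1.tar.gz"
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$archive"
}

# Usage: sh collect.sh collect /tmp/case-001 30 ; sh collect.sh verify /tmp/case-001
if [ "${1:-}" = "collect" ]; then
    collect_evidence "$2" "${3:-30}" && package_evidence "$2"
elif [ "${1:-}" = "verify" ]; then
    verify_evidence "$2"
fi
```

Verify the manifest again after the archive has been transferred; a mismatch on any line means that file is no longer what was collected.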