LSMS – Linux Security And Monitoring Scripts
This is a collection of security and monitoring scripts you can use to monitor your Linux installation for security-related events or for an investigation. Each script works on its own and is independent of the other scripts. The scripts can be set up to print out their results, send them to you via mail, or use AlertR as a notification channel.

Monitoring
If you want to use the scripts to monitor your Linux system constantly, you have to perform the following steps:
- Set up a notification channel that is supported by the scripts (currently printing out, mail, or AlertR).
- Configure the scripts that you want to run using the configuration files in the scripts/config/ directory.
- Execute start_search.py with the --init argument to initialize the scripts with the monitor_ prefix and let them establish a state of your system. However, this assumes that your system is currently uncompromised. If you are unsure of this, you should verify its current state.
- Set up a cron job as root user that executes start_search.py (e.g., 0 * * * * root /opt/LSMS/start_search.py to start the search hourly).

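
The initialization step above records a state of the system, which is why it assumes the system is uncompromised at that point. The following added example (not LSMS code; the function names and sample data are constructed for illustration) shows a baseline-and-compare check on passwd-style entries, where an account that already exists at initialization is never reported on later runs.

```python
# Added illustration (not LSMS code): baseline-then-compare monitoring of
# passwd-style entries. Function names and sample data are constructed.

def parse_passwd(text):
    """Map user name -> remaining fields of each passwd-style line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        entries[name] = rest
    return entries


def diff_state(baseline, current):
    """Return (added, removed, changed) user names relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if baseline[n] != current[n])
    return added, removed, changed


# Constructed sample: state recorded at initialization time.
INIT_STATE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:0:0::/home/svc:/bin/bash
"""

# Constructed sample: state seen on a later scheduled run.
LATER_STATE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
svc:x:0:0::/home/svc:/bin/bash
backup2:x:0:0::/root:/bin/bash
"""


def run_demo():
    """Compare the later state against the state recorded at initialization."""
    return diff_state(parse_passwd(INIT_STATE), parse_passwd(LATER_STATE))


if __name__ == "__main__":
    added, removed, changed = run_demo()
    # "svc" (UID 0) existed at initialization, so it appears in no list.
    print("added:", added, "removed:", removed, "changed:", changed)
```
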
List of Scripts
| Name | Script |
|---|---|
| Monitoring cron files | monitor_cron.py |
| Monitoring /etc/hosts file | monitor_hosts_file.py |
| Monitoring /etc/ld.so.preload file | monitor_ld_preload.py |
| Monitoring /etc/passwd file | monitor_passwd.py |
| Monitoring modules | monitor_modules.py |
| Monitoring SSH authorized_keys files | monitor_ssh_authorized_keys.py |
| Monitoring systemd unit files | monitor_systemd_units.py |
| Search executables in /dev/shm | search_dev_shm.py |
| Search fileless programs (memfd_create) | search_memfd_create.py |
| Search hidden ELF files | search_hidden_exe.py |
| Search immutable files | search_immutable_files.py |
| Search kernel thread impersonations | search_non_kthreads.py |
| Search processes that were started by a now disconnected SSH session | search_ssh_leftover_processes.py |
| Search running deleted programs | search_deleted_exe.py |
| Test script to check if alerting works | test_alert.py |
| Verify integrity of installed .deb packages | verify_deb_packages.py |

