Linux Threat Mitigation and Incident Remediation (Hardened Edition)
This skill provides a structured, forensically aware framework for analyzing and securing a Linux host during or after a security event.
It emphasizes:
- Non-destructive evidence collection
- Accurate threat detection
- Firewall-aware containment
- Integrity verification
- Controlled, reversible remediation
- Distribution-aware command usage
Environment Context
Supported Systems
- Debian / Ubuntu
- RHEL / CentOS / Rocky / Alma
- Fedora
- Arch Linux (limited package guidance)
Execution Assumptions
- Shell: `bash` or POSIX `sh`
- Privilege: root or sudo
- Host-level access (NOT container-restricted environments)
- systemd-based systems preferred
⚠️ If running inside Docker, Kubernetes, LXC, or other containers, firewall, audit, and service commands may not reflect the host system.
Firewall Architecture Awareness
Modern Linux systems may use:
- `iptables-legacy`
- `iptables-nft` (compatibility wrapper)
- Native `nftables`
- `firewalld` (RHEL-family default)
Identify Firewall Backend
```bash
iptables --version   # reports "(legacy)" or "(nf_tables)" for the active backend
which nft
systemctl status firewalld
```
If nftables is active:
```bash
nft list ruleset
```
Do NOT assume `iptables -L` represents the full firewall state.
Logging Differences by Distribution
| Distribution | Primary Log File |
|---|---|
| Ubuntu/Debian | /var/log/syslog |
| RHEL/CentOS/Fedora | /var/log/messages |
| All modern systemd | journalctl |
Always prefer:
```bash
journalctl -xe
```
Operational Toolkit (Hardened)
1. Network Inspection
Listening Services
```bash
ss -tulpn
```
Active Connections
```bash
ss -antp | grep ESTABLISHED
```
Firewall State
iptables:
```bash
iptables -L -n -v --line-numbers
iptables -S
```
nftables:
```bash
nft list ruleset
```
Local Service Enumeration (Low Noise)
```bash
ss -lntup
```
Avoid unnecessary full scans of localhost unless required.
Conservative Network Scan
```bash
nmap -sV -T3 -p- localhost
```
Packet Capture (Short Snapshot)
```bash
tcpdump -i any -nn -c 100
```
2. Process & Runtime Analysis
Process Tree
```bash
ps auxww --forest
```
High CPU / Memory
```bash
top
```
Open File Handles
```bash
lsof -p <PID>
```
System Call Trace (Caution: Alters Timing)
```bash
strace -p <PID>
```
⚠️ `strace` may change process behavior. Use carefully during live compromise.
Kernel Modules
```bash
lsmod
```
Kernel Messages
```bash
dmesg | tail -50
```
3. Rootkit & Malware Scanning
Rootkit Scanners
```bash
rkhunter --check
chkrootkit
```
May produce false positives. Validate findings manually.
Antivirus Scan (Targeted)
```bash
clamscan -r /home
```
Use selectively; large scans increase I/O and may alter access timestamps.
Lynis System Audit
```bash
lynis audit system
```
4. File Integrity & Package Verification
AIDE (After Initialization)
Install:
```bash
apt install aide
# or
dnf install aide
```
Initialize:
```bash
aideinit
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```
Run Check:
```bash
aide --check
```
RHEL Package Verification
```bash
rpm -Va
```
Debian Package Verification
```bash
apt install debsums
debsums -s
```
5. Forensic Analysis (Didier Stevens Suite)
Install:
```bash
sudo mkdir -p /opt/forensics
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/base64dump.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/re-search.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/zipdump.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/1768.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/pdf-parser.py
sudo wget -P /opt/forensics https://raw.githubusercontent.com/DidierStevens/DidierStevensSuite/master/oledump.py
sudo chmod +x /opt/forensics/*.py
```
Decode Base64
```bash
python3 /opt/forensics/base64dump.py file.txt
```
IOC Search
```bash
python3 /opt/forensics/re-search.py -n ipv4 logfile
```
Inspect ZIP (No Extraction)
```bash
python3 /opt/forensics/zipdump.py suspicious.zip
```
Extract Cobalt Strike Beacon Config
```bash
python3 /opt/forensics/1768.py payload.bin
```
Inspect Office/PDF Documents
```bash
python3 /opt/forensics/pdf-parser.py file.pdf
python3 /opt/forensics/oledump.py file.doc
```
Static inspection only. Never execute suspicious files.
6. Authentication & User Activity
Current Sessions
```bash
who -a
```
Login History
```bash
last -a
```
Failed SSH Logins
Ubuntu/Debian:
```bash
journalctl -u ssh.service | grep "Failed password"
```
RHEL/Fedora:
```bash
journalctl -u sshd.service | grep "Failed password"
```
Sudo Activity
```bash
journalctl _COMM=sudo
```
Audit Logs
```bash
ausearch -m USER_AUTH,USER_LOGIN,USER_CHAUTHTOK
```
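The `grep "Failed password"` one-liners above show raw events; during triage you usually want them summarized per source address so a brute-force source stands out from a single mistyped password. The script below is an added example, not part of the original skill: it reads journal text on stdin, counts `Failed password` events per source IP, and prints sources at or above a threshold. The sample journal lines are constructed for illustration and use documentation-range addresses.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): summarize sshd "Failed password"
# events by source IP and flag sources at or above a threshold.
set -eu

# Constructed sample in the style of `journalctl -u sshd.service --no-pager -o short-iso`.
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_JOURNAL='2024-05-01T10:00:01+0000 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
2024-05-01T10:00:03+0000 host sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
2024-05-01T10:00:05+0000 host sshd[1205]: Failed password for root from 203.0.113.5 port 40140 ssh2
2024-05-01T10:01:10+0000 host sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
2024-05-01T10:02:44+0000 host sshd[1221]: Failed password for alice from 198.51.100.7 port 51020 ssh2'

# summarize_failed_logins <threshold>   (journal text on stdin)
# Prints "<count> <ip>" per source, highest count first, for sources whose
# failure count is at or above <threshold>. Accepted logins are ignored.
summarize_failed_logins() {
    local threshold="${1:-1}"
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            # The source address is the field after the literal word "from".
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { count[$(i + 1)]++ }
            }
        }
        END {
            for (ip in count) if (count[ip] >= thr) print count[ip], ip
        }' | sort -rn
}

# top_failed_source   (journal text on stdin)
# Prints the single source with the most failures, or nothing if there are none.
top_failed_source() {
    summarize_failed_logins 1 | head -n1 | awk '{print $2}'
}

# Live use on a systemd host (the unit name differs by distribution):
#   journalctl -u ssh.service  --no-pager | summarize_failed_logins 10   # Debian/Ubuntu
#   journalctl -u sshd.service --no-pager | summarize_failed_logins 10   # RHEL/Fedora
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_JOURNAL" | summarize_failed_logins 2
fi
```

The threshold keeps ordinary typos out of the report; the source that trips it is the candidate for the firewall containment described under Controlled Remediation, after confirming it is not a management address.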
Controlled Remediation
Blocking an IP
iptables (Immediate):
```bash
iptables -I INPUT 1 -s <IP> -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr <IP> drop
```
If firewalld is active:
```bash
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<IP>" drop'
```
Persisting Firewall Rules
iptables (Debian):
```bash
netfilter-persistent save
```
iptables (manual save):
```bash
iptables-save > /etc/iptables/rules.v4
```
firewalld:
```bash
firewall-cmd --runtime-to-permanent
```
nftables:
```bash
nft list ruleset > /etc/nftables.conf
```
Process Containment Strategy
Preferred escalation:
- Observe
- `kill -TERM <PID>`
- If required: `kill -STOP <PID>` for analysis
- Use `kill -KILL <PID>` only if necessary
Avoid `killall` or broad `pkill`.
Service Isolation
```bash
systemctl stop <service>
systemctl disable <service>
systemctl mask <service>
```
Persistence & Backdoor Checks
Cron Jobs
```bash
crontab -l
ls -lah /etc/cron*
```
Systemd Persistence
```bash
ls -lah /etc/systemd/system/
```
Startup Scripts
```bash
cat /etc/rc.local
```
SELinux Awareness (RHEL/Fedora)
Check status:
```bash
getenforce
```
Review denials:
```bash
ausearch -m AVC
```
Forensic Hygiene
- Never execute suspicious binaries.
- Preserve evidence before deletion:
  ```bash
  sha256sum file
  mkdir -p /root/quarantine
  mv file /root/quarantine/file.vir
  ```
- Log every remediation step:
  ```bash
  date -u
  ```
Document:
- Timestamp
- Command executed
- Observed outcome
Usage Examples
Routine Audit
- Run `lynis audit system`
- Verify no unknown listening services
- Check for modified system binaries
Active Threat
- Identify high CPU process
- Capture short `tcpdump`
- Extract file hash
- Contain IP via firewall
- Preserve malicious artifact
Suspicious File
- Use `zipdump`
- Extract hash
- Move to quarantine
- Search logs for execution attempts
Safety Guardrails
These guardrails are mandatory and apply to all remediation activity. Their purpose is to prevent self-inflicted outages, preserve forensic integrity, and ensure reversible, controlled incident response.
1. State Verification (Pre- and Post-Change Validation)
Before executing any remediation command:
- Record timestamp (UTC): `date -u`
- Run a discovery command to capture current state:
  - Network: `ss -tulpn`
  - Active connections: `ss -antp`
  - Firewall (iptables): `iptables -L -n -v`
  - Firewall (nftables): `nft list ruleset`
  - firewalld: `firewall-cmd --list-all`
After remediation:
- Re-run the same discovery command.
- Compare state change and confirm:
- Intended effect achieved
- No unintended service disruption
- No management lockout (e.g., SSH access intact)
Never assume a command succeeded without verifying its effect.
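The pre/post verification above is easy to skip under pressure unless it is scripted. The following is an added example, not part of the original skill: `snapshot_state` writes each discovery command's output to a labelled file (skipping tools that are not installed, so it runs unchanged across distributions), and `diff_state` compares a "before" and "after" snapshot and fails if anything changed. The default collector list is the one the guardrail names; `STATE_COLLECTORS` is an assumed variable name that lets you substitute collectors for testing or for a container-restricted host.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): capture host state before a
# remediation step and diff it afterwards.
set -eu

# One collector per line: "label<TAB>command". Overridable via the environment.
STATE_COLLECTORS="${STATE_COLLECTORS:-$(printf 'listening\tss -tulpn\nconnections\tss -antp\niptables\tiptables -S\nnftables\tnft list ruleset\nfirewalld\tfirewall-cmd --list-all')}"

# snapshot_state <dir> <label>
# Writes <dir>/<label>.<collector>.txt for every collector plus a UTC timestamp file.
# A missing tool is recorded as such rather than aborting the snapshot.
snapshot_state() {
    local dir="$1" label="$2" name cmd tool
    mkdir -p "$dir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/$label.timestamp"
    printf '%s\n' "$STATE_COLLECTORS" | while IFS="$(printf '\t')" read -r name cmd; do
        tool="${cmd%% *}"
        if command -v "$tool" >/dev/null 2>&1; then
            sh -c "$cmd" > "$dir/$label.$name.txt" 2>&1 \
                || echo "# $tool exited non-zero" >> "$dir/$label.$name.txt"
        else
            echo "# $tool not installed" > "$dir/$label.$name.txt"
        fi
    done
}

# diff_state <dir> <before_label> <after_label>
# Prints a unified diff for every collector whose output changed.
# Returns 0 when nothing changed, 1 otherwise (so it can gate the next step).
diff_state() {
    local dir="$1" before="$2" after="$3" changed=0 f name
    for f in "$dir/$before".*.txt; do
        name=$(basename "$f" .txt)
        name="${name#"$before".}"
        if ! diff -u "$f" "$dir/$after.$name.txt" 2>/dev/null; then
            changed=1
        fi
    done
    return "$changed"
}

# Typical use around one firewall change:
#   snapshot_state /root/ir-state before
#   iptables -I INPUT 1 -s <IP> -j DROP
#   snapshot_state /root/ir-state after
#   diff_state /root/ir-state before after   # expect exactly the inserted rule
```

Read the diff before moving on: the only change should be the one you intended, and the listening-services snapshot should still show the SSH port.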
2. No Wildcards or Broad Termination
To prevent catastrophic system damage:
- NEVER use:
  - `rm -rf *`
  - `rm -rf /`
  - `killall`
  - Broad `pkill` patterns
  - Unbounded globbing in sensitive directories
- Always:
  - Use absolute file paths (e.g., `/tmp/malware.bin`)
  - Target explicit PIDs (`kill -TERM <PID>`)
  - Confirm file existence with `ls -lah <file>`
  - Hash suspicious files before modification: `sha256sum <file>`
Wildcard deletions and pattern-based termination are prohibited during incident response.
3. Persistence & Re-Spawn Inspection
After containment of a malicious process or service, immediately inspect for persistence mechanisms.
Check:
Cron Jobs
```bash
crontab -l
ls -lah /etc/cron*
```
systemd Services & Timers
```bash
systemctl list-unit-files --type=service
systemctl list-timers --all
ls -lah /etc/systemd/system/
```
Init Scripts
```bash
ls -lah /etc/init.d/
cat /etc/rc.local
```
User-Level Persistence
```bash
ls -lah ~/.config/systemd/user/
```
SSH Backdoors
```bash
cat ~/.ssh/authorized_keys
```
After removal of malicious artifacts:
- Run integrity verification: `aide --check`
- On RHEL-based systems: `rpm -Va`
- On Debian-based systems: `debsums -s`
Do not consider a threat eradicated until persistence mechanisms are eliminated.
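The `ls -lah` and `cat` commands in the Persistence & Backdoor Checks and in this guardrail show everything; what an analyst actually wants is the subset that changed recently, and a view of `authorized_keys` that surfaces entries carrying options. The script below is an added example, not part of the original skill: `recent_persistence_changes` lists files under the persistence locations named above that were modified within N days, and `authorized_keys_report` prints one line per key, marking entries with options such as `command=` or `from=` for manual review. `PERSIST_PATHS` is an assumed variable name; the key file contents are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): recent changes in persistence
# locations, and a per-key summary of authorized_keys.
set -eu

# Persistence locations from the skill; overridable for a scoped or test run.
PERSIST_PATHS="${PERSIST_PATHS:-/etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/crontab /var/spool/cron /etc/systemd/system /etc/init.d /etc/rc.local ${HOME:-/root}/.config/systemd/user}"

# recent_persistence_changes <days>
# Prints "YYYY-MM-DD HH:MM path" for regular files under PERSIST_PATHS whose
# mtime is within <days> days, newest first. Paths that do not exist are skipped.
# (-printf is GNU find, which is what the supported distributions ship.)
recent_persistence_changes() {
    local days="$1" p
    for p in $PERSIST_PATHS; do
        [ -e "$p" ] || continue
        find "$p" -type f -mtime "-$days" -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null
    done | sort -r
}

# Constructed sample authorized_keys; key material is not real.
SAMPLE_KEYS='# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotReal deploy@bastion
command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleNotReal backup@host

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherExampleKey'

# authorized_keys_report <file>
# One line per key: "OK <type> <comment>" for plain entries, or
# "FLAG <type> <comment>" when the entry carries options (command=, from=,
# no-pty, ...), which deserve manual review during persistence inspection.
authorized_keys_report() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                   # skip comments and blank lines
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print "OK", $1, ($3 == "" ? "-" : $3); next }
        {
            # Options precede the key type: locate the type token and its comment.
            t = "?"; c = "-"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = $i; if (i + 2 <= NF) c = $(i + 2); break }
            print "FLAG", t, c
        }' "$1"
}

# Live use:
#   recent_persistence_changes 7
#   authorized_keys_report /root/.ssh/authorized_keys
```

A flagged key is not automatically malicious (forced commands are common for backup accounts), but each one should be matched to a known owner before the threat is considered eradicated.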
4. Firewall Rule Safety & Persistence
A. Anti-Lockout Requirement
Before modifying firewall rules:
- Confirm the SSH listening port:
  ```bash
  ss -tulpn | grep ssh
  ```
- Confirm an explicit ACCEPT rule exists for:
  - Current management IP
  - SSH port
NEVER:
```bash
iptables -F
```
NEVER set a default DROP policy without verifying that an ACCEPT rule for SSH exists.
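The anti-lockout requirement above and the Blocking an IP commands under Controlled Remediation fit together naturally as one checked step. The script below is an added example, not part of the original skill: `safe_to_block` refuses when the target is the current management IP or when no explicit ACCEPT rule for the management IP and SSH port is present in `iptables -S` output, and `block_ip_cmd` prints the skill's runtime block command for the selected backend so it can be logged before it is run. The sample ruleset is constructed in `iptables -S` format with documentation-range addresses.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): anti-lockout check and
# backend-aware block command for one source IP.
set -eu

# Constructed sample of `iptables -S` output (documentation-range addresses).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# has_ssh_accept_rule <rules_text> <mgmt_ip> <ssh_port>
# 0 if an INPUT ACCEPT rule scoped to the management IP and SSH port exists.
has_ssh_accept_rule() {
    local rules="$1" mgmt_ip="$2" port="$3"
    printf '%s\n' "$rules" \
        | grep -E -- "^-A INPUT .*-s ${mgmt_ip}(/32)? .*--dport ${port} .*-j ACCEPT$" >/dev/null
}

# safe_to_block <rules_text> <mgmt_ip> <ssh_port> <target_ip>
# Returns 1 with a reason on stderr when blocking would risk management lockout.
safe_to_block() {
    local rules="$1" mgmt_ip="$2" port="$3" target="$4"
    if [ "$target" = "$mgmt_ip" ]; then
        echo "refuse: target is the current management IP" >&2
        return 1
    fi
    if ! has_ssh_accept_rule "$rules" "$mgmt_ip" "$port"; then
        echo "refuse: no explicit ACCEPT for ${mgmt_ip} on port ${port}" >&2
        return 1
    fi
    return 0
}

# block_ip_cmd <backend> <ip>
# Prints the runtime block command from the skill for iptables, nftables or
# firewalld. Printing rather than executing keeps the step reviewable and
# lets it be written to the change log before it runs.
block_ip_cmd() {
    case "$1" in
        iptables)  echo "iptables -I INPUT 1 -s $2 -j DROP" ;;
        nftables)  echo "nft add rule inet filter input ip saddr $2 drop" ;;
        firewalld) echo "firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"$2\" drop'" ;;
        *) echo "unknown backend: $1" >&2; return 1 ;;
    esac
}

# Live use (management IP taken from the current SSH session, port 22 assumed):
#   rules=$(iptables -S); mgmt_ip=${SSH_CLIENT%% *}
#   if safe_to_block "$rules" "$mgmt_ip" 22 203.0.113.5; then
#       cmd=$(block_ip_cmd iptables 203.0.113.5)
#       echo "$(date -u) $cmd" >> /root/quarantine/ir-changelog.txt
#       sh -c "$cmd"
#   fi
```

The regular expression assumes the rule was written with `-s <ip>` or `-s <ip>/32` and `--dport <port>`; a rule that allows SSH from a broader subnet would not satisfy the check and should be reviewed by hand before any DROP is inserted.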
B. Immediate vs Persistent Rules
Firewall rule changes are runtime by default and may not survive reboot.
iptables (Debian/Ubuntu)
Runtime only until saved:
```bash
iptables-save > /etc/iptables/rules.v4
```
If using netfilter-persistent:
```bash
netfilter-persistent save
```
RHEL (legacy iptables service)
```bash
service iptables save
```
firewalld
Runtime-to-permanent:
```bash
firewall-cmd --runtime-to-permanent
```
nftables
Persist ruleset:
```bash
nft list ruleset > /etc/nftables.conf
```
Document:
- Whether rule is temporary or permanent
- Location of saved configuration
- Verification after reboot (if applicable)
5. Forensic Preservation Before Destruction
Before deleting or killing:
- Hash the artifact:
  ```bash
  sha256sum <file>
  ```
- Move to quarantine:
  ```bash
  mkdir -p /root/quarantine
  mv <file> /root/quarantine/<file>.vir
  ```
- Record:
  - Timestamp (UTC)
  - Original path
  - Hash value
  - Reason for containment
Avoid `kill -9` unless absolutely required. Prefer:
- `kill -TERM <PID>`
- `kill -STOP <PID>` (if forensic inspection needed)
- `kill -KILL <PID>` only as last resort
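The escalation order above (and the Process Containment Strategy earlier) is easy to get wrong by hand, typically by jumping straight to `kill -9` or by signalling the wrong PID. The function below is an added example, not part of the original skill: it accepts exactly one numeric PID, refuses PID 0, PID 1 and the running shell, optionally freezes the process with STOP for inspection, and otherwise sends TERM, waits a grace period, and sends KILL only if the process is still alive. Zombies are treated as already gone, since they have exited and only their exit status is pending collection.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): escalating containment of
# one explicit PID: TERM, wait, then KILL only if still alive.
set -eu

# pid_alive <pid>: 0 if the process exists and is not a zombie.
# Signal 0 delivers nothing; it only checks that the PID is signalable.
pid_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status" 2>/dev/null
}

# contain_pid <pid> [grace_seconds] [freeze]
# freeze=1 sends STOP instead of terminating, so the process image can be
# inspected (lsof -p <pid>, /proc/<pid>) first; resume later with kill -CONT.
# Returns 0 when the process is gone (or frozen), 1 on refusal, 2 if it
# survived KILL (investigate: kernel-side state, unkillable D state, etc.).
contain_pid() {
    local pid="$1" grace="${2:-5}" freeze="${3:-0}" i
    case "$pid" in
        ''|*[!0-9]*) echo "refuse: PID must be a single integer" >&2; return 1 ;;
    esac
    if [ "$pid" -le 1 ] || [ "$pid" -eq "$$" ]; then
        echo "refuse: will not signal PID $pid" >&2
        return 1
    fi
    if ! pid_alive "$pid"; then
        echo "PID $pid is not running" >&2
        return 0
    fi
    if [ "$freeze" = 1 ]; then
        kill -STOP "$pid"
        echo "PID $pid frozen for analysis; resume with: kill -CONT $pid"
        return 0
    fi
    kill -TERM "$pid"
    i=0
    while [ "$i" -lt "$grace" ] && pid_alive "$pid"; do
        sleep 1
        i=$((i + 1))
    done
    if pid_alive "$pid"; then
        kill -KILL "$pid"
        sleep 1
        pid_alive "$pid" && return 2
    fi
    return 0
}

# Live use, after hashing and quarantining the process's binary:
#   contain_pid <PID> 10        # TERM, up to 10 s grace, then KILL
#   contain_pid <PID> 10 1      # freeze with STOP for inspection instead
```

Hash and quarantine the on-disk binary before terminating the process; once the process is gone, `/proc/<PID>/exe` is no longer available as a way to recover a deleted executable.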
6. Change Logging Requirement
Every remediation action must include:
- Timestamp: `date -u`
- Command executed
- Justification
- Observed outcome
- Updated risk level (if applicable)
Remediation without documentation is non-compliant.
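Forensic Hygiene, guardrail 5 and guardrail 6 all describe the same sequence: hash, quarantine, record. The script below is an added example, not part of the original skill, that performs that sequence in one call so the log entry cannot be forgotten: `quarantine_artifact` insists on an absolute, wildcard-free path (guardrail 2), computes the SHA-256, moves the file to quarantine with the `.vir` suffix, removes execute permission, and appends a change-log line with the UTC timestamp, command, justification and outcome. `QUARANTINE_DIR`, `IR_LOG` and the log file name are assumptions, defaulting to the `/root/quarantine` location the skill uses.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill): hash, quarantine and log an
# artifact before any destructive step.
set -eu

QUARANTINE_DIR="${QUARANTINE_DIR:-/root/quarantine}"
IR_LOG="${IR_LOG:-/root/quarantine/ir-changelog.txt}"

# log_action <command> <justification> <outcome>
# Appends one tab-separated record: UTC timestamp, command, why, observed result.
log_action() {
    local ts
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    mkdir -p "$(dirname "$IR_LOG")"
    printf '%s\tcmd=%s\tjustification=%s\toutcome=%s\n' "$ts" "$1" "$2" "$3" >> "$IR_LOG"
}

# quarantine_artifact <absolute_path> <reason>
# Prints the SHA-256 of the original file on success. Refuses relative paths
# and anything containing a glob character so the "absolute paths, no
# wildcards" guardrail is enforced by the code rather than by discipline.
quarantine_artifact() {
    local src="$1" reason="$2" hash dest
    case "$src" in
        /*) ;;
        *) echo "refuse: path must be absolute: $src" >&2; return 1 ;;
    esac
    case "$src" in
        *'*'*|*'?'*|*'['*) echo "refuse: wildcard in path: $src" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "refuse: not a regular file: $src" >&2; return 1; }
    hash=$(sha256sum -- "$src" | awk '{print $1}')
    mkdir -p "$QUARANTINE_DIR"
    dest="$QUARANTINE_DIR/$(basename "$src").vir"
    mv -- "$src" "$dest"
    chmod 0400 "$dest"          # readable for analysis, never executable
    log_action "mv $src $dest" "$reason" "sha256=$hash"
    printf '%s\n' "$hash"
}

# Live use:
#   quarantine_artifact /tmp/malware.bin "unsigned binary with outbound beaconing"
```

Because `mv` within the same filesystem keeps the inode, the file's original modification time survives the move; the log line carries the original path, which is otherwise lost once the file leaves its directory.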
7. Minimal-Impact Principle
All actions must follow:
- Smallest necessary change
- Reversible where possible
- No broad configuration resets
- No service restarts without justification
- No system-wide scans during active compromise unless scoped
Contain first. Eradicate methodically. Recover cautiously.