Implementing Linux specific checks

In this section, we will describe how to implement some integrity checks to support the finding signs of system manipulation in Linux and similar (for example, BSD) systems.

These checks include the following:

Searching for anomalies in the local user management
Understanding and analyzing file metadata for special permissions and privileges
Using clustering algorithms on file metadata to get indicators on where to look deeper

Checking the integrity of local user credentials

The information about local users in Linux is mostly stored in two files: /etc/passwd and /etc/shadow. The latter is optional and all the information about local users—including the hashed password—was originally stored in /etc/passwd. Soon, it ...

Get Mastering Python Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Python Forensics by Dr. Michael Spreitzenbarth, Dr. Johann Uhrmann

Implementing Linux specific checks

Checking the integrity of local user credentials

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly