General Program for collecting evidence in linux

General Program for collecting evidence using linux-general Linux technology-Linux programming and kernel information. The following is a detailed description. In the redhat linux family

Step 1 determine the system: cat/etc/redhat-release

Red Hat Enterprise Linux AS release 4 (Nahant Update 4)

Step 2 determine the host name, IP address, and other network settings

[Root @ localhost t] # cat etc/hosts
127.0.0.1 apollo. honeyp.edu apollo localhost. localdomain localhost
[Root @ localhost t] #

[Root @ localhost t] # cat etc/sysconfig/network
NETWORKING = yes
HOSTNAME = apollo.honeyp.edu
GATEWAY = 172.16.1.254
DEVICE = eth0
BOOTPROTO = static
BROADCAST = 172.16.1.255
IPADDR = 172.16.1.107
NETMASK = 255.255.255.0
NETWORK = 172.16.1.0
ONBOOT = yes

Step 3: Check who has logged on to the system.

[Root @ localhost t] # last-f var/log/wtmp
Root tty1 Thu Nov 9 10:37 gone-no logout

Wtmp begins Wed Nov 8 22:59:52 2000
[Root @ localhost t] #

The inner has cleared the traces.

Step 4: Check who has logged in and where it came from

[Root @ localhost t] # cat var/log/secure
Nov 5 10:54:49 apollo in. telnetd [680]: connect from 207.239.115.11
Nov 6 02:59:23 apollo in. ftpd [973]: connect from 128.121.247.126
Nov 8 00:08:40 apollo in. telnetd [2077]: connect from 216.216.74.2
Nov 8 00:08:40 apollo in. telnetd [2078]: connect from 216.216.74.2
[Root @ localhost t] #

Part 5 check the program startup and shutdown processes

[Root @ localhost t] # cat var/log/messages