Quote:
Originally Posted by dlol
(..) what is the best way to analyze this server - the software that is installed and prevent possible issues?
I'll give you some questions to ponder, the way I would when inspecting a "suspect" machine, but IMHO the single most efficient way ultimately is having it combed over manually by a seasoned admin, period.
- Where does the machine reside, ownership-, network-, monitoring- and IDS-wise?
- What's the type (phys. HW, VM, other)?
- What's the role of this machine?
- What's this machine's relationship with adjacent machines (as you should never assume those are clean either)?
- Is the machine subject to any form of monitoring / auditing and what do those log entries say?
- Are there any documented past problems?
- What's the system and daemon log retention?
- Same for backups?
- What's the Linux release and update version?
- What's the last time updates were installed?
- Which kernel, kernel modules, subsystems, files are not part of RPM?
Answering those questions in detail may help paint a picture of how much effort should be invested. If you post detailed information here, I'm sure we can help suggest a course of action.
Depending on what's installed and running, log retention, availability of backups etcetera I'd at least run '/bin/rpm --nodeps --noscripts --notriggers -Vva 2>&1|/bin/grep -v "\.\{8\}";' # (You may want to first run 'rpm -V' on init, procutils, openssh-server and such before continuing.) Run all system and daemon logs through Logwatch with the "--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log" args. (If the first rpm command made you suspicious by all means siphon all logs off of the system and continue on a known clean machine.) And some std commands like:
/bin/ps axfwwwe -opid,ppid,gid,uid,args
/usr/sbin/lsof -Pwln
/bin/netstat -anTpe
/usr/bin/lastlog
/usr/bin/last -wai
/usr/bin/who -a
/sbin/iptables-save
Besides Logwatch you could, depending on machine role, exposure, suspicion and where applicable, also run LMD (Linux Malware Detect), Rootkit Hunter and other tools.
Quote:
Originally Posted by dlol
Is there a tool that can scan the server and give you an overview of the linux server?
There is no single tool that will efficiently provide you with the all-encompassing info you seek. I emphasise that the single most efficient way ultimately is having it combed over manually by a seasoned admin.
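The two mechanical parts of the answer above (reducing `rpm -Va` output to what matters, and snapshotting the volatile-state commands so the output can be siphoned off to a clean machine) as a small triage script. This is an added example, not code from the original poster; the function names `rpm_verify_triage` and `triage_snapshot`, the severity labels and the sample `rpm -Va` lines are all mine, and the sample is constructed, not captured from a real host. It assumes POSIX sh plus awk, that rpm verify lines have the form "FLAGS  [attr] /path" (8- or 9-character flag field) or "missing  /path", and that paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): triage helper around the checks
# described in the reply above. Assumes POSIX sh + awk; 'rpm -Va' lines look like
# "FLAGS  [attr] /path" (8 or 9 flag chars) or "missing  /path"; paths have no
# spaces; tools that are not installed are skipped rather than treated as fatal.

# Classify 'rpm -Va' output. Lines whose flag field is all dots are unchanged and
# are dropped (the grep -v in the post does the same). Of the rest: a digest (5)
# or size (S) change on a non-config file, a mode/owner/group (M/U/G) change on
# anything, or a missing file is what a tampered package looks like; content
# changes to files marked 'c' (config) are expected on a running system and are
# listed as INFO. Anything else (e.g. mtime-only 'T', rpm warnings) is LOW.
# Prints one "SEVERITY<TAB>reason<TAB>path" line per finding.
rpm_verify_triage() {
    awk '
        $1 ~ /^\.+$/     { next }                                  # unchanged
        $1 == "missing"  { print "HIGH\tmissing\t" $NF; next }
        {
            flags = $1; path = $NF
            attr = (NF == 3) ? $2 : ""                           # c = config file
            if (flags ~ /[MUG]/)
                print "HIGH\tmode/owner/group changed\t" path
            else if (flags ~ /[5S]/ && attr != "c")
                print "HIGH\tcontent changed (non-config)\t" path
            else if (flags ~ /[5S]/)
                print "INFO\tconfig edited\t" path
            else
                print "LOW\t" flags "\t" path
        }'
}

# Run the volatile-state commands from the post, one output file each, into an
# evidence directory that can then be copied off the suspect host. Tools that are
# absent are noted in errors.txt; non-zero exits are recorded, not fatal.
# Prints the number of commands that were actually run.
triage_snapshot() {
    dir=${1:?usage: triage_snapshot EVIDENCE_DIR}
    mkdir -p "$dir"
    n=0
    for cmd in \
        'ps axfwwwe -opid,ppid,gid,uid,args' \
        'lsof -Pwln' \
        'netstat -anTpe' \
        'lastlog' \
        'last -wai' \
        'who -a' \
        'iptables-save'
    do
        tool=${cmd%% *}
        if command -v "$tool" >/dev/null 2>&1; then
            # word-split $cmd on purpose: it is an argv, not a path
            $cmd > "$dir/$tool.txt" 2>&1 || echo "exit $? for: $cmd" >> "$dir/errors.txt"
            n=$((n + 1))
        else
            echo "skipped (not installed): $cmd" >> "$dir/errors.txt"
        fi
    done
    echo "$n"
}

# Constructed sample of 'rpm -Va' output (not real data). On a suspect host pipe
# the real thing in instead, e.g.:
#   rpm --nodeps --noscripts --notriggers -Vva 2>&1 | rpm_verify_triage
SAMPLE_RPM_VA='.........    /usr/bin/true
S.5....T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.......T.    /usr/lib64/libz.so.1
missing     /usr/share/man/man1/ls.1.gz'

# Demo run on the sample: /usr/bin/true is dropped, ls/passwd/the missing man
# page come out HIGH, sshd_config INFO, libz LOW.
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_triage
```

On a real host, run the snapshot first (`triage_snapshot /root/evidence-$(hostname)`), then the rpm pass, and copy the whole directory off before trusting any further output from the box; a HIGH entry on something like /usr/bin/ls or /usr/bin/passwd means the tools you are using to look are themselves suspect.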