droberson/linux-collect-volatile-data.sh

## linux-collect-volatile-data.sh
#!/bin/sh

LOGFILE="volatile.log"

exectee () {
        echo "[+] $@" | tee -a $LOGFILE
        $@ | tee -a $LOGFILE
        echo | tee -a $LOGFILE
}

date | tee $LOGFILE
echo | tee -a $LOGFILE

exectee uname -a
exectee id
exectee "cat /etc/*release*"

exectee ps faux
exectee service --status-all
exectee systemctl list-unit-files

exectee ifconfig -a
exectee netstat -anp
exectee iptables -L

exectee lsmod

exectee lsof

exectee w
exectee lastlog

exectee find /root/ /home/ -name authorized_keys -exec ls -l {} \; -exec cat {} \;

if [ -e /usr/bin/dpkg ]; then
        exectee dpkg -l

        echo "[+] Verifying .deb packages" | tee -a $LOGFILE
        for pkg in $(dpkg -l |awk {'print $2'}); do
                dpkg -V $pkg 2>/dev/null | tee -a $LOGFILE
        done
fi

if [ -e /usr/bin/rpm ]; then
        exectee rpm -qa

        echo "[+] Verifying .rpm packages" |tee -a $LOGFILE
        for pkg in $(rpm -qa); do
                rpm -V $pkg | tee -a $LOGFILE
        done
fi
	#!/bin/sh

	LOGFILE="volatile.log"

	exectee () {
	echo "[+] $@" \| tee -a $LOGFILE
	$@ \| tee -a $LOGFILE
	echo \| tee -a $LOGFILE
	}

	date \| tee $LOGFILE
	echo \| tee -a $LOGFILE

	exectee uname -a
	exectee id
	exectee "cat /etc/release"

	exectee ps faux
	exectee service --status-all
	exectee systemctl list-unit-files

	exectee ifconfig -a
	exectee netstat -anp
	exectee iptables -L

	exectee lsmod

	exectee lsof

	exectee w
	exectee lastlog

	exectee find /root/ /home/ -name authorized_keys -exec ls -l {} \; -exec cat {} \;

	if [ -e /usr/bin/dpkg ]; then
	exectee dpkg -l

	echo "[+] Verifying .deb packages" \| tee -a $LOGFILE
	for pkg in $(dpkg -l \|awk {'print $2'}); do
	dpkg -V $pkg 2>/dev/null \| tee -a $LOGFILE
	done
	fi

	if [ -e /usr/bin/rpm ]; then
	exectee rpm -qa

	echo "[+] Verifying .rpm packages" \|tee -a $LOGFILE
	for pkg in $(rpm -qa); do
	rpm -V $pkg \| tee -a $LOGFILE
	done
	fi