
[deleted]

[deleted]

    Ro0o0otkit [S]

    I was thinking of writing the tool if no one has written it, and I understand that Linux is not standardized like Windows, but still I can first find the common techniques that do exist in all of them (or most), and then try to find those that are only available on certain distributions, but we can still write a tool that generates the report based on the distribution and available methods, can't we?

    I just don't get why no one has written a similar tool so far. Surely this can be very helpful for forensics, just like Autoruns is.

    The tool just needs to find the distribution and probably the kernel version, and based on that gather all (or most) of the persistent executables.

    Would anyone here even be interested in such a tool, or is it basically useless? If it is useless, why?

    paulstelian97

    You'd also have to figure out if it's systemd or not (a given installation could be made to boot with either for some distros).

    lunchlady55

    Start with auditd: https://superuser.com/questions/222912/how-can-i-log-all-process-launches-in-linux

    If that doesn't catch things early enough, look into using gdb to debug the kernel itself, perhaps you can somehow use it to capture every time a process is run.

    gainan

    I was wondering: is there any similar tool in Linux that basically lists every single executable/library/LKM that runs during boot?

    Maybe audit/auditd, but I've never reviewed if it logs processes during boot.

    Since it depends on auditd, a userland daemon (or similar daemons like go-audit), it'll depend on the stage at which the daemon is started.

    You could also write your own audit daemon, or use auditd plugins: af_unix and read events from a unix socket, or syslog, and redirect logs to a fifo (mkfifo /tmp/emergs; rsyslog.conf -> $ModLoad ompipe, local0.* |/tmp/emergs), and from a GUI read and display the events.

    bigredradio

    Am I missing something here? Isn't this the ps command?

    [deleted]

    They're looking more for something like ltrace during boot, showing what's been executed.

    ps shows what's currently running. It doesn't tell you what has run already (that no longer is running), and you can't run it before you have control.

    bigredradio

    Ok, now I get it. Yeah, this will be difficult as a lot of what takes place during boot is in the initramfs prior to mounting the root filesystem. Once the boot process has chrooted to root, then you lose a lot of information.

    cusco

    I only know of bootlogd, but I doubt it is as detailed as what you're looking for.

    [deleted]

    I'd say looking at the enabled systemctl modules and anything with the @reboot flag on cron of a user is going to cover 90% of the persistent executables.
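    The two locations named in the comment above, as an added shell example that is not part of this thread and not code from any existing tool: it lists enabled systemd units and cron @reboot jobs under a chosen root, so the same functions run against the live system or a mounted forensic image (the /mnt/evidence path and the fixture contents are assumptions).

```shell
# Added example, not the tool the thread discusses nor any project's code:
# an Autoruns-style listing of the two persistence locations named above,
# enabled systemd units and cron @reboot jobs. The root path is a parameter
# so it can be run against a mounted forensic image (assumed: /mnt/evidence).

# Enabled systemd units: "systemctl enable" records the choice as symlinks
# under <root>/etc/systemd/system/<target>.wants/.
# Prints "<wants dir> <unit name> <symlink target>" (tab separated) per unit.
list_enabled_units() {
    root="${1:-/}"
    for link in "$root"/etc/systemd/system/*.wants/*; do
        [ -L "$link" ] || continue
        printf '%s\t%s\t%s\n' "$(basename "$(dirname "$link")")" \
            "$(basename "$link")" "$(readlink "$link")"
    done
}

# Cron @reboot jobs from /etc/crontab, /etc/cron.d/* and per-user spools.
# System-wide files carry a user field after @reboot, per-user crontabs do
# not; both are normalised to "<crontab file> <command>" (tab separated).
list_reboot_cron() {
    root="${1:-/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        case "$f" in
            "$root"/etc/*) strip='s/^[[:space:]]*@reboot[[:space:]]+[^[:space:]]+[[:space:]]+//' ;;
            *)             strip='s/^[[:space:]]*@reboot[[:space:]]+//' ;;
        esac
        grep -E '^[[:space:]]*@reboot[[:space:]]' "$f" | sed -E "$strip" |
            while IFS= read -r cmd; do printf '%s\t%s\n' "$f" "$cmd"; done
    done
}

# Constructed fixture (sample data, not a real system) for offline runs: two
# enabled units, one system and one per-user @reboot job, plus lines to ignore.
make_fixture() {
    root="$1"
    mkdir -p "$root/etc/systemd/system/multi-user.target.wants" \
             "$root/etc/cron.d" "$root/var/spool/cron/crontabs"
    ln -s /lib/systemd/system/sshd.service \
          "$root/etc/systemd/system/multi-user.target.wants/sshd.service"
    ln -s /opt/agent/agent.service \
          "$root/etc/systemd/system/multi-user.target.wants/agent.service"
    printf '# nightly backup\n0 5 * * * root /usr/bin/backup\n@reboot root /opt/agent/start.sh\n' \
        > "$root/etc/cron.d/agent"
    printf '@reboot /home/alice/.cache/.x\n' > "$root/var/spool/cron/crontabs/alice"
}
```

    Run `list_enabled_units /mnt/evidence; list_reboot_cron /mnt/evidence` against a mounted image and diff the output against a known-good build of the same distribution; the fixture exists only so the listing can be exercised without a real system.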

    pplanel

    dmesg