Linux Host Forensics
Community
Uncover Linux persistence, credentials, and tampering.
Author: rjonhaas
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Helps incident responders rapidly identify persistence, privilege-escalation vectors, and evidence of compromise on live or imaged Linux/Unix endpoints, even when attackers attempt anti-forensics such as clearing command history.
Core Features & Use Cases
- Local account and authentication triage: Reviews /etc/passwd, /etc/shadow, and SSH/auth logs to surface suspicious UID-0 accounts, weak or altered password data, and successful/failed login patterns.
- Persistence and execution trace discovery: Enumerates cron, systemd units, rc.local, and user shell profiles, then correlates them with bash history patterns for download/execute chains.
- Host compromise indicators and escalation paths: Checks for staged malware in /tmp, /dev/shm, /var/tmp, validates SUID/SGID binaries, inspects kernel modules, and optionally mines auditd for privilege escalation and sensitive access.
Quick Start
Use the skill with your mounted case evidence by setting CASE_ROOT to the Linux evidence root path and running the skill’s execution workflow to generate the analysis outputs under ./analysis/linux.
Dependency Matrix
Required Modules: None required
Components: Standard package
Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: Linux Host Forensics Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#linux-host-forensics Please download this .zip file, extract it, and install it in the .claude/skills/ directory.