Via digininja’s Twitter account, I have found this blog post that describes a set of Metasploit Linux Post Exploitation modules.

I think the list of executed commands is more or less complete, but I would also add the following:

Currently logged-in users and server uptime.

$ w

All open connections (TCP, UDP and Unix sockets) and the respective PID/UID.

$ netstat -pan

Same as before, but only TCP and UDP.

$ lsof -nn | egrep "TCP|UDP"

The mount command only displays the currently mounted devices. In /etc/fstab we may find a commented-out line or a device that is not automatically mounted.

$ cat /etc/fstab

Is the server exporting NFS volumes?

$ cat /etc/exports

Tree view of all the processes.

$ ps faxu

Last users that logged in to the system. The -a flag puts the complete remote hostname in the last column.

$ last -a

Similar to the previous one.

$ lastlog

Quick view of the log policy on the machine. The default is 4 weeks' worth of logs.

$ ls -lat /var/log

Are they sending logs to a centralized system?

$ cat /etc/syslog.conf
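
To answer the centralized-logging question without reading the file by eye, the following added example (not from the original post) lists the forwarding rules in a classic syslog.conf-style file. The function names and the sample configuration are constructed for illustration; it assumes the selector/action line syntax, where `@host` forwards over UDP and rsyslog's `@@host` forwards over TCP.

```shell
#!/bin/sh
# Added example: report remote forwarding rules in a syslog.conf-style file.
# Handles the classic "<selector> <action>" line syntax only; rsyslog's newer
# action(type="omfwd" ...) form is not parsed here.

remote_log_targets() {
    # $1: config file to audit (defaults to /etc/syslog.conf)
    conf="${1:-/etc/syslog.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank lines
        $2 ~ /^@@?[^@]/ {                  # action starts with @ or @@
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2
            sub(/^@@?/, "", target)        # strip the forwarding marker
            print $1, proto, target        # selector, transport, destination
        }
    ' "$conf"
}

# Constructed sample configuration (not taken from a real host).
sample_conf() {
    cat <<'EOF'
# local files
*.info;mail.none        /var/log/messages
authpriv.*              /var/log/secure
# *.* @old-loghost.example
authpriv.*              @loghost.example
*.*                     @@10.0.0.5:514
EOF
}

# Run the audit against the constructed sample via a temporary file.
audit_sample() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    remote_log_targets "$tmp"
    rm -f "$tmp"
}

audit_sample
```

An empty result means no classic forwarding rule is active in that file, so the logs under /var/log are the only copy. On rsyslog systems, point the function at /etc/rsyslog.conf instead.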