{"id":9330,"date":"2026-02-28T13:45:07","date_gmt":"2026-02-28T14:45:07","guid":{"rendered":"https:\/\/hadess.io\/?p=9330"},"modified":"2026-04-06T18:30:21","modified_gmt":"2026-04-06T18:30:21","slug":"bash-scripting-security","status":"publish","type":"post","link":"https:\/\/hadess.io\/bash-scripting-security\/","title":{"rendered":"Bash Scripting for Security: Log Parsing, Automation, and Recon"},"content":{"rendered":"

Bash Scripting for Security: Log Parsing, Automation, and Recon<\/h1>\n
\n

Part of the Cybersecurity Skills Guide<\/a><\/strong> \u2014 This article is one deep-dive in our complete guide series.<\/p>\n<\/blockquote>\n

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read<\/em><\/p>\n

Bash is the lingua franca of Linux systems, and most security work happens on Linux. Whether you are parsing logs during an incident, automating reconnaissance, or chaining tools together during a pentest, Bash scripting gets results fast. You do not need to be a Bash expert, but you need enough proficiency to build useful tools quickly.<\/p>\n

Log Parsing<\/h2>\n

Security analysts spend significant time in logs. Bash’s text processing tools \u2014 grep<\/code>, awk<\/code>, sed<\/code>, sort<\/code>, uniq<\/code>, cut<\/code> \u2014 handle most log analysis tasks without loading data into a SIEM<\/a>.<\/p>\n

Find failed SSH logins and count by source IP:<\/p>\n

bash grep \"Failed password\" \/var\/log\/auth.log | \\ awk '{print $(NF-3)}' | \\ sort | uniq -c | sort -rn | head -20 <\/code>`<\/p>\n

Extract all unique IP addresses from an Apache access log:<\/p>\n

<\/code>`bash
\nawk '{print $1}' \/var\/log\/apache2\/access.log | sort -u
\n<\/code>`<\/p>\n

Find all 4xx and 5xx HTTP responses with timestamps:<\/p>\n

<\/code>`bash
\nawk '$9 ~ \/^[45]\/ {print $4, $7, $9}' \/var\/log\/apache2\/access.log
\n<\/code>`<\/p>\n

For JSON-structured logs, use <\/code>jq:<\/p>\n

<\/code>`bash
\ncat application.log | jq -r 'select(.level == \"ERROR\") | \"\\(.timestamp) \\(.message)\"'
\n<\/code>`<\/p>\n

Automation Scripts<\/h2>\n

Automate repetitive security tasks to eliminate manual errors and save time.<\/p>\n

File integrity check<\/strong> using checksums:<\/p>\n

<\/code>`bash
\n#!\/bin\/bash
\nBASELINE=\"\/var\/security\/baseline_hashes.txt\"
\nfind \/etc -type f -exec sha256sum {} \\; > \/tmp\/current_hashes.txt
\ndiff \"$BASELINE\" \/tmp\/current_hashes.txt | grep \"^[<>]\"
\n<\/code>`<\/p>\n

Certificate expiration monitor:<\/strong><\/p>\n

<\/code>`bash
\n#!\/bin\/bash
\nDOMAINS=(\"example.com\" \"api.example.com\" \"admin.example.com\")
\nWARN_DAYS=30<\/p>\n

for domain in \"${DOMAINS[@]}\"; do expiry=$(echo | openssl s_client -servername \"$domain\" -connect \"$domain:443\" 2>\/dev\/null | \\ openssl x509 -noout -enddate | cut -d= -f2) exp_epoch=$(date -d \"$expiry\" +%s) now_epoch=$(date +%s) days_left=$(( (exp_epoch - now_epoch) \/ 86400 )) if [ \"$days_left\" -lt \"$WARN_DAYS\" ]; then echo \"WARNING: $domain expires in $days_left days\" fi done <\/code>`<\/p>\n

Recon Scripts<\/h2>\n

During penetration tests, Bash scripts chain tools together for efficient reconnaissance:<\/p>\n

Subdomain enumeration and live host detection:<\/strong><\/p>\n

<\/code>`bash
\n#!\/bin\/bash
\nTARGET=\"$1\"<\/p>\n

Gather subdomains from multiple sources<\/h1>\n

subfinder -d \"$TARGET\" -silent > subs.txt
\namass enum -passive -d \"$TARGET\" -o amass_subs.txt 2>\/dev\/null
\ncat subs.txt amass_subs.txt | sort -u > all_subs.txt<\/p>\n

Check which are alive<\/h1>\n

httpx -l all_subs.txt -silent -o live_hosts.txt
\necho \"Found $(wc -l < live_hosts.txt) live hosts\"\n<\/code>`<\/p>\n

Port scan result processor:<\/strong><\/p>\n

<\/code>`bash
\n#!\/bin\/bash<\/p>\n

Parse nmap XML output for open ports<\/h1>\n

xmllint --xpath '\/\/port[@protocol=\"tcp\"]\/state[@state=\"open\"]\/..' nmap_output.xml | \\
\n grep -oP 'portid=\"\\K[^\"]+' | sort -n
\n<\/code>`<\/p>\n

Tool Chaining<\/h2>\n

The real power of Bash in security is piping output between tools. Feed Nmap results into Nikto, parse Burp exports with <\/code>jq, or correlate firewall logs with threat intelligence feeds using <\/code>comm and <\/code>join.<\/p>\n

Write your scripts with error handling. Check return codes, validate inputs, and handle missing files:<\/p>\n

<\/code>`bash
\n#!\/bin\/bash
\nset -euo pipefail
\nif [ $# -ne 1 ]; then
\n echo \"Usage: $0 \" >&2
\n exit 1
\nfi
\n<\/code>`<\/p>\n

<\/code>set -e exits on errors, <\/code>set -u catches undefined variables, <\/code>set -o pipefail` catches failures in pipes. These three flags prevent silent failures that lead to incorrect results.<\/p>\n

Related Career Paths<\/h2>\n

Bash scripting proficiency maps to SOC Analyst and Penetration Tester career paths<\/a>. Both roles use Bash daily for log analysis, automation, and tool orchestration.<\/p>\n

Next Steps<\/h2>\n