mining-host-troubleshooter
Use when a Linux host may be compromised, running a miner, hiding persistence, or showing signs of local privilege escalation. Supports read-only evidence collection, distro-aware triage, deleted-log fallback review, detailed evidence correlation, and evidence-bound reporting. Default to read-only investigation only, keep state-changing actions out of scope unless the user explicitly approves them as a separate step, and never fabricate findings or attribution.
