fIRstview is a Live Response/Incident Response automation tool that collects several information from a Linux based system. Since it's written in Shell the script has no dependencies and the report is generated automatically.
- Uptime
- Disk usage
- Partitions
- Memory usage
- OS and Kernel version
- Environment variables
- Hostname
- IP Address
- Route Table
- ARP
- Interfaces
- DNS info
- Network info
- Iptables listing
- USB info
- Kernel modules
- Online Users
- Last logins
- Privileged Users
- Non-System Users
- Crontabs
- Temp directory
- Daemons
- Running services
- Processes
- Jobs
- Open files
- Open Connections
- Fstab
- Mounts
- Unusual authorized keys location
- 0 bytes log files
- Files/directories with no user or no group
- Immutable files/directories
- Pipe files
- ID
- General info (id, shell, home directory, etc)
- Groups
- Last login
- If the user is online
- Crontab
- Open files
- User config files (bashrc, profile, bash_logout)
- History
- Known hosts
- User processes
- User connections
- General info (permissions, creator, size, etc)
- MAC info (modification, access, creation)
- If the file is open
- MD5
- SHA1
- ELF information
- Process information (name, pid, ppid, time, command, etc)
- Files opened by the process
- Process command line
- Process command
- Process binary
- Process working directory
- Process environment
- Process connections
- dmesg
- auth.log
- secure
- dpkg.log
- kern.log
- lastlog
- syslog
- alternative.log
- cron.log
- messages
- debug
- daemon.log
- boot.log
- user.log
- apache2/httpd access.log
-u,--user USER
Specify the user which you want to investigate and generate a report.
-p,--pid PID
Specify the process which you want to investigate and generate a report.
-f,--file FILE
Specify a file which you want to investigate and generate a report.
-l, --logs
Dump several system logs.
-a,--all
Generate a full report with no filter.
-h,--help
Display this help menu.
git clone https://github.com/leandrofroes/firstview
cd firstview
chmod +x fIRstview.sh
sudo ./fIRstview.sh -u <username>
- New log collection module
- Removed timestamp from the report file name
- The report now is generated in an output directory created by the script
- Now it has the log collection module embedded
- Unusual authorized keys location
- 0 bytes log files
- Files/directories with no user or no group
- Immutable files/directories
- Pipe files
- Add CPU usage to ps command
- Process command
- Process binary
- Process working directory
- Process environment
- Add CPU usage to ps command
- Add -p option to file command to preserve timestamp.
- The commands now are organized in a logical way, making easier to analyse them.
- Fix EUID checking logic
The fIRstview is published under the GPL v3 License. Please refer to the file named LICENSE for more information.