Skip to content
This repository has been archived by the owner on Mar 21, 2024. It is now read-only.
/ firstview Public archive

A Linux based Live Response/Incident Response automation tool.

License

Notifications You must be signed in to change notification settings

leandrofroes/firstview

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 

Repository files navigation

fIRstview

fIRstview is a Live Response/Incident Response automation tool that collects several information from a Linux based system. Since it's written in Shell the script has no dependencies and the report is generated automatically.

Features

All module

  • Uptime
  • Disk usage
  • Partitions
  • Memory usage
  • OS and Kernel version
  • Environment variables
  • Hostname
  • IP Address
  • Route Table
  • ARP
  • Interfaces
  • DNS info
  • Network info
  • Iptables listing
  • USB info
  • Kernel modules
  • Online Users
  • Last logins
  • Privileged Users
  • Non-System Users
  • Crontabs
  • Temp directory
  • Daemons
  • Running services
  • Processes
  • Jobs
  • Open files
  • Open Connections
  • Fstab
  • Mounts
  • Unusual authorized keys location
  • 0 bytes log files
  • Files/directories with no user or no group
  • Immutable files/directories
  • Pipe files

User module

  • ID
  • General info (id, shell, home directory, etc)
  • Groups
  • Last login
  • If the user is online
  • Crontab
  • Open files
  • User config files (bashrc, profile, bash_logout)
  • History
  • Known hosts
  • User processes
  • User connections

File module

  • General info (permissions, creator, size, etc)
  • MAC info (modification, access, creation)
  • If the file is open
  • MD5
  • SHA1
  • ELF information

Process module

  • Process information (name, pid, ppid, time, command, etc)
  • Files opened by the process
  • Process command line
  • Process command
  • Process binary
  • Process working directory
  • Process environment
  • Process connections

Logs module

  • dmesg
  • auth.log
  • secure
  • dpkg.log
  • kern.log
  • lastlog
  • syslog
  • alternative.log
  • cron.log
  • messages
  • debug
  • daemon.log
  • boot.log
  • user.log
  • apache2/httpd access.log

Options

    -u,--user USER
          Specify the user which you want to investigate and generate a report.
    -p,--pid PID
          Specify the process which you want to investigate and generate a report.
    -f,--file FILE
          Specify a file which you want to investigate and generate a report.
    -l, --logs
        Dump several system logs.
    -a,--all
          Generate a full report with no filter.
    -h,--help
          Display this help menu.

Installation

git clone https://github.com/leandrofroes/firstview
cd firstview
chmod +x fIRstview.sh

Example

sudo ./fIRstview.sh -u <username>

Version 0.3 new features:

  • New log collection module
  • Removed timestamp from the report file name
  • The report now is generated in an output directory created by the script

All module:

  • Now it has the log collection module embedded

Version 0.2 new features:

All module:

  • Unusual authorized keys location
  • 0 bytes log files
  • Files/directories with no user or no group
  • Immutable files/directories
  • Pipe files
  • Add CPU usage to ps command

Process module:

  • Process command
  • Process binary
  • Process working directory
  • Process environment
  • Add CPU usage to ps command

File module:

  • Add -p option to file command to preserve timestamp.

General:

  • The commands now are organized in a logical way, making easier to analyse them.
  • Fix EUID checking logic

License

The fIRstview is published under the GPL v3 License. Please refer to the file named LICENSE for more information.

About

A Linux based Live Response/Incident Response automation tool.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages