checks (#150)

Author: kaplanelad

Cargo.lock

@@ -23,7 +23,6 @@ serde_yaml = "0.9"
 serde_derive = "1.0"
 serde_regex = "1.1"
 regex = "1.12"
-rayon = "1.11"
 rand = "0.10"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }

shellfirm/Cargo.toml

@@ -6,7 +6,7 @@
   alternative: "aws s3 ls s3://<bucket>"
   alternative_info: "List bucket contents first to verify what would be deleted."
 - from: aws
-  test: aws\s+s3\s+rm\s+s3://.*--recursive
+  test: aws\s+(?:--\S+\s+\S+\s+)*s3\s+rm\s+.*s3://.*--recursive|aws\s+(?:--\S+\s+\S+\s+)*s3\s+rm\s+--recursive\s+s3://
   description: "Recursively deleting all objects in an S3 bucket."
   id: aws:s3_recursive_delete
   severity: High
@@ -52,3 +52,43 @@
   description: "Deleting a Lambda function removes it permanently."
   id: aws:lambda_delete
   severity: High
+- from: aws
+  test: aws\s+dynamodb\s+delete-table
+  description: "Deleting a DynamoDB table permanently destroys all its data."
+  id: aws:dynamodb_delete_table
+  severity: High
+- from: aws
+  test: aws\s+sqs\s+delete-queue
+  description: "Deleting an SQS queue loses all queued messages."
+  id: aws:sqs_delete_queue
+  severity: High
+- from: aws
+  test: aws\s+sns\s+delete-topic
+  description: "Deleting an SNS topic breaks all subscriptions."
+  id: aws:sns_delete_topic
+  severity: High
+- from: aws
+  test: aws\s+ecr\s+delete-repository
+  description: "Deleting an ECR repository removes all container images."
+  id: aws:ecr_delete_repository
+  severity: High
+- from: aws
+  test: aws\s+secretsmanager\s+delete-secret
+  description: "Deleting a secret can break applications depending on it."
+  id: aws:secretsmanager_delete
+  severity: High
+- from: aws
+  test: aws\s+elasticache\s+delete-cache-cluster
+  description: "Deleting an ElastiCache cluster destroys all cached data."
+  id: aws:elasticache_delete_cluster
+  severity: High
+- from: aws
+  test: aws\s+logs\s+delete-log-group
+  description: "Deleting a CloudWatch log group permanently loses all log data."
+  id: aws:logs_delete_log_group
+  severity: High
+- from: aws
+  test: aws\s+ecs\s+delete-(service|cluster)
+  description: "Deleting an ECS service or cluster stops all running containers."
+  id: aws:ecs_delete
+  severity: High

shellfirm/checks/aws.yaml

@@ -35,3 +35,18 @@
   description: "Deleting an Azure AD application or service principal can break authentication."
   id: azure:delete_ad_app
   severity: High
+- from: azure
+  test: az\s+functionapp\s+delete
+  description: "Deleting an Azure Function App removes it permanently."
+  id: azure:delete_functionapp
+  severity: High
+- from: azure
+  test: az\s+webapp\s+delete
+  description: "Deleting a web app removes it and all deployed code."
+  id: azure:delete_webapp
+  severity: High
+- from: azure
+  test: az\s+cosmosdb\s+delete
+  description: "Deleting a Cosmos DB account destroys all databases and data."
+  id: azure:delete_cosmosdb
+  severity: High

shellfirm/checks/azure.yaml

@@ -23,3 +23,40 @@
   description: "You are going to shutdown your machine."
   id: base:shutdown_machine
   severity: High
+- from: base
+  test: kill\s+-9\s+
+  description: "SIGKILL gives no chance for graceful shutdown or cleanup."
+  id: process:kill_9
+  severity: Low
+  alternative: "kill <pid>"
+  alternative_info: "Send SIGTERM first to allow graceful shutdown, then kill -9 if needed."
+- from: base
+  test: killall\s+
+  description: "Kills ALL processes matching the name."
+  id: process:killall
+  severity: Medium
+- from: base
+  test: pkill\s+
+  description: "Kills processes matching a pattern — could match unintended processes."
+  id: process:pkill
+  severity: Medium
+- from: base
+  test: systemctl\s+(disable|mask)\s+
+  description: "Disabling or masking a service prevents it from starting on boot."
+  id: systemd:disable_service
+  severity: Medium
+- from: base
+  test: systemctl\s+stop\s+(docker|sshd|nginx|apache2|httpd|postgresql|mysql|redis)(\s|$)
+  description: "Stopping a critical system service can cause outages."
+  id: systemd:stop_critical_service
+  severity: High
+- from: base
+  test: ssh-add\s+-D
+  description: "Removes all SSH identities from the agent."
+  id: ssh:delete_all_identities
+  severity: Medium
+- from: base
+  test: ssh-keygen\s+-R\s+
+  description: "Removes a host from known_hosts — could enable MITM attacks."
+  id: ssh:remove_known_host
+  severity: Low

shellfirm/checks/base.yaml

@@ -35,3 +35,13 @@
       value: "WHERE"
     - type: NotContains
       value: "where"
+- from: database
+  test: (?i)DROP\s+(SCHEMA|ROLE|USER)
+  description: "Dropping a schema, role, or user is a destructive and often irreversible operation."
+  id: database:drop_schema_role_user
+  severity: High
+- from: database
+  test: (?i)ALTER\s+TABLE\s+\w+\s+DROP\s+COLUMN
+  description: "Dropping a column permanently removes data from all rows."
+  id: database:alter_drop_column
+  severity: High

shellfirm/checks/database.yaml

@@ -1,5 +1,5 @@
 - from: docker
-  test: docker\s+system\s+prune\s+(-a|--all)
+  test: docker\s+system\s+prune\s+.*(?:-[a-zA-Z]*a|--all)
   description: "This will remove all unused Docker data including stopped containers, networks, dangling images, and build cache."
   id: docker:system_prune_all
   severity: High
@@ -31,7 +31,7 @@
   id: docker:remove_network
   severity: Medium
 - from: docker
-  test: docker[\s-]compose\s+down\s+(-v|--volumes)
+  test: docker[\s-]compose\s+down\s+.*(-v|--volumes)
   description: "This will stop containers AND delete all associated volumes and data."
   id: docker:compose_down_volumes
   severity: High
@@ -42,3 +42,20 @@
   description: "Stopping all running Docker containers."
   id: docker:stop_all_containers
   severity: Medium
+- from: docker
+  test: docker\s+image\s+prune\s+.*(?:-[a-zA-Z]*a|--all)
+  description: "Removes ALL images, not just dangling ones."
+  id: docker:image_prune_all
+  severity: High
+  alternative: "docker image prune"
+  alternative_info: "Without -a, only dangling images are removed."
+- from: docker
+  test: docker\s+container\s+prune
+  description: "Removes all stopped containers."
+  id: docker:container_prune
+  severity: Medium
+- from: docker
+  test: docker\s+buildx\s+prune\s+.*--all
+  description: "Clears the entire Docker build cache."
+  id: docker:buildx_prune_all
+  severity: High

shellfirm/checks/docker.yaml

@@ -1,5 +1,5 @@
 - from: fs
-  test: 'rm\s{1,}(?:-R|-r|-f|-fR|-fr|-Rf|-rf|-v|--force|--verbose|--preserve-root)\s*(?:-R|-r|-f|-fR|-fr|-Rf|-rf|-v|--force|--verbose|--preserve-root)?\s*(\*|\.{1,}|/)\s*$'
+  test: 'rm\s{1,}(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system))(?:\s+(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system)))*(?:\s+\S+)*?\s+(\*|\.{1,}|/)(?:\s|$)'
   description: "You are going to delete everything in the path."
   id: fs:recursively_delete
   severity: Critical
@@ -25,7 +25,7 @@
     - type: PathExists
       value: 1
 - from: fs
-  test: chmod\s{1,}(-R|--recursive)\s+(?:\S+\s+)*(\*|\.{1,}|/)
+  test: chmod\s{1,}(?:\S+\s+)*(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)\s+(?:\S+\s+)*(\*|\.{1,}|/)
   description: "Change permission to all root files can brake your some thinks like SSH keys."
   id: fs:recursively_chmod
   severity: Critical
@@ -37,52 +37,52 @@
   alternative: "find <path> -name '<pattern>' -print"
   alternative_info: "Preview what would be deleted with -print first, then add -delete when you're sure."
 - from: fs
-  test: 'dd\s+.*of=/dev/([hs]d[a-z]|mmcblk[0-9])'
+  test: 'dd\s+.*of=/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+)'
   description: "Are you sure you want to write directly to a block device? This could overwrite your disk."
   id: fs:dd_block_device
   severity: Critical
 - from: fs
-  test: 'mkfs(?:\.(?:ext[2-4]|fat|ntfs|xfs|btrfs))?\s+(?:-t\s+\w+\s+)?/dev/([hs]d[a-z][0-9]*|mmcblk[0-9]p?[0-9]*)'
+  test: 'mkfs(?:\.(?:ext[2-4]|fat|vfat|ntfs|xfs|btrfs))?\s+(?:-t\s+\w+\s+)?/dev/([hs]d[a-z][0-9]*|mmcblk[0-9]p?[0-9]*|nvme[0-9]+n[0-9]+(?:p[0-9]+)?)'
   description: "Are you sure you want to format this device? This will erase all data on it."
   id: fs:mkfs_format
   severity: Critical
 - from: fs
-  test: 'parted\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'parted\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to modify disk partitions? This could erase all data on the disk."
   id: fs:parted_disk_modify
   severity: Critical
 - from: fs
-  test: 'fdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'fdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to modify disk partitions? This could erase all data on the disk."
   id: fs:fdisk_disk_modify
   severity: Critical
 - from: fs
-  test: 'sfdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'sfdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to modify disk partitions? This could erase all data on the disk."
   id: fs:sfdisk_disk_modify
   severity: Critical
 - from: fs
-  test: 'dd\s+.*(?:conv=notrunc|seek=\d+|skip=\d+).*of=/dev/([hs]d[a-z]|mmcblk[0-9])'
+  test: 'dd\s+.*(?:conv=notrunc|seek=\d+|skip=\d+).*of=/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+)'
   description: "Are you sure you want to write to a specific sector of the disk? This could corrupt data."
   id: fs:dd_advanced_disk_write
   severity: Critical
 - from: fs
-  test: 'gdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'gdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to modify GPT disk partitions? This could erase all data on the disk."
   id: fs:gdisk_disk_modify
   severity: Critical
 - from: fs
-  test: 'partprobe\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'partprobe\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to inform the OS of partition table changes? This could affect mounted partitions."
   id: fs:partprobe_disk_update
   severity: High
 - from: fs
-  test: 'blockdev\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'blockdev\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to modify block device parameters? This could affect disk operations."
   id: fs:blockdev_disk_modify
   severity: High
 - from: fs
-  test: 'mount\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'mount\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to mount this device? This could affect system stability."
   id: fs:mount_operations
   severity: High
@@ -92,12 +92,12 @@
   id: fs:lvm_operations
   severity: Critical
 - from: fs
-  test: '(?:dump|restore)\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: '(?:dump|restore)\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to backup/restore this filesystem? This could affect system stability."
   id: fs:filesystem_backup
   severity: High
 - from: fs
-  test: 'cryptsetup\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]))'
+  test: 'cryptsetup\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
   description: "Are you sure you want to encrypt/decrypt this device? This could affect data accessibility."
   id: fs:encryption_operations
   severity: Critical
@@ -122,3 +122,20 @@
   filters:
     - type: PathExists
       value: 1
+- from: fs
+  test: rsync\s+.*--delete
+  description: "Syncs with deletion — removes files at destination not present in source."
+  id: fs:rsync_delete
+  severity: High
+  alternative: "rsync --dry-run --delete ..."
+  alternative_info: "Preview what would be deleted with --dry-run first."
+  filters:
+    - type: NotContains
+      value: "--dry-run"
+    - type: NotContains
+      value: "-n"
+- from: fs
+  test: chown\s{1,}(?:\S+\s+)*(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)\s+(?:\S+\s+)*(\*|\.{1,}|/)
+  description: "Recursive ownership change on root or wildcard can break system files and SSH keys."
+  id: fs:recursively_chown
+  severity: Critical

shellfirm/checks/fs.yaml

@@ -21,7 +21,7 @@
   id: gcp:delete_gke_cluster
   severity: High
 - from: gcp
-  test: gsutil\s+rm\s+-r\s+gs://
+  test: gsutil\s+(?:-\S+\s+)*rm\s+(?:-r\s+gs://|gs://\S+\s+-r)
   description: "Recursively deleting all objects in a GCS bucket."
   id: gcp:gcs_recursive_delete
   severity: High
@@ -37,3 +37,23 @@
   description: "Deleting a service account can break applications using it."
   id: gcp:delete_service_account
   severity: High
+- from: gcp
+  test: gcloud\s+functions\s+delete
+  description: "Deleting a Cloud Function removes it permanently."
+  id: gcp:delete_function
+  severity: High
+- from: gcp
+  test: gcloud\s+run\s+services\s+delete
+  description: "Deleting a Cloud Run service stops serving traffic."
+  id: gcp:delete_cloud_run
+  severity: High
+- from: gcp
+  test: gcloud\s+pubsub\s+topics\s+delete
+  description: "Deleting a Pub/Sub topic breaks all connected subscriptions."
+  id: gcp:delete_pubsub_topic
+  severity: High
+- from: gcp
+  test: gcloud\s+secrets\s+delete
+  description: "Deleting a secret can break applications depending on it."
+  id: gcp:delete_secret
+  severity: High