#!/usr/bin/env bash
# Secret Guard — Poka-yoke for world-readable credentials
#
# Scans a fixed set of directories for world-readable text files whose content
# matches credential-like keywords, copies each hit into a quarantine directory
# and tightens the original to 0600, logging every action. Intended to run as
# root (it writes under /root and /var/log).
set -o errexit
set -o nounset
set -o pipefail

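# Alert log (stdout is mirrored here) and the directory that receives copies of offending files.
readonly ALERT_LOG="/var/log/bezalel_secret_guard.log"
readonly QUARANTINE_DIR="/root/wizards/bezalel/home/quarantine"

# The quarantine holds copies of credentials, so it must be readable and traversable
# by root only; the explicit chmod also tightens a directory that already existed.
mkdir -p -- "$QUARANTINE_DIR"
chmod 700 -- "$QUARANTINE_DIR"
# The alert log records the paths of credential files. Create it 0600 up front instead of
# letting tee create it under the default umask; a pre-existing log is left untouched.
[[ -e "$ALERT_LOG" ]] || ( umask 077 && : >"$ALERT_LOG" )
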
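#######################################
# Append a timestamped line to the alert log and echo it to stdout.
# Globals:   ALERT_LOG (read) - file the line is appended to
# Arguments: $* - message text
# Outputs:   "[<date -Iseconds>] <message>" on stdout and appended to ALERT_LOG
# Returns:   tee's exit status
#######################################
log() {
  # printf instead of echo so the message text is never parsed as echo options, and
  # "$*" instead of "$1" so a call without arguments does not trip `set -u`.
  printf '[%s] %s\n' "$(date -Iseconds)" "$*" | tee -a -- "$ALERT_LOG"
}
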
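# Scan for world-readable files with sensitive keywords in /root, /home, /etc, /tmp, /var/log
# Exclude binary files (grep -I), large files (>1MB), and known safe paths.
# NOTE(review): the keyword match is a heuristic. Ordinary configuration files that merely
# mention the word "password" (PAM or ssh client configs under /etc, for example) match as
# well, and the remediation below tightens their permissions — review the alert log after
# every run.
readonly SECRET_PATTERN='password|token|secret|nsec|api_key|private_key|aws_access_key_id|aws_secret_access_key'
readonly SCAN_ROOTS=(/root /home /etc /tmp /var/log)
readonly MAX_HITS=50   # same cap as the former `head -50`; candidates beyond it are not examined

VIOLATIONS=0
CANDIDATES=0
# Candidate paths arrive NUL-delimited (grep -Z) so names containing whitespace or glob
# characters are handled intact. The pipeline's exit status is ignored on purpose:
# `grep -l` exits 1 whenever a batch contains no match, and under `set -euo pipefail`
# that (or the cap closing the pipe early) would abort the script before the OK/ALERT
# summary is ever logged.
while IFS= read -r -d '' file; do
  # Stop after MAX_HITS candidates, counted before any skip rule is applied.
  (( CANDIDATES < MAX_HITS )) || break
  CANDIDATES=$((CANDIDATES + 1))

  # Skip copies already sitting in quarantine
  if [[ "$file" == "$QUARANTINE_DIR"* ]]; then
    continue
  fi
  # Skip log files that are expected to be world-readable
  if [[ "$file" == /var/log/* ]]; then
    continue
  fi

  VIOLATIONS=$((VIOLATIONS + 1))
  # mktemp creates the destination 0600 with a unique suffix, so the copy is never
  # world-readable (not even between cp and chmod) and two hits sharing a basename in
  # the same second cannot overwrite each other.
  quarantine_path=$(mktemp "${QUARANTINE_DIR}/${file##*/}.$(date +%s).XXXXXX")
  cp -- "$file" "$quarantine_path"
  chmod 600 -- "$quarantine_path"   # belt and braces in case cp altered the mode
  chmod 600 -- "$file"
  log "QUARANTINED: $file -> $quarantine_path (permissions fixed to 600)"
done < <(find "${SCAN_ROOTS[@]}" -maxdepth 4 -type f -perm /o+r \
  ! -path "*/.git/*" \
  ! -path "*/node_modules/*" \
  ! -path "*/venv/*" \
  ! -path "*/.venv/*" \
  ! -path "*/__pycache__/*" \
  ! -name "*.pyc" \
  ! -size +1M \
  -exec grep -l -I -i -E -Z -e "$SECRET_PATTERN" {} + 2>/dev/null || true)
# Note: `! -name "*.pyc"` replaces the former `! -path "*/.pyc"`, which only excluded a
# file literally named ".pyc".

if (( VIOLATIONS > 0 )); then
  log "ALERT: $VIOLATIONS world-readable secret file(s) detected and quarantined."
else
  log "OK: No world-readable secret files found."
fi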