diff --git a/lib/include/audit_code.sh b/lib/include/audit_code.sh
new file mode 100644
index 0000000..c6cc652
--- /dev/null
+++ b/lib/include/audit_code.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+function audit_wrn() {
+ echo -e "[${Yellow}code-audit${Reset}] $1"
+}
+
+function audit_code_popen() {
+ local match
+ match="$(grep -rPn 'popen' src)"
+ if [ "$match" != "" ]
+ then
+ audit_wrn "$(tput bold)WARNING$(tput sgr0): found popen"
+ echo "$match" | awk '{ print "\t" $0}'
+ fi
+}
+
+function audit_code_system() {
+ local match
+ match="$(grep -rPn '(system[\s]*$|system\()' src | grep -v '//.*system')"
+ if [ "$match" != "" ]
+ then
+ audit_wrn "$(tput bold)WARNING$(tput sgr0): found system call"
+ echo "$match" | awk '{ print "\t" $0}'
+ fi
+}
+
+function audit_code_exec() {
+ local match
+ match="$(grep -Prn '(execl|execle|execlp|execv(?!e\(\))|execve(?!\(\))|execvp|fexecve)' src)"
+ if [ "$match" != "" ]
+ then
+ audit_wrn "$(tput bold)WARNING$(tput sgr0): found exec call"
+ echo "$match" | awk '{ print "\t" $0}'
+ fi
+}
+
+function audit_code_shell() {
+ local match
+ match="$(grep -iErn '(bin/|env )(sh|bash|fish|zsh|csh)' src)"
+ if [ "$match" != "" ]
+ then
+ audit_wrn "$(tput bold)WARNING$(tput sgr0): found possible reverse shell"
+ echo "$match" | awk '{ print "\t" $0}'
+ fi
+}
+
+function audit_code_rcon() {
+ local match
+ match="$(grep -iErn '(print|log|say|sendchat|broadcast).*config.*SvRconPassword' src)"
+ if [ "$match" != "" ]
+ then
+ audit_wrn "$(tput bold)WARNING$(tput sgr0): found possible rcon password leak"
+ echo "$match" | awk '{ print "\t" $0}'
+ fi
+}
+
+function audit_code() {
+ if [ ! -d "$CFG_GIT_PATH_MOD" ]
+ then
+ return
+ fi
+ (
+ cd "$CFG_GIT_PATH_MOD" || exit 1
+ audit_code_rcon
+ audit_code_shell
+ audit_code_exec
+ audit_code_system
+ audit_code_popen
+ )
+}
+
diff --git a/lib/lib.sh b/lib/lib.sh
index 0ac5e98..68522e3 100644
--- a/lib/lib.sh
+++ b/lib/lib.sh
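Review bot: In `audit_code_system` the trailing `grep -v '//.*system'` discards every match that has a `//` anywhere before `system` on the same line — a string literal holding a URL is enough — so a real call can disappear from the audit with no indication; an audit like this should over-report, so filter only whole-line comments, `grep -v '^[[:space:]]*//'`, or drop the filter and let the reader judge the printed lines. The negative lookaheads in `audit_code_exec` (`execv(?!e\(\))`, `execve(?!\(\))`) exclude only the literal zero-argument spelling `execve()`, which is never a real call, so `execve(path, argv, envp)` is still reported through the `execv` branch and the pattern reduces to `'(execl|execle|execlp|execv|execve|execvp|fexecve)'`; if they were meant to suppress something else, they do not. `audit_code` also gives its caller nothing to act on: findings go to stdout only, so `status.sh` cannot tell whether anything was flagged — having each `audit_code_*` return 1 on a match and `audit_code` propagate the worst status from the subshell would make that usable. `audit_wrn` reads `Yellow` and `Reset`, which this file does not define; presumably an earlier include sets them, and a one-line comment on the function naming that dependency would help.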
@@ -15,6 +15,7 @@ source lib/include/settings.sh source lib/include/git.sh source lib/include/logs.sh source lib/include/screen.sh +source lib/include/audit_code.sh function get_player_ips() { if [ ! "$(command -v rg)" ] diff --git a/status.sh b/status.sh index 5c98ff4..e8db1f7 100755 --- a/status.sh +++ b/status.sh @@ -10,6 +10,7 @@ fi source lib/lib.sh check_warnings +audit_code if pgrep -f "$SERVER_UUID" > /dev/null then