Commit b5ba97a4 authored by SBassett's avatar SBassett

GitMonitor.sh

A security tool to monitor recent changes to a git repository via
git log and match patterns for potentially dangerous commits

Bug: T218743
Change-Id: I30e3c372264fa3f5f324a60ccce9b0136a22e075
parent ff529875
export GM_REPO_URL="https://gerrit.wikimedia.org/r/path/to/repo"
export GM_REPO_FILE="path/to/file.yaml"
export GM_REPO_BRANCH="master"
export GM_REPO_DIFF="https://gerrit.wikimedia.org/r/plugins/gitiles/"
export GM_SINCE="1 day ago"
export GM_GREP_PAT="pattern1\|pattern2"
export GM_SENDMAIL="/usr/sbin/sendmail"
export GM_MAIL_TO="test@exmaple.com"
export GM_DEBUG=
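Review bot: `GM_MAIL_TO` on line 19 is set to `test@exmaple.com`, a misspelling of the reserved example domain; a sample file copied and run as-is would mail reports that contain commit diffs to a domain nobody in the project controls, so use `test@example.com` (reserved by RFC 2606) or an obviously fake placeholder. `GM_GREP_PAT="pattern1\|pattern2"` relies on GNU grep's `\|` alternation in basic regex, which matches the README's Debian-only caveat, so a comment such as `# \| alternation is GNU grep BRE syntax; use -E style patterns elsewhere` next to it would save the next user a silent non-match.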
#/usr/bin/env bash
################################################################################
# Author: sbassett@wikimedia.org
# License: Apache 2 <https://opensource.org/licenses/Apache-2.0>
# Usage:
# Searches recent logs for simple grep patterns
# Env variables:
# GM_REPO_URL = gerrit repo url to clone and search (no .git at end)
# GM_REPO_FILE = a specific file within the repo that we care about
# GM_REPO_BRANCH = master or whatever
# GM_REPO_DIFF = gitiles
# GM_SINCE = since time passed to --date=""
# GM_GREP_PAT = a text pattern for grep to search git show commit data
# GM_SENDMAIL = path to sendmail bin
# GM_MAIL_TO = email to send report
# GM_DEBUG = if true, outputs sendmail report string
# (with set -u, script will exit if the above are not defined)
################################################################################
set -euo pipefail
# check binary dependencies
bins=("cd" "git" "grep" "printf" "cut" "date" "hostname" "basename")
for bin in "${bins[@]}"; do
if [[ -z $(which $bin) ]]; then
printf "dependency '$bin' does not appear to be installed - exiting.\n"
exit 1
fi
done
# clone repo locally
GM_REPO_PATH=${GM_REPO_URL##*/}
if [[ -d $GM_REPO_PATH ]]; then
cd $GM_REPO_PATH && git checkout $GM_REPO_BRANCH && git pull && cd ..
else
git clone -b $GM_REPO_BRANCH $GM_REPO_URL
fi
# format SINCE
GM_SINCE=$(date --date="$GM_SINCE" "+%Y-%m-%d %H:%M:%S")
# build report
cd $GM_REPO_PATH
report_body=""
for git_hash in $(git log --since="$GM_SINCE" --pretty="%H" $GM_REPO_FILE)
do
repo_diff_url=""
if [[ -n "$GM_REPO_DIFF" ]]; then
repo_path_for_url=${GM_REPO_URL#*://*/*/}
repo_diff_url="<$GM_REPO_DIFF$repo_path_for_url/+/$git_hash%%5E%%21/#F0>\n"
fi
commit_marker=$(printf "\n" &&
printf -- '*%.0s' {1..10} &&
printf "\nCOMMIT ID: $git_hash\n\n" &&
printf '%s' "$repo_diff_url" &&
printf -- '*%.0s' {1..10})
git_show=$(git show $git_hash | cut -c -80 | grep -C 3 "$GM_GREP_PAT" || true)
if [[ -n "$git_show" ]]; then
report_body="$report_body $commit_marker\n$git_show\n"
fi
done
# send report, if necessary
if [[ -n "$report_body" ]]; then
script_name=$(basename "$0")
script_name=${script_name%%.*}
from=${script_name##*/}"@"$(hostname -A)
subject="Interesting git activity in: ${GM_REPO_URL#*://*/*/}"
if [[ -n "$GM_DEBUG" ]]; then
printf "Subject: $subject\n\n$report_body | $GM_SENDMAIL -f \
$from $GM_MAIL_TO\n"
else
printf "Subject: $subject\n\n$report_body" | $GM_SENDMAIL -f \
$from $GM_MAIL_TO
fi
fi
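Review bot: `$report_body` is used as the printf format string at lines 84 and 87, and its content is the output of `git show` for whichever commits matched, so any `%` sequence in a commit (a `%s` inside a diff, a `%d` in a log message) is interpreted as a directive instead of printed, which at best mangles or truncates the report that was meant to flag that very commit. Keep the data in the arguments, `printf 'Subject: %s\n\n%b' "$subject" "$report_body" | "$GM_SENDMAIL" -f "$from" "$GM_MAIL_TO"` (`%b` so the literal `\n` already built into the body still become newlines), and since the format no longer doubles `%`, change line 65 to a single `%5E%21`. Two smaller points in the same file: line 21 reads `#/usr/bin/env bash` without the `!`, so the script has no shebang and the `[[`, arrays and `pipefail` it relies on only work when the cron entry happens to invoke bash; and `which $bin` at line 43 will likely report the builtin `cd` as missing (there is no such binary on Debian), where `command -v "$bin"` also finds builtins. Most expansions (`$GM_REPO_PATH`, `$GM_REPO_BRANCH`, `$GM_REPO_URL`, `$GM_REPO_FILE`, `$git_hash`, `$from`) are unquoted and should be quoted.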
# GitMonitor.sh
Some quick-and-dirty bash to monitor string patterns within the commits to a git repo. Designed to be run via cron - see Usage.
## Prerequisites
```
* plain old bash
* cd
* git
* printf
* cut
* date
* hostname
* basename
* grep
* sendmail (as an env var)
```
*n.b. built and tested against Debian Stretch - tools like ```date``` and ```hostname``` may differ across platforms.*
## Installing
1. ```git clone https://gerrit.wikimedia.org/r/wikimedia/security/tooling```
2. Configure various environment variables - see comments within ```GitMonitor.sh``` header or [sample file provided](GM_env.sh).
3. Set proper execute perms and go!
## Usage
1. Simply configure the relevant environment variables and run ```./GitMonitor.sh```
2. Set up as a cron (e.g. every 2 minutes):
```bash
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
SHELL=/bin/bash
*/2 * * * * cd /path/to/wikimedia/security/tooling/gitmonitor && source GM_env.sh && ./GitMonitor.sh
```
## Authors
* **Scott Bassett** [sbassett@wikimedia.org]
## License
This project is licensed under the Apache 2.0 License - see the [LICENSE](https://opensource.org/licenses/Apache-2.0) file for details.