GitMonitor.sh

A security tool to monitor recent changes to a git repository via git log and match patterns for potentially dangerous commits Bug: T218743 Change-Id: I30e3c372264fa3f5f324a60ccce9b0136a22e075

GitMonitor.sh
A security tool to monitor recent changes to a git repository via git log and match patterns for potentially dangerous commits Bug: T218743 Change-Id: I30e3c372264fa3f5f324a60ccce9b0136a22e075
b5ba97a4 · SBassett · ff529875 · b5ba97a4 · b5ba97a4 · b5ba97a4
Commit b5ba97a4 authored Mar 20, 2019 by SBassett
--- a/gitmonitor/GM_env.sh
+++ b/gitmonitor/GM_env.sh
+export GM_REPO_URL="https://gerrit.wikimedia.org/r/path/to/repo"
+export GM_REPO_FILE="path/to/file.yaml"
+export GM_REPO_BRANCH="master"
+export GM_REPO_DIFF="https://gerrit.wikimedia.org/r/plugins/gitiles/"
+export GM_SINCE="1 day ago"
+export GM_GREP_PAT="pattern1\|pattern2"
+export GM_SENDMAIL="/usr/sbin/sendmail"
+export GM_MAIL_TO="test@exmaple.com"
+export GM_DEBUG=
--- a/gitmonitor/GitMonitor.sh
+++ b/gitmonitor/GitMonitor.sh
+#/usr/bin/env bash
+################################################################################
+# Author: sbassett@wikimedia.org
+# License: Apache 2 <https://opensource.org/licenses/Apache-2.0>
+# Usage:
+#   Searches recent logs for simple grep patterns
+#   Env variables:
+#     GM_REPO_URL    = gerrit repo url to clone and search (no .git at end)
+#     GM_REPO_FILE   = a specific file within the repo that we care about
+#     GM_REPO_BRANCH = master or whatever
+#     GM_REPO_DIFF   = gitiles
+#     GM_SINCE       = since time passed to --date=""
+#     GM_GREP_PAT    = a text pattern for grep to search git show commit data
+#     GM_SENDMAIL    = path to sendmail bin
+#     GM_MAIL_TO     = email to send report
+#     GM_DEBUG       = if true, outputs sendmail report string
+#   (with set -u, script will exit if the above are not defined)
+################################################################################
+set -euo pipefail
+
+# check binary dependencies
+bins=("cd" "git" "grep" "printf" "cut" "date" "hostname" "basename")
+for bin in "${bins[@]}"; do
+    if [[ -z $(which $bin) ]]; then
+        printf "dependency '$bin' does not appear to be installed - exiting.\n"
+        exit 1
+    fi
+done
+
+# clone repo locally
+GM_REPO_PATH=${GM_REPO_URL##*/}
+if [[ -d $GM_REPO_PATH ]]; then
+    cd $GM_REPO_PATH && git checkout $GM_REPO_BRANCH && git pull && cd ..
+else
+    git clone -b $GM_REPO_BRANCH $GM_REPO_URL
+fi
+
+# format SINCE
+GM_SINCE=$(date --date="$GM_SINCE" "+%Y-%m-%d %H:%M:%S")
+
+# build report
+cd $GM_REPO_PATH
+
+report_body=""
+for git_hash in $(git log --since="$GM_SINCE" --pretty="%H" $GM_REPO_FILE)
+do
+    repo_diff_url=""
+    if [[ -n "$GM_REPO_DIFF" ]]; then
+        repo_path_for_url=${GM_REPO_URL#*://*/*/}
+        repo_diff_url="<$GM_REPO_DIFF$repo_path_for_url/+/$git_hash%%5E%%21/#F0>\n"
+    fi
+    commit_marker=$(printf "\n" &&
+        printf -- '*%.0s' {1..10} &&
+        printf "\nCOMMIT ID: $git_hash\n\n" &&
+        printf '%s' "$repo_diff_url" &&
+        printf -- '*%.0s' {1..10})
+    git_show=$(git show $git_hash | cut -c -80 | grep -C 3 "$GM_GREP_PAT" || true)
+    if [[ -n "$git_show" ]]; then
+        report_body="$report_body $commit_marker\n$git_show\n"
+    fi
+done
+
+# send report, if necessary
+if [[ -n "$report_body" ]]; then
+    script_name=$(basename "$0")
+    script_name=${script_name%%.*}
+    from=${script_name##*/}"@"$(hostname -A)
+    subject="Interesting git activity in: ${GM_REPO_URL#*://*/*/}"
+    if [[ -n "$GM_DEBUG" ]]; then
+        printf "Subject: $subject\n\n$report_body | $GM_SENDMAIL -f \
+            $from $GM_MAIL_TO\n"
+    else
+        printf "Subject: $subject\n\n$report_body" | $GM_SENDMAIL -f \
+            $from $GM_MAIL_TO
+    fi
+fi
--- a/gitmonitor/README.md
+++ b/gitmonitor/README.md
+# GitMonitor.sh
+
+Some quick-and-dirty bash to monitor string patterns within the commits to a git repo.  Designed to be run via cron - see Usage.
+
+## Prerequisites
+
+```
+* plain old bash
+* cd
+* git
+* printf
+* cut
+* date
+* hostname
+* basename
+* grep
+* sendmail (as an env var)
+```
+
+*n.b. built and tested against Debian Stretch - tools like ```date``` and ```hostname``` may differ across platforms.*
+
+## Installing
+
+1. ```git clone https://gerrit.wikimedia.org/r/wikimedia/security/tooling```
+2. Configure various environment variables - see comments within ```GitMonitor.sh``` header or [sample file provided](GM_env.sh).
+3. Set proper execute perms and go!
+
+## Usage
+
+1. Simply configure the relevant environment variables and run ```./GitMonitor.sh```
+2. Set up as a cron (e.g. every 2 minutes):
+```bash
+PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
+SHELL=/bin/bash
+*/2 * * * * cd /path/to/wikimedia/security/tooling/gitmonitor && source GM_env.sh && ./GitMonitor.sh
+```
+
+## Authors
+
+* **Scott Bassett** [sbassett@wikimedia.org]
+
+## License
+
+This project is licensed under the Apache 2.0 License - see the [LICENSE](https://opensource.org/licenses/Apache-2.0) file for details.