Shell Script Modification

ID

shell_script_modification

Severity

critical

Resource

Configuration

Description

A script file contains a sequence of commands, often used for deployment, installation or software updates.

Impact

Script files are obvious targets for bad actors. Many supply-chain attacks managed to tamper with a script file, like Codecov’s Bash uploader script. Bad actors can add extra commands to exfiltrate sensitive data, or run arbitrary commands to drop malware, move laterally or establish persistence.

Any modification of these files that does not pass the configured checks is considered suspicious by the scanner.

Configuration

The detector has the following properties:

  • fileMatchers, the list of file matchers that select the files analyzed by this detector. Each matcher has the following properties:

    • fileTypes is used to specify the file types analyzed by this detector.

    • fileRegex is used to specify the regular expression that the path of these files must match.

    • enabled, which is true by default, is used to enable or disable a particular file matcher, while keeping the others enabled.

  • changeTypesToConsider, which lists the change types to consider, as one or more of the following characters:

    • A for added files

    • M for modified files

    • D for deleted files

    • C for copied files

    • R for renamed files

    • T for changes in the file type/mode

    • * for any change.

Multiple values can be combined, like AM for additions and modifications, or AMD for additions, modifications and deletions. The default is M, which considers modifications only.

  • nonTrivialChangeChecker, a comma-separated list of checkers used to discard trivial modifications. Available checkers are:

    • empty: Used to discard changes involving empty lines or spaces.

    • comments: Used to discard changes involving comments.

  • changeValidationChecker, a declarative expression that defines the validation checkers to apply to each critical modification.
    It is a logical expression that combines checker IDs with the AND and OR operators. Parentheses can also be used to group sub-expressions.
    Available checkers are:

    • commit_signed: Checks that the commit signature passed verification (not available for Azure DevOps or Bitbucket Cloud).

    • author_is_admin: Checks that the commit author is an admin (not available for GitLab).

    • author_in_group: Checks that the commit author belongs to a group. For example, author_in_group(sec_crew, other-random-group) checks whether the commit author belongs to sec_crew OR to other-random-group (not available for GitLab).

    • pr_reviewed: Checks that the commit was reviewed in a Pull Request.

    • pr_reviewed_by_group: Checks that the commit was reviewed in a Pull Request by a reviewer from a specific group (or groups).

    • pr_reviewed_by_admin: Checks that the commit was reviewed in a Pull Request by an administrator.

    • pr_status_checks_passed: Checks that the given commit has passed the Pull Request status checks.

Both nonTrivialChangeChecker and changeValidationChecker serve to discard false positives: changes that do not require attention, or that were properly reviewed or authored.
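As an added illustration of how a changeValidationChecker expression is interpreted (example code, not part of this documentation or of the scanner), the following parses the AND/OR/parentheses grammar described above, including checkers that take arguments such as author_in_group(sec_crew, other-random-group), and evaluates the resulting tree against facts recorded for one commit. The checker names are the ones listed above; the commit fields (signature_verified, author_groups, and so on), the small checker table, and the rule that AND binds tighter than OR are assumptions of this example.

```python
import re

# Constructed checker table (assumed names and commit fields) fed by SCM facts.
CHECKERS = {
    "commit_signed": lambda c, *_: c["signature_verified"],
    "author_is_admin": lambda c, *_: c["author_is_admin"],
    "author_in_group": lambda c, *groups: bool(set(groups) & c["author_groups"]),
    "pr_reviewed": lambda c, *_: c["pr_reviewed"],
}
OPS = ("OR", "AND")  # lowest precedence first; AND binding tighter is assumed
_TOKEN = re.compile(r"AND\b|OR\b|[()]|\w+(?:\([^)]*\))?")

def parse(expression):
    """Parse into nested ('OR'|'AND', left, right) / ('check', name, args) tuples."""
    tokens = _TOKEN.findall(expression)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", expression):
        raise ValueError("unsupported syntax (only AND, OR, parentheses, checkers)")
    pos = 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None  # noqa: E731
    def expr(level=0):
        nonlocal pos
        if level < len(OPS):  # left-associative chain joined by OPS[level]
            node = expr(level + 1)
            while peek() == OPS[level]:
                pos += 1
                node = (OPS[level], node, expr(level + 1))
            return node
        tok, pos = peek(), pos + 1  # atom: parenthesised group or checker call
        if tok == "(":
            node, tok, pos = expr(), peek(), pos + 1  # expr() advances pos first
            if tok != ")":
                raise ValueError(f"expected ')' but found {tok!r}")
            return node
        if tok is None or tok in OPS + (")",):
            raise ValueError(f"unexpected token {tok!r}")
        name, _, rest = tok.partition("(")
        return ("check", name, tuple(a.strip() for a in rest.rstrip(")").split(",")) if rest else ())

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing input {tokens[pos:]!r}")
    return tree

def evaluate(node, commit):
    """Short-circuit walk; an unknown checker name raises KeyError instead of passing."""
    kind, left, right = node
    if kind == "OR":
        return evaluate(left, commit) or evaluate(right, commit)
    if kind == "AND":
        return evaluate(left, commit) and evaluate(right, commit)
    return CHECKERS[left](commit, *right)
```

Stray characters that the tokenizer would otherwise skip (for instance a `!`) are rejected rather than silently ignored, so a mistyped policy fails closed instead of becoming a weaker one.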

Mitigation / Fix

Modifications to critical files should pass several checks to ensure they don’t contain any malicious code that modifies the behaviour of the application. This can be achieved in several ways, such as:

  • Ensuring a Pull Request review is required.

  • Ensuring Pull Request checks were passed.

  • Ensuring that commits are signed.

  • Ensuring that the commit author belongs to a specific group.

By default, pr_reviewed OR (commit_signed AND author_is_admin) is required.