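#!/bin/bash
#
# Scan every Ansible role's files/ and templates/ directories for lines that
# look like they carry a credential, then drop the lines that match an
# allowlist of known-benign signatures. Anything left over is reported and the
# script exits 1; if every hit was allowlisted it exits 0.
#
# No `set -e` on purpose: the filter stage exits 1 whenever it suppresses every
# line, and that "nothing left" status is the success path checked below.

# Each entry is one alternative of a single extended regex. A line is hidden as
# soon as ANY entry matches ANYWHERE on it, so an unanchored word such as
# `attempt` or `_LENGTH` also hides a real secret that happens to share the
# line with it; keep entries as narrow as the data allows.
allow=(
  # Ansible/Jinja template references: the value is a variable, not a literal.
  '\s+}}"?\s*$'
  # YAML key whose value is only a comment marker. The original class was
  # written as [a-z,A-Z,0-9,_,-,/,.], where ",-," is a range from "," to ","
  # and so never matched "-"; hyphenated keys are now covered as intended.
  '^[A-Za-z0-9_,/.-]+:\s*(;|#|//)'
  # grep's notice for binary files (it arrives via 2>&1, see below).
  'binary file matches'
  # AniNIX constructs (dots escaped so they match literally).
  'password\.aninix\.net'
  'aur\.list'
  # Web constructs (file-suffix prefixes of a grep "path:" match).
  '\.css:'
  '\.html:'
  '\.md:'
  'htdocs'
  'htpasswd'
  # Template text used to state password policy.
  '_LENGTH'
  'Set new'
  'attempt'
  'pwdchange'
  # haveibeenpwned is referenced in comments.
  'haveibeenpwned'
  # Unset variables and bare yes/no flags.
  '\s+=\s*$'
  '\s+yes$'
  '\s+no$'
  # LDAP password-policy attributes and related wording.
  'pwpolicies'
  'pwdLastSuccess'
  'pwdAttribute'
  'pwdMaxAge'
  'pwdExpireWarning'
  'pwdInHistory'
  'pwdCheckQuality'
  'pwdMaxFailure'
  'pwdLockout'
  'pwdLockoutDuration'
  'pwdGraceAuthNLimit'
  'pwdFailureCountInterval'
  'pwdMustChange'
  'pwdMinLength'
  'pwdAllowUserChange'
  'pwdSafeModify'
  'pwdChangedTime'
  'pwdPolicy'
  'last changed their password on'
  '/root/\.ldappass'
)
# Join the entries with "|" (IFS is changed only inside the subshell).
saferegex=$(IFS='|'; printf '%s' "${allow[*]}")

# `grep -E` rather than `egrep`: recent GNU grep prints an obsolescence warning
# for egrep on stderr, and the 2>&1 below would have turned that warning into a
# finding. 2>&1 is kept deliberately so that grep diagnostics (binary-file
# notices, unreadable or missing role directories) pass through the allowlist
# and anything unexpected fails the check instead of being lost.
# The filter stage is case-sensitive, so allowlist entries must match the
# casing actually present in the roles.
grep -E -ir 'secret|password|pw|passphrase' roles/*/{files,templates} 2>&1 \
  | grep -E -v -- "$saferegex"
# Without pipefail, $? is the filter's status: 1 means every candidate line
# was allowlisted (clean), 0 means unfiltered lines were printed above, and
# 2 means grep itself failed. Only 1 is a pass.
status=$?

if [ "$status" -ne 1 ]; then
  printf '\nIf these are false positives, you need to add the signature to the whitelist in %s.\n' "$0"
  printf 'Otherwise, convert any files above to templates and encode the passphrase into your vault.\n'
  exit 1
fi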