Add npm sudo config audit script

Checks npm prefix ownership, PATH wiring, cache ownership, shell history
for sudo npm usage, and n/nvm version manager config. Runs daily at 08:10
via cron and on initial setup.sh run.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pdm
2026-04-18 08:47:32 +00:00
parent dc299e4262
commit 080073a7d7
2 changed files with 209 additions and 2 deletions


@@ -31,6 +31,7 @@ fi
# ── Make scripts executable ────────────────────────────────────────────────────
chmod +x "$SCRIPT_DIR/npm-security-check.sh"
chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
chmod +x "$SCRIPT_DIR/check-npm-sudo-config.sh"
# ── Create logs directory ──────────────────────────────────────────────────────
mkdir -p "$SCRIPT_DIR/logs"
@@ -38,7 +39,8 @@ mkdir -p "$SCRIPT_DIR/logs"
# ── Cron jobs ──────────────────────────────────────────────────────────────────
CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"
CRON_3="0 9 * * * find $SCRIPT_DIR/logs -name '*.log' -mtime +60 -delete"
CRON_3="10 8 * * * $SCRIPT_DIR/check-npm-sudo-config.sh >> $SCRIPT_DIR/logs/check-npm-sudo-config-\$(date +\%Y\%m\%d).log 2>&1"
CRON_4="0 9 * * * find $SCRIPT_DIR/logs -name '*.log' -mtime +60 -delete"
EXISTING=$(crontab -l 2>/dev/null || true)
@@ -56,10 +58,17 @@ else
echo "Cron job registered: check-nextjs-rce.sh daily at 08:05."
fi
if echo "$EXISTING" | grep -qF "check-npm-sudo-config.sh"; then
echo "Cron job for check-npm-sudo-config.sh already registered — skipping."
else
(crontab -l 2>/dev/null; echo "$CRON_3") | crontab -
echo "Cron job registered: check-npm-sudo-config.sh daily at 08:10."
fi
if echo "$EXISTING" | grep -qF "logs -name '*.log'"; then
echo "Log cleanup cron already registered — skipping."
else
(crontab -l 2>/dev/null; echo "$CRON_3") | crontab -
(crontab -l 2>/dev/null; echo "$CRON_4") | crontab -
echo "Cron job registered: log cleanup daily at 09:00 (60 day retention)."
fi
@@ -90,5 +99,6 @@ echo ""
echo "Running initial security scan..."
bash "$SCRIPT_DIR/npm-security-check.sh" >> "$SCRIPT_DIR/logs/npm-security-check-$(date +%Y%m%d).log" 2>&1 && echo "npm-security-check: done." || echo "npm-security-check: issues found — check Telegram."
bash "$SCRIPT_DIR/check-nextjs-rce.sh" >> "$SCRIPT_DIR/logs/check-nextjs-rce-$(date +%Y%m%d).log" 2>&1 && echo "check-nextjs-rce: done." || echo "check-nextjs-rce: issues found — check Telegram."
bash "$SCRIPT_DIR/check-npm-sudo-config.sh" >> "$SCRIPT_DIR/logs/check-npm-sudo-config-$(date +%Y%m%d).log" 2>&1 && echo "check-npm-sudo-config: done." || echo "check-npm-sudo-config: issues found — check Telegram."
echo ""
echo "Initial scan complete. Check Telegram for any alerts."
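Review bot: The new initial-run line for check-npm-sudo-config.sh (the third `bash "$SCRIPT_DIR/..."` line of the last hunk) uses the `cmd && echo ok || echo fail` form, which reports "issues found" whenever the right-hand `echo` fails rather than only when the audit script exits non-zero, and it copies that shape from the two lines above it. An `if`/`else` makes the intent explicit and is the form ShellCheck prefers. It is also worth noting in a comment that a non-zero status from the audit script presumably covers both findings and a script error (missing tool, unreadable history file), so "issues found — check Telegram" may be printed when no alert was ever sent; confirm against the audit script's exit codes. The same applies to the new cron line `CRON_3=... check-npm-sudo-config.sh ...` in the second hunk, which inherits the unquoted `$SCRIPT_DIR` inside the crontab entry from the neighbouring lines — fine for the paths used here, but a `%` or space in the install path would break that entry silently.
```shell
# … unchanged: npm-security-check.sh and check-nextjs-rce.sh runs …
# Non-zero status presumably means findings OR a script error — TODO confirm against check-npm-sudo-config.sh
if bash "$SCRIPT_DIR/check-npm-sudo-config.sh" >> "$SCRIPT_DIR/logs/check-npm-sudo-config-$(date +%Y%m%d).log" 2>&1; then
  echo "check-npm-sudo-config: done."
else
  echo "check-npm-sudo-config: issues found — check Telegram."
fi
# … unchanged: closing echo lines …
```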