Use tee -a instead of redirect + cat, so only the current run's output is shown rather than the entire accumulated daily log. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
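#!/usr/bin/env bash
# setup.sh
#
# Run once after cloning on any VM where you want security scanning active.
#
# What it does:
#   1. Prompts for Telegram bot credentials and writes them to config.sh (mode 0600).
#   2. Marks the three scan scripts executable and creates the logs/ directory.
#   3. Registers daily cron jobs for the scans plus a 60-day log cleanup.
#   4. Sends a test Telegram message and runs each scan once.
#
# Requires: bash, crontab, curl, hostname. Cron typically runs with a minimal
# PATH, so the scan scripts must not depend on the interactive shell's
# environment.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CONFIG_FILE="$SCRIPT_DIR/config.sh"
LOG_DIR="$SCRIPT_DIR/logs"
SCAN_SCRIPTS=(npm-security-check.sh check-nextjs-rce.sh check-npm-sudo-config.sh)

# die MESSAGE: print to stderr and abort setup.
die() { printf 'setup.sh: %s\n' "$*" >&2; exit 1; }

# Fail early with a clear message instead of a mid-run `command not found`
# (which, under set -e, would leave setup half applied).
for tool in crontab curl hostname; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

echo "=== Security Tools Setup ==="
echo ""

# ── Telegram credentials ───────────────────────────────────────────────────────
if [[ -f "$CONFIG_FILE" ]]; then
  echo "config.sh already exists — skipping credential setup."
else
  # The bot token is a bearer secret: read it with -s so it is not echoed to
  # the terminal or left in scrollback.
  echo "Enter your Telegram bot token (input hidden):"
  read -rs BOT_TOKEN
  echo ""
  echo "Enter your Telegram chat ID:"
  read -r CHAT_ID

  [[ -n "$BOT_TOKEN" ]] || die "bot token must not be empty"
  [[ -n "$CHAT_ID" ]] || die "chat ID must not be empty"

  # config.sh is later `source`d, so the values are written shell-quoted (%q)
  # rather than interpolated raw: a stray quote or $ in the input cannot break
  # or inject into the sourced file. The umask makes the file 0600 from the
  # moment it is created, instead of briefly world-readable until chmod runs.
  (
    umask 077
    {
      printf '#!/usr/bin/env bash\n'
      printf '# Telegram notification config\n'
      printf 'TELEGRAM_BOT_TOKEN=%q\n' "$BOT_TOKEN"
      printf 'TELEGRAM_CHAT_ID=%q\n' "$CHAT_ID"
    } > "$CONFIG_FILE"
  )
  chmod 600 "$CONFIG_FILE"
  echo "config.sh created."
fi

# ── Make scripts executable ────────────────────────────────────────────────────
for script in "${SCAN_SCRIPTS[@]}"; do
  [[ -f "$SCRIPT_DIR/$script" ]] || die "missing scan script: $SCRIPT_DIR/$script"
  chmod +x "$SCRIPT_DIR/$script"
done

# ── Create logs directory ──────────────────────────────────────────────────────
# Scan output (including the sudo-config audit) is appended here, so keep the
# directory owner-only.
mkdir -p "$LOG_DIR"
chmod 700 "$LOG_DIR"

# ── Cron jobs ──────────────────────────────────────────────────────────────────
# Paths are double-quoted for /bin/sh so a SCRIPT_DIR containing spaces still
# works. `%` is a newline in crontab, hence `\%`; `\$(date …)` is left for cron
# to expand each run so every day gets its own log file.
CRON_1="0 8 * * * \"$SCRIPT_DIR/npm-security-check.sh\" >> \"$LOG_DIR/npm-security-check-\$(date +\%Y\%m\%d).log\" 2>&1"
CRON_2="5 8 * * * \"$SCRIPT_DIR/check-nextjs-rce.sh\" >> \"$LOG_DIR/check-nextjs-rce-\$(date +\%Y\%m\%d).log\" 2>&1"
CRON_3="10 8 * * * \"$SCRIPT_DIR/check-npm-sudo-config.sh\" >> \"$LOG_DIR/check-npm-sudo-config-\$(date +\%Y\%m\%d).log\" 2>&1"
CRON_4="0 9 * * * find \"$LOG_DIR\" -name '*.log' -mtime +60 -delete"

# register_cron MARKER LINE NAME SCHEDULE
# Append LINE to the current user's crontab unless an entry containing the
# fixed string MARKER already exists (so re-running setup never duplicates
# jobs). NAME/SCHEDULE are only used for the status message.
register_cron() {
  local marker=$1 line=$2 name=$3 schedule=$4
  local current
  current=$(crontab -l 2>/dev/null || true)
  if grep -qF -- "$marker" <<<"$current"; then
    echo "Cron job for $name already registered — skipping."
  else
    {
      [[ -z "$current" ]] || printf '%s\n' "$current"
      printf '%s\n' "$line"
    } | crontab -
    echo "Cron job registered: $name $schedule."
  fi
}

register_cron "npm-security-check.sh" "$CRON_1" "npm-security-check.sh" "daily at 08:00"
register_cron "check-nextjs-rce.sh" "$CRON_2" "check-nextjs-rce.sh" "daily at 08:05"
register_cron "check-npm-sudo-config.sh" "$CRON_3" "check-npm-sudo-config.sh" "daily at 08:10"
register_cron "-name '*.log' -mtime +60" "$CRON_4" "log cleanup" "daily at 09:00 (60 day retention)"

# ── Test Telegram ──────────────────────────────────────────────────────────────
# shellcheck source=/dev/null
source "$CONFIG_FILE"
# A pre-existing config.sh may be incomplete; fail with a readable message
# rather than set -u's bare "unbound variable".
: "${TELEGRAM_BOT_TOKEN:?TELEGRAM_BOT_TOKEN is not set in config.sh}"
: "${TELEGRAM_CHAT_ID:?TELEGRAM_CHAT_ID is not set in config.sh}"
host_name=$(hostname)

echo ""
echo "Sending test Telegram message..."
# The bot token is part of the Telegram API URL. It is handed to curl through a
# config file on stdin (-K -) instead of argv, so it does not appear in `ps`
# output for other users on the VM. --max-time keeps setup from hanging on an
# unreachable network, and `|| true` keeps a failed send from aborting the
# script under set -e before the warning below can be printed.
RESPONSE=$(curl -s --max-time 20 -K - \
  -d chat_id="${TELEGRAM_CHAT_ID}" \
  --data-urlencode text="✅ <b>Security Tools Active</b>
Host: <code>${host_name}</code>
Scripts registered and running daily at 08:00." \
  -d parse_mode="HTML" <<EOF || true
url = "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage"
request = "POST"
EOF
)

if grep -q '"ok":true' <<<"$RESPONSE"; then
  echo "Test message sent to Telegram."
else
  echo "Warning: Telegram message failed. Check your token and chat ID in config.sh." >&2
fi

echo ""
echo "Setup complete. Security scans will run daily at 08:00 on ${host_name}."

# ── Initial scan ───────────────────────────────────────────────────────────────
echo ""
echo "Running initial security scan..."

today=$(date +%Y%m%d)

# run_scan SCRIPT: run one scan, appending its output to today's log. A
# non-zero exit is reported but does not abort setup — the scan scripts signal
# findings through their exit status and Telegram, not through this script.
run_scan() {
  local name=$1 base=${1%.sh}
  if bash "$SCRIPT_DIR/$name" >> "$LOG_DIR/$base-$today.log" 2>&1; then
    echo "$base: done."
  else
    echo "$base: issues found or scan failed — check Telegram and $LOG_DIR/$base-$today.log."
  fi
}

run_scan npm-security-check.sh
run_scan check-nextjs-rce.sh

NPM_SUDO_LOG="$LOG_DIR/check-npm-sudo-config-$today.log"
echo ""
echo "--- npm sudo config audit results ---"
# Shown on the terminal as well as appended to the log. With `set -o pipefail`
# a non-zero exit from the audit would otherwise fail this pipeline and, under
# set -e, abort setup before the closing messages; the `||` branch handles it.
bash "$SCRIPT_DIR/check-npm-sudo-config.sh" 2>&1 | tee -a "$NPM_SUDO_LOG" \
  || echo "check-npm-sudo-config: issues found or scan failed — check Telegram."
echo "-------------------------------------"
echo ""
echo "Initial scan complete. Check Telegram for any alerts."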