getdoorman 1.0.0

package/src/rules/security/shell.js

@@ -0,0 +1,647 @@
+/**
+ * Shell Script Security Rules (SEC-SHELL-001 through SEC-SHELL-030)
+ */
+
+const isShell = (f) => /\.(?:sh|bash|zsh)$/.test(f);
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*#/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-SHELL-001: Unquoted variables
+  {
+    id: 'SEC-SHELL-001',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Unquoted Variable Expansion',
+    description: 'Unquoted variables are subject to word splitting and glob expansion, which can lead to unexpected behavior or injection.',
+    fix: { suggestion: 'Always quote variable expansions: use "$VAR" instead of $VAR.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:^|[\s;|&])(?:cp|mv|rm|cat|echo|cd|ls|mkdir|chmod|chown|touch)\s+(?:[^"']*\s)?\$\w+(?!\w)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-002: eval with user input
+  {
+    id: 'SEC-SHELL-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'eval with Variable Input',
+    description: 'eval executes arbitrary code and is dangerous when used with user-controlled input.',
+    fix: { suggestion: 'Avoid eval. Use arrays, case statements, or parameter expansion instead.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\beval\s+.*\$/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-003: curl | bash
+  {
+    id: 'SEC-SHELL-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Pipe to Shell (curl | bash)',
+    description: 'Piping downloaded content directly to a shell executes untrusted code without inspection.',
+    fix: { suggestion: 'Download the script first, inspect it, verify checksums, then execute.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:curl|wget)\s+.*\|\s*(?:bash|sh|zsh|sudo\s+(?:bash|sh))/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-004: chmod 777
+  {
+    id: 'SEC-SHELL-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'World-Writable Permissions (chmod 777)',
+    description: 'chmod 777 gives read/write/execute to all users, allowing any user to modify the file.',
+    fix: { suggestion: 'Use the least permissive mode needed. For executables, use 755; for config files, 644 or 600.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /chmod\s+(?:777|a\+rwx|\+rwx)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-005: Hardcoded passwords
+  {
+    id: 'SEC-SHELL-005',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded Password in Script',
+    description: 'Passwords hardcoded in shell scripts can be read by anyone with file access.',
+    fix: { suggestion: 'Use environment variables, secret managers (Vault, AWS SSM), or prompt for credentials at runtime.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:PASSWORD|PASSWD|SECRET|API_KEY|TOKEN)\s*=\s*['"][^$'"]+['"]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-006: Missing set -euo pipefail
+  {
+    id: 'SEC-SHELL-006',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Strict Mode (set -euo pipefail)',
+    description: 'Without strict mode, scripts continue after errors, potentially executing in an inconsistent state.',
+    fix: { suggestion: 'Add "set -euo pipefail" near the top of the script for fail-fast behavior.' },
+    check({ files }) {
+      const findings = [];
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isShell(path)) continue;
+        if (content.length > 200 && !/set\s+-[euox]*e[uox]*/.test(content) && !/set\s+-euo\s+pipefail/.test(content)) {
+          findings.push({
+            ruleId: this.id,
+            category: this.category,
+            severity: this.severity,
+            title: this.title,
+            description: this.description,
+            confidence: this.confidence,
+            file: path,
+            line: 1,
+            fix: this.fix || null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-007: Temp file race condition
+  {
+    id: 'SEC-SHELL-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Temporary File Creation',
+    description: 'Using $$ or predictable names for temp files creates race condition vulnerabilities (symlink attacks).',
+    fix: { suggestion: 'Use mktemp to create temporary files securely: tmpfile=$(mktemp)' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\/tmp\/.*\$\$|\/tmp\/\w+\.\w+(?!\s*=\s*\$\(mktemp)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-008: Insecure wget/curl (--no-check-certificate)
+  {
+    id: 'SEC-SHELL-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Disabled Certificate Verification',
+    description: 'Disabling certificate checks allows man-in-the-middle attacks during downloads.',
+    fix: { suggestion: 'Remove --no-check-certificate / --insecure flags. Fix certificate issues properly.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /--no-check-certificate|curl\s+.*--insecure|-k\s+https?:/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-009: World-readable sensitive files
+  {
+    id: 'SEC-SHELL-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'World-Readable Sensitive File',
+    description: 'Creating sensitive files (keys, configs, credentials) without restricting permissions.',
+    fix: { suggestion: 'Set umask 077 before creating sensitive files, or chmod 600 immediately after creation.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = />\s*.*(?:\.pem|\.key|\.crt|\.env|credentials|\.secret|\.password|id_rsa)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-010: Missing input validation
+  {
+    id: 'SEC-SHELL-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Missing Input Validation',
+    description: 'Script arguments ($1, $2, etc.) used directly without validation can lead to injection.',
+    fix: { suggestion: 'Validate script arguments against expected patterns before using them in commands.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:rm|cp|mv|cat|chmod|chown|mkdir)\s+.*\$[1-9]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-011: SQL injection in shell
+  {
+    id: 'SEC-SHELL-011',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SQL Injection in Shell Script',
+    description: 'Interpolating variables into SQL commands allows SQL injection.',
+    fix: { suggestion: 'Use parameterized queries or properly escape variables with database-specific escaping.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:mysql|psql|sqlite3)\s+.*(?:["'].*\$\{?[A-Z_a-z]|`.*\$)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-012: Command injection via backticks
+  {
+    id: 'SEC-SHELL-012',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Command Injection via Backticks with User Input',
+    description: 'Using backticks with user-controlled variables allows arbitrary command execution.',
+    fix: { suggestion: 'Use $() instead of backticks, and always quote variables. Prefer parameter expansion over command substitution with user data.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /`.*\$(?:\{?[1-9]|\{?(?:USER_INPUT|INPUT|ARG|PARAM))/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-013: Insecure SSH
+  {
+    id: 'SEC-SHELL-013',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Disabled SSH Host Key Checking',
+    description: 'StrictHostKeyChecking=no disables SSH host verification, enabling MITM attacks.',
+    fix: { suggestion: 'Remove StrictHostKeyChecking=no and properly manage known_hosts file.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /StrictHostKeyChecking\s*=?\s*no|StrictHostKeyChecking\s*no|-o\s+StrictHostKeyChecking=no/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-014: Storing secrets in history
+  {
+    id: 'SEC-SHELL-014',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Secrets Exposed in Shell History',
+    description: 'Commands with inline passwords or tokens are stored in shell history files.',
+    fix: { suggestion: 'Use environment variables or read from stdin. Prefix commands with a space to avoid history (requires HISTCONTROL=ignorespace).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:mysql|psql|curl|wget)\s+.*(?:-p\s*\S+|--password[= ]\S+|Authorization:\s*Bearer\s+\S{10,})/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-015: Running as root unnecessarily
+  {
+    id: 'SEC-SHELL-015',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unnecessary Root Execution',
+    description: 'Running entire scripts as root increases the impact of any vulnerability.',
+    fix: { suggestion: 'Use sudo only for specific commands that need elevated privileges, not for the entire script.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /sudo\s+(?:bash|sh|zsh)\s|sudo\s+\.\/|#.*run\s+as\s+root/i;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-016: SUID bit setting
+  {
+    id: 'SEC-SHELL-016',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'SUID/SGID Bit Setting',
+    description: 'Setting SUID/SGID bits on scripts or binaries can lead to privilege escalation.',
+    fix: { suggestion: 'Avoid SUID/SGID on shell scripts. Use sudo with fine-grained sudoers rules instead.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /chmod\s+[u+]*[46][0-7]{3}\b|chmod\s+[ug]\+s/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-017: Insecure PATH manipulation
+  {
+    id: 'SEC-SHELL-017',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure PATH Manipulation',
+    description: 'Adding writable directories (like .) to PATH allows execution of trojan commands.',
+    fix: { suggestion: 'Never add current directory (.) to PATH. Use absolute paths for commands in scripts.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /PATH\s*=.*(?:^|\:)\.(?:\:|$)|export\s+PATH.*\.\:/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-018: Unprotected credentials file
+  {
+    id: 'SEC-SHELL-018',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Sourcing Credentials File Without Permission Check',
+    description: 'Sourcing a credentials file without verifying its permissions or ownership could load tampered data.',
+    fix: { suggestion: 'Check file ownership and permissions before sourcing: verify owner is current user and mode is 600.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:source|\.) .*(?:\.env|credentials|secrets|\.secret|\.password)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-019: Wildcard injection
+  {
+    id: 'SEC-SHELL-019',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Wildcard Injection Vulnerability',
+    description: 'Commands like tar, rsync, or chown with wildcards (*) can be exploited by creating specially named files.',
+    fix: { suggestion: 'Use -- to separate options from arguments, or use find -exec instead of wildcards.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:tar|rsync|chown|chmod|rm)\s+.*\*/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-020: Insecure file download
+  {
+    id: 'SEC-SHELL-020',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure File Download Without Verification',
+    description: 'Downloading files without verifying checksums or signatures allows tampered content.',
+    fix: { suggestion: 'Verify downloaded files with sha256sum or gpg signature verification.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:curl|wget)\s+.*-[oO]\s+.*&&\s*(?:chmod|bash|sh|\.\/)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-021: Unsafe string comparison
+  {
+    id: 'SEC-SHELL-021',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Unsafe String Comparison',
+    description: 'Using [ instead of [[ for string comparison is vulnerable to word splitting and glob expansion.',
+    fix: { suggestion: 'Use [[ ]] for string comparisons in bash scripts to avoid word splitting issues.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /\[\s+\$\w+\s*[!=]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-022: Exposed AWS credentials
+  {
+    id: 'SEC-SHELL-022',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Exposed AWS Credentials',
+    description: 'AWS access keys hardcoded in shell scripts can be used to compromise cloud resources.',
+    fix: { suggestion: 'Use IAM roles, AWS SSO, or environment variables from a secrets manager.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)\s*=\s*['"][A-Za-z0-9\/+=]{16,}/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-023: Insecure network daemon
+  {
+    id: 'SEC-SHELL-023',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Insecure Network Listener',
+    description: 'Using nc/netcat or socat to create network listeners can expose the system to attacks.',
+    fix: { suggestion: 'Use proper services with authentication and encryption. Bind to localhost if only local access is needed.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:nc|netcat|ncat)\s+.*-l|socat\s+.*TCP-LISTEN/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-024: Disabling firewall
+  {
+    id: 'SEC-SHELL-024',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Firewall Disabled',
+    description: 'Disabling firewall rules removes a critical security layer.',
+    fix: { suggestion: 'Add specific firewall rules instead of disabling the entire firewall.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /ufw\s+disable|iptables\s+-F|firewall-cmd\s+.*--disable|systemctl\s+stop\s+firewalld/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-025: Disabling SELinux
+  {
+    id: 'SEC-SHELL-025',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SELinux/AppArmor Disabled',
+    description: 'Disabling mandatory access control removes an important security boundary.',
+    fix: { suggestion: 'Create proper SELinux policies instead of disabling it. Use semanage/audit2allow.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /setenforce\s+0|SELINUX\s*=\s*disabled|aa-disable|apparmor_parser\s+-R/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-026: Base64 decoded execution
+  {
+    id: 'SEC-SHELL-026',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Obfuscated Command Execution',
+    description: 'Decoding base64 and piping to shell is a common technique to hide malicious commands.',
+    fix: { suggestion: 'Avoid base64-encoding commands. Use clear, readable scripts that can be audited.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /base64\s+(?:-d|--decode).*\|\s*(?:bash|sh|eval)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-027: Insecure cron job
+  {
+    id: 'SEC-SHELL-027',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'suggestion',
+    title: 'Insecure Cron Job Setup',
+    description: 'Adding cron jobs with world-writable scripts or without proper path restrictions.',
+    fix: { suggestion: 'Ensure cron scripts are owned by root and not world-writable. Use full paths in cron entries.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /crontab|\/etc\/cron/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-028: Insecure umask
+  {
+    id: 'SEC-SHELL-028',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Permissive Umask',
+    description: 'umask 000 or 002 creates files readable/writable by other users.',
+    fix: { suggestion: 'Use umask 077 for sensitive operations to create files only accessible by the owner.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /umask\s+00[0-2]/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-029: Insecure SSH key generation
+  {
+    id: 'SEC-SHELL-029',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak SSH Key Generation',
+    description: 'Generating SSH keys with weak algorithms (DSA, RSA < 2048) or without passphrase.',
+    fix: { suggestion: 'Use ssh-keygen -t ed25519 or -t rsa -b 4096 with a passphrase.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /ssh-keygen.*(?:-t\s+dsa|-b\s+(?:512|1024)\b|-N\s*['"]?['"]?\s)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SHELL-030: Writable by others in /etc
+  {
+    id: 'SEC-SHELL-030',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Writing to System Configuration Without Backup',
+    description: 'Modifying files in /etc/ without creating backups or verifying content integrity.',
+    fix: { suggestion: 'Create backups before modifying system files. Use configuration management tools (Ansible, Chef) instead.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:echo|cat|tee|sed\s+-i)\s+.*>.*\/etc\//;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isShell(path)) findings.push(...scanLines(content, pattern, path, this));
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;