Protection Coverage
Filesystem
Protection patterns for filesystem operations including rm, chmod, mkfs, and dd
shellfirm provides two groups of filesystem checks: fs (standard), which covers clearly dangerous operations, and fs-strict, which adds broader coverage of everyday file operations.
Standard filesystem checks (fs)
Recursive delete
| Field | Value |
|---|---|
| ID | fs:recursively_delete |
| Severity | Critical |
| Pattern | rm with flags like -rf, -Rf, -fr, --force targeting *, ., or / |
| Filter | PathExists -- only fires if the target path exists on disk |
| Alternative | trash <path> -- moves to trash instead of permanent deletion |
| Blast radius | File count + total size at target path |
```bash
# Triggers
rm -rf /
rm -rf .
rm -Rf *

# Does not trigger (path doesn't exist)
rm -rf /nonexistent/path
```
Move to /dev/null
| Field | Value |
|---|---|
| ID | fs:move_to_dev_null |
| Severity | Critical |
| Filter | PathExists -- only fires if the source path exists on disk |
```bash
# Triggers
mv important-file.txt /dev/null
mv --force data.db /dev/null
```
Flush file content
| Field | Value |
|---|---|
| ID | fs:flush_file_content |
| Severity | High |
| Filter | PathExists |

Detects the bare > file redirect, which truncates an existing file to zero length. Because of the PathExists filter, a redirect that merely creates a new, empty file does not prompt.
Recursive chmod
| Field | Value |
|---|---|
| ID | fs:recursively_chmod |
| Severity | Critical |
| Blast radius | Counts files affected by the recursive permission change |
```bash
# Triggers
chmod -R 777 /
chmod --recursive 755 *
```
Find with -delete
| Field | Value |
|---|---|
| ID | fs:delete_find_files |
| Severity | Critical |
| Alternative | find <path> -name '<pattern>' -print -- preview what would be deleted first |
| Blast radius | Counts files under the search path |
```bash
# Triggers
find . -delete
find /var/log -name "*.log" -delete
```
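The five checks above share one shape: a regex over the command line, an optional PathExists filter that suppresses the prompt when nothing is actually on disk, and a blast-radius measurement of what the command would touch. The Python script below is an added illustration of that shape; it is not shellfirm's own code and does not reproduce shellfirm's rule definitions. The regexes, the tolerance of a leading sudo, the cap on directory walks (so measuring a target like / terminates quickly) and the sample tree it builds under a temporary directory are all assumptions made for this example.

```python
"""Illustrative rule engine for the standard fs checks (added example, not shellfirm's code)."""
from __future__ import annotations

import glob
import os
import re
import tempfile
from dataclasses import dataclass

MAX_ENTRIES = 10_000  # stop walking huge trees (e.g. "/") after this many files (assumption)


@dataclass(frozen=True)
class Rule:
    id: str
    severity: str
    pattern: re.Pattern      # must define a "path" group naming the target
    path_exists: bool        # PathExists filter: drop the finding if nothing is on disk
    blast_radius: bool       # measure file count and bytes under the target


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    target: str
    files: int
    size: int


# A leading "sudo" is tolerated everywhere, as in the fs-strict triggers on this page.
RULES = [
    # rm with a recursive flag somewhere in its options, targeting *, . or an absolute path
    Rule("fs:recursively_delete", "Critical",
         re.compile(r"^(?:sudo\s+)?rm\s+(?=(?:\S+\s+)*?(?:-[a-zA-Z]*[rR]|--recursive))"
                    r"(?:-\S+\s+)+(?P<path>\*|\.|/\S*)\s*$"),
         path_exists=True, blast_radius=True),
    Rule("fs:move_to_dev_null", "Critical",
         re.compile(r"^(?:sudo\s+)?mv\s+(?:-\S+\s+)*(?P<path>[^-\s]\S*)\s+/dev/null\s*$"),
         path_exists=True, blast_radius=False),
    # a bare "> file" truncates the file to zero length
    Rule("fs:flush_file_content", "High",
         re.compile(r"^\s*>\s*(?P<path>\S+)\s*$"),
         path_exists=True, blast_radius=False),
    Rule("fs:recursively_chmod", "Critical",
         re.compile(r"^(?:sudo\s+)?chmod\s+(?=(?:\S+\s+)*?(?:-[a-zA-Z]*R|--recursive))"
                    r"(?:-\S+\s+)+\S+\s+(?P<path>\S+)\s*$"),
         path_exists=False, blast_radius=True),
    # blast radius counts everything under the search path, not only what -name would select
    Rule("fs:delete_find_files", "Critical",
         re.compile(r"^(?:sudo\s+)?find\s+(?P<path>[^-\s]\S*)(?:\s+\S+)*?\s+-delete(?:\s|$)"),
         path_exists=False, blast_radius=True),
]


def resolve(target: str, cwd: str) -> list[str]:
    """Expand the target like the shell would (~ and globs), relative to cwd."""
    path = os.path.expanduser(target)
    if not os.path.isabs(path):
        path = os.path.join(cwd, path)
    return glob.glob(path)  # a pattern without wildcards yields itself only if it exists


def blast_radius(paths: list[str]) -> tuple[int, int]:
    """Count files and bytes under paths without following symlinks, capped at MAX_ENTRIES."""
    files = size = 0
    for p in paths:
        if not os.path.isdir(p):
            files += 1
            size += os.lstat(p).st_size
            continue
        for root, _dirs, names in os.walk(p):
            for name in names:
                try:
                    size += os.lstat(os.path.join(root, name)).st_size
                except OSError:
                    continue
                files += 1
                if files >= MAX_ENTRIES:
                    return files, size
    return files, size


def evaluate(command: str, cwd: str = ".") -> list[Finding]:
    """Return the findings a command would raise, after the PathExists filter."""
    findings = []
    for rule in RULES:
        m = rule.pattern.match(command.strip())
        if not m:
            continue
        target = m.group("path")
        paths = resolve(target, cwd)
        if rule.path_exists and not paths:
            continue  # PathExists: nothing on disk would be harmed, so no prompt
        files, size = blast_radius(paths) if rule.blast_radius else (0, 0)
        findings.append(Finding(rule.id, rule.severity, target, files, size))
    return findings


def make_demo_tree() -> str:
    """Constructed sample tree: a/1.txt (3 B), a/b/2.txt (5 B), single.txt (4 B)."""
    root = tempfile.mkdtemp(prefix="shellfirm-demo-")
    os.makedirs(os.path.join(root, "a", "b"))
    for rel, body in (("a/1.txt", b"abc"), ("a/b/2.txt", b"hello"), ("single.txt", b"data")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    cwd = make_demo_tree()
    for cmd in ("rm -rf .", "rm -rf /nonexistent/path", "mv single.txt /dev/null",
                "> single.txt", "> missing.txt", "chmod -R 755 a",
                "find a -name '*.txt' -delete", "rm single.txt"):
        print(f"{cmd!r:34} -> {evaluate(cmd, cwd)}")
```

Note that the last sample, rm single.txt, raises nothing here: a plain, non-recursive rm is outside the standard fs group and belongs to fs-strict.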
Block device writes (dd)
| Field | Value |
|---|---|
| ID | fs:dd_block_device |
| Severity | Critical |
```bash
# Triggers
dd if=/dev/zero of=/dev/sda
dd if=image.iso of=/dev/mmcblk0
```
Filesystem creation (mkfs)
| Field | Value |
|---|---|
| ID | fs:mkfs_format |
| Severity | Critical |
```bash
# Triggers
mkfs.ext4 /dev/sda1
mkfs -t xfs /dev/sdb
mkfs.btrfs /dev/mmcblk0p1
```
Partition table tools and advanced dd writes
| ID | Tool | Severity |
|---|---|---|
| fs:parted_disk_modify | parted | Critical |
| fs:fdisk_disk_modify | fdisk | Critical |
| fs:sfdisk_disk_modify | sfdisk | Critical |
| fs:gdisk_disk_modify | gdisk (GPT) | Critical |
| fs:dd_advanced_disk_write | dd with conv=notrunc/seek/skip | Critical |
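The dd, mkfs and partition-tool checks above all hinge on one question: does an operand name a block device? The script below is an added example, not shellfirm's code, showing how that can be decided (by device-name shape, confirmed with a stat of the node when it exists on the host) and mapping the result onto the IDs from the tables above. Three choices in it are assumptions made here: only dd's of= operand counts, so reading a disk into an image file is not flagged; conv=notrunc, seek= or skip= trip fs:dd_advanced_disk_write whatever the target is; and -l/--list on the partition tools is treated as a read-only listing.

```python
"""Block-device targeting for dd, mkfs and partition tools (added example, not shellfirm's code)."""
from __future__ import annotations

import os
import re
import shlex
import stat

# Linux block-device names seen on this page plus common siblings (assumption, not exhaustive).
BLOCK_DEVICE_RE = re.compile(
    r"^/dev/(?:(?:sd|hd|vd|xvd)[a-z]+|nvme\d+n\d+|mmcblk\d+|md\d+|loop\d+|dm-\d+|mapper/[^/]+)"
    r"(?:p?\d+)?$"
)
PARTITION_TOOLS = ("parted", "fdisk", "sfdisk", "gdisk")


def is_block_device(path: str) -> bool:
    """True if the path looks like a disk/partition node, or really is one on this host."""
    if BLOCK_DEVICE_RE.match(path):
        return True
    try:
        # catches unusual names, e.g. symlinks under /dev/disk/by-id, when they exist
        return stat.S_ISBLK(os.stat(path).st_mode)
    except OSError:
        return False


def dd_operands(tokens: list[str]) -> dict[str, str]:
    """dd takes key=value operands; GNU-style flags such as --status=progress are ignored."""
    return dict(t.split("=", 1) for t in tokens if "=" in t and not t.startswith("-"))


def classify(command: str) -> list[str]:
    """Return the check IDs from this page that the command would trip."""
    tokens = shlex.split(command)
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if not tokens:
        return []
    prog, args = os.path.basename(tokens[0]), tokens[1:]
    ids: list[str] = []
    if prog == "dd":
        ops = dd_operands(args)
        # only the output side matters: "dd if=/dev/sda of=disk.img" reads the disk
        if is_block_device(ops.get("of", "")):
            ids.append("fs:dd_block_device")
        if "notrunc" in ops.get("conv", "").split(",") or "seek" in ops or "skip" in ops:
            ids.append("fs:dd_advanced_disk_write")
    elif prog.startswith("mkfs"):
        # "mkfs -t xfs /dev/sdb": the device is the last non-option operand
        operands = [a for a in args if not a.startswith("-")]
        if operands and is_block_device(operands[-1]):
            ids.append("fs:mkfs_format")
    elif prog in PARTITION_TOOLS:
        # -l/--list only prints the partition table; treated as read-only here (assumption)
        if not {"-l", "--list"} & set(args) and any(is_block_device(a) for a in args):
            ids.append(f"fs:{prog}_disk_modify")
    return ids


if __name__ == "__main__":
    for cmd in ("dd if=/dev/zero of=/dev/sda", "dd if=/dev/sda of=disk.img bs=4M",
                "dd if=boot.bin of=/dev/sda bs=512 seek=1 conv=notrunc",
                "mkfs -t xfs /dev/sdb", "mkfs.ext4 image.img",
                "fdisk /dev/sda", "fdisk -l /dev/sda", "parted /dev/nvme0n1 mklabel gpt"):
        print(f"{cmd!r:58} -> {classify(cmd)}")
```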
Other disk and volume operations
| ID | Description | Severity |
|---|---|---|
| fs:partprobe_disk_update | partprobe -- inform the OS of partition table changes | High |
| fs:blockdev_disk_modify | blockdev -- modify block device parameters | High |
| fs:mount_operations | mount -- mount a block device | High |
| fs:lvm_operations | lvremove, pvremove, vgremove -- delete logical volumes, physical volumes and volume groups | Critical |
| fs:filesystem_backup | dump/restore operations on block devices | High |
| fs:encryption_operations | cryptsetup -- encrypt/decrypt devices | Critical |
Strict filesystem checks (fs-strict)
These patterns provide broader coverage for teams that want more visibility into file operations. They are enabled by default but can be disabled if they create too much noise.
Any file permission change
| Field | Value |
|---|---|
| ID | fs-strict:change_permissions |
| Severity | Medium |
```bash
# Triggers
chmod 644 file.txt
chmod +x script.sh
```
Any deletion
| Field | Value |
|---|---|
| ID | fs-strict:any_deletion |
| Severity | Medium |
| Filter | PathExists |
| Blast radius | File count + size for directories, file size for single files |
```bash
# Triggers
rm file.txt
rm -r directory/
sudo rm -rf old-backups/
```
Directory deletion
| Field | Value |
|---|---|
| ID | fs-strict:folder_deletion |
| Severity | Medium |
| Filter | PathExists |
| Blast radius | File count + size |
```bash
# Triggers
rmdir empty-directory/
rmdir old-build/
```