Filesystem

shellfirm provides two groups of filesystem checks: fs (standard) for clearly dangerous operations and fs-strict for broader coverage.

Standard filesystem checks (fs)

Recursive delete


ID	`fs:recursively_delete`
Severity	Critical
Pattern	`rm` with flags like `-rf`, `-Rf`, `-fr`, `--force` targeting `*`, `.`, or `/`
Filter	PathExists -- only fires if the target path exists on disk
Alternative	`trash <path>` -- moves to trash instead of permanent deletion
Blast radius	File count + total size at target path

# Triggers
rm -rf /
rm -rf .
rm -Rf *

# Does not trigger (path doesn't exist)
rm -rf /nonexistent/path

Move to /dev/null


ID	`fs:move_to_dev_null`
Severity	Critical
Filter	PathExists

# Triggers
mv important-file.txt /dev/null
mv --force data.db /dev/null

Flush file content


ID	`fs:flush_file_content`
Severity	High
Filter	PathExists

Detects the > file redirect pattern that empties a file.

Recursive chmod


ID	`fs:recursively_chmod`
Severity	Critical
Blast radius	Counts files affected by recursive permission change

# Triggers
chmod -R 777 /
chmod --recursive 755 *

Rsync with delete


ID	`fs:rsync_delete`
Severity	High
Filters	NotContains `--dry-run`, NotContains `-n`
Alternative	`rsync --dry-run --delete ...` -- preview what would be deleted first

# Triggers
rsync -avz --delete /src/ /dest/

# Does NOT trigger
rsync --dry-run --delete /src/ /dest/
rsync -n --delete /src/ /dest/

Recursive chown


ID	`fs:recursively_chown`
Severity	Critical

# Triggers
chown -R root:root /
chown --recursive user:group *

Shred (irrecoverable delete)


ID	`fs:shred`
Severity	High
Alternative	`rm <file>` -- regular rm only unlinks the file, data may be recoverable

# Triggers
shred secret.txt
shred -vfz credentials.key

Truncate to zero


ID	`fs:truncate_zero`
Severity	High

# Triggers
truncate -s 0 file.txt
truncate -s0 important.log

Find with -delete


ID	`fs:delete_find_files`
Severity	Critical
Alternative	`find <path> -name '<pattern>' -print` -- preview what would be deleted first
Blast radius	Counts files under the search path

# Triggers
find . -delete
find /var/log -name "*.log" -delete

Block device writes (dd)


ID	`fs:dd_block_device`
Severity	Critical

# Triggers
dd if=/dev/zero of=/dev/sda
dd if=image.iso of=/dev/mmcblk0

Filesystem formatting (mkfs)


ID	`fs:mkfs_format`
Severity	Critical

# Triggers
mkfs.ext4 /dev/sda1
mkfs -t xfs /dev/sdb
mkfs.btrfs /dev/mmcblk0p1

Disk partition tools

ID	Tool	Severity
`fs:parted_disk_modify`	`parted`	Critical
`fs:fdisk_disk_modify`	`fdisk`	Critical
`fs:sfdisk_disk_modify`	`sfdisk`	Critical
`fs:gdisk_disk_modify`	`gdisk` (GPT)	Critical
`fs:dd_advanced_disk_write`	`dd` with `conv=notrunc`/`seek`/`skip`	Critical

Other disk and volume operations

ID	Description	Severity
`fs:partprobe_disk_update`	`partprobe` -- inform OS of partition changes	High
`fs:blockdev_disk_modify`	`blockdev` -- modify block device parameters	High
`fs:mount_operations`	`mount` a block device	High
`fs:lvm_operations`	`lvremove`, `pvremove`, `vgremove` -- delete logical volumes	Critical
`fs:filesystem_backup`	`dump`/`restore` operations on block devices	High
`fs:encryption_operations`	`cryptsetup` -- encrypt/decrypt devices	Critical

Strict filesystem checks (fs-strict)

These patterns provide broader coverage for teams that want more visibility into file operations. They are enabled by default but can be disabled if they create too much noise.

Any file permission change


ID	`fs-strict:change_permissions`
Severity	Medium

# Triggers
chmod 644 file.txt
chmod +x script.sh

Any deletion


ID	`fs-strict:any_deletion`
Severity	Medium
Filter	PathExists
Blast radius	File count + size for directories, file size for single files

# Triggers
rm file.txt
rm -r directory/
sudo rm -rf old-backups/

Directory deletion


ID	`fs-strict:folder_deletion`
Severity	Medium
Filter	PathExists
Blast radius	File count + size

# Triggers
rmdir empty-directory/
rmdir old-build/