@bureado
Last active January 17, 2022 22:47
#!/bin/bash
# Also see: https://gist.github.com/bureado/16df777c1f9883ef919a5cc0c30eaba3
case "$1" in
init)
  # Install dependencies
  sudo apt update && sudo apt install jq auditd -y
  # Start auditd
  sudo systemctl start auditd.service
  ;;
pre)
  # Setup auditd rules: record every execve/execveat syscall on both the 32- and 64-bit ABIs
  sudo auditctl -a always,exit -F arch=b32 -S execve,execveat
  sudo auditctl -a always,exit -F arch=b64 -S execve,execveat
  ;;
post)
  # Dump the EXECVE records (argv of every executed program) collected since the rules were loaded
  journalctl -t audit -o json-pretty _AUDIT_TYPE_NAME=EXECVE | jq -r .MESSAGE
  # The quoted heredoc below is fed to the null command, so it acts as a block comment.
  : << 'COMMENT'
# Some ideas (Perl) for inspiration of what to do with the output of the previous command
use strict;
use warnings;
use String::ShellQuote;   # provides shell_quote()
my @interests = qw/apt aptitude apt-get docker wget curl git/;
while (<>) {
    next unless m#^EXECVE#;
    my @args = m#a\d+="([^"]+)"#g;
    # a0 may be a bare name or a full path, so match the interest against the last path component
    next unless grep { $args[0] =~ m{(?:^|/)\Q$_\E$} } @interests;
    if ($args[0] =~ /git/ and grep { /clone/ } @args) {
        # here you can store the remote ref
        # you can also do things like (owner and repo are placeholders to be parsed from the remote ref):
        my ($org, $repo) = ('OWNER', 'REPO');
        my $jqf = '.metrics[]|select(.key=="openssf.scorecard.raw.vulnerabilities", .key=="openssf.criticality.raw.criticality_score", .key=="openssf.scorecard.raw.maintained")';
        system("curl --silent -f https://metrics.openssf.org/api/1/get-project?package_url=pkg:github/$org/$repo | jq -r " . shell_quote($jqf));
    }
    if ($args[0] =~ /curl/ or $args[0] =~ /wget/) {
        # here you can store the uri, hash the file as it's on disk
    }
    if ($args[0] =~ /apt/ and grep { /install/ } @args) {
        # here you might want to look at sources.list, apt-key list
        # also parse apt logs, tokenize package name and version, assemble a purl
        # you can run an nvd query, link to Debian systems such as tracker, udd, etc.
        # or https://gist.github.com/bureado/90dde9dea76462c71c921fbbff6132c4
    }
    if ($args[0] =~ /docker/ and grep { /build/ } @args) {
        # here you might want to look for `-f` and `-t` in `cmdline`, run a linter, extract base images
    }
}
COMMENT
  ;;
esac
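The Perl sketch inside the heredoc only reads quoted `a<N>="..."` fields. auditd hex-encodes, without quotes, any argv element that contains whitespace or non-printable bytes, so a parser that ignores that form silently drops exactly the arguments most worth looking at. The following Python script is an added example, not part of the gist, that implements the same idea as the Perl: it parses the `MESSAGE` strings the `post` step prints (both quoted and hex-encoded arguments), keeps only the tools in the interest list, extracts the remote ref, URL, package names or image tag, and builds the `pkg:github/<owner>/<repo>` purl the gist passes to the OpenSSF metrics API. The sample messages are constructed for the example (hypothetical hosts and repositories), and `Event`, `parse_execve`, `classify` and `github_purl` are names chosen here, not from any library.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (hypothetical, not captured from a real host) in the
# shape that `journalctl -t audit -o json _AUDIT_TYPE_NAME=EXECVE | jq -r .MESSAGE`
# prints: the audit type name, argc, then one a<N> field per argv element.
# auditd quotes plain arguments but hex-encodes, without quotes, any argument
# containing whitespace or non-printable bytes (the "hello world" case below).
SAMPLE_MESSAGES = [
    'EXECVE argc=3 a0="git" a1="clone" a2="https://github.com/example-org/example-repo.git"',
    'EXECVE argc=3 a0="/usr/bin/git" a1="clone" a2="git@github.com:example-org/example-repo.git"',
    'EXECVE argc=2 a0="curl" a1="https://example.invalid/install.sh"',
    'EXECVE argc=4 a0="apt" a1="install" a2="-y" a3="jq"',
    'EXECVE argc=4 a0="docker" a1="build" a2="-t" a3="myimage:latest"',
    'EXECVE argc=2 a0="echo" a1=68656C6C6F20776F726C64',
    'SYSCALL arch=c000003e syscall=59 success=yes exit=0',
]

INTERESTS = ("apt", "aptitude", "apt-get", "docker", "wget", "curl", "git")

# a<N>="quoted" or a<N>=HEX (unquoted, hex-encoded argument)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
# https://github.com/owner/repo(.git) or git@github.com:owner/repo(.git)
GITHUB_RE = re.compile(r'(?:https?://github\.com/|git@github\.com:)([^/]+)/([^/\s]+?)(?:\.git)?/?$')


@dataclass
class Event:
    tool: str     # basename of argv[0]
    action: str   # clone / fetch / install / build
    target: str   # remote ref, URL, package list or image tag


def parse_execve(message: str) -> Optional[list]:
    """Return argv for an EXECVE audit message, or None for any other record type."""
    if not message.startswith("EXECVE "):
        return None
    args = {}
    for m in ARG_RE.finditer(message):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        args[idx] = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def github_purl(remote: str) -> Optional[str]:
    """Build the pkg:github/<owner>/<repo> purl the gist feeds to the OpenSSF metrics API."""
    m = GITHUB_RE.match(remote)
    return f"pkg:github/{m.group(1)}/{m.group(2)}" if m else None


def _positional_after(argv, keyword):
    """Non-option arguments following the first occurrence of `keyword`."""
    return [a for a in argv[argv.index(keyword) + 1:] if not a.startswith("-")]


def classify(argv: list) -> Optional[Event]:
    """Map an argv onto the supply-chain-relevant actions the gist sketches."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]   # a0 may be a bare name or a full path
    if tool not in INTERESTS:
        return None
    rest = argv[1:]
    if tool == "git" and "clone" in rest:
        remotes = _positional_after(rest, "clone")
        return Event(tool, "clone", remotes[0] if remotes else "")
    if tool in ("curl", "wget"):
        urls = [a for a in rest if a.startswith(("http://", "https://", "ftp://"))]
        return Event(tool, "fetch", urls[0] if urls else "")
    if tool in ("apt", "apt-get", "aptitude") and "install" in rest:
        return Event(tool, "install", " ".join(_positional_after(rest, "install")))
    if tool == "docker" and "build" in rest:
        i = rest.index("-t") + 1 if "-t" in rest else len(rest)
        return Event(tool, "build", rest[i] if i < len(rest) else "")
    return None


def events_from_messages(messages) -> list:
    """Run the parser and classifier over a sequence of journal MESSAGE strings."""
    events = []
    for msg in messages:
        argv = parse_execve(msg)
        if argv is None:
            continue
        ev = classify(argv)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in events_from_messages(SAMPLE_MESSAGES):
        purl = github_purl(ev.target) if ev.action == "clone" else None
        print(ev, purl or "")
```

To run it against a live host, pipe the gist's `post` output into it instead of `SAMPLE_MESSAGES` (one `MESSAGE` per line on stdin). Note that the EXECVE record alone does not tell you whether the exec succeeded or which user ran it; those fields live in the matching SYSCALL record with the same audit serial, which this example deliberately does not join.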