shellfirm 0.3.7

`shellfirm` will intercept any risky patterns (default or defined by you) and prompt you with a small challenge for double verification, kinda like a captcha for your terminal.
# fs:recursively_delete: challenge an `rm` that carries at least one option
# (a cluster of r/R/f/v/V or one of the listed long options) and has a bare
# `*`, a run of dots (`.`, `..`) or `/` as a whole argument.
# Capture group 1 is that target; the trailing (?:\s|$) means a longer path
# that merely starts with `/` or `.` (such as /tmp/x) does not match here.
# NOTE(review): targets spelled `./`, `/*` or `~` are not matched by group 1,
# so this rule alone does not challenge them.
# NOTE(review): `value: 1` on PathExists presumably names capture group 1
# (prompt only when that text is an existing path). Confirm against the
# filter implementation.
- from: fs
  test: 'rm\s{1,}(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system))(?:\s+(?:-[rRfvV]+|--(?:force|recursive|verbose|preserve-root|no-preserve-root|one-file-system)))*(?:\s+\S+)*?\s+(\*|\.{1,}|/)(?:\s|$)'
  description: "You are going to delete everything in the path."
  id: fs:recursively_delete
  severity: Critical
  filters:
    - type: PathExists
      value: 1
  # Safer command suggested alongside the challenge.
  alternative: "trash <path>"
  alternative_info: "Moves to trash instead of permanent deletion. Install: brew install trash (macOS) or trash-cli (Linux)."
# fs:move_to_dev_null: challenge an `mv` whose last matched operand is
# /dev/null. At most one short-option cluster and one long option are skipped
# before capture group 1, which is the first source operand.
# The pattern is single-quoted to match the quoted regexes elsewhere in this
# file; the scalar value is unchanged.
# NOTE(review): PathExists with `value: 1` presumably checks only that first
# source operand. Confirm against the filter implementation.
- from: fs
  test: 'mv\s+(?:-[a-zA-Z]+\s+)?(?:--[a-zA-Z-]+\s+)?([^\s]+)(?:\s+[^\s]+)*\s+/dev/null'
  description: "The files will be discarded and destroyed."
  id: fs:move_to_dev_null
  severity: Critical
  filters:
    - type: PathExists
      value: 1
# fs:flush_file_content: matches a single `>` redirection (the [^>] guards on
# both sides exclude `>>`) and captures everything after it as group 1.
# NOTE(review): the pattern also matches the `>` in `2>&1`, `>&2` or quoted
# text; presumably the PathExists filter on group 1 is what keeps those from
# prompting. Confirm against the filter implementation.
# NOTE(review): if NotContains is a substring test over the whole command,
# any command that contains `>/dev/null` anywhere (for example a trailing
# `2>/dev/null`) skips this check even when it also truncates a real file,
# while `> /dev/null` written with a space is not exempted.
- from: fs
  test: (?:^|[^>])>([^>].*)
  description: "The above command is used to flush the content of a file."
  id: fs:flush_file_content
  severity: High
  filters:
    - type: PathExists
      value: 1
    - type: NotContains
      value: ">/dev/null"
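# fs:recursively_chmod: challenge a recursive chmod (an `R` inside any
# short-option cluster, or --recursive) that is followed by an argument
# beginning with `*`, `.` or `/`. Capture group 1 is that leading character.
# The description text is corrected (it previously read "can brake your some
# thinks"); the pattern is unchanged and only quoted for consistency with the
# other quoted regexes in this file.
# NOTE(review): unlike fs:recursively_delete there is no trailing (?:\s|$),
# so any absolute path or dot-relative path (/srv/app, ./build) triggers this
# Critical rule, not only `/`, `.` and `*`. Confirm that breadth is intended.
# NOTE(review): the recursive flag must appear before the target; a flag
# placed after the path is not matched.
- from: fs
  test: 'chmod\s{1,}(?:\S+\s+)*(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)\s+(?:\S+\s+)*(\*|\.{1,}|/)'
  description: "Changing permissions on all root files can break some things, like your SSH keys."
  id: fs:recursively_chmod
  severity: Critical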
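# fs:delete_find_files: challenge any `find` invocation that carries -delete
# as a separate argument, wherever it appears on the line.
# Fix: the previous pattern `find\s.*\s-delete(\s|$)` needed two whitespace
# characters between `find` and `-delete`, so the bare `find -delete` that the
# description warns about was not matched. The optional `(?:.*\s)?` keeps every
# earlier match and adds that case; capture group 1 is unchanged.
# The description grammar is also corrected.
- from: fs
  test: 'find\s+(?:.*\s)?-delete(\s|$)'
  description: "Did you put the -delete flag in the wrong order? find -delete is going to delete all the files under your current path."
  id: fs:delete_find_files
  severity: Critical
  # Safer command suggested alongside the challenge.
  alternative: "find <path> -name '<pattern>' -print"
  alternative_info: "Preview what would be deleted with -print first, then add -delete when you're sure."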
# fs:dd_block_device: challenge `dd` whose `of=` points at /dev/hdX, /dev/sdX,
# /dev/mmcblkN or /dev/nvmeNnM. There is no trailing anchor, so partitions
# such as sda1 match through the disk prefix. Capture group 1 is the device
# name without /dev/.
# NOTE(review): device names outside this class (for example virtio /dev/vdX,
# Xen /dev/xvdX, /dev/mapper/* or /dev/disk/by-* links) are not matched, so a
# write to those is not challenged by this rule.
- from: fs
  test: 'dd\s+.*of=/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+)'
  description: "Are you sure you want to write directly to a block device? This could overwrite your disk."
  id: fs:dd_block_device
  severity: Critical
# fs:mkfs_format: challenge `mkfs` or one of the listed `mkfs.<type>` helpers
# (ext2-4, fat, vfat, ntfs, xfs, btrfs) run against an hd/sd/mmcblk/nvme disk
# or partition. Capture group 1 is the device name without /dev/.
# NOTE(review): the device must follow the command directly, or follow a
# single `-t <type>`. Any other option placed before the device (for example
# a force or label flag) prevents the match, as does an `mkfs.<type>` helper
# that is not in the list. Those invocations are not challenged by this rule.
- from: fs
  test: 'mkfs(?:\.(?:ext[2-4]|fat|vfat|ntfs|xfs|btrfs))?\s+(?:-t\s+\w+\s+)?/dev/([hs]d[a-z][0-9]*|mmcblk[0-9]p?[0-9]*|nvme[0-9]+n[0-9]+(?:p[0-9]+)?)'
  description: "Are you sure you want to format this device? This will erase all data on it."
  id: fs:mkfs_format
  severity: Critical
# Partition-table editors. Each rule matches the tool name followed by any
# arguments and then an hd/sd/mmcblk/nvme device path. Capture group 1 is the
# full /dev/... path and group 2 the bare device name.
# Because `.*` accepts any arguments, read-only invocations (listing or
# printing the table) prompt as well.
# NOTE(review): disks named outside this class (for example /dev/vdX or
# /dev/xvdX) are not matched.

# fs:parted_disk_modify: any `parted` command naming a matched disk.
- from: fs
  test: 'parted\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to modify disk partitions? This could erase all data on the disk."
  id: fs:parted_disk_modify
  severity: Critical
# fs:fdisk_disk_modify: any `fdisk` command naming a matched disk.
# NOTE(review): the pattern is not anchored at a word start, so if rules are
# applied as an unanchored search it also matches the tail of `sfdisk` and
# `cfdisk`; an sfdisk command would then satisfy both this rule and
# fs:sfdisk_disk_modify.
- from: fs
  test: 'fdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to modify disk partitions? This could erase all data on the disk."
  id: fs:fdisk_disk_modify
  severity: Critical
# fs:sfdisk_disk_modify: any `sfdisk` command naming a matched disk.
- from: fs
  test: 'sfdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to modify disk partitions? This could erase all data on the disk."
  id: fs:sfdisk_disk_modify
  severity: Critical
# fs:dd_advanced_disk_write: challenge `dd` that combines conv=notrunc, seek=N
# or skip=N with an `of=` on an hd/sd/mmcblk/nvme device.
# The operand must appear before `of=` on the line; when it comes after, only
# fs:dd_block_device matches.
# Every command this pattern matches also matches fs:dd_block_device, because
# that pattern is the same expression without the operand requirement.
- from: fs
  test: 'dd\s+.*(?:conv=notrunc|seek=\d+|skip=\d+).*of=/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+)'
  description: "Are you sure you want to write to a specific sector of the disk? This could corrupt data."
  id: fs:dd_advanced_disk_write
  severity: Critical
# fs:gdisk_disk_modify: any `gdisk` command naming an hd/sd/mmcblk/nvme disk.
# Capture group 1 is the /dev/... path, group 2 the bare device name.
# NOTE(review): with no word-start anchor, an unanchored search would also
# match the tail of `sgdisk` and `cgdisk`. Confirm how rules are applied.
- from: fs
  test: 'gdisk\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to modify GPT disk partitions? This could erase all data on the disk."
  id: fs:gdisk_disk_modify
  severity: Critical
# Lower-severity device operations. Each rule matches the tool name, any
# arguments, then an hd/sd/mmcblk/nvme device path (group 1 is the path,
# group 2 the bare name). These are rated High, not Critical.

# fs:partprobe_disk_update: `partprobe` against a matched disk.
- from: fs
  test: 'partprobe\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to inform the OS of partition table changes? This could affect mounted partitions."
  id: fs:partprobe_disk_update
  severity: High
# fs:blockdev_disk_modify: any `blockdev` command naming a matched disk.
# `.*` accepts any arguments, so query-only invocations prompt as well.
- from: fs
  test: 'blockdev\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to modify block device parameters? This could affect disk operations."
  id: fs:blockdev_disk_modify
  severity: High
# fs:mount_operations: `mount` with a matched device path among its arguments.
# NOTE(review): with no word-start anchor, an unanchored search would also
# match `umount /dev/...`, which then prompts with the "mount this device"
# wording. Confirm how rules are applied.
- from: fs
  test: 'mount\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to mount this device? This could affect system stability."
  id: fs:mount_operations
  severity: High
# fs:lvm_operations: challenge lvremove / pvremove / vgremove followed by at
# most one short-option cluster, at most one long option, and then a target.
# The final alternative `[^\s]+` accepts any non-space token, so the explicit
# /dev/... and /dev/mapper/... alternatives do not narrow the match: every
# invocation with at least one argument prompts.
# NOTE(review): the leading `(?:sudo\s+)?` is optional and the pattern has no
# `^`, so it does not change what matches under an unanchored search.
- from: fs
  test: '(?:sudo\s+)?(?:lvremove|pvremove|vgremove)\s+(?:-[a-zA-Z]+\s+)?(?:--[a-zA-Z-]+\s+)?(?:/dev/(?:[hs]d[a-z]|mmcblk[0-9])|/dev/mapper/[^\s]+|[^\s]+)'
  description: "Are you sure you want to remove this logical volume/volume group? This will delete all data."
  id: fs:lvm_operations
  severity: Critical
# fs:filesystem_backup: `dump` or `restore` with an hd/sd/mmcblk/nvme device
# path among its arguments (group 1 is the path, group 2 the bare name).
# NOTE(review): neither word is anchored, so under an unanchored search any
# command whose name ends in "dump" or "restore" and that later names a
# matched device also prompts. Confirm how rules are applied.
- from: fs
  test: '(?:dump|restore)\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to backup/restore this filesystem? This could affect system stability."
  id: fs:filesystem_backup
  severity: High
# fs:encryption_operations: any `cryptsetup` command that names an
# hd/sd/mmcblk/nvme device (group 1 is the path, group 2 the bare name).
# `.*` accepts every subcommand, so non-destructive ones prompt too.
# NOTE(review): targets given as /dev/mapper/* or /dev/disk/by-* are not in
# the device class and are not challenged by this rule.
- from: fs
  test: 'cryptsetup\s+.*(/dev/([hs]d[a-z]|mmcblk[0-9]|nvme[0-9]+n[0-9]+))'
  description: "Are you sure you want to encrypt/decrypt this device? This could affect data accessibility."
  id: fs:encryption_operations
  severity: Critical
# fs-strict:change_permissions: prompts on every `chmod` followed by
# whitespace, whatever the mode or target. It carries the `fs-strict:` id
# prefix and Medium severity, unlike the Critical fs:recursively_chmod rule.
# The pattern is single-quoted to match the quoted regexes elsewhere in this
# file; the scalar value is unchanged.
- from: fs
  test: 'chmod\s'
  description: "Are you sure that you want to change permissions?"
  id: fs-strict:change_permissions
  severity: Medium
# fs-strict:any_deletion: prompts on an `rm` (optionally behind `sudo`) at
# the start of the matched text, with or without one of the listed option
# spellings. Capture group 1 is the rest of the line; the trailing `\r?`
# tolerates a carriage return.
# NOTE(review): the `^` anchor means an `rm` that appears later in the same
# text (after `&&`, `;` or a pipe) is matched only if the engine splits the
# command line before applying rules. Confirm against the matcher.
# NOTE(review): group 1 can hold several paths or further options; how
# PathExists treats such a string is not visible here.
- from: fs
  test: ^(?:sudo\s+)?rm\s{1,}(?:-Rf|-rf|-fR|-fr|-r|-R|-f)?\s*(.*)\r?
  description: "Are you sure you want to continue with deletion?"
  id: fs-strict:any_deletion
  severity: Medium
  filters:
    - type: PathExists
      value: 1
# fs-strict:folder_deletion: prompts on `rmdir` followed by arguments.
# Capture group 1 is greedy and takes the rest of the line, options and
# trailing whitespace included.
# The pattern is single-quoted to match the quoted regexes elsewhere in this
# file; the scalar value is unchanged.
# NOTE(review): with options or several directories, group 1 is not a single
# path; how PathExists (`value: 1`) evaluates that string is not visible
# here. Confirm against the filter implementation.
- from: fs
  test: 'rmdir\s+(.*)\s*'
  description: "Are you sure you want to continue with deletion?"
  id: fs-strict:folder_deletion
  severity: Medium
  filters:
    - type: PathExists
      value: 1
# fs:rsync_delete: challenge `rsync` when `--delete` appears anywhere after
# it. The match is a prefix match, so longer options that begin with
# `--delete` are covered too. The two NotContains filters are meant to skip
# the prompt for dry runs.
# NOTE(review): if NotContains is a plain substring test over the whole
# command, the "-n" exemption also fires on unrelated text such as
# `--numeric-ids`, `--no-perms`, or a host or path containing "-n". That
# would skip the challenge on a run that really deletes files.
# A dry run requested inside a cluster (`-avn`) does not contain "-n" and
# still prompts, which is the safe direction.
# Consider a narrower exemption. Confirm against the filter implementation.
- from: fs
  test: rsync\s+.*--delete
  description: "Syncs with deletion — removes files at destination not present in source."
  id: fs:rsync_delete
  severity: High
  # Safer command suggested alongside the challenge.
  alternative: "rsync --dry-run --delete ..."
  alternative_info: "Preview what would be deleted with --dry-run first."
  filters:
    - type: NotContains
      value: "--dry-run"
    - type: NotContains
      value: "-n"
# fs:recursively_chown: challenge a recursive chown (an `R` inside any
# short-option cluster, or --recursive) that is followed by an argument
# beginning with `*`, `.` or `/`. Capture group 1 is that leading character.
# The pattern is single-quoted to match the quoted regexes elsewhere in this
# file; the scalar value is unchanged.
# NOTE(review): there is no trailing (?:\s|$) after group 1, so any absolute
# or dot-relative path triggers this Critical rule, which is broader than the
# "root or wildcard" wording of the description. Confirm that is intended.
# NOTE(review): the recursive flag must appear before the target; a flag
# placed after the path is not matched.
- from: fs
  test: 'chown\s{1,}(?:\S+\s+)*(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)\s+(?:\S+\s+)*(\*|\.{1,}|/)'
  description: "Recursive ownership change on root or wildcard can break system files and SSH keys."
  id: fs:recursively_chown
  severity: Critical