Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
2026-06-13 06:34:57 +03:00 · 2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,114 @@
+# API Reference: Linux Forensic Artifact Analysis Tools
+
+## Key Artifact Locations
+
+| Artifact | Path | Description |
+|----------|------|-------------|
+| Auth logs | `/var/log/auth.log` (Debian) `/var/log/secure` (RHEL) | Authentication events |
+| Login history | `/var/log/wtmp` | Successful logins (binary, use `last`) |
+| Failed logins | `/var/log/btmp` | Failed logins (binary, use `lastb`) |
+| Bash history | `~/.bash_history` | Command history per user |
+| SSH keys | `~/.ssh/authorized_keys` | Authorized public keys |
+| Crontab | `/etc/crontab`, `/var/spool/cron/crontabs/` | Scheduled tasks |
+| Systemd services | `/etc/systemd/system/` | Service definitions |
+| LD_PRELOAD | `/etc/ld.so.preload` | Shared library preloading |
+| SUID binaries | `find / -perm -4000` | Setuid executables |
+
+## last / lastb - Login History
+
+### Syntax
+```bash
+last -f /var/log/wtmp              # Successful logins
+lastb -f /var/log/btmp             # Failed logins
+last -i -f /var/log/wtmp           # Show IP addresses
+last -s 2024-01-15 -t 2024-01-20  # Date range filter
+```
+
+### Output Format
+```
+user     pts/0   192.168.1.50  Mon Jan 15 09:00  still logged in
+```
+
+## chkrootkit - Rootkit Scanner
+
+### Syntax
+```bash
+chkrootkit                    # Full scan
+chkrootkit -r /mnt/evidence   # Scan mounted evidence
+chkrootkit -q                 # Quiet (infected only)
+```
+
+## rkhunter - Rootkit Hunter
+
+### Syntax
+```bash
+rkhunter --check                    # Full system check
+rkhunter --check --rootdir /mnt/ev  # Check evidence root
+rkhunter --list tests               # List available tests
+rkhunter --propupd                  # Update file properties DB
+```
+
+### Check Categories
+| Check | Description |
+|-------|-------------|
+| `rootkits` | Known rootkit signatures |
+| `trojans` | Trojanized system binaries |
+| `properties` | File permission anomalies |
+| `filesystem` | Hidden files and directories |
+
+## auditd Log Parsing
+
+### ausearch Syntax
+```bash
+ausearch -m execve -ts recent         # Recent command execution
+ausearch -m USER_AUTH -ts today        # Authentication events
+ausearch -k suspicious_activity       # Custom audit rule key
+ausearch -ua 0 -ts today              # Root user actions
+```
+
+### aureport Syntax
+```bash
+aureport --auth                       # Authentication summary
+aureport --login                      # Login summary
+aureport --file                       # File access summary
+aureport --summary                    # Overall summary
+```
+
+## osquery - SQL-based System Queries
+
+### Syntax
+```bash
+osqueryi "SELECT * FROM users WHERE uid = 0"
+osqueryi "SELECT * FROM crontab"
+osqueryi "SELECT * FROM authorized_keys"
+osqueryi "SELECT * FROM suid_bin"
+osqueryi "SELECT * FROM process_open_sockets"
+```
+
+### Key Tables
+| Table | Content |
+|-------|---------|
+| `users` | User account information |
+| `crontab` | Cron job entries |
+| `authorized_keys` | SSH authorized keys |
+| `suid_bin` | SUID binaries |
+| `process_open_sockets` | Network connections by process |
+| `shell_history` | Command history entries |
+
+## Plaso / log2timeline - Super Timeline
+
+### Syntax
+```bash
+log2timeline.py /cases/timeline.plaso /mnt/evidence
+psort.py -o l2tcsv /cases/timeline.plaso > timeline.csv
+psort.py -o l2tcsv /cases/timeline.plaso "date > '2024-01-15'"
+```
+
+## AIDE - File Integrity
+
+### Syntax
+```bash
+aide --init                    # Initialize database
+aide --check                   # Check for changes
+aide --compare                 # Compare databases
+```