Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,82 @@
# API Reference: Detecting Container Drift at Runtime
## Docker SDK for Python
```python
import docker
client = docker.from_env()
# List running containers
containers = client.containers.list()
# Get container details
container = client.containers.get("container_id")
container.attrs # full inspection dict
container.image.id # image SHA256
container.image.tags # ['app:v1.0']
# Filesystem diff (vs original image)
diff = container.diff()
# Returns: [{"Path": "/tmp/new_file", "Kind": 1}]
# Kind: 0=Modified, 1=Added, 2=Deleted
# Container inspection fields
container.attrs["HostConfig"]["Privileged"] # bool
container.attrs["HostConfig"]["ReadonlyRootfs"] # bool
container.attrs["Config"]["Image"] # image reference
```
## Docker CLI Commands
```bash
# Filesystem changes since creation
docker diff <container> # A=Added, C=Changed, D=Deleted
# Running processes
docker top <container> -eo pid,user,comm,args
# Image digest verification
docker inspect --format='{{.Image}}' <container>
```
## Falco Drift Detection Rules
```yaml
# Detect binary not in original image
condition: spawned_process and container and proc.is_exe_upper_layer = true
# Detect package manager usage
condition: spawned_process and container and proc.name in (apt, yum, pip, npm)
# Detect shell spawn
condition: spawned_process and container and proc.name in (bash, sh, dash)
```
## Kubernetes Security Context
```yaml
securityContext:
readOnlyRootFilesystem: true # prevent drift
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
```
## Drift Severity Classification
| Indicator | Severity |
|-----------|----------|
| Privileged container | CRITICAL |
| Sensitive file modified (/etc/shadow) | CRITICAL |
| Binary added to system path | HIGH |
| Package manager executed | HIGH |
| Root shell active | MEDIUM |
| Mutable root filesystem | MEDIUM |
## CLI Usage
```bash
python agent.py --container my-app-container
python agent.py --container abc123 --all
```
@@ -0,0 +1,159 @@
#!/usr/bin/env python3
"""Container drift detection agent using Docker SDK.
Compares running container filesystem against the original image to detect
binary drift, file modifications, and package installations.
"""
import argparse
import json
import subprocess
import sys
from datetime import datetime
try:
import docker
except ImportError:
print("Install docker SDK: pip install docker")
sys.exit(1)
PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "dnf", "apk", "pip", "pip3", "npm", "gem"}
SHELLS = {"bash", "sh", "dash", "zsh", "csh", "ash"}
SUSPICIOUS_BINARIES = {"curl", "wget", "nc", "ncat", "netcat", "socat", "python",
"perl", "gcc", "cc", "make", "nmap", "tcpdump"}
def get_container_diff(client, container_id):
container = client.containers.get(container_id)
try:
diff = container.diff()
except docker.errors.APIError:
diff = []
changes = {"added": [], "modified": [], "deleted": []}
for entry in diff or []:
path = entry.get("Path", "")
kind = entry.get("Kind", 0)
if kind == 0:
changes["modified"].append(path)
elif kind == 1:
changes["added"].append(path)
elif kind == 2:
changes["deleted"].append(path)
return changes
def get_running_processes(container_id):
try:
result = subprocess.run(
["docker", "top", container_id, "-eo", "pid,user,comm,args"],
capture_output=True, text=True, timeout=10)
if result.returncode != 0:
return []
lines = result.stdout.strip().split("\n")[1:]
processes = []
for line in lines:
parts = line.split(None, 3)
if len(parts) >= 3:
processes.append({
"pid": parts[0], "user": parts[1],
"command": parts[2], "args": parts[3] if len(parts) > 3 else ""
})
return processes
except (subprocess.TimeoutExpired, FileNotFoundError):
return []
def detect_drift_indicators(changes, processes):
findings = []
for path in changes.get("added", []):
basename = path.rsplit("/", 1)[-1]
if basename in SUSPICIOUS_BINARIES:
findings.append({"type": "suspicious_binary_added", "path": path,
"severity": "HIGH"})
if path.startswith("/usr/bin/") or path.startswith("/usr/sbin/"):
findings.append({"type": "binary_added_to_system_path", "path": path,
"severity": "HIGH"})
for path in changes.get("modified", []):
if path in ("/etc/passwd", "/etc/shadow", "/etc/sudoers"):
findings.append({"type": "sensitive_file_modified", "path": path,
"severity": "CRITICAL"})
if path.startswith("/etc/cron"):
findings.append({"type": "cron_modified", "path": path, "severity": "HIGH"})
for proc in processes:
cmd = proc.get("command", "")
if cmd in PACKAGE_MANAGERS:
findings.append({"type": "package_manager_running", "process": cmd,
"severity": "HIGH"})
if cmd in SHELLS and proc.get("user") == "root":
findings.append({"type": "root_shell_active", "process": cmd,
"severity": "MEDIUM"})
return findings
def check_image_digest(client, container_id):
container = client.containers.get(container_id)
image_id = container.image.id
image_tags = container.image.tags
attrs = container.attrs
config_image = attrs.get("Config", {}).get("Image", "")
uses_digest = "@sha256:" in config_image
return {
"image_id": image_id[:19],
"image_tags": image_tags,
"config_image": config_image,
"uses_immutable_digest": uses_digest,
"privileged": attrs.get("HostConfig", {}).get("Privileged", False),
"read_only_rootfs": attrs.get("HostConfig", {}).get("ReadonlyRootfs", False),
}
def audit_container(client, container_id):
changes = get_container_diff(client, container_id)
processes = get_running_processes(container_id)
findings = detect_drift_indicators(changes, processes)
image_info = check_image_digest(client, container_id)
if not image_info.get("read_only_rootfs"):
findings.append({"type": "mutable_rootfs", "severity": "MEDIUM",
"detail": "readOnlyRootFilesystem not enabled"})
if image_info.get("privileged"):
findings.append({"type": "privileged_container", "severity": "CRITICAL",
"detail": "Container running in privileged mode"})
total_changes = sum(len(v) for v in changes.values())
risk = "CRITICAL" if any(f["severity"] == "CRITICAL" for f in findings) else \
"HIGH" if total_changes > 20 or any(f["severity"] == "HIGH" for f in findings) else \
"MEDIUM" if total_changes > 5 else "LOW"
return {
"container_id": container_id,
"timestamp": datetime.utcnow().isoformat() + "Z",
"filesystem_changes": changes,
"total_changes": total_changes,
"running_processes": processes,
"image_info": image_info,
"findings": findings,
"risk_level": risk,
}
def main():
parser = argparse.ArgumentParser(description="Container Drift Detector")
parser.add_argument("--container", required=True, help="Container ID or name")
parser.add_argument("--all", action="store_true", help="Audit all running containers")
args = parser.parse_args()
client = docker.from_env()
results = []
if args.all:
for c in client.containers.list():
results.append(audit_container(client, c.id))
else:
results.append(audit_container(client, args.container))
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()