mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,57 @@
|
||||
# API Reference: Implementing GCP VPC Firewall Rules
|
||||
|
||||
## Libraries
|
||||
|
||||
### google-cloud-compute
|
||||
- **Install**: `pip install google-cloud-compute`
|
||||
- **Docs**: https://cloud.google.com/python/docs/reference/compute/latest
|
||||
|
||||
### Key Classes and Methods
|
||||
|
||||
| Class | Method | Description |
|
||||
|-------|--------|-------------|
|
||||
| `FirewallsClient` | `list(project)` | List all firewall rules |
|
||||
| `FirewallsClient` | `get(project, firewall)` | Get rule details |
|
||||
| `FirewallsClient` | `insert(project, firewall_resource)` | Create rule |
|
||||
| `FirewallsClient` | `patch(project, firewall, firewall_resource)` | Update rule |
|
||||
| `FirewallsClient` | `delete(project, firewall)` | Delete rule |
|
||||
| `NetworksClient` | `list(project)` | List VPC networks |
|
||||
|
||||
### Firewall Rule Object Fields
|
||||
- `name` -- Rule name (unique per project)
|
||||
- `network` -- VPC network path
|
||||
- `direction` -- `INGRESS` or `EGRESS`
|
||||
- `priority` -- 0 (highest) to 65535 (lowest)
|
||||
- `allowed[]` -- Protocol and port combinations to allow
|
||||
- `denied[]` -- Protocol and port combinations to deny
|
||||
- `source_ranges[]` -- Source CIDR ranges for ingress
|
||||
- `destination_ranges[]` -- Destination CIDRs for egress
|
||||
- `target_tags[]` -- Network tags to apply rule to
|
||||
- `source_tags[]` -- Source instance tags
|
||||
- `disabled` -- Boolean to disable without deleting
|
||||
- `log_config.enable` -- Enable firewall rule logging
|
||||
|
||||
## Priority Ranges (Best Practice)
|
||||
- 0-999: Emergency/override rules
|
||||
- 1000-9999: Organization policies
|
||||
- 10000-49999: Application-specific rules
|
||||
- 50000-64999: Default deny rules
|
||||
- 65534: Implied allow egress (GCP default)
|
||||
- 65535: Implied deny ingress (GCP default)
|
||||
|
||||
## gcloud CLI Equivalents
|
||||
- `gcloud compute firewall-rules list`
|
||||
- `gcloud compute firewall-rules create NAME --allow tcp:22 --source-ranges 10.0.0.0/8`
|
||||
- `gcloud compute firewall-rules delete NAME`
|
||||
- `gcloud compute firewall-rules update NAME --disabled`
|
||||
|
||||
## Hierarchical Firewall Policies
|
||||
- Organization-level: `compute.firewallPolicies`
|
||||
- Folder-level: Applied via `compute.firewallPolicies.addAssociation`
|
||||
- Evaluation order: Organization > Folder > VPC rules
|
||||
|
||||
## External References
|
||||
- VPC Firewall Rules: https://cloud.google.com/vpc/docs/firewalls
|
||||
- Firewall Policies: https://cloud.google.com/vpc/docs/firewall-policies
|
||||
- VPC Flow Logs: https://cloud.google.com/vpc/docs/using-flow-logs
|
||||
- Cloud Armor WAF: https://cloud.google.com/armor/docs
|
||||
@@ -0,0 +1,190 @@
|
||||
#!/usr/bin/env python3
|
||||
"""GCP VPC firewall rules audit and management agent."""
|
||||
|
||||
import json
|
||||
import sys
|
||||
import argparse
|
||||
from datetime import datetime
|
||||
|
||||
try:
|
||||
from google.cloud import compute_v1
|
||||
from google.api_core.exceptions import GoogleAPIError
|
||||
except ImportError:
|
||||
print("Install: pip install google-cloud-compute")
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def get_firewall_client():
|
||||
"""Create GCP Compute Engine firewall client."""
|
||||
return compute_v1.FirewallsClient()
|
||||
|
||||
|
||||
def list_firewall_rules(project_id):
|
||||
"""List all VPC firewall rules in a project."""
|
||||
client = get_firewall_client()
|
||||
rules = []
|
||||
for rule in client.list(project=project_id):
|
||||
rules.append({
|
||||
"name": rule.name,
|
||||
"network": rule.network.split("/")[-1] if rule.network else "",
|
||||
"direction": rule.direction,
|
||||
"priority": rule.priority,
|
||||
"action": "ALLOW" if rule.allowed else "DENY",
|
||||
"source_ranges": list(rule.source_ranges) if rule.source_ranges else [],
|
||||
"destination_ranges": list(rule.destination_ranges) if rule.destination_ranges else [],
|
||||
"target_tags": list(rule.target_tags) if rule.target_tags else [],
|
||||
"allowed": [{"protocol": a.I_p_protocol,
|
||||
"ports": list(a.ports) if a.ports else ["all"]}
|
||||
for a in rule.allowed] if rule.allowed else [],
|
||||
"denied": [{"protocol": d.I_p_protocol,
|
||||
"ports": list(d.ports) if d.ports else ["all"]}
|
||||
for d in rule.denied] if rule.denied else [],
|
||||
"disabled": rule.disabled,
|
||||
"log_config_enabled": rule.log_config.enable if rule.log_config else False,
|
||||
})
|
||||
return sorted(rules, key=lambda r: r["priority"])
|
||||
|
||||
|
||||
def find_overly_permissive_rules(project_id):
|
||||
"""Identify firewall rules that are overly permissive (0.0.0.0/0)."""
|
||||
rules = list_firewall_rules(project_id)
|
||||
findings = []
|
||||
for rule in rules:
|
||||
if rule["disabled"]:
|
||||
continue
|
||||
if "0.0.0.0/0" in rule.get("source_ranges", []):
|
||||
for allowed in rule.get("allowed", []):
|
||||
ports = allowed.get("ports", ["all"])
|
||||
severity = "CRITICAL" if "all" in ports or "22" in ports or "3389" in ports \
|
||||
else "HIGH" if "80" in ports or "443" in ports else "MEDIUM"
|
||||
findings.append({
|
||||
"rule_name": rule["name"],
|
||||
"network": rule["network"],
|
||||
"severity": severity,
|
||||
"protocol": allowed["protocol"],
|
||||
"ports": ports,
|
||||
"issue": "Source range 0.0.0.0/0 allows traffic from any IP",
|
||||
"recommendation": "Restrict source ranges to specific CIDR blocks",
|
||||
})
|
||||
return findings
|
||||
|
||||
|
||||
def audit_default_rules(project_id):
|
||||
"""Audit default network firewall rules for security issues."""
|
||||
rules = list_firewall_rules(project_id)
|
||||
default_issues = []
|
||||
for rule in rules:
|
||||
if "default" in rule["name"].lower():
|
||||
if "0.0.0.0/0" in rule.get("source_ranges", []) and not rule["disabled"]:
|
||||
default_issues.append({
|
||||
"rule": rule["name"],
|
||||
"issue": "Default rule allows traffic from all sources",
|
||||
"action": "Disable or restrict default permissive rules",
|
||||
})
|
||||
return default_issues
|
||||
|
||||
|
||||
def create_firewall_rule(project_id, name, network, direction, priority,
|
||||
allowed_protocols, source_ranges, target_tags=None):
|
||||
"""Create a new VPC firewall rule."""
|
||||
client = get_firewall_client()
|
||||
allowed = []
|
||||
for proto, ports in allowed_protocols.items():
|
||||
entry = compute_v1.Allowed()
|
||||
entry.I_p_protocol = proto
|
||||
if ports:
|
||||
entry.ports = ports
|
||||
allowed.append(entry)
|
||||
rule = compute_v1.Firewall()
|
||||
rule.name = name
|
||||
rule.network = f"projects/{project_id}/global/networks/{network}"
|
||||
rule.direction = direction
|
||||
rule.priority = priority
|
||||
rule.allowed = allowed
|
||||
rule.source_ranges = source_ranges
|
||||
if target_tags:
|
||||
rule.target_tags = target_tags
|
||||
rule.log_config = compute_v1.FirewallLogConfig(enable=True)
|
||||
try:
|
||||
operation = client.insert(project=project_id, firewall_resource=rule)
|
||||
return {"name": name, "status": "creating", "operation": operation.name}
|
||||
except GoogleAPIError as e:
|
||||
return {"name": name, "status": "error", "message": str(e)}
|
||||
|
||||
|
||||
def delete_firewall_rule(project_id, rule_name):
|
||||
"""Delete a firewall rule by name."""
|
||||
client = get_firewall_client()
|
||||
try:
|
||||
operation = client.delete(project=project_id, firewall=rule_name)
|
||||
return {"name": rule_name, "status": "deleting", "operation": operation.name}
|
||||
except GoogleAPIError as e:
|
||||
return {"name": rule_name, "status": "error", "message": str(e)}
|
||||
|
||||
|
||||
def check_logging_status(project_id):
|
||||
"""Check which firewall rules have logging enabled."""
|
||||
rules = list_firewall_rules(project_id)
|
||||
unlogged = [r for r in rules if not r["log_config_enabled"] and not r["disabled"]]
|
||||
logged = [r for r in rules if r["log_config_enabled"]]
|
||||
return {"logged": len(logged), "unlogged": len(unlogged),
|
||||
"unlogged_rules": [r["name"] for r in unlogged]}
|
||||
|
||||
|
||||
def run_firewall_audit(project_id):
|
||||
"""Run a comprehensive firewall audit."""
|
||||
print(f"\n{'='*60}")
|
||||
print(f" GCP VPC FIREWALL AUDIT")
|
||||
print(f" Project: {project_id}")
|
||||
print(f" Generated: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')} UTC")
|
||||
print(f"{'='*60}\n")
|
||||
|
||||
rules = list_firewall_rules(project_id)
|
||||
print(f"--- ALL RULES ({len(rules)}) ---")
|
||||
for r in rules:
|
||||
status = "DISABLED" if r["disabled"] else "ACTIVE"
|
||||
print(f" [{r['priority']:5d}] {r['name']} ({status}) -> {r['network']}")
|
||||
|
||||
findings = find_overly_permissive_rules(project_id)
|
||||
print(f"\n--- OVERLY PERMISSIVE RULES ({len(findings)}) ---")
|
||||
for f in findings:
|
||||
print(f" [{f['severity']}] {f['rule_name']}: {f['protocol']} ports {f['ports']}")
|
||||
print(f" {f['recommendation']}")
|
||||
|
||||
default_issues = audit_default_rules(project_id)
|
||||
print(f"\n--- DEFAULT RULE ISSUES ({len(default_issues)}) ---")
|
||||
for d in default_issues:
|
||||
print(f" {d['rule']}: {d['issue']}")
|
||||
|
||||
logging = check_logging_status(project_id)
|
||||
print(f"\n--- LOGGING STATUS ---")
|
||||
print(f" Rules with logging: {logging['logged']}")
|
||||
print(f" Rules without logging: {logging['unlogged']}")
|
||||
|
||||
print(f"\n{'='*60}\n")
|
||||
return {"total_rules": len(rules), "permissive_findings": len(findings),
|
||||
"logging": logging}
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="GCP VPC Firewall Rules Agent")
|
||||
parser.add_argument("--project", required=True, help="GCP project ID")
|
||||
parser.add_argument("--audit", action="store_true", help="Run firewall audit")
|
||||
parser.add_argument("--list", action="store_true", help="List all rules")
|
||||
parser.add_argument("--output", help="Save report to JSON")
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.audit:
|
||||
report = run_firewall_audit(args.project)
|
||||
if args.output:
|
||||
with open(args.output, "w") as f:
|
||||
json.dump(report, f, indent=2, default=str)
|
||||
elif args.list:
|
||||
rules = list_firewall_rules(args.project)
|
||||
print(json.dumps(rules, indent=2))
|
||||
else:
|
||||
parser.print_help()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user