Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
This commit is contained in:
mukul975
2026-03-10 21:02:12 +01:00
parent c74d52fa30
commit 27c6414ca5
1390 changed files with 106806 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Anthropic Agent Skills Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,72 @@
# API Reference: Implementing Zero Trust in Cloud
## Libraries
### boto3 (AWS Zero Trust Checks)
- **Install**: `pip install boto3`
- IAM: `list_users()`, `list_mfa_devices()`, `get_account_summary()`
- EC2: `describe_instances()`, `describe_security_groups()`
- S3: `get_bucket_encryption()`, `get_public_access_block()`
- CloudTrail: `describe_trails()`, `get_trail_status()`
### azure-identity + azure-mgmt-authorization
- **Install**: `pip install azure-identity azure-mgmt-authorization`
- `AuthorizationManagementClient` -- RBAC role assignments
- `DefaultAzureCredential()` -- Auto-detect auth
### google-cloud-compute
- **Install**: `pip install google-cloud-compute`
- `FirewallsClient` -- VPC firewall rules audit
- `InstancesClient` -- VM network configuration
## Zero Trust Pillars (NIST SP 800-207)
| Pillar | Key Checks |
|--------|-----------|
| Identity | MFA enforcement, least privilege, conditional access |
| Device | Compliance policies, MDM, certificate identity |
| Network | Micro-segmentation, private endpoints, no public IPs |
| Application | OAuth2/OIDC, API gateway auth, no VPN dependency |
| Data | Encryption at rest/transit, DLP, classification |
| Visibility | Centralized logging, SIEM, UEBA, real-time alerts |
## AWS Zero Trust Services
| Service | Zero Trust Function |
|---------|-------------------|
| IAM Identity Center | Centralized identity and SSO |
| VPC PrivateLink | Private service connectivity |
| Verified Access | Identity-based application access |
| Security Hub | Continuous posture assessment |
| GuardDuty | Threat detection and monitoring |
| CloudTrail | API activity audit logging |
## Azure Zero Trust Services
| Service | Zero Trust Function |
|---------|-------------------|
| Entra ID Conditional Access | Policy-based access decisions |
| Azure Private Link | Private endpoint connectivity |
| Microsoft Defender for Cloud | CSPM and CWP |
| Azure Sentinel | SIEM and SOAR |
## GCP Zero Trust Services
| Service | Zero Trust Function |
|---------|-------------------|
| BeyondCorp Enterprise | Identity-Aware Proxy |
| VPC Service Controls | API-level perimeter |
| Binary Authorization | Container image trust |
| Security Command Center | Cloud posture management |
## Maturity Levels
- **Traditional**: Perimeter-based, VPN-dependent, implicit trust
- **Initial**: Some identity verification, partial segmentation
- **Advanced**: Continuous verification, micro-segmentation, encrypted everywhere
## External References
- NIST SP 800-207: https://csrc.nist.gov/pubs/sp/800/207/final
- Google BeyondCorp: https://cloud.google.com/beyondcorp
- AWS Verified Access: https://docs.aws.amazon.com/verified-access/
- Azure Zero Trust: https://learn.microsoft.com/en-us/security/zero-trust/
- CISA Zero Trust Maturity Model: https://www.cisa.gov/zero-trust-maturity-model
@@ -0,0 +1,231 @@
#!/usr/bin/env python3
"""Zero trust cloud architecture assessment agent using AWS, Azure, and GCP SDKs."""
import json
import sys
import argparse
from datetime import datetime
try:
import boto3
from botocore.exceptions import ClientError
except ImportError:
boto3 = None
try:
from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
HAS_AZURE = True
except ImportError:
HAS_AZURE = False
try:
from google.cloud import compute_v1
HAS_GCP = True
except ImportError:
HAS_GCP = False
ZERO_TRUST_PILLARS = [
{"pillar": "Identity", "description": "Verify every identity with strong auth",
"checks": ["MFA enforcement", "Conditional access policies", "Least privilege RBAC",
"Service account key rotation", "Passwordless authentication"]},
{"pillar": "Device", "description": "Validate device posture before granting access",
"checks": ["Device compliance policies", "MDM enrollment required",
"Certificate-based device identity", "OS patch level enforcement"]},
{"pillar": "Network", "description": "Micro-segment and encrypt all communications",
"checks": ["VPC/VNet segmentation", "Private endpoints for services",
"No public IPs on internal workloads", "TLS everywhere",
"Identity-Aware Proxy deployment"]},
{"pillar": "Application", "description": "Secure app access without network trust",
"checks": ["OAuth2/OIDC authentication", "API gateway with auth",
"No VPN-dependent access", "Runtime application self-protection"]},
{"pillar": "Data", "description": "Classify and protect data at all states",
"checks": ["Encryption at rest", "Encryption in transit",
"Data classification labels", "DLP policies active"]},
{"pillar": "Visibility", "description": "Continuous monitoring and analytics",
"checks": ["Centralized logging", "SIEM integration",
"User behavior analytics", "Real-time alerting"]},
]
def assess_aws_zero_trust(region="us-east-1"):
"""Assess AWS zero trust posture."""
if boto3 is None:
return {"error": "boto3 not installed"}
findings = []
iam = boto3.client("iam", region_name=region)
try:
summary = iam.get_account_summary()["SummaryMap"]
if summary.get("AccountMFAEnabled", 0) == 0:
findings.append({"pillar": "Identity", "check": "Root MFA",
"status": "FAIL", "severity": "CRITICAL",
"detail": "Root account MFA not enabled"})
else:
findings.append({"pillar": "Identity", "check": "Root MFA",
"status": "PASS", "detail": "Root MFA enabled"})
users = iam.list_users()["Users"]
for user in users[:20]:
mfa = iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]
if not mfa:
findings.append({"pillar": "Identity", "check": "User MFA",
"status": "FAIL", "severity": "HIGH",
"detail": f"User {user['UserName']} has no MFA"})
except ClientError as e:
findings.append({"pillar": "Identity", "check": "IAM", "status": "ERROR", "detail": str(e)})
ec2 = boto3.client("ec2", region_name=region)
try:
instances = ec2.describe_instances()
for reservation in instances.get("Reservations", []):
for inst in reservation.get("Instances", []):
if inst.get("PublicIpAddress"):
findings.append({"pillar": "Network", "check": "Public IP",
"status": "FAIL", "severity": "MEDIUM",
"detail": f"Instance {inst['InstanceId']} has public IP "
f"{inst['PublicIpAddress']}"})
except ClientError as e:
findings.append({"pillar": "Network", "status": "ERROR", "detail": str(e)})
try:
sgs = ec2.describe_security_groups()["SecurityGroups"]
for sg in sgs:
for rule in sg.get("IpPermissions", []):
for ip in rule.get("IpRanges", []):
if ip.get("CidrIp") == "0.0.0.0/0":
port = rule.get("FromPort", "all")
findings.append({"pillar": "Network", "check": "Security Group",
"status": "FAIL", "severity": "HIGH",
"detail": f"SG {sg['GroupId']} port {port} open to 0.0.0.0/0"})
except ClientError as e:
findings.append({"pillar": "Network", "status": "ERROR", "detail": str(e)})
s3 = boto3.client("s3", region_name=region)
try:
buckets = s3.list_buckets().get("Buckets", [])
for bucket in buckets[:20]:
try:
enc = s3.get_bucket_encryption(Bucket=bucket["Name"])
findings.append({"pillar": "Data", "check": "S3 Encryption",
"status": "PASS", "detail": f"{bucket['Name']} encrypted"})
except ClientError:
findings.append({"pillar": "Data", "check": "S3 Encryption",
"status": "FAIL", "severity": "HIGH",
"detail": f"Bucket {bucket['Name']} has no default encryption"})
except ClientError as e:
findings.append({"pillar": "Data", "status": "ERROR", "detail": str(e)})
ct = boto3.client("cloudtrail", region_name=region)
try:
trails = ct.describe_trails()["trailList"]
if trails:
findings.append({"pillar": "Visibility", "check": "CloudTrail",
"status": "PASS", "detail": f"{len(trails)} trail(s) configured"})
else:
findings.append({"pillar": "Visibility", "check": "CloudTrail",
"status": "FAIL", "severity": "CRITICAL",
"detail": "No CloudTrail trails configured"})
except ClientError as e:
findings.append({"pillar": "Visibility", "status": "ERROR", "detail": str(e)})
return findings
def generate_zero_trust_scorecard(findings):
"""Generate a zero trust maturity scorecard from findings."""
pillar_scores = {}
for f in findings:
pillar = f.get("pillar", "Unknown")
if pillar not in pillar_scores:
pillar_scores[pillar] = {"pass": 0, "fail": 0, "error": 0}
status = f.get("status", "ERROR")
if status == "PASS":
pillar_scores[pillar]["pass"] += 1
elif status == "FAIL":
pillar_scores[pillar]["fail"] += 1
else:
pillar_scores[pillar]["error"] += 1
scorecard = {}
for pillar, counts in pillar_scores.items():
total = counts["pass"] + counts["fail"]
score = round(counts["pass"] / max(total, 1) * 100, 1)
maturity = "Advanced" if score >= 80 else "Initial" if score >= 50 else "Traditional"
scorecard[pillar] = {"score": score, "maturity": maturity,
"passed": counts["pass"], "failed": counts["fail"]}
return scorecard
def run_zero_trust_assessment(region="us-east-1"):
"""Run comprehensive zero trust assessment."""
print(f"\n{'='*60}")
print(f" ZERO TRUST CLOUD ARCHITECTURE ASSESSMENT")
print(f" Generated: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')} UTC")
print(f"{'='*60}\n")
print(f"--- ZERO TRUST PILLARS ---")
for p in ZERO_TRUST_PILLARS:
print(f" {p['pillar']}: {p['description']}")
for c in p["checks"]:
print(f" - {c}")
print(f"\n--- AWS ASSESSMENT (region: {region}) ---")
findings = assess_aws_zero_trust(region)
pass_count = sum(1 for f in findings if f.get("status") == "PASS")
fail_count = sum(1 for f in findings if f.get("status") == "FAIL")
print(f" Total checks: {len(findings)}")
print(f" Passed: {pass_count} | Failed: {fail_count}")
critical = [f for f in findings if f.get("severity") == "CRITICAL"]
high = [f for f in findings if f.get("severity") == "HIGH"]
if critical:
print(f"\n CRITICAL FINDINGS ({len(critical)}):")
for f in critical:
print(f" [{f['pillar']}] {f.get('check', 'N/A')}: {f['detail']}")
if high:
print(f"\n HIGH FINDINGS ({len(high)}):")
for f in high[:10]:
print(f" [{f['pillar']}] {f.get('check', 'N/A')}: {f['detail']}")
scorecard = generate_zero_trust_scorecard(findings)
print(f"\n--- ZERO TRUST SCORECARD ---")
for pillar, scores in scorecard.items():
bar = "#" * int(scores["score"] / 5)
print(f" {pillar:<15} {scores['score']:>5.1f}% [{scores['maturity']}] {bar}")
overall = round(sum(s["score"] for s in scorecard.values()) / max(len(scorecard), 1), 1)
print(f"\n OVERALL ZERO TRUST MATURITY: {overall}%")
maturity = "Advanced" if overall >= 80 else "Initial" if overall >= 50 else "Traditional"
print(f" Maturity Level: {maturity}")
print(f"\n{'='*60}\n")
return {"findings": findings, "scorecard": scorecard, "overall_score": overall}
def main():
parser = argparse.ArgumentParser(description="Zero Trust Cloud Architecture Agent")
parser.add_argument("--region", default="us-east-1", help="AWS region")
parser.add_argument("--assess", action="store_true", help="Run zero trust assessment")
parser.add_argument("--pillars", action="store_true", help="Show zero trust pillars")
parser.add_argument("--output", help="Save report to JSON")
args = parser.parse_args()
if args.pillars:
for p in ZERO_TRUST_PILLARS:
print(f"\n{p['pillar']}: {p['description']}")
for c in p["checks"]:
print(f" - {c}")
elif args.assess:
report = run_zero_trust_assessment(args.region)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
else:
parser.print_help()
if __name__ == "__main__":
main()