mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 22:19:39 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
@@ -0,0 +1,44 @@
|
||||
# API Reference — Performing Linux Log Forensics Investigation
|
||||
|
||||
## Libraries Used
|
||||
- **re**: Pattern matching for log entries (IPs, users, timestamps, suspicious commands)
|
||||
- **gzip**: Read compressed log files (.gz)
|
||||
- **pathlib**: File system operations
|
||||
- **collections.Counter**: Aggregate brute force IPs, command tags
|
||||
|
||||
## CLI Interface
|
||||
```
|
||||
python agent.py auth --file /var/log/auth.log
|
||||
python agent.py syslog --file /var/log/syslog
|
||||
python agent.py history --file /home/user/.bash_history
|
||||
python agent.py timeline --files /var/log/auth.log /var/log/syslog /var/log/kern.log
|
||||
```
|
||||
|
||||
## Core Functions
|
||||
|
||||
### `analyze_auth_log(log_file)` — Authentication log analysis
|
||||
Detects: failed logins, successful logins, sudo commands, SSH events.
|
||||
Identifies brute force suspects (>=5 failed attempts from same IP).
|
||||
|
||||
### `analyze_syslog(log_file)` — System log anomaly detection
|
||||
Flags: errors/critical messages, kernel anomalies (segfault, OOM, panic), cron jobs.
|
||||
|
||||
### `analyze_command_history(history_file)` — Suspicious command detection
|
||||
12 patterns: remote code execution (curl|sh), reverse shells, base64 decode,
|
||||
crontab modification, firewall flush, history clearing, destructive commands.
|
||||
|
||||
### `timeline_analysis(log_files)` — Multi-source timeline reconstruction
|
||||
Merges events from multiple log files sorted by timestamp.
|
||||
Supports syslog format (Mon DD HH:MM:SS) and ISO 8601.
|
||||
|
||||
## Suspicious Command Tags
|
||||
| Tag | Pattern |
|
||||
|-----|---------|
|
||||
| REMOTE_CODE_EXECUTION | curl/wget piped to sh/bash |
|
||||
| BASH_REVERSE_SHELL | /dev/tcp/ usage |
|
||||
| NETCAT_LISTENER | nc -e/-l/-p |
|
||||
| HISTORY_CLEAR | history -c |
|
||||
| DESTRUCTIVE_COMMAND | rm -rf / |
|
||||
|
||||
## Dependencies
|
||||
No external packages — Python standard library only.
|
||||
Reference in New Issue
Block a user