mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
This commit is contained in:
@@ -1,28 +1,208 @@
|
||||
# API Reference: PCI DSS compliance control audit
|
||||
# API Reference: PCI DSS Compliance Control Audit
|
||||
|
||||
## API Endpoints
|
||||
Requirements: network segmentation, encryption, access control, logging, vulnerability mgmt
|
||||
## Libraries Used
|
||||
|
||||
| Library | Purpose |
|
||||
|---------|---------|
|
||||
| `requests` | API calls to scan engines and cloud services |
|
||||
| `jinja2` | Generate compliance assessment reports |
|
||||
| `json` | Parse control status and evidence data |
|
||||
| `subprocess` | Run network segmentation and encryption checks |
|
||||
| `csv` | Export compliance matrices |
|
||||
|
||||
## Installation
|
||||
|
||||
```bash
|
||||
pip install requests jinja2
|
||||
```
|
||||
|
||||
## Libraries
|
||||
## PCI DSS v4.0 Requirements Map
|
||||
|
||||
| Library | Use |
|
||||
|---------|-----|
|
||||
| `requests` | requests SDK/client |
|
||||
| `jinja2` | jinja2 SDK/client |
|
||||
| Requirement | Title | Automated Checks |
|
||||
|-------------|-------|-----------------|
|
||||
| 1 | Install and maintain network security controls | Firewall rules, segmentation testing |
|
||||
| 2 | Apply secure configurations | Default credential scan, hardening baselines |
|
||||
| 3 | Protect stored account data | Encryption at rest, key management |
|
||||
| 4 | Protect cardholder data with strong cryptography during transmission | TLS version, cipher suites |
|
||||
| 5 | Protect all systems against malware | AV status, EDR coverage |
|
||||
| 6 | Develop and maintain secure systems | Vulnerability scans, SAST/DAST |
|
||||
| 7 | Restrict access by business need to know | RBAC review, access logs |
|
||||
| 8 | Identify users and authenticate access | MFA status, password policy |
|
||||
| 9 | Restrict physical access to cardholder data | Physical access logs |
|
||||
| 10 | Log and monitor all access | Log aggregation, SIEM alerts |
|
||||
| 11 | Test security of systems regularly | Penetration tests, IDS/IPS |
|
||||
| 12 | Support information security with policies | Policy review dates |
|
||||
|
||||
## Authentication
|
||||
## Core Compliance Checks
|
||||
|
||||
| Method | Header |
|
||||
|--------|--------|
|
||||
| Bearer Token | `Authorization: Bearer <token>` |
|
||||
| API Key | `X-API-Key: <key>` |
|
||||
### Requirement 2: Default Credentials Check
|
||||
```python
|
||||
import requests
|
||||
|
||||
DEFAULT_CREDS = [
|
||||
("admin", "admin"), ("admin", "password"), ("root", "root"),
|
||||
("admin", ""), ("user", "user"), ("test", "test"),
|
||||
]
|
||||
|
||||
def check_default_credentials(target_url):
|
||||
findings = []
|
||||
for username, password in DEFAULT_CREDS:
|
||||
try:
|
||||
resp = requests.post(
|
||||
f"{target_url}/login",
|
||||
data={"username": username, "password": password},
|
||||
timeout=10,
|
||||
allow_redirects=False,
|
||||
)
|
||||
if resp.status_code in (200, 302):
|
||||
findings.append({
|
||||
"target": target_url,
|
||||
"username": username,
|
||||
"requirement": "2.2.2",
|
||||
"severity": "critical",
|
||||
})
|
||||
except requests.RequestException:
|
||||
pass
|
||||
return findings
|
||||
```
|
||||
|
||||
### Requirement 4: TLS Configuration Check
|
||||
```python
|
||||
import ssl
|
||||
import socket
|
||||
|
||||
def check_tls_config(hostname, port=443):
|
||||
findings = []
|
||||
context = ssl.create_default_context()
|
||||
with socket.create_connection((hostname, port), timeout=10) as sock:
|
||||
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
|
||||
protocol = ssock.version()
|
||||
cipher = ssock.cipher()
|
||||
cert = ssock.getpeercert()
|
||||
|
||||
# Check TLS version (must be 1.2+)
|
||||
if protocol in ("TLSv1", "TLSv1.1"):
|
||||
findings.append({
|
||||
"check": "tls_version",
|
||||
"requirement": "4.2.1",
|
||||
"severity": "high",
|
||||
"detail": f"Weak TLS version: {protocol}",
|
||||
})
|
||||
|
||||
# Check cipher strength
|
||||
if cipher and cipher[2] < 128:
|
||||
findings.append({
|
||||
"check": "cipher_strength",
|
||||
"requirement": "4.2.1",
|
||||
"severity": "high",
|
||||
"detail": f"Weak cipher: {cipher[0]} ({cipher[2]} bits)",
|
||||
})
|
||||
|
||||
return {"protocol": protocol, "cipher": cipher[0], "findings": findings}
|
||||
```
|
||||
|
||||
### Requirement 8: MFA and Password Policy
|
||||
```python
|
||||
def check_password_policy(identity_provider_url, headers):
|
||||
resp = requests.get(
|
||||
f"{identity_provider_url}/api/v1/policies/password",
|
||||
headers=headers,
|
||||
timeout=30,
|
||||
)
|
||||
policy = resp.json()
|
||||
|
||||
findings = []
|
||||
if policy.get("minLength", 0) < 12:
|
||||
findings.append({
|
||||
"check": "password_length",
|
||||
"requirement": "8.3.6",
|
||||
"severity": "medium",
|
||||
"detail": f"Min password length {policy['minLength']} < 12",
|
||||
})
|
||||
if not policy.get("requireUppercase"):
|
||||
findings.append({
|
||||
"check": "password_complexity",
|
||||
"requirement": "8.3.6",
|
||||
"severity": "low",
|
||||
"detail": "Uppercase not required",
|
||||
})
|
||||
return findings
|
||||
```
|
||||
|
||||
### Requirement 10: Log Monitoring Check
|
||||
```python
|
||||
def check_logging_coverage(siem_url, siem_headers):
|
||||
"""Verify all CDE systems forward logs to SIEM."""
|
||||
resp = requests.get(
|
||||
f"{siem_url}/api/sources",
|
||||
headers=siem_headers,
|
||||
timeout=30,
|
||||
)
|
||||
active_sources = resp.json().get("sources", [])
|
||||
return {
|
||||
"total_sources": len(active_sources),
|
||||
"requirement": "10.2",
|
||||
"active": [s for s in active_sources if s.get("status") == "active"],
|
||||
"inactive": [s for s in active_sources if s.get("status") != "active"],
|
||||
}
|
||||
```
|
||||
|
||||
### Generate Compliance Report
|
||||
```python
|
||||
from jinja2 import Template
|
||||
|
||||
REPORT_TEMPLATE = """
|
||||
# PCI DSS v4.0 Compliance Assessment
|
||||
|
||||
Generated: {{ timestamp }}
|
||||
Scope: {{ scope }}
|
||||
|
||||
## Summary
|
||||
- Total Controls: {{ total }}
|
||||
- Compliant: {{ compliant }}
|
||||
- Non-Compliant: {{ non_compliant }}
|
||||
- Compliance Rate: {{ rate }}%
|
||||
|
||||
## Findings
|
||||
{% for finding in findings %}
|
||||
### {{ finding.requirement }} — {{ finding.check }}
|
||||
- **Severity**: {{ finding.severity }}
|
||||
- **Detail**: {{ finding.detail }}
|
||||
{% endfor %}
|
||||
"""
|
||||
|
||||
def generate_report(findings, scope, timestamp):
|
||||
compliant = sum(1 for f in findings if not f.get("findings"))
|
||||
template = Template(REPORT_TEMPLATE)
|
||||
return template.render(
|
||||
timestamp=timestamp,
|
||||
scope=scope,
|
||||
total=len(findings),
|
||||
compliant=compliant,
|
||||
non_compliant=len(findings) - compliant,
|
||||
rate=round(compliant / len(findings) * 100, 1),
|
||||
findings=[f for f in findings if f.get("findings")],
|
||||
)
|
||||
```
|
||||
|
||||
## Output Format
|
||||
|
||||
```json
|
||||
{"timestamp": "ISO-8601", "findings": [], "risk_level": "HIGH"}
|
||||
{
|
||||
"assessment_date": "2025-01-15",
|
||||
"pci_dss_version": "4.0",
|
||||
"scope": "Cardholder Data Environment",
|
||||
"total_requirements": 12,
|
||||
"compliant": 9,
|
||||
"non_compliant": 3,
|
||||
"findings": [
|
||||
{
|
||||
"requirement": "4.2.1",
|
||||
"check": "tls_version",
|
||||
"severity": "high",
|
||||
"detail": "Payment gateway using TLSv1.1",
|
||||
"remediation": "Upgrade to TLS 1.2 or higher"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user