creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
992dae80cf39edba8f90111d8ea072a38162467c
Anthropic-Cybersecurity-Skills/skills/analyzing-linux-system-artifacts/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

115 lines
3.4 KiB
Markdown
Raw Blame History

# API Reference: Linux Forensic Artifact Analysis Tools
## Key Artifact Locations
| Artifact | Path | Description |
|----------|------|-------------|
| Auth logs | `/var/log/auth.log` (Debian) `/var/log/secure` (RHEL) | Authentication events |
| Login history | `/var/log/wtmp` | Successful logins (binary, use `last`) |
| Failed logins | `/var/log/btmp` | Failed logins (binary, use `lastb`) |
| Bash history | `~/.bash_history` | Command history per user |
| SSH keys | `~/.ssh/authorized_keys` | Authorized public keys |
| Crontab | `/etc/crontab`, `/var/spool/cron/crontabs/` | Scheduled tasks |
| Systemd services | `/etc/systemd/system/` | Service definitions |
| LD_PRELOAD | `/etc/ld.so.preload` | Shared library preloading |
| SUID binaries | `find / -perm -4000` | Setuid executables |
## last / lastb - Login History
### Syntax
```bash
last -f /var/log/wtmp # Successful logins
lastb -f /var/log/btmp # Failed logins
last -i -f /var/log/wtmp # Show IP addresses
last -s 2024-01-15 -t 2024-01-20 # Date range filter
```
### Output Format
```
user pts/0 192.168.1.50 Mon Jan 15 09:00 still logged in
```
## chkrootkit - Rootkit Scanner
### Syntax
```bash
chkrootkit # Full scan
chkrootkit -r /mnt/evidence # Scan mounted evidence
chkrootkit -q # Quiet (infected only)
```
## rkhunter - Rootkit Hunter
### Syntax
```bash
rkhunter --check # Full system check
rkhunter --check --rootdir /mnt/ev # Check evidence root
rkhunter --list tests # List available tests
rkhunter --propupd # Update file properties DB
```
### Check Categories
| Check | Description |
|-------|-------------|
| `rootkits` | Known rootkit signatures |
| `trojans` | Trojanized system binaries |
| `properties` | File permission anomalies |
| `filesystem` | Hidden files and directories |
## auditd Log Parsing
### ausearch Syntax
```bash
ausearch -m execve -ts recent # Recent command execution
ausearch -m USER_AUTH -ts today # Authentication events
ausearch -k suspicious_activity # Custom audit rule key
ausearch -ua 0 -ts today # Root user actions
```
### aureport Syntax
```bash
aureport --auth # Authentication summary
aureport --login # Login summary
aureport --file # File access summary
aureport --summary # Overall summary
```
## osquery - SQL-based System Queries
### Syntax
```bash
osqueryi "SELECT * FROM users WHERE uid = 0"
osqueryi "SELECT * FROM crontab"
osqueryi "SELECT * FROM authorized_keys"
osqueryi "SELECT * FROM suid_bin"
osqueryi "SELECT * FROM process_open_sockets"
```
### Key Tables
| Table | Content |
|-------|---------|
| `users` | User account information |
| `crontab` | Cron job entries |
| `authorized_keys` | SSH authorized keys |
| `suid_bin` | SUID binaries |
| `process_open_sockets` | Network connections by process |
| `shell_history` | Command history entries |
## Plaso / log2timeline - Super Timeline
### Syntax
```bash
log2timeline.py /cases/timeline.plaso /mnt/evidence
psort.py -o l2tcsv /cases/timeline.plaso > timeline.csv
psort.py -o l2tcsv /cases/timeline.plaso "date > '2024-01-15'"
```
## AIDE - File Integrity
### Syntax
```bash
aide --init # Initialize database
aide --check # Check for changes
aide --compare # Compare databases
```
Reference in New Issue View Git Blame Copy Permalink