creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/configuring-host-based-intrusion-detection/scripts/agent.py
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

141 lines
5.0 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""Host-based intrusion detection agent using OSSEC/Wazuh API and osquery."""
import json
import sys
import argparse
import subprocess
from datetime import datetime
try:
import requests
requests.packages.urllib3.disable_warnings()
except ImportError:
print("Install: pip install requests")
sys.exit(1)
class WazuhClient:
"""Wazuh API client for HIDS management."""
def __init__(self, base_url, username, password):
self.url = base_url.rstrip("/")
self.token = self._authenticate(username, password)
def _authenticate(self, username, password):
resp = requests.post(f"{self.url}/security/user/authenticate",
auth=(username, password), verify=False)
resp.raise_for_status()
return resp.json()["data"]["token"]
def _get(self, endpoint, params=None):
resp = requests.get(f"{self.url}/{endpoint}",
headers={"Authorization": f"Bearer {self.token}"},
params=params, verify=False)
resp.raise_for_status()
return resp.json()
def list_agents(self, status=None):
params = {}
if status:
params["status"] = status
return self._get("agents", params)
def get_agent_alerts(self, agent_id, limit=20):
return self._get(f"alerts", {"agent.id": agent_id, "limit": limit})
def get_sca_results(self, agent_id):
return self._get(f"sca/{agent_id}")
def get_rootcheck(self, agent_id):
return self._get(f"rootcheck/{agent_id}")
def run_osquery_check(query):
"""Execute osquery for host inspection."""
cmd = ["osqueryi", "--json", query]
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return json.loads(result.stdout) if result.stdout.strip() else []
except (FileNotFoundError, json.JSONDecodeError):
return [{"error": "osquery not available"}]
def check_file_integrity(paths):
"""Check file integrity for key system files."""
checks = []
import hashlib, os
for path in paths:
if os.path.exists(path):
with open(path, "rb") as f:
sha256 = hashlib.sha256(f.read()).hexdigest()
stat = os.stat(path)
checks.append({
"path": path,
"sha256": sha256,
"size": stat.st_size,
"modified": datetime.fromtimestamp(stat.st_mtime).isoformat(),
"status": "present",
})
else:
checks.append({"path": path, "status": "missing", "severity": "HIGH"})
return checks
def run_audit(wazuh_url=None, username=None, password=None, agent_id=None):
"""Execute HIDS audit."""
print(f"\n{'='*60}")
print(f" HOST-BASED INTRUSION DETECTION AUDIT")
print(f" Generated: {datetime.utcnow().isoformat()} UTC")
print(f"{'='*60}\n")
if wazuh_url and username and password:
client = WazuhClient(wazuh_url, username, password)
agents = client.list_agents()
data = agents.get("data", {})
items = data.get("affected_items", [])
print(f"--- WAZUH AGENTS ({data.get('total_affected_items', 0)}) ---")
for a in items[:10]:
print(f" {a.get('name', 'N/A')} ({a.get('id', '')}): {a.get('status', '')}")
if agent_id:
sca = client.get_sca_results(agent_id)
sca_data = sca.get("data", {}).get("affected_items", [])
print(f"\n--- SCA RESULTS (agent {agent_id}) ---")
for s in sca_data[:5]:
print(f" {s.get('name', '')}: pass={s.get('pass', 0)} fail={s.get('fail', 0)}")
system_files = ["/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config"]
integrity = check_file_integrity(system_files)
print(f"\n--- FILE INTEGRITY CHECK ---")
for f in integrity:
print(f" {f['path']}: {f['status']}")
processes = run_osquery_check("SELECT name, pid, uid FROM processes WHERE uid = 0")
print(f"\n--- ROOT PROCESSES ({len(processes)}) ---")
for p in processes[:10]:
if "error" not in p:
print(f" PID {p.get('pid', '')}: {p.get('name', '')}")
return {"integrity": integrity, "processes": processes}
def main():
parser = argparse.ArgumentParser(description="HIDS Audit Agent")
parser.add_argument("--wazuh-url", help="Wazuh API URL (https://host:55000)")
parser.add_argument("--username", help="Wazuh API username")
parser.add_argument("--password", help="Wazuh API password")
parser.add_argument("--agent-id", help="Specific agent ID to audit")
parser.add_argument("--output", help="Save report to JSON file")
args = parser.parse_args()
report = run_audit(args.wazuh_url, args.username, args.password, args.agent_id)
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink