mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.6 KiB
1.6 KiB
API Reference: Analyzing Kubernetes Audit Logs
Audit Log Format (JSON Lines)
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "RequestResponse",
"verb": "create",
"user": {"username": "admin", "groups": ["system:masters"]},
"sourceIPs": ["10.0.0.5"],
"objectRef": {
"resource": "pods",
"subresource": "exec",
"namespace": "default",
"name": "web-pod"
},
"responseStatus": {"code": 200},
"requestReceivedTimestamp": "2025-03-15T14:00:00Z"
}
Security-Critical Audit Events
| Event | objectRef | Severity |
|---|---|---|
| Pod exec | resource: pods, subresource: exec |
HIGH |
| Secret access | resource: secrets, verb: get/list |
HIGH |
| RBAC change | resource: clusterrolebindings |
CRITICAL |
| Privileged pod | requestObject.spec.containers[].securityContext.privileged |
CRITICAL |
| Anonymous access | user.username: system:anonymous |
CRITICAL |
Audit Policy Levels
| Level | Captures |
|---|---|
| None | No logging |
| Metadata | Timestamp, user, verb, resource |
| Request | Metadata + request body |
| RequestResponse | Request + response body |
Python Parsing
import json
with open("audit.log") as f:
for line in f:
event = json.loads(line)
print(event["verb"], event["objectRef"]["resource"])
References
- K8s Auditing: https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
- Audit policy: https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- Datadog k8s audit: https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/