creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 06:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-linux-audit-logs-for-intrusion/scripts/agent.py
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

222 lines
7.9 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""Linux audit log analysis agent for intrusion detection.
Parses /var/log/audit/audit.log entries to detect privilege escalation,
unauthorized file access, suspicious syscalls, and process execution anomalies.
"""
import argparse
import json
import re
import sys
import datetime
import collections
import subprocess
SUSPICIOUS_SYSCALLS = {
"execve": "Program execution",
"connect": "Network connection",
"bind": "Port binding",
"ptrace": "Process tracing/debugging",
"init_module": "Kernel module loading",
"finit_module": "Kernel module loading",
"delete_module": "Kernel module unloading",
"mount": "Filesystem mount",
"umount2": "Filesystem unmount",
"setuid": "UID change",
"setgid": "GID change",
"sethostname": "Hostname change",
"open_by_handle_at": "File open by handle (container escape)",
}
SENSITIVE_PATHS = [
"/etc/passwd", "/etc/shadow", "/etc/sudoers",
"/etc/ssh/sshd_config", "/root/.ssh/authorized_keys",
"/etc/crontab", "/var/spool/cron",
]
SUSPICIOUS_COMMANDS = [
"curl", "wget", "nc", "ncat", "nmap", "tcpdump",
"python", "perl", "ruby", "gcc", "cc", "make",
"useradd", "usermod", "groupadd", "visudo",
"iptables", "ip6tables", "nft",
]
def parse_audit_log(log_path, max_lines=50000):
"""Parse raw audit.log file into structured events."""
events = []
current = {}
try:
with open(log_path, "r") as f:
for i, line in enumerate(f):
if i >= max_lines:
break
match = re.match(
r"type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)", line
)
if not match:
continue
event_type = match.group(1)
timestamp = float(match.group(2))
event_id = match.group(3)
data_str = match.group(4)
fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', data_str))
for k, v in fields.items():
fields[k] = v.strip('"')
event = {
"type": event_type,
"timestamp": datetime.datetime.fromtimestamp(timestamp).isoformat(),
"event_id": event_id,
**fields,
}
events.append(event)
except FileNotFoundError:
return {"error": f"Log file not found: {log_path}"}
return events
def detect_privilege_escalation(events):
"""Detect privilege escalation indicators in audit events."""
findings = []
for e in events:
if e.get("type") == "SYSCALL" and e.get("syscall_name") in ("setuid", "setgid", "execve"):
if e.get("uid") != "0" and e.get("euid") == "0":
findings.append({
"type": "privilege_escalation",
"detail": f"UID {e.get('uid')} escalated to eUID 0",
"command": e.get("comm", ""),
"exe": e.get("exe", ""),
"timestamp": e.get("timestamp"),
"severity": "CRITICAL",
})
if e.get("type") == "USER_CMD" and "sudo" in e.get("cmd", "").lower():
findings.append({
"type": "sudo_usage",
"user": e.get("acct", e.get("uid", "")),
"command": e.get("cmd", ""),
"timestamp": e.get("timestamp"),
"severity": "MEDIUM",
})
return findings
def detect_file_access(events):
"""Detect access to sensitive files."""
findings = []
for e in events:
if e.get("type") in ("PATH", "SYSCALL"):
path = e.get("name", e.get("exe", ""))
for sensitive in SENSITIVE_PATHS:
if sensitive in path:
findings.append({
"type": "sensitive_file_access",
"path": path,
"syscall": e.get("syscall_name", e.get("syscall", "")),
"user": e.get("uid", ""),
"timestamp": e.get("timestamp"),
"severity": "HIGH",
})
break
return findings
def detect_suspicious_commands(events):
"""Detect execution of suspicious commands."""
findings = []
for e in events:
if e.get("type") in ("EXECVE", "SYSCALL"):
comm = e.get("comm", "").lower()
exe = e.get("exe", "").lower()
for cmd in SUSPICIOUS_COMMANDS:
if cmd in comm or cmd in exe:
findings.append({
"type": "suspicious_command",
"command": comm,
"exe": exe,
"user": e.get("uid", ""),
"timestamp": e.get("timestamp"),
"severity": "MEDIUM",
})
break
return findings
def run_ausearch(key=None, message_type=None, success=None):
"""Run ausearch command and return results."""
cmd = ["ausearch"]
if key:
cmd.extend(["-k", key])
if message_type:
cmd.extend(["-m", message_type])
if success is not None:
cmd.extend(["--success", "yes" if success else "no"])
cmd.extend(["--format", "csv"])
try:
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
return {"output": result.stdout[:5000], "exit_code": result.returncode}
except (FileNotFoundError, subprocess.TimeoutExpired) as e:
return {"error": str(e)}
def generate_summary(events, findings):
"""Generate audit log analysis summary."""
event_types = collections.Counter(e.get("type") for e in events)
finding_types = collections.Counter(f.get("type") for f in findings)
severity_counts = collections.Counter(f.get("severity") for f in findings)
return {
"total_events": len(events),
"event_types": dict(event_types.most_common(10)),
"total_findings": len(findings),
"finding_types": dict(finding_types),
"by_severity": dict(severity_counts),
}
def main():
parser = argparse.ArgumentParser(description="Linux audit log intrusion detection agent")
parser.add_argument("log_file", nargs="?", default="/var/log/audit/audit.log",
help="Path to audit.log (default: /var/log/audit/audit.log)")
parser.add_argument("--max-lines", type=int, default=50000, help="Max log lines to parse")
parser.add_argument("--ausearch-key", help="Run ausearch with this key")
parser.add_argument("--output", "-o", help="Output JSON report path")
args = parser.parse_args()
print("[*] Linux Audit Log Intrusion Detection Agent")
if args.ausearch_key:
result = run_ausearch(key=args.ausearch_key)
print(json.dumps(result, indent=2))
sys.exit(0)
events = parse_audit_log(args.log_file, args.max_lines)
if isinstance(events, dict) and "error" in events:
print(f"[!] {events['error']}")
print("[DEMO] Specify a valid audit.log path or run on a Linux system")
print(json.dumps({"demo": True, "monitored_syscalls": len(SUSPICIOUS_SYSCALLS)}, indent=2))
sys.exit(0)
findings = []
findings.extend(detect_privilege_escalation(events))
findings.extend(detect_file_access(events))
findings.extend(detect_suspicious_commands(events))
summary = generate_summary(events, findings)
print(f"[*] Events parsed: {summary['total_events']}")
print(f"[*] Findings: {summary['total_findings']}")
print(f" By severity: {summary['by_severity']}")
for f in findings[:15]:
print(f" [{f['severity']}] {f['type']}: {f.get('command', f.get('path', ''))}")
if args.output:
report = {"summary": summary, "findings": findings}
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(json.dumps(summary, indent=2))
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink