creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-conduit-security-for-ot-remote-access/scripts/agent.py
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

137 lines
5.2 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""OT remote access conduit security assessment agent for ICS/SCADA environments."""
import argparse
import json
import logging
import os
import socket
from datetime import datetime
from typing import Dict, List
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
OT_PORTS = {
502: "Modbus TCP",
102: "S7comm (Siemens)",
44818: "EtherNet/IP",
20000: "DNP3",
4840: "OPC UA",
2222: "EtherNet/IP (implicit)",
47808: "BACnet",
1911: "Niagara Fox",
9600: "OMRON FINS",
}
CONDUIT_CHECKS = [
{"id": "C-01", "control": "Jump server required for OT access",
"category": "Access Control", "iec_ref": "IEC 62443-3-3 SR 5.1"},
{"id": "C-02", "control": "MFA enforced on conduit entry point",
"category": "Authentication", "iec_ref": "IEC 62443-3-3 SR 1.1"},
{"id": "C-03", "control": "Session recording enabled",
"category": "Monitoring", "iec_ref": "IEC 62443-3-3 SR 6.1"},
{"id": "C-04", "control": "Time-limited access windows",
"category": "Access Control", "iec_ref": "IEC 62443-3-3 SR 2.1"},
{"id": "C-05", "control": "Network segmentation between IT and OT",
"category": "Network", "iec_ref": "IEC 62443-3-3 SR 5.1"},
{"id": "C-06", "control": "Protocol-aware firewall at conduit boundary",
"category": "Network", "iec_ref": "IEC 62443-3-3 SR 5.2"},
{"id": "C-07", "control": "Encrypted tunnel for remote access",
"category": "Encryption", "iec_ref": "IEC 62443-3-3 SR 4.1"},
{"id": "C-08", "control": "Vendor access through separate conduit",
"category": "Access Control", "iec_ref": "IEC 62443-3-3 SR 1.13"},
]
def scan_ot_ports(target: str, timeout: int = 3) -> List[dict]:
"""Scan for exposed OT protocol ports on a target."""
results = []
for port, protocol in OT_PORTS.items():
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
result = s.connect_ex((target, port))
if result == 0:
results.append({"port": port, "protocol": protocol, "status": "open"})
s.close()
except (socket.timeout, OSError):
continue
return results
def assess_conduit_controls(responses: Dict[str, bool]) -> List[dict]:
"""Assess conduit security controls against IEC 62443 requirements."""
results = []
for check in CONDUIT_CHECKS:
implemented = responses.get(check["id"], False)
results.append({
**check,
"implemented": implemented,
"severity": "CRITICAL" if not implemented and check["category"] in ("Access Control", "Network") else "HIGH" if not implemented else "OK",
})
return results
def compute_conduit_risk_score(control_results: List[dict], open_ports: List[dict]) -> dict:
"""Compute conduit risk score based on controls and exposed ports."""
max_score = len(CONDUIT_CHECKS) * 10
score = sum(10 for c in control_results if c["implemented"])
port_penalty = len(open_ports) * 5
final_score = max(0, score - port_penalty)
pct = (final_score / max_score * 100) if max_score else 0
if pct >= 80:
risk = "LOW"
elif pct >= 50:
risk = "MEDIUM"
else:
risk = "HIGH"
return {"score": final_score, "max_score": max_score,
"percentage": round(pct, 1), "risk_level": risk,
"exposed_ot_ports": len(open_ports)}
def generate_report(targets: List[str], responses: Dict[str, bool]) -> dict:
"""Generate OT conduit security assessment report."""
report = {"analysis_date": datetime.utcnow().isoformat(), "targets": []}
control_results = assess_conduit_controls(responses)
for target in targets:
open_ports = scan_ot_ports(target)
risk = compute_conduit_risk_score(control_results, open_ports)
report["targets"].append({
"host": target, "open_ot_ports": open_ports, "risk": risk,
})
report["conduit_controls"] = control_results
report["summary"] = {
"controls_implemented": sum(1 for c in control_results if c["implemented"]),
"controls_total": len(control_results),
"targets_scanned": len(targets),
}
return report
def main():
parser = argparse.ArgumentParser(description="OT Conduit Security Assessment Agent")
parser.add_argument("--targets", nargs="+", default=[], help="OT gateway hosts to scan")
parser.add_argument("--controls-data", default="", help="JSON file with control responses")
parser.add_argument("--output-dir", default=".")
parser.add_argument("--output", default="conduit_report.json")
args = parser.parse_args()
responses = {}
if args.controls_data and os.path.isfile(args.controls_data):
with open(args.controls_data) as f:
responses = json.load(f)
os.makedirs(args.output_dir, exist_ok=True)
report = generate_report(args.targets, responses)
out_path = os.path.join(args.output_dir, args.output)
with open(out_path, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", out_path)
print(json.dumps(report["summary"], indent=2))
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink