creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-network-access-control-with-cisco-ise/scripts/agent.py
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete 
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

123 lines
4.7 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""Cisco ISE NAC Agent - audits ISE policies, endpoint posture, and 802.1X configuration."""
import json
import argparse
import logging
import subprocess
from collections import defaultdict
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def ise_request(base_url, username, password, endpoint):
"""Execute Cisco ISE ERS API request."""
cmd = ["curl", "-s", "-k", "-u", f"{username}:{password}",
"-H", "Accept: application/json",
f"{base_url}/ers/config{endpoint}"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return json.loads(result.stdout) if result.stdout else {}
def get_network_devices(base_url, user, pw):
return ise_request(base_url, user, pw, "/networkdevice?size=100")
def get_endpoint_groups(base_url, user, pw):
return ise_request(base_url, user, pw, "/endpointgroup")
def get_authorization_policies(base_url, user, pw):
return ise_request(base_url, user, pw, "/authorizationprofile?size=100")
def get_active_sessions(base_url, user, pw):
"""Get active RADIUS sessions via MnT API."""
cmd = ["curl", "-s", "-k", "-u", f"{user}:{pw}",
"-H", "Accept: application/json",
f"{base_url}/admin/API/mnt/Session/ActiveList"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
return json.loads(result.stdout) if result.stdout else {}
def audit_authorization_profiles(profiles):
"""Audit authorization profiles for security best practices."""
findings = []
for profile in profiles.get("SearchResult", {}).get("resources", []):
name = profile.get("name", "")
if "permit" in name.lower() and "all" in name.lower():
findings.append({"profile": name, "issue": "overly_permissive_profile", "severity": "high"})
return findings
def analyze_session_data(sessions):
"""Analyze active session posture and authentication methods."""
auth_methods = defaultdict(int)
posture_status = defaultdict(int)
failed_auths = 0
for session in sessions:
method = session.get("authentication_method", "unknown")
auth_methods[method] += 1
posture = session.get("posture_status", "unknown")
posture_status[posture] += 1
if session.get("authentication_status") == "failed":
failed_auths += 1
return {
"total_sessions": len(sessions),
"auth_methods": dict(auth_methods),
"posture_distribution": dict(posture_status),
"failed_authentications": failed_auths,
}
def check_dot1x_compliance(devices):
"""Check 802.1X deployment across network devices."""
device_list = devices.get("SearchResult", {}).get("resources", [])
dot1x_enabled = sum(1 for d in device_list if d.get("NetworkDeviceIPList"))
return {
"total_devices": len(device_list),
"dot1x_capable": dot1x_enabled,
"coverage_percent": round(dot1x_enabled / max(len(device_list), 1) * 100, 1),
}
def generate_report(devices, profiles, sessions, base_url):
profile_audit = audit_authorization_profiles(profiles)
session_analysis = analyze_session_data(sessions)
dot1x = check_dot1x_compliance(devices)
report = {
"timestamp": datetime.utcnow().isoformat(),
"ise_url": base_url,
"dot1x_deployment": dot1x,
"session_analysis": session_analysis,
"authorization_profile_findings": profile_audit,
"total_findings": len(profile_audit),
}
return report
def main():
parser = argparse.ArgumentParser(description="Cisco ISE NAC Audit Agent")
parser.add_argument("--ise-url", required=True, help="ISE admin URL (https://ise.example.com:9060)")
parser.add_argument("--username", required=True, help="ISE ERS API username")
parser.add_argument("--password", required=True, help="ISE ERS API password")
parser.add_argument("--output", default="ise_nac_report.json")
args = parser.parse_args()
devices = get_network_devices(args.ise_url, args.username, args.password)
profiles = get_authorization_policies(args.ise_url, args.username, args.password)
sessions = get_active_sessions(args.ise_url, args.username, args.password)
report = generate_report(devices, profiles, sessions, args.ise_url)
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
logger.info("ISE audit: 802.1X coverage %.1f%%, %d active sessions, %d findings",
report["dot1x_deployment"]["coverage_percent"],
report["session_analysis"]["total_sessions"], report["total_findings"])
print(json.dumps(report, indent=2, default=str))
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink