ai_root_shield 0.4.0 → 1.0.0

data/examples/device_logs/ios_jailbroken_device.json

@@ -0,0 +1,172 @@
+{
+  "platform": "ios",
+  "timestamp": 1640995200,
+  "device_info": {
+    "model": "iPhone 13 Pro",
+    "manufacturer": "Apple",
+    "os_version": "15.6.1",
+    "device_identifier": "iPhone14,3"
+  },
+  "code_signing": {
+    "mainBundleSigned": false,
+    "embeddedProvisioning": true,
+    "teamIdentifier": "ABCD123456",
+    "codeDirectoryHash": "sha256:1234567890abcdef...",
+    "entitlementsValid": false,
+    "signatureVersion": 2,
+    "certificateChainValid": false,
+    "certificate": {
+      "isDevelopment": true,
+      "isDistribution": false,
+      "isEnterprise": false,
+      "isAdhoc": false,
+      "expirationDate": "2024-12-31T23:59:59Z",
+      "issuer": "Apple Development"
+    }
+  },
+  "sandbox": {
+    "containerIntegrity": false,
+    "fileAccessViolations": [
+      "/private/var/mobile/Library/Preferences",
+      "/Applications/Cydia.app"
+    ],
+    "networkAccessViolations": [],
+    "ipcViolations": ["com.apple.springboard"],
+    "entitlementViolations": ["get-task-allow"],
+    "sandboxProfileValid": false
+  },
+  "dyld": {
+    "loadedLibraries": [
+      "/usr/lib/libSystem.B.dylib",
+      "/Library/MobileSubstrate/MobileSubstrate.dylib",
+      "/Library/MobileSubstrate/DynamicLibraries/PreferenceLoader.dylib",
+      "/usr/lib/substitute-inserter.dylib"
+    ],
+    "injectedLibraries": [
+      "/Library/MobileSubstrate/MobileSubstrate.dylib",
+      "/usr/lib/substitute-inserter.dylib"
+    ],
+    "runtimeModifications": [
+      {
+        "library": "MobileSubstrate",
+        "function": "MSHookFunction",
+        "target": "objc_msgSend"
+      }
+    ],
+    "methodSwizzling": {
+      "detected": true,
+      "swizzledMethods": [
+        "UIApplication.openURL:",
+        "NSFileManager.fileExistsAtPath:"
+      ]
+    }
+  },
+  "hardware_security": {
+    "secureEnclaveAvailable": true,
+    "touchIdAvailable": true,
+    "faceIdAvailable": false,
+    "processorType": "A15 Bionic",
+    "secureBootChain": true,
+    "uidAvailable": true,
+    "gidAvailable": true,
+    "biometricKeysProtected": true,
+    "keychainHardwareProtection": true,
+    "sepFirmwareVersion": "4.0.0",
+    "biometrics": {
+      "touchIdEnrolled": true,
+      "faceIdEnrolled": false,
+      "biometricChangesDetected": false,
+      "hardwareTamperDetected": false
+    }
+  },
+  "system_integrity": {
+    "systemVersionAuthentic": false,
+    "kernelIntegrity": false,
+    "amfiEnabled": false,
+    "sipEnabled": false,
+    "codeInjectionProtection": false,
+    "libraryValidation": false,
+    "runtimeProtections": []
+  },
+  "file_system": {
+    "files": [
+      {
+        "path": "/Applications/Cydia.app",
+        "exists": true,
+        "permissions": "755"
+      },
+      {
+        "path": "/Library/MobileSubstrate/MobileSubstrate.dylib",
+        "exists": true,
+        "permissions": "755"
+      },
+      {
+        "path": "/usr/bin/ssh",
+        "exists": true,
+        "permissions": "755"
+      },
+      {
+        "path": "/private/var/lib/cydia",
+        "exists": true,
+        "permissions": "755"
+      },
+      {
+        "path": "/bin/bash",
+        "exists": true,
+        "permissions": "755"
+      }
+    ]
+  },
+  "url_schemes": [
+    "cydia://",
+    "sileo://",
+    "zbra://",
+    "filza://",
+    "activator://"
+  ],
+  "symbolic_links": [
+    {
+      "source": "/Applications",
+      "target": "/var/stash/Applications"
+    },
+    {
+      "source": "/usr/include",
+      "target": "/var/stash/usr/include"
+    }
+  ],
+  "fork_test": {
+    "forkAllowed": true
+  },
+  "system_calls": {
+    "ptraceDetected": true,
+    "sysctlBypass": true,
+    "dlopenHooking": true
+  },
+  "runtime_manipulation": {
+    "methodSwizzlingDetected": true,
+    "classDumpDetected": true,
+    "runtimeInjection": true
+  },
+  "network": {
+    "proxy_enabled": false,
+    "vpn_active": false,
+    "custom_certificates": [],
+    "tls_version": "1.3"
+  },
+  "risk_score": 85,
+  "factors": [
+    "IOS_JAILBREAK_FILES_DETECTED",
+    "IOS_JAILBREAK_URL_SCHEMES_DETECTED", 
+    "IOS_JAILBREAK_LIBRARIES_DETECTED",
+    "IOS_SANDBOX_VIOLATIONS_DETECTED",
+    "IOS_FORK_RESTRICTIONS_BYPASSED",
+    "IOS_MAIN_BUNDLE_NOT_SIGNED",
+    "IOS_INVALID_CERTIFICATE_CHAIN",
+    "IOS_DEVELOPMENT_CERTIFICATE",
+    "IOS_DYLD_INJECTION_DETECTED",
+    "IOS_HOOKING_FRAMEWORKS_DETECTED",
+    "IOS_AMFI_DISABLED",
+    "IOS_SIP_DISABLED",
+    "IOS_LIBRARY_VALIDATION_DISABLED"
+  ]
+}

data/exe/ai_root_shield

@@ -3,6 +3,7 @@
 
 require "optparse"
 require "json"
+require "fileutils"
 require_relative "../lib/ai_root_shield"
 
 # Command line interface for AI Root Shield
@@ -24,13 +25,37 @@ class AiRootShieldCLI
       enable_certificate_pinning: false,
       enable_proxy_detection: false,
       target_ip: nil,
-      target_url: nil
+      target_url: nil,
+      # v0.5.0 new options
+      platform: nil,
+      safetynet_api_key: nil,
+      package_name: nil,
+      ci_mode: false,
+      artifacts_path: './security_test_artifacts',
+      siem_platform: nil,
+      siem_endpoint: nil,
+      siem_token: nil,
+      start_dashboard: false,
+      dashboard_port: 4567,
+      generate_ci_config: nil,
+      enable_unified_reporting: false
     }
   end
 
   def run(args)
     parse_options(args)
     
+    # Handle special commands first
+    if @options[:start_dashboard]
+      start_dashboard
+      return
+    end
+    
+    if @options[:generate_ci_config]
+      generate_ci_config
+      return
+    end
+    
     if args.empty?
       puts "Error: Please provide a device logs file path"
       puts "Usage: ai_root_shield [options] <device_logs.json>"
@@ -45,6 +70,15 @@ class AiRootShieldCLI
     end
 
     begin
+      # Configure SIEM if provided
+      if @options[:siem_platform] && @options[:siem_endpoint] && @options[:siem_token]
+        puts "Configuring SIEM integration (#{@options[:siem_platform]})..." if @options[:verbose]
+        AiRootShield.configure_siem(@options[:siem_platform].to_sym, {
+          api_endpoint: @options[:siem_endpoint],
+          api_key: @options[:siem_token]
+        })
+      end
+      
       # Configure enterprise policy if provided
       if @options[:policy_file]
         puts "Loading enterprise policy from #{@options[:policy_file]}..." if @options[:verbose]
@@ -83,7 +117,23 @@ class AiRootShieldCLI
         sleep(@options[:rasp_monitoring_time])
       end
       
-      result = AiRootShield.scan_device_with_config(device_logs_path, @options)
+      # Run analysis based on mode
+      if @options[:ci_mode]
+        result = run_ci_cd_analysis(device_logs_path)
+      elsif @options[:platform]
+        result = run_platform_specific_analysis(device_logs_path)
+      else
+        result = AiRootShield.scan_device_with_config(device_logs_path, @options)
+      end
+      
+      # Send to SIEM if configured
+      if @options[:siem_platform]
+        puts "Sending results to SIEM..." if @options[:verbose]
+        AiRootShield.send_to_siem(result, {
+          cli_version: AiRootShield::VERSION,
+          scan_timestamp: Time.now.utc.iso8601
+        })
+      end
       
       # Add RASP status to result if enabled
       if @options[:enable_rasp_protection] && AiRootShield.rasp_active?
@@ -184,6 +234,70 @@ class AiRootShieldCLI
         @options[:target_url] = url
       end
 
+      # v0.5.0 Platform-specific options
+      opts.separator ""
+      opts.separator "Platform-specific Analysis (v0.5.0):"
+
+      opts.on("--platform PLATFORM", ["android", "ios"], "Platform-specific analysis (android, ios)") do |platform|
+        @options[:platform] = platform
+      end
+
+      opts.on("--safetynet-key KEY", "Google SafetyNet API key for Android analysis") do |key|
+        @options[:safetynet_api_key] = key
+      end
+
+      opts.on("--package-name NAME", "Android package name for analysis") do |name|
+        @options[:package_name] = name
+      end
+
+      opts.on("--unified-report", "Generate unified cross-platform report") do
+        @options[:enable_unified_reporting] = true
+      end
+
+      # CI/CD Integration options
+      opts.separator ""
+      opts.separator "CI/CD Integration (v0.5.0):"
+
+      opts.on("--ci-mode", "Run in CI/CD mode with test artifacts") do
+        @options[:ci_mode] = true
+      end
+
+      opts.on("--artifacts-path PATH", "Path for CI/CD test artifacts (default: ./security_test_artifacts)") do |path|
+        @options[:artifacts_path] = path
+      end
+
+      opts.on("--generate-ci-config PLATFORM", ["github", "gitlab", "jenkins", "azure"], "Generate CI config for platform") do |platform|
+        @options[:generate_ci_config] = platform
+      end
+
+      # SIEM Integration options
+      opts.separator ""
+      opts.separator "SIEM Integration (v0.5.0):"
+
+      opts.on("--siem-platform PLATFORM", ["splunk", "elastic", "qradar", "sentinel", "datadog", "chronicle", "arcsight"], "SIEM platform") do |platform|
+        @options[:siem_platform] = platform
+      end
+
+      opts.on("--siem-endpoint URL", "SIEM API endpoint URL") do |url|
+        @options[:siem_endpoint] = url
+      end
+
+      opts.on("--siem-token TOKEN", "SIEM API authentication token") do |token|
+        @options[:siem_token] = token
+      end
+
+      # Dashboard options
+      opts.separator ""
+      opts.separator "Dashboard (v0.5.0):"
+
+      opts.on("--start-dashboard", "Start web dashboard server") do
+        @options[:start_dashboard] = true
+      end
+
+      opts.on("--dashboard-port PORT", Integer, "Dashboard port (default: 4567)") do |port|
+        @options[:dashboard_port] = port
+      end
+
       opts.on("-h", "--help", "Show this help message") do
         puts opts
         exit
@@ -280,14 +394,113 @@ class AiRootShieldCLI
   end
 
   def output_summary_format(result)
-    risk_level = AiRootShield::RiskCalculator.risk_level_description(result[:risk_score])
+    # Handle unified report format
+    if result[:executive_summary]
+      risk_level = result[:executive_summary][:overall_risk_level]
+      security_score = result[:executive_summary][:security_posture_score]
+      threat_count = result[:executive_summary][:critical_findings]&.length || 0
+      
+      puts "Risk Level: #{risk_level} (Security Score: #{security_score}/100)"
+      puts "Threats: #{threat_count} critical findings detected"
+      
+      if result[:executive_summary][:key_recommendations]&.any?
+        puts "Primary Concerns: #{result[:executive_summary][:key_recommendations].first(3).join(', ')}"
+      end
+    else
+      # Handle regular analysis format
+      risk_level = AiRootShield::RiskCalculator.risk_level_description(result[:risk_score])
+      
+      puts "Risk Level: #{risk_level} (#{result[:risk_score]}/100)"
+      puts "Threats: #{result[:factors]&.length || 0} detected"
+      
+      if result[:factors]&.any?
+        puts "Primary Concerns: #{result[:factors].first(3).join(', ')}"
+      end
+    end
+  end
+
+  # v0.5.0 New Methods
+  def run_platform_specific_analysis(device_logs_path)
+    puts "Running #{@options[:platform]} platform-specific analysis..." if @options[:verbose]
     
-    puts "Risk Level: #{risk_level} (#{result[:risk_score]}/100)"
-    puts "Threats: #{result[:factors].length} detected"
+    case @options[:platform]
+    when 'android'
+      config = {}
+      config[:safetynet_api_key] = @options[:safetynet_api_key] if @options[:safetynet_api_key]
+      config[:package_name] = @options[:package_name] if @options[:package_name]
+      
+      result = AiRootShield.analyze_android_device(device_logs_path, config)
+    when 'ios'
+      result = AiRootShield.analyze_ios_device(device_logs_path)
+    else
+      raise "Unsupported platform: #{@options[:platform]}"
+    end
     
-    if result[:factors].any?
-      puts "Primary Concerns: #{result[:factors].first(3).join(', ')}"
+    if @options[:enable_unified_reporting]
+      puts "Generating unified cross-platform report..." if @options[:verbose]
+      case @options[:platform]
+      when 'android'
+        unified_result = AiRootShield.generate_unified_report(android_results: result)
+      when 'ios'
+        unified_result = AiRootShield.generate_unified_report(ios_results: result)
+      end
+      return unified_result
     end
+    
+    result
+  end
+
+  def run_ci_cd_analysis(device_logs_path)
+    puts "Running CI/CD security analysis..." if @options[:verbose]
+    
+    # Create artifacts directory
+    Dir.mkdir(@options[:artifacts_path]) unless Dir.exist?(@options[:artifacts_path])
+    
+    # Run CI/CD tests
+    result = AiRootShield.run_ci_cd_tests(device_logs_path, {
+      artifacts_path: @options[:artifacts_path],
+      verbose: @options[:verbose]
+    })
+    
+    puts "CI/CD test artifacts saved to: #{@options[:artifacts_path]}" if @options[:verbose]
+    result
+  end
+
+  def start_dashboard
+    puts "Starting AI Root Shield Dashboard on port #{@options[:dashboard_port]}..."
+    puts "Dashboard will be available at: http://localhost:#{@options[:dashboard_port]}"
+    puts "Press Ctrl+C to stop the dashboard"
+    
+    begin
+      AiRootShield.start_dashboard(@options[:dashboard_port])
+    rescue Interrupt
+      puts "\nDashboard stopped."
+    end
+  end
+
+  def generate_ci_config
+    puts "Generating CI/CD configuration for #{@options[:generate_ci_config]}..."
+    
+    config_content = AiRootShield.generate_ci_config(@options[:generate_ci_config].to_sym)
+    
+    filename = case @options[:generate_ci_config]
+    when 'github'
+      '.github/workflows/security-scan.yml'
+    when 'gitlab'
+      '.gitlab-ci.yml'
+    when 'jenkins'
+      'Jenkinsfile'
+    when 'azure'
+      'azure-pipelines.yml'
+    end
+    
+    # Create directory if needed
+    dir = File.dirname(filename)
+    FileUtils.mkdir_p(dir) unless Dir.exist?(dir) || dir == '.'
+    
+    File.write(filename, config_content)
+    puts "CI/CD configuration saved to: #{filename}"
+    puts "Please review and customize the configuration as needed."
   end
 end