cybersentinel-cli 1.0.0

package/bin/index.js

@@ -0,0 +1,540 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const https = require('https');
+const axios = require('axios');
+const chalk = require('chalk');
+const { program } = require('commander');
+const inquirer = require('inquirer');
+const ora = require('ora');
+const forge = require('node-forge');
+const crypto = require('crypto');
+
+const CONFIG_DIR = path.join(os.homedir(), '.cybersentinel');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const CLIENT_KEY = path.join(CONFIG_DIR, 'client.key');
+const CLIENT_CRT = path.join(CONFIG_DIR, 'client.crt');
+const CA_CRT = path.join(CONFIG_DIR, 'ca.crt');
+const CLIENT_P12 = path.join(CONFIG_DIR, 'client.p12');
+
+function decryptResponse(data) {
+  if (data && data.encrypted === true) {
+    try {
+      const keyString = 'CyberSentinelSuperSecureAESKey2026';
+      const key = crypto.createHash('sha256').update(keyString).digest();
+      
+      const iv = Buffer.from(data.iv, 'hex');
+      const ciphertext = Buffer.from(data.content, 'hex');
+      const tag = Buffer.from(data.tag, 'hex');
+
+      const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+      decipher.setAuthTag(tag);
+
+      let decrypted = decipher.update(ciphertext, undefined, 'utf8');
+      decrypted += decipher.final('utf8');
+      return JSON.parse(decrypted);
+    } catch (err) {
+      console.error(chalk.red('\n[Crypto Error] Failed to decrypt server response payload.'));
+      throw err;
+    }
+  }
+  return data;
+}
+
+
+const VIPER_BANNER = `
+${chalk.green(`  c.          _.._`)}
+${chalk.green(`  ::       .-'    \`-.`)}
+${chalk.green(`  \`:.    .'  .---.   \\`)}
+${chalk.green(`    \`::. \\  /     \\   |`)}   ${chalk.green.bold('CYBERSENTINEL')}
+${chalk.green(`      \`:::..|     |   |`)}   ${chalk.green('Audit Platform CLI v1.0')}
+${chalk.green(`         \`'' \\   /   /`)}
+${chalk.green(`             |\`-.-'-'|`)}    ${chalk.gray("Type: 'cybersentinel --help'")}
+${chalk.green(`             |   |   |`)}
+`;
+
+const SNAKE_SPINNER = {
+  interval: 100,
+  frames: ['⠏', '⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇'].map(f => chalk.green(f))
+};
+
+// Ensure configuration directory exists
+function ensureConfigDir() {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+}
+
+// Check if credentials/certificate exist
+function hasCertificates() {
+  return (
+    fs.existsSync(CLIENT_KEY) &&
+    fs.existsSync(CLIENT_CRT) &&
+    fs.existsSync(CA_CRT) &&
+    fs.existsSync(CONFIG_FILE)
+  );
+}
+
+// Load CLI Config
+function loadConfig() {
+  if (!fs.existsSync(CONFIG_FILE)) {
+    throw new Error('Configuration file not found. Please register first.');
+  }
+  return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8'));
+}
+
+// Create Axios client with mTLS certificates
+function getMtlsClient(config) {
+  const agent = new https.Agent({
+    cert: fs.readFileSync(CLIENT_CRT),
+    key: fs.readFileSync(CLIENT_KEY),
+    ca: fs.readFileSync(CA_CRT),
+    rejectUnauthorized: false // since we are using localhost self-signed certs
+  });
+
+  return axios.create({
+    baseURL: config.apiUrl,
+    httpsAgent: agent,
+    headers: {
+      'x-api-key': config.apiKey || 'CyberSentinelSecretAPIKey2026!'
+    }
+  });
+}
+
+// Print startup banner
+console.log(VIPER_BANNER);
+
+program
+  .name('cybersentinel')
+  .description('Interactive audit checklist and device certification tool')
+  .version('1.0.0');
+
+// Command: register
+program
+  .command('register')
+  .description('Register this device and request signed client certificate')
+  .option('-d, --device-name <name>', 'Custom device name for certificate common name')
+  .action(async (options) => {
+    ensureConfigDir();
+
+    const questions = [
+      {
+        type: 'input',
+        name: 'apiUrl',
+        message: 'Enter CyberSentinel Base API URL:',
+        default: 'https://localhost:3002/api'
+      },
+      {
+        type: 'input',
+        name: 'username',
+        message: 'Enter Username:',
+        default: 'cybersentinel-admin'
+      },
+      {
+        type: 'password',
+        name: 'password',
+        message: 'Enter Password:',
+        mask: '*'
+      },
+      {
+        type: 'input',
+        name: 'deviceName',
+        message: 'Enter Device Name (Common Name):',
+        default: options.deviceName || os.hostname() || 'Auditor-Terminal',
+        when: !options.deviceName
+      }
+    ];
+
+    const answers = await inquirer.prompt(questions);
+    const deviceName = options.deviceName || answers.deviceName;
+    const apiUrl = answers.apiUrl.replace(/\/$/, ''); // strip trailing slash
+
+    const spinner = ora({
+      text: 'Generating 2048-bit RSA keypair locally...',
+      spinner: SNAKE_SPINNER
+    }).start();
+
+    try {
+      // 1. Generate local keypair
+      const pki = forge.pki;
+      const keys = pki.rsa.generateKeyPair(2048);
+      const privateKeyPem = pki.privateKeyToPem(keys.privateKey);
+      
+      // 2. Generate local CSR
+      spinner.text = 'Generating Certification Request (CSR)...';
+      const csr = pki.createCertificationRequest();
+      csr.publicKey = keys.publicKey;
+      csr.setSubject([
+        { name: 'commonName', value: deviceName },
+        { name: 'organizationName', value: 'CyberSentinel' }
+      ]);
+      csr.sign(keys.privateKey, forge.md.sha256.create());
+      const csrPem = pki.certificationRequestToPem(csr);
+
+      // 3. Register to backend
+      spinner.text = 'Submitting CSR to CyberSentinel Portal...';
+      const nonMtlsAgent = new https.Agent({ rejectUnauthorized: false });
+      
+      const response = await axios.post(`${apiUrl}/devices/register`, {
+        username: answers.username,
+        password: answers.password,
+        deviceName: deviceName,
+        csr: csrPem
+      }, {
+        httpsAgent: nonMtlsAgent,
+        headers: {
+          'x-api-key': 'CyberSentinelSecretAPIKey2026!'
+        }
+      });
+
+      spinner.succeed(chalk.green('Server signature obtained successfully!'));
+
+      const decryptedData = decryptResponse(response.data);
+      const { certificate, caCertificate, serial, fingerprint } = decryptedData;
+
+      // 4. Save certs locally
+      fs.writeFileSync(CLIENT_KEY, privateKeyPem, 'utf8');
+      fs.writeFileSync(CLIENT_CRT, certificate, 'utf8');
+      fs.writeFileSync(CA_CRT, caCertificate, 'utf8');
+
+      const configData = {
+        apiUrl,
+        deviceName,
+        serial,
+        fingerprint,
+        apiKey: 'CyberSentinelSecretAPIKey2026!'
+      };
+      fs.writeFileSync(CONFIG_FILE, JSON.stringify(configData, null, 2), 'utf8');
+
+      // 5. Package into PKCS12 .p12 file
+      const p12Answers = await inquirer.prompt([
+        {
+          type: 'password',
+          name: 'p12Password',
+          message: 'Set a password to protect your client.p12 bundle:',
+          mask: '*'
+        }
+      ]);
+
+      const clientCertObj = pki.certificateFromPem(certificate);
+      const p12Asn1 = forge.pkcs12.toPkcs12Asn1(
+        keys.privateKey,
+        [clientCertObj],
+        p12Answers.p12Password,
+        { algorithm: '3des' }
+      );
+      const p12Der = forge.asn1.toDer(p12Asn1).getBytes();
+      fs.writeFileSync(CLIENT_P12, p12Der, 'binary');
+
+      console.log('\n' + chalk.green.bold('✔ Registration Complete!'));
+      console.log(chalk.green(`Device Serial:   ${serial}`));
+      console.log(chalk.green(`Fingerprint:     ${fingerprint}`));
+      console.log(chalk.green(`Files saved to:  ${CONFIG_DIR}`));
+      console.log(chalk.green(`PKCS12 Container: client.p12 (encrypted)\n`));
+
+    } catch (error) {
+      spinner.fail(chalk.red('Registration failed!'));
+      if (error.response) {
+        console.error(chalk.red(`Error: ${error.response.status} - ${error.response.data.message || error.response.data.error}`));
+      } else {
+        console.error(chalk.red(`Error: ${error.message}`));
+      }
+    }
+  });
+
+// Command: init
+program
+  .command('init')
+  .description('Verify credential certificate files status')
+  .action(() => {
+    if (hasCertificates()) {
+      try {
+        const config = loadConfig();
+        console.log(chalk.green('✔ System keys and certificate verification: OK'));
+        console.log(chalk.green(`Registered Server:  ${config.apiUrl}`));
+        console.log(chalk.green(`Registered Device:  ${config.deviceName}`));
+        console.log(chalk.green(`Certificate Serial: ${config.serial}`));
+      } catch (err) {
+        console.error(chalk.red(`Error loading configuration: ${err.message}`));
+      }
+    } else {
+      console.log(chalk.yellow('⚠ No active client certificate found. Please run:'));
+      console.log(chalk.cyan('  cybersentinel register'));
+    }
+  });
+
+// Command: audit
+program
+  .command('audit')
+  .description('Perform security audit on a website and sync scores')
+  .requiredOption('-i, --id <assessmentId>', 'Prisma Database Assessment ID')
+  .requiredOption('-t, --target <url>', 'Website target URL for automated scan')
+  .action(async (options) => {
+    if (!hasCertificates()) {
+      console.error(chalk.red('Error: Local certificate files not found. Run "cybersentinel register" first.'));
+      process.exit(1);
+    }
+
+    let config;
+    try {
+      config = loadConfig();
+    } catch (err) {
+      console.error(chalk.red(err.message));
+      process.exit(1);
+    }
+
+    const client = getMtlsClient(config);
+    const assessmentId = parseInt(options.id, 10);
+    const targetUrl = options.target;
+
+    const fetchSpinner = ora({
+      text: `Connecting to ${config.apiUrl} via mTLS...`,
+      spinner: SNAKE_SPINNER
+    }).start();
+
+    let assessment;
+    try {
+      const response = await client.get(`/assessments/${assessmentId}`);
+      assessment = decryptResponse(response.data);
+      fetchSpinner.succeed(chalk.green(`mTLS connection verified. Active assessment: "${assessment.projectName}"`));
+    } catch (err) {
+      fetchSpinner.fail(chalk.red('mTLS authentication or fetch failed!'));
+      if (err.response) {
+        console.error(chalk.red(`Server error: ${err.response.status} - ${err.response.data.message || err.response.data.error}`));
+      } else {
+        console.error(chalk.red(`Connection error: ${err.message}`));
+      }
+      process.exit(1);
+    }
+
+    // STEP 1: AUTOMATED SCAN
+    console.log(chalk.green.bold('\n--- Phase 1: Automated Security Vulnerability Scan ---'));
+    const scanSpinner = ora({
+      text: `Auditing target: ${targetUrl}...`,
+      spinner: SNAKE_SPINNER
+    }).start();
+
+    const results = {
+      csp: { passed: false, value: 'None' },
+      hsts: { passed: false, value: 'None' },
+      xfo: { passed: false, value: 'None' },
+      cors: { passed: false, value: 'None', details: 'None' }
+    };
+
+    try {
+      const targetAgent = new https.Agent({ rejectUnauthorized: false });
+      const targetResponse = await axios.get(targetUrl, {
+        httpsAgent: targetAgent,
+        timeout: 10000,
+        headers: { 'User-Agent': 'CyberSentinel-Auditor-CLI/1.0' }
+      });
+
+      const headers = targetResponse.headers;
+      
+      // HSTS Check
+      if (headers['strict-transport-security']) {
+        results.hsts.passed = true;
+        results.hsts.value = headers['strict-transport-security'];
+      }
+      // CSP Check
+      if (headers['content-security-policy']) {
+        results.csp.passed = true;
+        results.csp.value = headers['content-security-policy'].substring(0, 50) + '...';
+      }
+      // XFO Check
+      if (headers['x-frame-options']) {
+        results.xfo.passed = true;
+        results.xfo.value = headers['x-frame-options'];
+      }
+      // CORS Check
+      if (headers['access-control-allow-origin']) {
+        results.cors.value = headers['access-control-allow-origin'];
+        if (results.cors.value === '*') {
+          results.cors.passed = false;
+          results.cors.details = 'Wildcard "*" origin allows global access';
+        } else {
+          results.cors.passed = true;
+          results.cors.details = 'Safe origin control configured';
+        }
+      } else {
+        results.cors.passed = true;
+        results.cors.details = 'No cross-origin sharing headers exposed';
+      }
+
+      scanSpinner.succeed(chalk.green('Automated scan completed!'));
+    } catch (err) {
+      scanSpinner.warn(chalk.yellow(`Automated scan incomplete (Target request failed: ${err.message}). Defaulting results.`));
+    }
+
+    console.log(chalk.green('\nAutomated Headers Check Report:'));
+    console.log(`- Strict-Transport-Security (HSTS): ${results.hsts.passed ? chalk.green('FOUND') : chalk.red('MISSING')} [${results.hsts.value}]`);
+    console.log(`- Content-Security-Policy (CSP):    ${results.csp.passed ? chalk.green('FOUND') : chalk.red('MISSING')} [${results.csp.value}]`);
+    console.log(`- X-Frame-Options (Clickjacking):   ${results.xfo.passed ? chalk.green('FOUND') : chalk.red('MISSING')} [${results.xfo.value}]`);
+    console.log(`- Access-Control-Allow-Origin:      ${results.cors.value === '*' ? chalk.red('WILDCARD DETECTED') : chalk.green('SAFE/NONE')} [${results.cors.value}]`);
+
+    // Sync automated findings
+    const scores = JSON.parse(assessment.scores || '{}');
+    
+    // Map CSP to item 7.1
+    scores['7.1'] = {
+      rating: results.csp.passed ? '5' : '1',
+      notes: `[Automated CLI Scan] Content-Security-Policy header is ${results.csp.passed ? 'configured' : 'missing'}.`
+    };
+    // Map HSTS to item 7.2
+    scores['7.2'] = {
+      rating: results.hsts.passed ? '5' : '1',
+      notes: `[Automated CLI Scan] Strict-Transport-Security is ${results.hsts.passed ? 'configured' : 'missing'}.`
+    };
+    // Map XFO to item 8.1
+    scores['8.1'] = {
+      rating: results.xfo.passed ? '5' : '1',
+      notes: `[Automated CLI Scan] Clickjacking protection via X-Frame-Options is ${results.xfo.passed ? 'configured' : 'missing'}.`
+    };
+    // Map CORS to item 10.1
+    scores['10.1'] = {
+      rating: results.cors.value === '*' ? '2' : '5',
+      notes: `[Automated CLI Scan] CORS verification results: ${results.cors.details}.`
+    };
+
+    const syncSpinner = ora({
+      text: 'Synchronizing automated scores to CyberSentinel platform...',
+      spinner: SNAKE_SPINNER
+    }).start();
+
+    try {
+      await client.patch(`/assessments/${assessmentId}`, {
+        scores: JSON.stringify(scores)
+      });
+      syncSpinner.succeed(chalk.green('Automated scan ratings synchronized!'));
+    } catch (err) {
+      syncSpinner.fail(chalk.red('Failed to synchronize automated ratings.'));
+    }
+
+    // STEP 2: MANUAL AUDIT
+    console.log(chalk.green.bold('\n--- Phase 2: Manual Audit Control Walkthrough ---'));
+    let template;
+    try {
+      const response = await client.get('/assessments/template');
+      template = decryptResponse(response.data);
+    } catch (err) {
+      console.error(chalk.red(`Failed to fetch checklist template: ${err.message}`));
+      process.exit(1);
+    }
+
+    // Let user choose a category to audit
+    const catChoice = await inquirer.prompt([
+      {
+        type: 'list',
+        name: 'categoryId',
+        message: 'Select checklist category to audit:',
+        choices: [
+          ...template.map(c => ({ name: `${c.id}. ${c.name}`, value: c.id })),
+          { name: chalk.yellow('Exit Audit Session'), value: -1 }
+        ]
+      }
+    ]);
+
+    if (catChoice.categoryId === -1) {
+      console.log(chalk.yellow('Audit session exited.'));
+      process.exit(0);
+    }
+
+    const selectedCategory = template.find(c => c.id === catChoice.categoryId);
+    console.log(chalk.green.bold(`\nAuditing Category: ${selectedCategory.id}. ${selectedCategory.name}\n`));
+
+    for (const item of selectedCategory.items) {
+      console.log(chalk.white(`--------------------------------------------------`));
+      console.log(chalk.green.bold(`Item ID:   ${item.id}`));
+      console.log(chalk.green(`Criteria:  ${item.criteria}`));
+      
+      const currentVal = scores[item.id] || { rating: '', notes: '' };
+      if (currentVal.rating) {
+        console.log(chalk.gray(`Current:   Rating: ${currentVal.rating} | Notes: ${currentVal.notes}`));
+      }
+
+      const itemAnswers = await inquirer.prompt([
+        {
+          type: 'list',
+          name: 'rating',
+          message: 'Rate implementing control quality:',
+          choices: ['5', '4', '3', '2', '1', 'N/A'],
+          default: currentVal.rating || '5'
+        },
+        {
+          type: 'input',
+          name: 'notes',
+          message: 'Add auditor notes / findings / evidence:',
+          default: currentVal.notes || ''
+        },
+        {
+          type: 'confirm',
+          name: 'hasEvidence',
+          message: 'Do you want to upload a local evidence file (image/pdf)?',
+          default: false
+        },
+        {
+          type: 'input',
+          name: 'evidencePath',
+          message: 'Enter absolute path to the evidence file:',
+          validate: (val) => fs.existsSync(val) ? true : 'File does not exist at path!',
+          when: (ans) => ans.hasEvidence
+        }
+      ]);
+
+      let finalNotes = itemAnswers.notes;
+
+      // Handle Evidence Upload
+      if (itemAnswers.hasEvidence && itemAnswers.evidencePath) {
+        const uploadSpinner = ora({
+          text: 'Uploading evidence file to Supabase storage...',
+          spinner: SNAKE_SPINNER
+        }).start();
+
+        try {
+          const FormData = require('form-data');
+          const form = new FormData();
+          form.append('file', fs.createReadStream(itemAnswers.evidencePath));
+
+          const uploadResponse = await client.post(`/assessments/${assessmentId}/evidence`, form, {
+            headers: {
+              ...form.getHeaders()
+            }
+          });
+
+          const decryptedUpload = decryptResponse(uploadResponse.data);
+          uploadSpinner.succeed(chalk.green('Evidence file uploaded successfully!'));
+          const fileRef = `[Evidence Reference: ${decryptedUpload.filePath}]`;
+          finalNotes = finalNotes ? `${finalNotes} ${fileRef}` : fileRef;
+        } catch (uploadErr) {
+          uploadSpinner.fail(chalk.red('Failed to upload evidence file.'));
+          console.error(chalk.red(`Upload error: ${uploadErr.message}`));
+        }
+      }
+
+      // Update and Sync
+      scores[item.id] = {
+        rating: itemAnswers.rating,
+        notes: finalNotes
+      };
+
+      const itemSyncSpinner = ora({
+        text: 'Saving item state...',
+        spinner: SNAKE_SPINNER
+      }).start();
+
+      try {
+        await client.patch(`/assessments/${assessmentId}`, {
+          scores: JSON.stringify(scores)
+        });
+        itemSyncSpinner.succeed(chalk.green('Item state synchronized.'));
+      } catch (err) {
+        itemSyncSpinner.fail(chalk.red('Failed to save item.'));
+      }
+    }
+
+    console.log(chalk.green.bold(`\n✔ Completed Category ${selectedCategory.id} Audit!\n`));
+  });
+
+program.parse(process.argv);

package/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "cybersentinel-cli",
+  "version": "1.0.0",
+  "description": "CyberSentinel Cybersecurity Auditor CLI Tool",
+  "main": "bin/index.js",
+  "type": "commonjs",
+  "bin": {
+    "cybersentinel": "bin/index.js"
+  },
+  "scripts": {
+    "start": "node bin/index.js"
+  },
+  "dependencies": {
+    "axios": "^1.6.8",
+    "chalk": "^4.1.2",
+    "commander": "^12.0.0",
+    "form-data": "^4.0.0",
+    "inquirer": "^8.2.6",
+    "node-forge": "^1.3.1",
+    "ora": "^5.4.1"
+  }
+}