pentesty-agent 0.1.0__tar.gz

pentesty_agent-0.1.0/PKG-INFO

@@ -0,0 +1,10 @@
+Metadata-Version: 2.4
+Name: pentesty-agent
+Version: 0.1.0
+Summary: Pentesty security monitoring agent
+Requires-Python: >=3.11
+Requires-Dist: psutil>=6.0.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: pydantic>=2.0.0
+Requires-Dist: watchdog>=4.0.0
+Requires-Dist: tomli>=2.0.0; python_version < "3.11"

pentesty_agent-0.1.0/pentesty_agent/__init__.py

@@ -0,0 +1 @@
+from __future__ import annotations

pentesty_agent-0.1.0/pentesty_agent/__main__.py

@@ -0,0 +1,3 @@
+from pentesty_agent.main import main
+
+main()

pentesty_agent-0.1.0/pentesty_agent/collectors/_patterns.py

@@ -0,0 +1,22 @@
+from __future__ import annotations
+
+import re
+
+ATTACK_PATTERNS: dict[str, re.Pattern] = {
+    "sqli": re.compile(
+        r"UNION\s+SELECT|'[\s]*OR[\s]*[\d']+\s*=|--[\s]*$|sleep\s*\(|benchmark\s*\(",
+        re.IGNORECASE,
+    ),
+    "lfi": re.compile(
+        r"\.\.(?:/|%2f).*\.\.(?:/|%2f)|/etc/passwd|/proc/self",
+        re.IGNORECASE,
+    ),
+    "xss": re.compile(
+        r"<script|javascript:|onerror\s*=|onload\s*=",
+        re.IGNORECASE,
+    ),
+    "path_traversal": re.compile(
+        r"%2e%2e|\.\.%252f",
+        re.IGNORECASE,
+    ),
+}

pentesty_agent-0.1.0/pentesty_agent/collectors/base.py

@@ -0,0 +1,10 @@
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+
+from pentesty_agent.models import AgentEvent
+
+
+class Collector(ABC):
+    @abstractmethod
+    def collect(self) -> list[AgentEvent]: ...

pentesty_agent-0.1.0/pentesty_agent/collectors/docker/app_logs.py

@@ -0,0 +1,66 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from pentesty_agent.collectors._patterns import ATTACK_PATTERNS
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+_APP_LOG_PATH = Path("/proc/1/fd/1")
+_STATE_KEY_OFFSET = "app_logs_offset"
+_STATE_KEY_ERRORS = "app_error_count"
+_ERROR_RE = re.compile(r"\b(ERROR|Exception|Traceback)\b")
+_ERROR_SPIKE_THRESHOLD = 5
+_MAX_LINES_PER_CYCLE = 10_000
+
+
+@dataclass
+class AppLogsCollector(Collector):
+    log_path: Path = field(default_factory=lambda: _APP_LOG_PATH)
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        try:
+            with self.log_path.open("rb") as fh:
+                offset = self.state.get(_STATE_KEY_OFFSET, 0)
+                fh.seek(offset)
+                lines: list[str] = []
+                for raw in fh:
+                    lines.append(raw.decode("utf-8", errors="replace"))
+                    if len(lines) >= _MAX_LINES_PER_CYCLE:
+                        break
+                self.state.set(_STATE_KEY_OFFSET, fh.tell())
+        except (PermissionError, OSError):
+            return []
+
+        events: list[AgentEvent] = []
+        error_count: int = self.state.get(_STATE_KEY_ERRORS, 0)
+
+        for line in lines:
+            if _ERROR_RE.search(line):
+                error_count += 1
+                if error_count >= _ERROR_SPIKE_THRESHOLD:
+                    events.append(AgentEvent(
+                        event_type="app_error_spike",
+                        severity=Severity.medium,
+                        payload={
+                            "count": error_count,
+                            "threshold": _ERROR_SPIKE_THRESHOLD,
+                        },
+                    ))
+                    error_count = 0
+
+            for attack_type, pattern in ATTACK_PATTERNS.items():
+                if pattern.search(line):
+                    events.append(AgentEvent(
+                        event_type="web_attack_attempt",
+                        severity=Severity.medium,
+                        payload={"attack_type": attack_type, "raw": line.strip()[:300]},
+                    ))
+                    break
+
+        self.state.set(_STATE_KEY_ERRORS, error_count)
+        return events

pentesty_agent-0.1.0/pentesty_agent/collectors/docker/env_vars.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+_ENVIRON_PATH = Path("/proc/1/environ")
+_SECRET_RE = re.compile(r"(SECRET|KEY|TOKEN|PASSWORD|PRIVATE)", re.IGNORECASE)
+
+
+@dataclass
+class EnvVarsCollector(Collector):
+    environ_path: Path = field(default_factory=lambda: _ENVIRON_PATH)
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        try:
+            raw = self.environ_path.read_bytes()
+        except (PermissionError, OSError):
+            return []
+
+        events: list[AgentEvent] = []
+        for entry in raw.split(b"\x00"):
+            if b"=" not in entry:
+                continue
+            name = entry.split(b"=", 1)[0].decode("utf-8", errors="replace")
+            if _SECRET_RE.search(name):
+                events.append(AgentEvent(
+                    event_type="secret_in_env",
+                    severity=Severity.medium,
+                    payload={"var_name": name},
+                ))
+        return events

pentesty_agent-0.1.0/pentesty_agent/collectors/docker/network.py

@@ -0,0 +1,111 @@
+from __future__ import annotations
+
+import ipaddress
+import logging
+import socket
+import struct
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+logger = logging.getLogger(__name__)
+
+_ALLOWED_PORTS = {80, 443, 5432, 6379, 27017}
+
+_RFC1918_V4 = [
+    ipaddress.ip_network("10.0.0.0/8"),
+    ipaddress.ip_network("172.16.0.0/12"),
+    ipaddress.ip_network("192.168.0.0/16"),
+    ipaddress.ip_network("127.0.0.0/8"),
+    ipaddress.ip_network("0.0.0.0/8"),
+    ipaddress.ip_network("169.254.0.0/16"),
+]
+
+_RFC1918_V6 = [
+    ipaddress.ip_network("::1/128"),
+    ipaddress.ip_network("fc00::/7"),
+    ipaddress.ip_network("fe80::/10"),
+    ipaddress.ip_network("::ffff:0:0/96"),
+]
+
+
+def _is_private(ip: str) -> bool:
+    try:
+        addr = ipaddress.ip_address(ip)
+        if isinstance(addr, ipaddress.IPv4Address):
+            return any(addr in net for net in _RFC1918_V4)
+        return any(addr in net for net in _RFC1918_V6)
+    except ValueError:
+        return True
+
+
+def _hex_to_ip(hex_str: str) -> str:
+    if len(hex_str) == 8:
+        packed = struct.pack("<I", int(hex_str, 16))
+        return socket.inet_ntoa(packed)
+    if len(hex_str) == 32:
+        # IPv4-mapped: first 24 chars are zeros + FFFF prefix
+        if hex_str[:24].upper() in ("00000000000000000000FFFF",):
+            packed = struct.pack("<I", int(hex_str[24:], 16))
+            return socket.inet_ntoa(packed)
+        # Native IPv6: 4 LE 32-bit words
+        parts = [hex_str[i:i + 8] for i in range(0, 32, 8)]
+        packed = b"".join(struct.pack("<I", int(p, 16)) for p in parts)
+        return socket.inet_ntop(socket.AF_INET6, packed)
+    raise ValueError(f"unexpected hex IP length: {len(hex_str)}")
+
+
+def _parse_proc_net_tcp(path: Path) -> list[tuple[str, int, int]]:
+    """Returns (remote_ip, remote_port, local_port) for ESTABLISHED connections."""
+    results = []
+    try:
+        lines = path.read_text().splitlines()[1:]
+    except OSError:
+        return results
+    for line in lines:
+        parts = line.split()
+        if len(parts) < 4:
+            continue
+        try:
+            state = int(parts[3], 16)
+            if state != 1:  # 1 = ESTABLISHED
+                continue
+            local_hex, local_port_hex = parts[1].rsplit(":", 1)
+            remote_hex, remote_port_hex = parts[2].rsplit(":", 1)
+            local_port = int(local_port_hex, 16)
+            remote_port = int(remote_port_hex, 16)
+            remote_ip = _hex_to_ip(remote_hex)
+            results.append((remote_ip, remote_port, local_port))
+        except (ValueError, IndexError, struct.error):
+            continue
+    return results
+
+
+@dataclass
+class NetworkCollector(Collector):
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        connections: list[tuple[str, int, int]] = []
+        for proc_file in [Path("/proc/net/tcp"), Path("/proc/net/tcp6")]:
+            connections.extend(_parse_proc_net_tcp(proc_file))
+
+        events: list[AgentEvent] = []
+        for remote_ip, remote_port, local_port in connections:
+            if remote_port in _ALLOWED_PORTS:
+                continue
+            if _is_private(remote_ip):
+                continue
+            events.append(AgentEvent(
+                event_type="suspicious_outbound",
+                severity=Severity.high,
+                payload={
+                    "remote_ip": remote_ip,
+                    "remote_port": remote_port,
+                    "local_port": local_port,
+                },
+            ))
+        return events

pentesty_agent-0.1.0/pentesty_agent/collectors/docker/processes.py

@@ -0,0 +1,11 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+
+from pentesty_agent.collectors.linux.processes import ProcessCollector as _LinuxProcessCollector
+from pentesty_agent.state import AgentState
+
+
+@dataclass
+class DockerProcessCollector(_LinuxProcessCollector):
+    state: AgentState = field(default_factory=AgentState)

pentesty_agent-0.1.0/pentesty_agent/collectors/linux/auth_log.py

@@ -0,0 +1,65 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+_SSH_RE    = re.compile(r"Failed password for .+ from (\S+) port")
+_SUDO_RE   = re.compile(r"sudo:.*FAILED")
+_USER_RE   = re.compile(r"useradd\[|new user:")
+_SUDO_USER = re.compile(r"sudo:\s+(\S+)\s+:")
+
+
+@dataclass
+class AuthLogCollector(Collector):
+    log_path: Path = field(default_factory=lambda: Path("/var/log/auth.log"))
+    state: AgentState = field(default_factory=AgentState)
+
+    _STATE_KEY = "auth_log_offset"
+
+    def collect(self) -> list[AgentEvent]:
+        if not self.log_path.exists():
+            return []
+
+        offset = self.state.get(self._STATE_KEY, 0)
+        events: list[AgentEvent] = []
+
+        with self.log_path.open("rb") as fh:
+            fh.seek(offset)
+            for raw in fh:
+                line = raw.decode("utf-8", errors="replace")
+                event = self._parse_line(line)
+                if event:
+                    events.append(event)
+            new_offset = fh.tell()
+
+        self.state.set(self._STATE_KEY, new_offset)
+        return events
+
+    def _parse_line(self, line: str) -> AgentEvent | None:
+        if m := _SSH_RE.search(line):
+            return AgentEvent(
+                event_type="ssh_brute_force",
+                severity=Severity.high,
+                payload={"source_ip": m.group(1), "raw": line.strip()},
+            )
+        if _SUDO_RE.search(line):
+            user = ""
+            if um := _SUDO_USER.search(line):
+                user = um.group(1)
+            return AgentEvent(
+                event_type="sudo_failure",
+                severity=Severity.medium,
+                payload={"user": user, "raw": line.strip()},
+            )
+        if _USER_RE.search(line):
+            return AgentEvent(
+                event_type="new_user_created",
+                severity=Severity.high,
+                payload={"raw": line.strip()},
+            )
+        return None

pentesty_agent-0.1.0/pentesty_agent/collectors/linux/fim.py

@@ -0,0 +1,72 @@
+from __future__ import annotations
+
+import hashlib
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+_DEFAULT_WATCH = [
+    Path("/etc/passwd"),
+    Path("/etc/shadow"),
+    Path("/etc/sudoers"),
+    Path.home() / ".ssh" / "authorized_keys",
+    Path("/etc/crontab"),
+    Path("/var/spool/cron"),
+]
+
+_STATE_KEY = "fim_hashes"
+
+
+def _sha256(path: Path) -> str | None:
+    try:
+        return hashlib.sha256(path.read_bytes()).hexdigest()
+    except (OSError, PermissionError):
+        return None
+
+
+def _expand_paths(paths: list[Path]) -> list[Path]:
+    result: list[Path] = []
+    for p in paths:
+        try:
+            if "*" in str(p):
+                result.extend(sorted(p.parent.glob(p.name)))
+            elif p.is_dir():
+                result.extend(sorted(p.iterdir()))
+            else:
+                result.append(p)
+        except (OSError, PermissionError):
+            pass
+    return result
+
+
+@dataclass
+class FimCollector(Collector):
+    watch_paths: list[Path] = field(default_factory=lambda: list(_DEFAULT_WATCH))
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        stored: dict[str, str | None] = self.state.get(_STATE_KEY, {})
+        current: dict[str, str | None] = {}
+        events: list[AgentEvent] = []
+
+        for path in _expand_paths(self.watch_paths):
+            key = str(path)
+            new_hash = _sha256(path)
+            current[key] = new_hash
+
+            if new_hash is None:
+                continue
+
+            old_hash = stored.get(key)
+            if old_hash != new_hash:
+                events.append(AgentEvent(
+                    event_type="fim_change",
+                    severity=Severity.critical,
+                    payload={"file": key, "old_hash": old_hash, "new_hash": new_hash},
+                ))
+
+        self.state.set(_STATE_KEY, {k: v for k, v in current.items() if v is not None})
+        return events

pentesty_agent-0.1.0/pentesty_agent/collectors/linux/ports.py

@@ -0,0 +1,76 @@
+from __future__ import annotations
+
+import logging
+import re
+import subprocess
+from dataclasses import dataclass, field
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+logger = logging.getLogger(__name__)
+
+_STATE_KEY = "ports_snapshot"
+
+
+def _parse_ss(output: bytes) -> dict[int, dict]:
+    ports: dict[int, dict] = {}
+    for line in output.decode("utf-8", errors="replace").splitlines():
+        if not line.startswith("tcp"):
+            continue
+        pid: int | None = None
+        name: str | None = None
+        pid_m = re.search(r"pid=(\d+)", line)
+        name_m = re.search(r'"([^"]+)"', line)
+        if pid_m:
+            pid = int(pid_m.group(1))
+        if name_m:
+            name = name_m.group(1)
+        parts = line.split()
+        for part in parts:
+            if ":" in part:
+                port_str = part.rsplit(":", 1)[-1]
+                if port_str.isdigit():
+                    port = int(port_str)
+                    if 1 <= port <= 65535:
+                        ports[port] = {"pid": pid, "process_name": name}
+                    break
+    return ports
+
+
+@dataclass
+class PortsCollector(Collector):
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        try:
+            result = subprocess.run(
+                ["ss", "-tlnp"],
+                capture_output=True,
+                timeout=5,
+            )
+            current = _parse_ss(result.stdout)
+        except Exception as exc:
+            logger.warning("ss failed: %s", exc)
+            return []
+
+        previous: dict[str, dict] = self.state.get(_STATE_KEY, {})
+        prev_ports = {int(k) for k in previous}
+        new_ports = set(current) - prev_ports
+
+        self.state.set(_STATE_KEY, {str(p): v for p, v in current.items()})
+
+        events: list[AgentEvent] = []
+        for port in sorted(new_ports):
+            info = current[port]
+            events.append(AgentEvent(
+                event_type="new_port_open",
+                severity=Severity.high,
+                payload={
+                    "port": port,
+                    "pid": info["pid"],
+                    "process_name": info["process_name"],
+                },
+            ))
+        return events

pentesty_agent-0.1.0/pentesty_agent/collectors/linux/processes.py

@@ -0,0 +1,64 @@
+from __future__ import annotations
+
+import logging
+import re
+import subprocess
+from dataclasses import dataclass, field
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+logger = logging.getLogger(__name__)
+
+_SUSPICIOUS_PATTERNS = [
+    re.compile(r"\bnc\b"),
+    re.compile(r"\bncat\b"),
+    re.compile(r"\bnmap\b"),
+    re.compile(r"python\s+-c\b"),
+    re.compile(r"bash\s+-i\b"),
+    re.compile(r"\bbase64\b"),
+    re.compile(r"curl\s+\S+\s*\|"),
+    re.compile(r"wget\s+\S+\s*\|"),
+    re.compile(r"perl\s+-e\b"),
+    re.compile(r"ruby\s+-e\b"),
+]
+
+
+@dataclass
+class ProcessCollector(Collector):
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        try:
+            result = subprocess.run(
+                ["ps", "aux"],
+                capture_output=True,
+                timeout=5,
+            )
+            output = result.stdout.decode("utf-8", errors="replace")
+        except Exception as exc:
+            logger.warning("ps failed: %s", exc)
+            return []
+
+        events: list[AgentEvent] = []
+        for line in output.splitlines()[1:]:  # skip header
+            parts = line.split(None, 10)
+            if len(parts) < 11:
+                continue
+            pid_str = parts[1]
+            cmdline = parts[10][:200]
+
+            if not pid_str.isdigit():
+                continue
+
+            for pattern in _SUSPICIOUS_PATTERNS:
+                if pattern.search(cmdline):
+                    events.append(AgentEvent(
+                        event_type="suspicious_process",
+                        severity=Severity.high,
+                        payload={"pid": int(pid_str), "cmdline": cmdline},
+                    ))
+                    break
+
+        return events

pentesty_agent-0.1.0/pentesty_agent/collectors/linux/web_logs.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from pentesty_agent.collectors._patterns import ATTACK_PATTERNS
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.models import AgentEvent, Severity
+from pentesty_agent.state import AgentState
+
+_DEFAULT_LOGS = [
+    Path("/var/log/nginx/access.log"),
+    Path("/var/log/apache2/access.log"),
+]
+
+_LOG_RE = re.compile(
+    r'^(\S+)\s+\S+\s+\S+\s+\[[^\]]+\]\s+"(\w+)\s+(.*?)\s+HTTP/[\d.]+"\s+(\d+)',
+)
+
+
+@dataclass
+class WebLogsCollector(Collector):
+    log_paths: list[Path] = field(default_factory=lambda: list(_DEFAULT_LOGS))
+    state: AgentState = field(default_factory=AgentState)
+
+    def collect(self) -> list[AgentEvent]:
+        events: list[AgentEvent] = []
+        for log_path in self.log_paths:
+            events.extend(self._collect_one(log_path))
+        return events
+
+    def _collect_one(self, log_path: Path) -> list[AgentEvent]:
+        if not log_path.exists():
+            return []
+
+        state_key = f"web_log_offset:{log_path}"
+        offset = self.state.get(state_key, 0)
+        events: list[AgentEvent] = []
+
+        try:
+            with log_path.open("rb") as fh:
+                fh.seek(offset)
+                for raw in fh:
+                    line = raw.decode("utf-8", errors="replace")
+                    event = self._parse_line(line)
+                    if event:
+                        events.append(event)
+                self.state.set(state_key, fh.tell())
+        except OSError:
+            pass
+
+        return events
+
+    def _parse_line(self, line: str) -> AgentEvent | None:
+        m = _LOG_RE.match(line)
+        if not m:
+            return None
+        source_ip, method, path, status_code = m.group(1), m.group(2), m.group(3), int(m.group(4))
+
+        for attack_type, pattern in ATTACK_PATTERNS.items():
+            if pattern.search(path):
+                return AgentEvent(
+                    event_type="web_attack_attempt",
+                    severity=Severity.medium,
+                    payload={
+                        "source_ip": source_ip,
+                        "method": method,
+                        "path": path[:500],
+                        "attack_type": attack_type,
+                        "status_code": status_code,
+                    },
+                )
+        return None

pentesty_agent-0.1.0/pentesty_agent/config.py

@@ -0,0 +1,42 @@
+from __future__ import annotations
+
+import os
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+
+if sys.version_info >= (3, 11):
+    import tomllib
+else:
+    import tomli as tomllib  # type: ignore[no-reuse-def]
+
+_CONFIG_PATH = Path("/etc/pentesty-agent/config.toml")
+
+
+@dataclass
+class AgentConfig:
+    token: str
+    backend_url: str = "https://api.pentesty.co"
+    interval_secs: int = 30
+    server_id: str = ""
+
+    @classmethod
+    def load(cls, config_path: Path = _CONFIG_PATH) -> AgentConfig:
+        """Load from TOML file, then override with env vars (env wins)."""
+        data: dict = {}
+        if config_path.exists():
+            with open(config_path, "rb") as f:
+                raw = tomllib.load(f)
+            data = raw.get("agent", {})
+
+        token = os.environ.get("PENTESTY_TOKEN") or data.get("token", "")
+        backend_url = os.environ.get("PENTESTY_BACKEND_URL") or data.get("backend_url", "https://api.pentesty.co")
+        interval_secs = int(os.environ.get("PENTESTY_INTERVAL", data.get("interval_secs", 30)))
+        server_id = os.environ.get("PENTESTY_SERVER_ID") or data.get("server_id", "")
+
+        return cls(
+            token=token,
+            backend_url=backend_url,
+            interval_secs=interval_secs,
+            server_id=server_id,
+        )

pentesty_agent-0.1.0/pentesty_agent/main.py

@@ -0,0 +1,129 @@
+from __future__ import annotations
+
+import argparse
+import logging
+import sys
+import time
+from pathlib import Path
+from typing import Literal
+
+from pentesty_agent.collectors.base import Collector
+from pentesty_agent.config import AgentConfig
+from pentesty_agent.models import EventBatch
+from pentesty_agent.shipper import Shipper
+from pentesty_agent.state import AgentState
+
+logger = logging.getLogger("pentesty_agent")
+
+
+def _parse_args() -> argparse.Namespace:
+    p = argparse.ArgumentParser(description="Pentesty security monitoring agent")
+    p.add_argument("--token", default="", help="Agent token (overrides config/env)")
+    p.add_argument("--backend", default="", help="Backend URL (overrides config/env)")
+    p.add_argument("--dry-run", action="store_true", help="Log events without sending")
+    p.add_argument("--once", action="store_true", help="Run one collection cycle and exit")
+    return p.parse_args()
+
+
+def _detect_environment() -> Literal["linux", "docker", "generic"]:
+    if Path("/.dockerenv").exists():
+        return "docker"
+    if Path("/var/log/auth.log").exists() or Path("/run/systemd").exists():
+        return "linux"
+    return "generic"
+
+
+def _build_collectors(env: str, state: AgentState) -> list[Collector]:
+    if env == "linux":
+        from pentesty_agent.collectors.linux.auth_log import AuthLogCollector
+        from pentesty_agent.collectors.linux.fim import FimCollector
+        from pentesty_agent.collectors.linux.ports import PortsCollector
+        from pentesty_agent.collectors.linux.processes import ProcessCollector
+        from pentesty_agent.collectors.linux.web_logs import WebLogsCollector
+        return [
+            AuthLogCollector(state=state),
+            FimCollector(state=state),
+            PortsCollector(state=state),
+            ProcessCollector(state=state),
+            WebLogsCollector(state=state),
+        ]
+    if env == "docker":
+        from pentesty_agent.collectors.docker.app_logs import AppLogsCollector
+        from pentesty_agent.collectors.docker.env_vars import EnvVarsCollector
+        from pentesty_agent.collectors.docker.network import NetworkCollector
+        from pentesty_agent.collectors.docker.processes import DockerProcessCollector
+        return [
+            AppLogsCollector(state=state),
+            DockerProcessCollector(state=state),
+            NetworkCollector(state=state),
+            EnvVarsCollector(state=state),
+        ]
+    return []
+
+
+def _collect_events(collectors: list[Collector]) -> EventBatch:
+    events = []
+    for collector in collectors:
+        try:
+            events.extend(collector.collect())
+        except Exception as exc:
+            logger.error("collector %s failed: %s", type(collector).__name__, exc)
+    return EventBatch(events=events)
+
+
+def main() -> None:
+    logging.basicConfig(
+        level=logging.INFO,
+        format="%(asctime)s %(levelname)s %(name)s %(message)s",
+    )
+    args = _parse_args()
+
+    config = AgentConfig.load()
+    if args.token:
+        config.token = args.token
+    if args.backend:
+        config.backend_url = args.backend
+
+    if not config.token and not args.dry_run:
+        logger.error("No token configured. Set PENTESTY_TOKEN or pass --token.")
+        sys.exit(1)
+
+    shipper = Shipper(config, dry_run=args.dry_run)
+    env = _detect_environment()
+    state = AgentState()
+    collectors = _build_collectors(env, state)
+
+    logger.info(
+        "Pentesty agent starting (env=%s collectors=%d backend=%s dry_run=%s)",
+        env, len(collectors), config.backend_url, args.dry_run,
+    )
+
+    _run_loop(shipper, collectors, config, once=args.once)
+
+
+def _run_loop(
+    shipper: Shipper,
+    collectors: list[Collector],
+    config: AgentConfig,
+    *,
+    once: bool,
+) -> None:
+    while True:
+        try:
+            shipper.send_heartbeat()
+            batch = _collect_events(collectors)
+            if batch.events:
+                shipper.send_events(batch)
+                logger.info("sent %d events", len(batch.events))
+        except Exception as exc:
+            logger.error("loop iteration failed: %s", exc)
+
+        if once:
+            logger.info("--once flag set, exiting")
+            return
+
+        time.sleep(config.interval_secs)
+
+
+if __name__ == "__main__":
+    main()

pentesty_agent-0.1.0/pentesty_agent/models.py

@@ -0,0 +1,47 @@
+from __future__ import annotations
+
+import enum
+from datetime import datetime, timezone
+from typing import Any
+
+from pydantic import BaseModel, Field, model_validator
+
+
+class Severity(str, enum.Enum):
+    info     = "info"
+    low      = "low"
+    medium   = "medium"
+    high     = "high"
+    critical = "critical"
+
+
+class AgentEvent(BaseModel):
+    event_type: str
+    severity:   Severity
+    payload:    dict[str, Any]
+    timestamp:  datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
+
+    @model_validator(mode="after")
+    def _no_secrets_in_payload(self) -> AgentEvent:
+        forbidden = {"password", "secret", "token"}
+        for key in self.payload:
+            if key.lower() in forbidden:
+                raise ValueError(f"payload must not contain field '{key}'")
+        return self
+
+
+class EventBatch(BaseModel):
+    events: list[AgentEvent]
+
+    def model_dump_for_api(self) -> dict[str, Any]:
+        return {
+            "events": [
+                {
+                    "event_type": e.event_type,
+                    "severity": e.severity.value,
+                    "payload": e.payload,
+                    "timestamp": e.timestamp.isoformat(),
+                }
+                for e in self.events
+            ]
+        }

pentesty_agent-0.1.0/pentesty_agent/shipper.py

@@ -0,0 +1,56 @@
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+import httpx
+
+from pentesty_agent.config import AgentConfig
+from pentesty_agent.models import EventBatch
+
+logger = logging.getLogger(__name__)
+
+_TIMEOUT = 15.0
+
+
+class Shipper:
+    def __init__(self, config: AgentConfig, dry_run: bool = False) -> None:
+        self._config = config
+        self._dry_run = dry_run
+        self._headers = {"Agent-Token": config.token}
+
+    def send_heartbeat(self) -> bool:
+        if self._dry_run:
+            logger.info("[dry-run] heartbeat sent")
+            return True
+        url = f"{self._config.backend_url}/api/v1/agent/heartbeat"
+        try:
+            resp = httpx.post(url, headers=self._headers, timeout=_TIMEOUT)
+            resp.raise_for_status()
+            logger.debug("heartbeat sent (status=%s)", resp.status_code)
+            return True
+        except Exception as exc:
+            logger.warning("heartbeat failed: %s", exc)
+            return False
+
+    def send_events(self, batch: EventBatch) -> bool:
+        if not batch.events:
+            return True
+        if self._dry_run:
+            for e in batch.events:
+                logger.info("[dry-run] event: %s severity=%s payload=%s", e.event_type, e.severity.value, e.payload)
+            return True
+        url = f"{self._config.backend_url}/api/v1/agent/events"
+        try:
+            resp = httpx.post(
+                url,
+                json=batch.model_dump_for_api(),
+                headers=self._headers,
+                timeout=_TIMEOUT,
+            )
+            resp.raise_for_status()
+            logger.debug("sent %d events (status=%s)", len(batch.events), resp.status_code)
+            return True
+        except Exception as exc:
+            logger.warning("send_events failed: %s", exc)
+            return False

pentesty_agent-0.1.0/pentesty_agent/state.py

@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+import json
+import logging
+import os
+from pathlib import Path
+from typing import Any
+
+logger = logging.getLogger(__name__)
+
+
+def _default_state_path() -> Path:
+    if os.geteuid() == 0:
+        return Path("/var/lib/pentesty-agent/state.json")
+    return Path.home() / ".pentesty-agent" / "state.json"
+
+
+class AgentState:
+    def __init__(self, path: Path | None = None) -> None:
+        self._path = path or _default_state_path()
+        self._data: dict[str, Any] = self._load()
+
+    def _load(self) -> dict[str, Any]:
+        try:
+            if self._path.exists():
+                return json.loads(self._path.read_text(encoding="utf-8"))
+        except Exception as exc:
+            logger.warning("failed to load state from %s: %s", self._path, exc)
+        return {}
+
+    def _save(self) -> None:
+        try:
+            self._path.parent.mkdir(parents=True, exist_ok=True)
+            self._path.write_text(json.dumps(self._data), encoding="utf-8")
+        except Exception as exc:
+            logger.warning("failed to save state to %s: %s", self._path, exc)
+
+    def get(self, key: str, default: Any = None) -> Any:
+        return self._data.get(key, default)
+
+    def set(self, key: str, value: Any) -> None:
+        self._data[key] = value
+        self._save()

pentesty_agent-0.1.0/pentesty_agent.egg-info/PKG-INFO

@@ -0,0 +1,10 @@
+Metadata-Version: 2.4
+Name: pentesty-agent
+Version: 0.1.0
+Summary: Pentesty security monitoring agent
+Requires-Python: >=3.11
+Requires-Dist: psutil>=6.0.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: pydantic>=2.0.0
+Requires-Dist: watchdog>=4.0.0
+Requires-Dist: tomli>=2.0.0; python_version < "3.11"

pentesty_agent-0.1.0/pentesty_agent.egg-info/SOURCES.txt

@@ -0,0 +1,29 @@
+pyproject.toml
+pentesty_agent/__init__.py
+pentesty_agent/__main__.py
+pentesty_agent/config.py
+pentesty_agent/main.py
+pentesty_agent/models.py
+pentesty_agent/shipper.py
+pentesty_agent/state.py
+pentesty_agent.egg-info/PKG-INFO
+pentesty_agent.egg-info/SOURCES.txt
+pentesty_agent.egg-info/dependency_links.txt
+pentesty_agent.egg-info/entry_points.txt
+pentesty_agent.egg-info/requires.txt
+pentesty_agent.egg-info/top_level.txt
+pentesty_agent/collectors/__init__.py
+pentesty_agent/collectors/_patterns.py
+pentesty_agent/collectors/base.py
+pentesty_agent/collectors/docker/__init__.py
+pentesty_agent/collectors/docker/app_logs.py
+pentesty_agent/collectors/docker/env_vars.py
+pentesty_agent/collectors/docker/network.py
+pentesty_agent/collectors/docker/processes.py
+pentesty_agent/collectors/linux/__init__.py
+pentesty_agent/collectors/linux/auth_log.py
+pentesty_agent/collectors/linux/fim.py
+pentesty_agent/collectors/linux/ports.py
+pentesty_agent/collectors/linux/processes.py
+pentesty_agent/collectors/linux/web_logs.py
+tests/test_agent_smoke.py

pentesty_agent-0.1.0/pentesty_agent.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

pentesty_agent-0.1.0/pentesty_agent.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+pentesty-agent = pentesty_agent.main:main

pentesty_agent-0.1.0/pentesty_agent.egg-info/requires.txt

@@ -0,0 +1,7 @@
+psutil>=6.0.0
+httpx>=0.27.0
+pydantic>=2.0.0
+watchdog>=4.0.0
+
+[:python_version < "3.11"]
+tomli>=2.0.0

pentesty_agent-0.1.0/pentesty_agent.egg-info/top_level.txt

@@ -0,0 +1 @@
+pentesty_agent

pentesty_agent-0.1.0/pyproject.toml

@@ -0,0 +1,19 @@
+[project]
+name = "pentesty-agent"
+version = "0.1.0"
+description = "Pentesty security monitoring agent"
+requires-python = ">=3.11"
+dependencies = [
+    "psutil>=6.0.0",
+    "httpx>=0.27.0",
+    "pydantic>=2.0.0",
+    "watchdog>=4.0.0",
+    "tomli>=2.0.0; python_version < '3.11'",
+]
+
+[project.scripts]
+pentesty-agent = "pentesty_agent.main:main"
+
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"

pentesty_agent-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

pentesty_agent-0.1.0/tests/test_agent_smoke.py

@@ -0,0 +1,86 @@
+from __future__ import annotations
+
+import pytest
+from unittest.mock import MagicMock, patch
+
+from pentesty_agent.config import AgentConfig
+from pentesty_agent.models import AgentEvent, EventBatch, Severity
+from pentesty_agent.shipper import Shipper
+
+
+# ── AgentConfig ───────────────────────────────────────────────────────────────
+
+def test_config_load_from_env(monkeypatch, tmp_path):
+    monkeypatch.setenv("PENTESTY_TOKEN", "tok-from-env")
+    monkeypatch.setenv("PENTESTY_BACKEND_URL", "http://custom:9000")
+    cfg = AgentConfig.load(config_path=tmp_path / "missing.toml")
+    assert cfg.token == "tok-from-env"
+    assert cfg.backend_url == "http://custom:9000"
+
+
+def test_config_env_overrides_toml(tmp_path, monkeypatch):
+    monkeypatch.setenv("PENTESTY_TOKEN", "env-wins")
+    toml = tmp_path / "config.toml"
+    toml.write_text('[agent]\ntoken = "toml-token"\n')
+    cfg = AgentConfig.load(config_path=toml)
+    assert cfg.token == "env-wins"
+
+
+def test_config_loads_toml_when_no_env(tmp_path, monkeypatch):
+    monkeypatch.delenv("PENTESTY_TOKEN", raising=False)
+    monkeypatch.delenv("PENTESTY_BACKEND_URL", raising=False)
+    toml = tmp_path / "config.toml"
+    toml.write_text('[agent]\ntoken = "from-toml"\nbackend_url = "http://toml:8000"\n')
+    cfg = AgentConfig.load(config_path=toml)
+    assert cfg.token == "from-toml"
+    assert cfg.backend_url == "http://toml:8000"
+
+
+# ── AgentEvent validation ─────────────────────────────────────────────────────
+
+def test_agent_event_rejects_secret_in_payload():
+    with pytest.raises(ValueError, match="secret"):
+        AgentEvent(event_type="test", severity=Severity.low, payload={"secret": "oops"})
+
+
+def test_agent_event_valid_payload():
+    e = AgentEvent(event_type="ssh_brute_force", severity=Severity.high, payload={"source_ip": "1.2.3.4"})
+    assert e.event_type == "ssh_brute_force"
+
+
+# ── Shipper dry-run ───────────────────────────────────────────────────────────
+
+def test_shipper_dry_run_heartbeat_does_not_call_http():
+    cfg = AgentConfig(token="tok", backend_url="http://localhost")
+    shipper = Shipper(cfg, dry_run=True)
+    result = shipper.send_heartbeat()
+    assert result is True
+
+
+def test_shipper_dry_run_send_events_logs_without_http():
+    cfg = AgentConfig(token="tok", backend_url="http://localhost")
+    shipper = Shipper(cfg, dry_run=True)
+    batch = EventBatch(events=[
+        AgentEvent(event_type="fim_change", severity=Severity.critical, payload={"file": "/etc/passwd"}),
+    ])
+    result = shipper.send_events(batch)
+    assert result is True
+
+
+def test_shipper_network_failure_returns_false_not_exception():
+    cfg = AgentConfig(token="tok", backend_url="http://127.0.0.1:1")  # nothing listening
+    shipper = Shipper(cfg, dry_run=False)
+    result = shipper.send_heartbeat()
+    assert result is False
+
+
+# ── EventBatch serialisation ──────────────────────────────────────────────────
+
+def test_event_batch_dump_for_api():
+    batch = EventBatch(events=[
+        AgentEvent(event_type="ssh_brute_force", severity=Severity.high, payload={"ip": "1.2.3.4"}),
+    ])
+    dumped = batch.model_dump_for_api()
+    assert dumped["events"][0]["event_type"] == "ssh_brute_force"
+    assert dumped["events"][0]["severity"] == "high"
+    assert "timestamp" in dumped["events"][0]