sysvex 0.1.0__tar.gz

sysvex-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 PuRiToX
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

sysvex-0.1.0/MANIFEST.in

@@ -0,0 +1,11 @@
+include README.md
+include LICENSE
+include pyproject.toml
+recursive-include src/sysvex *.py
+recursive-exclude * __pycache__
+recursive-exclude * *.py[co]
+exclude .gitignore
+exclude .git
+exclude venv
+exclude .venv
+exclude *.egg-info

sysvex-0.1.0/PKG-INFO

@@ -0,0 +1,27 @@
+Metadata-Version: 2.4
+Name: sysvex
+Version: 0.1.0
+Summary: Modular system security auditing toolkit
+Author: PuRIToX
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/PuRiToX/sysvex
+Project-URL: Repository, https://github.com/PuRiToX/sysvex
+Project-URL: Documentation, https://github.com/PuRiToX/sysvex#readme
+Project-URL: Bug Tracker, https://github.com/PuRiToX/sysvex/issues
+Keywords: security,auditing,system,forensics,cross-platform
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: System Administrators
+Classifier: Intended Audience :: Information Technology
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration
+Classifier: Topic :: System :: Monitoring
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: psutil
+Dynamic: license-file

sysvex-0.1.0/pyproject.toml

@@ -0,0 +1,40 @@
+[project]
+name = "sysvex"
+version = "0.1.0"
+description = "Modular system security auditing toolkit"
+authors = [
+    { name = "PuRIToX" }
+]
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.10"
+dependencies = [
+    "psutil"
+]
+keywords = ["security", "auditing", "system", "forensics", "cross-platform"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: System Administrators",
+    "Intended Audience :: Information Technology",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: System :: Systems Administration",
+    "Topic :: System :: Monitoring"
+]
+
+[project.urls]
+Homepage = "https://github.com/PuRiToX/sysvex"
+Repository = "https://github.com/PuRiToX/sysvex"
+Documentation = "https://github.com/PuRiToX/sysvex#readme"
+"Bug Tracker" = "https://github.com/PuRiToX/sysvex/issues"
+
+[project.scripts]
+sysvex = "sysvex.cli:main"
+
+[build-system]
+requires = ["setuptools", "wheel"]
+build-backend = "setuptools.build_meta"

sysvex-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

sysvex-0.1.0/src/sysvex/cli.py

@@ -0,0 +1,21 @@
+import argparse
+from sysvex.engine.loader import load_modules
+from sysvex.engine.runner import run_modules
+from sysvex.reporting.console import print_report
+
+DEFAULT_MODULES = ["filesystem", "network", "processes"]
+
+def main():
+    parser = argparse.ArgumentParser(description="Sysvex Security Auditor")
+    parser.add_argument("--modules", help="Comma-separated modules")
+
+    args = parser.parse_args()
+
+    module_names = (
+        args.modules.split(",") if args.modules else DEFAULT_MODULES
+    )
+
+    modules = load_modules(module_names)
+    findings = run_modules(modules)
+
+    print_report(findings)

sysvex-0.1.0/src/sysvex/engine/loader.py

@@ -0,0 +1,10 @@
+import importlib
+
+def load_modules(module_names):
+    modules = []
+
+    for name in module_names:
+        module = importlib.import_module(f"sysvex.modules.{name}")
+        modules.append(module.Module())
+
+    return modules

sysvex-0.1.0/src/sysvex/engine/models.py

@@ -0,0 +1,13 @@
+class Finding:
+    def __init__(self, finding_id, title, severity, description,
+    evidence=None, recommendation=None, source_module=None):
+        self.id = finding_id
+        self.title = title
+        self.severity = severity
+        self.description = description
+        self.evidence = evidence
+        self.recommendation = recommendation
+        self.source_module = source_module
+
+    def to_dict(self):
+        return self.__dict__

sysvex-0.1.0/src/sysvex/engine/runner.py

@@ -0,0 +1,11 @@
+def run_modules(modules, context=None):
+    findings = []
+
+    for module in modules:
+        try:
+            results = module.run(context)
+            findings.extend(results)
+        except (NotImplementedError, AttributeError, ValueError, RuntimeError) as e:
+            print(f"[ERROR] Module {module.name} failed: {e}")
+
+    return findings

sysvex-0.1.0/src/sysvex/modules/base.py

@@ -0,0 +1,5 @@
+class BaseModule:
+    name = "base"
+
+    def run(self, context=None):
+        raise NotImplementedError

sysvex-0.1.0/src/sysvex/modules/filesystem.py

@@ -0,0 +1,155 @@
+import os
+import time
+import stat
+from sysvex.engine.models import Finding
+from .base import BaseModule
+from sysvex.utils.platform import get_platform_config, get_default_scan_path, is_windows
+
+HIDDEN_FILE_DAYS = 7
+
+class Module(BaseModule):
+    name = "filesystem"
+
+    def run(self, context=None):
+        config = get_platform_config()
+        scan_path = context.get('scan_path', get_default_scan_path()) if context else get_default_scan_path()
+        findings = []
+
+        # Scan for sensitive file permissions
+        for sensitive_path in config['sensitive_paths']:
+            if os.path.exists(sensitive_path):
+                try:
+                    file_stat = os.stat(sensitive_path)
+                    mode = file_stat.st_mode
+                    
+                    # Check for world-readable sensitive files (Unix only)
+                    if not is_windows():
+                        if mode & stat.S_IROTH:
+                            findings.append(Finding(
+                                finding_id="FS-004",
+                                title="World-readable sensitive file",
+                                severity="HIGH",
+                                description=f"Sensitive file {sensitive_path} is readable by others",
+                                evidence=sensitive_path,
+                                recommendation="Restrict permissions: chmod o-r {sensitive_path}",
+                                source_module=self.name
+                            ))
+                        
+                        # Check for world-writable sensitive files (Unix only)
+                        if mode & stat.S_IWOTH:
+                            findings.append(Finding(
+                                finding_id="FS-005",
+                                title="World-writable sensitive file",
+                                severity="CRITICAL",
+                                description=f"Sensitive file {sensitive_path} is writable by others",
+                                evidence=sensitive_path,
+                                recommendation="Restrict permissions: chmod o-w {sensitive_path}",
+                                source_module=self.name
+                            ))
+                    else:
+                        # Windows: Check if sensitive file has weak permissions
+                        # This is a simplified check - in reality, Windows ACLs are more complex
+                        try:
+                            # Try to read the file - if we can, it might be too permissive
+                            with open(sensitive_path, 'r', encoding='utf-8') as f:
+                                f.read(1)  # Try to read first byte
+                            findings.append(Finding(
+                                finding_id="FS-004",
+                                title="Sensitive file with potentially weak permissions",
+                                severity="MEDIUM",
+                                description=f"Sensitive file {sensitive_path} may have overly permissive access",
+                                evidence=sensitive_path,
+                                recommendation="Review file permissions and ACLs",
+                                source_module=self.name
+                            ))
+                        except (PermissionError, OSError):
+                            # Good - file is properly protected
+                            pass
+                        
+                except (OSError, PermissionError, FileNotFoundError):
+                    continue
+
+        for root, _, files in os.walk(scan_path):
+            for f in files:
+                path = os.path.join(root, f)
+                try:
+                    file_stat = os.stat(path)
+                    mode = file_stat.st_mode
+                    
+                    # World-writable files (Unix only)
+                    if not is_windows():
+                        if mode & stat.S_IWOTH:
+                            findings.append(Finding(
+                                finding_id="FS-001",
+                                title="World-writable file",
+                                severity="HIGH",
+                                description="File is writable by others",
+                                evidence=path,
+                                recommendation="Restrict permissions: chmod o-w {path}",
+                                source_module=self.name
+                            ))
+
+                        # SUID/SGID files (Unix only)
+                        if mode & stat.S_ISUID:
+                            findings.append(Finding(
+                                finding_id="FS-006",
+                                title="SUID executable",
+                                severity="HIGH",
+                                description="File has SUID bit set - runs with owner privileges",
+                                evidence=path,
+                                recommendation="Verify SUID bit is necessary and file is secure",
+                                source_module=self.name
+                            ))
+                        
+                        if mode & stat.S_ISGID:
+                            findings.append(Finding(
+                                finding_id="FS-007",
+                                title="SGID executable",
+                                severity="MEDIUM",
+                                description="File has SGID bit set - runs with group privileges",
+                                evidence=path,
+                                recommendation="Verify SGID bit is necessary and file is secure",
+                                source_module=self.name
+                            ))
+                    else:
+                        # Windows: Check for files in suspicious locations
+                        if any(path.lower().startswith(temp_dir.lower()) for temp_dir in config['temp_dirs']):
+                            findings.append(Finding(
+                                finding_id="FS-001",
+                                title="File in temporary directory",
+                                severity="MEDIUM",
+                                description="File located in temporary directory",
+                                evidence=path,
+                                recommendation="Review file - temporary directories are common attack vectors",
+                                source_module=self.name
+                            ))
+
+                    # Hidden files (cross-platform)
+                    if f.startswith(".") or (is_windows() and f.startswith("$")):
+                        findings.append(Finding(
+                            finding_id="FS-002",
+                            title="Hidden file",
+                            severity="MEDIUM",
+                            description="Hidden file detected",
+                            evidence=path,
+                            recommendation="Review file contents",
+                            source_module=self.name
+                        ))
+
+                    # Recently modified files (cross-platform)
+                    mtime = os.path.getmtime(path)
+                    if (time.time() - mtime) < (HIDDEN_FILE_DAYS * 86400):
+                        findings.append(Finding(
+                            finding_id="FS-003",
+                            title="Recently modified file",
+                            severity="LOW",
+                            description=f"File modified in last {HIDDEN_FILE_DAYS} days",
+                            evidence=path,
+                            recommendation="Check if change is expected",
+                            source_module=self.name
+                        ))
+
+                except (OSError, PermissionError, FileNotFoundError):
+                    continue
+
+        return findings

sysvex-0.1.0/src/sysvex/modules/network.py

@@ -0,0 +1,115 @@
+import psutil
+import ipaddress
+from sysvex.engine.models import Finding
+from .base import BaseModule
+
+# Common public service ports
+PUBLIC_SERVICES = {
+    20: "FTP Data", 21: "FTP Control", 22: "SSH", 23: "Telnet", 25: "SMTP",
+    53: "DNS", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS",
+    993: "IMAPS", 995: "POP3S", 3389: "RDP", 5432: "PostgreSQL", 3306: "MySQL"
+}
+
+# Suspicious remote ports (commonly used in attacks)
+SUSPICIOUS_PORTS = {
+    4444: "Metasploit", 5555: "Android Debug", 6667: "IRC", 8080: "Proxy",
+    8443: "Alternative HTTPS", 9000: "Alternative HTTP", 12345: "NetBus",
+    31337: "Back Orifice", 5900: "VNC"
+}
+
+class Module(BaseModule):
+    name = "network"
+
+    def run(self, context=None):
+        findings = []
+        
+        # Get listening ports
+        listening_ports = {}
+        for conn in psutil.net_connections(kind='inet'):
+            if conn.status == "LISTEN" and conn.laddr:
+                listening_ports[conn.laddr.port] = conn
+        
+        # Get all current network connections
+        for conn in psutil.net_connections(kind='inet'):
+            laddr = f"{conn.laddr.ip}:{conn.laddr.port}" if conn.laddr else "N/A"
+            raddr = f"{conn.raddr.ip}:{conn.raddr.port}" if conn.raddr else "N/A"
+            status = conn.status
+
+            # High severity: listening on all interfaces for public services
+            if conn.status == "LISTEN" and conn.laddr and conn.laddr.ip == "0.0.0.0":
+                service_name = PUBLIC_SERVICES.get(conn.laddr.port, "Unknown service")
+                findings.append(Finding(
+                    finding_id="NET-001",
+                    title="Public service listening on all interfaces",
+                    severity="HIGH",
+                    description=f"{service_name} listening on 0.0.0.0:{conn.laddr.port}",
+                    evidence=f"Local: {laddr}, Service: {service_name}",
+                    recommendation="Bind service to specific IP or firewall if not intended for public",
+                    source_module=self.name
+                ))
+
+            # Medium severity: unknown public services
+            if conn.status == "LISTEN" and conn.laddr and conn.laddr.port in PUBLIC_SERVICES:
+                service_name = PUBLIC_SERVICES[conn.laddr.port]
+                findings.append(Finding(
+                    finding_id="NET-003",
+                    title="Known public service detected",
+                    severity="MEDIUM",
+                    description=f"{service_name} service is running",
+                    evidence=f"Local: {laddr}, Service: {service_name}",
+                    recommendation="Ensure service is properly configured and secured",
+                    source_module=self.name
+                ))
+
+            # High severity: connections to suspicious ports
+            if conn.status == "ESTABLISHED" and conn.raddr and conn.raddr.port in SUSPICIOUS_PORTS:
+                suspicious_service = SUSPICIOUS_PORTS[conn.raddr.port]
+                findings.append(Finding(
+                    finding_id="NET-004",
+                    title="Connection to suspicious port",
+                    severity="HIGH",
+                    description=f"Connection to {suspicious_service} service on port {conn.raddr.port}",
+                    evidence=f"Local: {laddr}, Remote: {raddr}, Service: {suspicious_service}",
+                    recommendation="Investigate potential malicious activity",
+                    source_module=self.name
+                ))
+
+            # Medium severity: established connections to unknown remote addresses
+            if conn.status == "ESTABLISHED" and conn.raddr:
+                # Check if remote IP is public (not private)
+                if not self._is_private_ip(conn.raddr.ip):
+                    findings.append(Finding(
+                        finding_id="NET-002",
+                        title="Established external connection",
+                        severity="MEDIUM",
+                        description="Connection established to remote host",
+                        evidence=f"Local: {laddr}, Remote: {raddr}, Status: {status}",
+                        recommendation="Verify connection is expected and authorized",
+                        source_module=self.name
+                    ))
+
+            # Low severity: unusual outbound connection patterns
+            if conn.status == "ESTABLISHED" and conn.raddr and conn.raddr.port > 1024:
+                if conn.raddr.port not in PUBLIC_SERVICES and conn.raddr.port not in SUSPICIOUS_PORTS:
+                    findings.append(Finding(
+                        finding_id="NET-005",
+                        title="Unusual outbound connection",
+                        severity="LOW",
+                        description=f"Connection to non-standard port {conn.raddr.port}",
+                        evidence=f"Local: {laddr}, Remote: {raddr}",
+                        recommendation="Monitor for potential data exfiltration",
+                        source_module=self.name
+                    ))
+
+        return findings
+    
+    def _is_private_ip(self, ip):
+        """Check if IP address is private"""
+        try:
+            ip_obj = ipaddress.ip_address(ip)
+            return ip_obj.is_private
+        except ValueError:
+            # Fallback to basic check for common private ranges
+            return (ip.startswith('10.') or ip.startswith('192.168.') or 
+                   ip.startswith('172.') or ip.startswith('127.') or
+                   ip.startswith('169.254.'))

sysvex-0.1.0/src/sysvex/modules/processes.py

@@ -0,0 +1,165 @@
+import psutil
+from sysvex.engine.models import Finding
+from .base import BaseModule
+from sysvex.utils.platform import get_platform_config, is_windows
+
+class Module(BaseModule):
+    name = "processes"
+
+    def run(self, context=None):
+        config = get_platform_config()
+        findings = []
+
+        for proc in psutil.process_iter(['pid', 'name', 'exe', 'cmdline', 'username', 'uids', 'gids']):
+            try:
+                proc_info = proc.info
+                
+                # Skip if we can't get basic info
+                if not proc_info['name'] or not proc_info['exe']:
+                    continue
+
+                # Check for unsigned/unexpected binaries
+                if self._is_suspicious_binary(proc_info['exe'], config):
+                    findings.append(Finding(
+                        finding_id="PROC-001",
+                        title="Suspicious or unsigned binary",
+                        severity="HIGH",
+                        description=f"Process running from suspicious location: {proc_info['exe']}",
+                        evidence=f"PID: {proc_info['pid']}, Name: {proc_info['name']}, Path: {proc_info['exe']}",
+                        recommendation="Investigate binary authenticity and origin",
+                        source_module=self.name
+                    ))
+
+                # Check for suspicious command-line patterns
+                if proc_info['cmdline']:
+                    cmdline = ' '.join(proc_info['cmdline']).lower()
+                    for pattern in config['suspicious_patterns']:
+                        if pattern in cmdline:
+                            findings.append(Finding(
+                                finding_id="PROC-002",
+                                title="Suspicious command-line pattern",
+                                severity="HIGH",
+                                description=f"Process with suspicious command line: {pattern}",
+                                evidence=f"PID: {proc_info['pid']}, Command: {' '.join(proc_info['cmdline'])}",
+                                recommendation="Investigate potential malicious activity",
+                                source_module=self.name
+                            ))
+                            break  # Only report once per process
+
+                # Check for privilege anomalies
+                if proc_info['uids'] and proc_info['gids']:
+                    real_uid, effective_uid, saved_uid = proc_info['uids']
+                    real_gid, effective_gid, saved_gid = proc_info['gids']
+
+                    # Process running with elevated privileges (Unix: root, Windows: admin)
+                    if is_windows():
+                        # Windows: Check for SYSTEM or Administrator privileges
+                        if effective_uid == 0 and not self._is_system_process(proc_info['name'], config):
+                            findings.append(Finding(
+                                finding_id="PROC-003",
+                                title="Non-system process with elevated privileges",
+                                severity="MEDIUM",
+                                description=f"Process {proc_info['name']} running with elevated privileges",
+                                evidence=f"PID: {proc_info['pid']}, Name: {proc_info['name']}, User: {proc_info['username']}",
+                                recommendation="Verify if elevated privileges are necessary",
+                                source_module=self.name
+                            ))
+                    else:
+                        # Unix: Check for root privileges
+                        if effective_uid == 0 and not self._is_system_process(proc_info['name'], config):
+                            findings.append(Finding(
+                                finding_id="PROC-003",
+                                title="Non-system process running as root",
+                                severity="MEDIUM",
+                                description=f"Process {proc_info['name']} running with root privileges",
+                                evidence=f"PID: {proc_info['pid']}, Name: {proc_info['name']}, User: {proc_info['username']}",
+                                recommendation="Verify if root privileges are necessary",
+                                source_module=self.name
+                            ))
+
+                    # SetUID/SetGID anomalies
+                    if real_uid != effective_uid:
+                        findings.append(Finding(
+                            finding_id="PROC-004",
+                            title="Process with elevated user privileges",
+                            severity="HIGH",
+                            description=f"Process running with different effective UID than real UID",
+                            evidence=f"PID: {proc_info['pid']}, Real UID: {real_uid}, Effective UID: {effective_uid}",
+                            recommendation="Investigate privilege escalation",
+                            source_module=self.name
+                        ))
+
+                    if real_gid != effective_gid:
+                        findings.append(Finding(
+                            finding_id="PROC-005",
+                            title="Process with elevated group privileges",
+                            severity="MEDIUM",
+                            description=f"Process running with different effective GID than real GID",
+                            evidence=f"PID: {proc_info['pid']}, Real GID: {real_gid}, Effective GID: {effective_gid}",
+                            recommendation="Investigate group privilege escalation",
+                            source_module=self.name
+                        ))
+
+                # Check for processes with no executable path (potential malware)
+                if not proc_info['exe'] and proc_info['name']:
+                    findings.append(Finding(
+                        finding_id="PROC-006",
+                        title="Process without executable path",
+                        severity="HIGH",
+                        description=f"Process {proc_info['name']} has no associated executable",
+                        evidence=f"PID: {proc_info['pid']}, Name: {proc_info['name']}",
+                        recommendation="Investigate potential memory-only malware",
+                        source_module=self.name
+                    ))
+
+            except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
+                continue
+
+        return findings
+
+    def _is_suspicious_binary(self, exe_path, config):
+        """Check if binary is in suspicious location or has suspicious characteristics"""
+        if not exe_path:
+            return True
+
+        # Common legitimate binary locations
+        legitimate_paths = config['legitimate_paths']
+
+        # Check if binary is in legitimate location
+        is_legitimate = any(exe_path.lower().startswith(path.lower()) for path in legitimate_paths)
+        
+        # Check for temporary directories
+        suspicious_paths = config['temp_dirs']
+        is_suspicious = any(exe_path.lower().startswith(temp_dir.lower()) for temp_dir in suspicious_paths)
+
+        # Check for hidden directories
+        if "/." in exe_path and not is_legitimate:
+            is_suspicious = True
+        
+        # Windows-specific hidden directory check
+        if is_windows() and ("\\." in exe_path or exe_path.startswith("\\\\?\\")):
+            is_suspicious = True
+
+        return is_suspicious or not is_legitimate
+
+    def _is_system_process(self, process_name, config):
+        """Check if process is a known system process"""
+        if not process_name:
+            return False
+        
+        # Check against whitelist
+        for legitimate in config['legitimate_processes']:
+            if legitimate.lower() in process_name.lower():
+                return True
+        
+        # Platform-specific checks
+        if is_windows():
+            # Windows system processes
+            if process_name.lower().endswith('.exe') and any(sys_proc in process_name.lower() for sys_proc in ['system', 'smss', 'csrss', 'wininit', 'services']):
+                return True
+        else:
+            # Unix kernel processes
+            if process_name.startswith('[') and process_name.endswith(']'):
+                return True
+        
+        return False

sysvex-0.1.0/src/sysvex/reporting/console.py

@@ -0,0 +1,11 @@
+def print_report(findings):
+    if not findings:
+        print("No issues found.")
+        return
+
+    for f in findings:
+        print(f"[{f.severity}] {f.title}")
+        print(f"  -> {f.description}")
+        if f.evidence:
+            print(f"  Evidence: {f.evidence}")
+        print()

sysvex-0.1.0/src/sysvex/reporting/json_report.py

@@ -0,0 +1,5 @@
+import json
+
+def export_json(findings, path="report.json"):
+    with open(path, "w", encoding="utf-8") as f:
+        json.dump([f.to_dict() for f in findings], f, indent=2)

sysvex-0.1.0/src/sysvex/utils/platform.py

@@ -0,0 +1,104 @@
+import platform as _platform
+import os
+
+def get_platform():
+    """Get the current platform name"""
+    return _platform.system().lower()
+
+def is_windows():
+    """Check if running on Windows"""
+    return get_platform() == 'windows'
+
+def is_linux():
+    """Check if running on Linux"""
+    return get_platform() == 'linux'
+
+def is_macos():
+    """Check if running on macOS"""
+    return get_platform() == 'darwin'
+
+def get_platform_config():
+    """Get platform-specific configuration"""
+    if is_windows():
+        return {
+            'sensitive_paths': [
+                os.path.expandvars(r'%SystemRoot%\System32\config\SAM'),
+                os.path.expandvars(r'%SystemRoot%\System32\drivers\etc\hosts'),
+                os.path.expandvars(r'%SystemRoot%\System32\drivers\etc\networks'),
+                os.path.expandvars(r'%SystemRoot%\System32\config\SECURITY'),
+                os.path.expandvars(r'%ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk'),
+            ],
+            'temp_dirs': [
+                os.path.expandvars(r'%TEMP%'),
+                os.path.expandvars(r'%TMP%'),
+                os.path.expandvars(r'%SystemRoot%\Temp'),
+            ],
+            'legitimate_paths': [
+                os.path.expandvars(r'%SystemRoot%\System32'),
+                os.path.expandvars(r'%SystemRoot%\SysWOW64'),
+                os.path.expandvars(r'%ProgramFiles%'),
+                os.path.expandvars(r'%ProgramFiles(x86)%'),
+                os.path.expandvars(r'%ProgramData%'),
+            ],
+            'suspicious_patterns': [
+                'powershell -c', 'cmd /c', 'powershell.exe -enc',
+                'rundll32.exe', 'regsvr32.exe', 'certutil.exe',
+                'bitsadmin.exe', 'wmic.exe', 'netsh.exe',
+                'schtasks.exe', 'sc.exe', 'wevtutil.exe'
+            ],
+            'legitimate_processes': {
+                'svchost.exe', 'lsass.exe', 'winlogon.exe', 'explorer.exe',
+                'chrome.exe', 'firefox.exe', 'code.exe', 'python.exe',
+                'java.exe', 'node.exe', 'powershell.exe', 'cmd.exe',
+                'system', 'smss.exe', 'csrss.exe', 'wininit.exe'
+            }
+        }
+    else:  # Linux/Unix/macOS
+        return {
+            'sensitive_paths': [
+                '/etc/passwd', '/etc/shadow', '/etc/sudoers',
+                '/etc/ssh/sshd_config', '/etc/hosts', '/etc/crontab',
+                '/etc/gshadow', '/etc/group', '/etc/protocols'
+            ],
+            'temp_dirs': [
+                '/tmp', '/var/tmp', '/dev/shm', '/run/user'
+            ],
+            'legitimate_paths': [
+                '/usr/bin', '/usr/sbin', '/bin', '/sbin',
+                '/usr/local/bin', '/usr/local/sbin',
+                '/opt', '/snap', '/flatpak',
+                '/lib', '/lib64', '/usr/lib', '/usr/lib64'
+            ],
+            'suspicious_patterns': [
+                'nc -l', 'netcat', 'ncat', 'socat',
+                'bash -i', 'sh -i', '/bin/sh', '/bin/bash',
+                'python -c', 'perl -e', 'ruby -e',
+                'wget', 'curl', 'fetch',
+                'chmod +x', 'chmod 777',
+                'nohup', 'screen', 'tmux',
+                'iptables', 'ufw', 'firewall',
+                'crontab', 'at', 'batch',
+                'ssh-keygen', 'authorized_keys',
+                'passwd', 'shadow', '/etc/passwd'
+            ],
+            'legitimate_processes': {
+                'init', 'kthreadd', 'ksoftirqd', 'migration', 'rcu_', 'watchdog',
+                'systemd', 'kmod', 'udevd', 'NetworkManager', 'gdm', 'Xorg',
+                'gnome-shell', 'firefox', 'chrome', 'chromium', 'code', 'vim',
+                'bash', 'zsh', 'fish', 'python', 'python3', 'node', 'java'
+            }
+        }
+
+def get_default_scan_path():
+    """Get default scan path for the current platform"""
+    if is_windows():
+        return os.path.expandvars(r'%TEMP%')
+    else:
+        return '/tmp'
+
+def normalize_path(path):
+    """Normalize path for the current platform"""
+    if is_windows():
+        return os.path.normpath(path).replace('/', '\\')
+    else:
+        return os.path.normpath(path)

sysvex-0.1.0/src/sysvex/utils/system.py

@@ -0,0 +1,5 @@
+import psutil
+
+def get_open_ports():
+    connections = psutil.net_connections()
+    return [c.laddr.port for c in connections if c.status == "LISTEN"]

sysvex-0.1.0/src/sysvex.egg-info/PKG-INFO

@@ -0,0 +1,27 @@
+Metadata-Version: 2.4
+Name: sysvex
+Version: 0.1.0
+Summary: Modular system security auditing toolkit
+Author: PuRIToX
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/PuRiToX/sysvex
+Project-URL: Repository, https://github.com/PuRiToX/sysvex
+Project-URL: Documentation, https://github.com/PuRiToX/sysvex#readme
+Project-URL: Bug Tracker, https://github.com/PuRiToX/sysvex/issues
+Keywords: security,auditing,system,forensics,cross-platform
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: System Administrators
+Classifier: Intended Audience :: Information Technology
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration
+Classifier: Topic :: System :: Monitoring
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: psutil
+Dynamic: license-file

sysvex-0.1.0/src/sysvex.egg-info/SOURCES.txt

@@ -0,0 +1,25 @@
+LICENSE
+MANIFEST.in
+pyproject.toml
+src/sysvex/__init__.py
+src/sysvex/cli.py
+src/sysvex.egg-info/PKG-INFO
+src/sysvex.egg-info/SOURCES.txt
+src/sysvex.egg-info/dependency_links.txt
+src/sysvex.egg-info/entry_points.txt
+src/sysvex.egg-info/requires.txt
+src/sysvex.egg-info/top_level.txt
+src/sysvex/engine/__init__.py
+src/sysvex/engine/loader.py
+src/sysvex/engine/models.py
+src/sysvex/engine/runner.py
+src/sysvex/modules/__init__.py
+src/sysvex/modules/base.py
+src/sysvex/modules/filesystem.py
+src/sysvex/modules/network.py
+src/sysvex/modules/processes.py
+src/sysvex/reporting/console.py
+src/sysvex/reporting/json_report.py
+src/sysvex/utils/__init__.py
+src/sysvex/utils/platform.py
+src/sysvex/utils/system.py

sysvex-0.1.0/src/sysvex.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

sysvex-0.1.0/src/sysvex.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+sysvex = sysvex.cli:main

sysvex-0.1.0/src/sysvex.egg-info/requires.txt

@@ -0,0 +1 @@
+psutil

sysvex-0.1.0/src/sysvex.egg-info/top_level.txt

@@ -0,0 +1 @@
+sysvex