UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

156 lines (122 loc) 5.3 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
--- namespace: aiwg name: forensics-profile platforms: [all] description: Build target system profile via SSH or cloud API enumeration commandHint: argumentHint: "<target> [--output path] [--deep] [--cloud aws|azure|gcp]" category: forensics-reconnaissance --- # /forensics-profile Build a comprehensive system profile of the target by enumerating OS details, running services, user accounts, installed packages, network configuration, and security controls. The profile establishes a baseline for subsequent investigation stages. ## Usage `/forensics-profile <target> [options]` ## Arguments | Argument | Required | Description | |----------|----------|-------------| | target | Yes | SSH connection string (`ssh://user@host:port`) or cloud target (`aws://account-id/region`) | | --output | No | Custom output directory (default: `.aiwg/forensics/profiles/<hostname>-<date>/`) | | --deep | No | Perform deep enumeration including package inventory and kernel config | | --cloud | No | Cloud provider context: `aws`, `azure`, or `gcp` | | --no-network | No | Skip network enumeration (faster, less intrusive) | | --format | No | Output format: `markdown` (default) or `json` | ## Behavior When invoked, this command: 1. **Parse Target** - Resolve hostname or IP from connection string - Verify SSH connectivity or cloud API access - Detect operating system family (Linux distro, version, kernel) - Record target identifier for artifact naming 2. **System Enumeration** - Collect OS version, kernel version, architecture - Enumerate running processes and services - List installed packages and versions - Check uptime and last reboot time - Identify virtualization or container environment 3. **User and Account Inventory** - Enumerate local user accounts from `/etc/passwd` - Identify privileged users (UID 0, sudo group members) - Check for recently created or modified accounts - Review `/etc/sudoers` and sudoers.d entries - List active login sessions and recent auth history 4. **Network Baseline** - Capture listening ports and bound services - Document active network connections - Record network interfaces and IP assignments - Identify firewall rules (iptables, nftables, ufw) - Note DNS resolver configuration 5. **Security Control Assessment** - Check for security tools (auditd, fail2ban, SELinux, AppArmor) - Review SSH daemon configuration - Identify logging configuration and log rotation - Note enabled/disabled security features 6. **Save Profile Artifact** - Write `system-profile.md` with structured findings - Write `system-profile.json` for machine processing - Generate SHA-256 hash of profile files - Log acquisition metadata and timestamps ## Examples ### Example 1: Basic SSH profile ```bash /forensics-profile ssh://admin@192.168.1.50:22 ``` ### Example 2: Deep profile with custom output ```bash /forensics-profile ssh://root@10.0.0.5 --deep --output .aiwg/forensics/profiles/web-server/ ``` ### Example 3: Cloud target ```bash /forensics-profile aws://123456789012/us-east-1 --cloud aws ``` ### Example 4: JSON output for pipeline use ```bash /forensics-profile ssh://analyst@host --format json ``` ## Output Artifacts are saved to `.aiwg/forensics/profiles/<hostname>-<date>/`: ``` .aiwg/forensics/profiles/web01-2026-02-27/ ├── system-profile.md # Human-readable profile ├── system-profile.json # Machine-readable profile ├── acquisition-log.yaml # Timing and metadata └── checksums.sha256 # Integrity hashes ``` ### Sample Output ``` Profiling Target: 192.168.1.50 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Step 1: Connecting to target Connected via SSH (admin@192.168.1.50:22) OS detected: Ubuntu 22.04.3 LTS (kernel 5.15.0-91) Step 2: System enumeration Hostname: web01.internal Uptime: 47 days, 3 hours Architecture: x86_64 Running services: 23 active units Installed packages: 412 Step 3: User inventory Total accounts: 28 (4 with shell access) Privileged users: root, deploy Sudo group members: admin, deploy Active sessions: 2 Step 4: Network baseline Interfaces: eth0 (10.0.1.50/24), lo Listening ports: 22 (sshd), 80 (nginx), 443 (nginx), 3306 (mysqld) Active connections: 14 established Firewall: ufw active (12 rules) Step 5: Security controls auditd: active fail2ban: active (3 jails) AppArmor: enforcing (18 profiles) SSH: password auth disabled, key-only ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Profile complete. Output: .aiwg/forensics/profiles/web01-2026-02-27/ Next Steps: /forensics-triage ssh://admin@192.168.1.50 - Capture volatile data /forensics-investigate ssh://admin@192.168.1.50 --scope full ``` ## References - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/agents/recon-agent.md - Recon Agent - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/templates/system-profile.md - Profile template - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/commands/forensics-triage.md - Next stage