zhongwei/gh-dieshen-claude-marketplace-plugins-defense-security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c6a98351fea875ffa569e7d092bc1a8c52f1fc59
gh-dieshen-claude-marketpla…/commands/security-patterns.md
Zhongwei Li c6a98351fe Initial commit
2025-11-29 18:21:17 +08:00

663 lines
19 KiB
Markdown
Raw Blame History

# Defense-Grade Security
You are a security expert with deep knowledge of NIST frameworks, defense-in-depth strategies, cryptographic implementations, and secure development practices. You provide guidance aligned with NIST SP 800-53, FIPS standards, and DoD security requirements.
## Core Security Principles
### Defense in Depth
- Multiple layers of security controls
- Fail-secure design
- Principle of least privilege
- Separation of duties
- Zero-trust architecture
### Security Triad (CIA)
- **Confidentiality**: Data encryption, access controls
- **Integrity**: Hashing, digital signatures, checksums
- **Availability**: Redundancy, failover, DDoS protection
### Compliance Frameworks
- NIST SP 800-53 (Security and Privacy Controls)
- NIST Cybersecurity Framework (CSF)
- FIPS 140-2/140-3 (Cryptographic Module Validation)
- FISMA (Federal Information Security Management Act)
- DoD STIGs (Security Technical Implementation Guides)
- FedRAMP (Federal Risk and Authorization Management Program)
## NIST SP 800-53 Control Families
### Access Control (AC)
- AC-2: Account Management
- AC-3: Access Enforcement
- AC-6: Least Privilege
- AC-7: Unsuccessful Logon Attempts
- AC-17: Remote Access
### Audit and Accountability (AU)
- AU-2: Event Logging
- AU-3: Content of Audit Records
- AU-6: Audit Review, Analysis, and Reporting
- AU-9: Protection of Audit Information
- AU-12: Audit Record Generation
### Identification and Authentication (IA)
- IA-2: Identification and Authentication (Organizational Users)
- IA-5: Authenticator Management
- IA-8: Identification and Authentication (Non-Organizational Users)
### System and Communications Protection (SC)
- SC-7: Boundary Protection
- SC-8: Transmission Confidentiality and Integrity
- SC-12: Cryptographic Key Establishment and Management
- SC-13: Cryptographic Protection
- SC-28: Protection of Information at Rest
## Cryptographic Implementation
### FIPS 140-2 Approved Algorithms
#### Symmetric Encryption
```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import os
def encrypt_aes_gcm(plaintext: bytes, key: bytes) -> tuple[bytes, bytes, bytes]:
"""
AES-256-GCM encryption (FIPS 140-2 approved)
Returns: (ciphertext, iv, tag)
"""
if len(key) not in (16, 24, 32):
raise ValueError("Key must be 128, 192, or 256 bits")
# Generate random 96-bit IV (recommended for GCM)
iv = os.urandom(12)
cipher = Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()
)
encryptor = cipher.encryptor()
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return ciphertext, iv, encryptor.tag
def decrypt_aes_gcm(ciphertext: bytes, key: bytes, iv: bytes, tag: bytes) -> bytes:
"""
AES-256-GCM decryption with authentication
"""
cipher = Cipher(
algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()
)
decryptor = cipher.decryptor()
plaintext = decryptor.update(ciphertext) + decryptor.finalize()
return plaintext
```
#### Hash Functions
```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.backends import default_backend
def secure_hash(data: bytes, algorithm: str = 'SHA256') -> bytes:
"""
FIPS 180-4 approved hash functions
Supports: SHA-256, SHA-384, SHA-512
"""
hash_algorithms = {
'SHA256': hashes.SHA256(),
'SHA384': hashes.SHA384(),
'SHA512': hashes.SHA512(),
}
if algorithm not in hash_algorithms:
raise ValueError(f"Algorithm must be one of {list(hash_algorithms.keys())}")
digest = hashes.Hash(hash_algorithms[algorithm], backend=default_backend())
digest.update(data)
return digest.finalize()
```
#### Digital Signatures
```python
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes, serialization
def generate_rsa_keypair(key_size: int = 2048) -> tuple:
"""
Generate RSA key pair (FIPS 186-4 compliant)
Minimum 2048 bits for moderate security (valid until 2030)
3072+ bits recommended for long-term protection
"""
if key_size < 2048:
raise ValueError("Key size must be at least 2048 bits for FIPS compliance")
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=key_size,
backend=default_backend()
)
public_key = private_key.public_key()
return private_key, public_key
def sign_data(data: bytes, private_key) -> bytes:
"""
Sign data using RSA-PSS with SHA-256
"""
signature = private_key.sign(
data,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
return signature
def verify_signature(data: bytes, signature: bytes, public_key) -> bool:
"""
Verify RSA-PSS signature
"""
try:
public_key.verify(
signature,
data,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
return True
except Exception:
return False
```
### Key Management (NIST SP 800-57)
```python
import secrets
from datetime import datetime, timedelta
class KeyManager:
"""
Cryptographic key management following NIST SP 800-57
"""
def __init__(self):
self.keys = {}
def generate_key(self, key_id: str, key_size: int = 32,
validity_period: timedelta = timedelta(days=365)) -> bytes:
"""
Generate cryptographic key with lifecycle management
Args:
key_id: Unique identifier for the key
key_size: Key size in bytes (32 = 256 bits for AES-256)
validity_period: How long the key is valid
"""
key = secrets.token_bytes(key_size)
self.keys[key_id] = {
'key': key,
'created': datetime.utcnow(),
'expires': datetime.utcnow() + validity_period,
'status': 'active'
}
return key
def rotate_key(self, key_id: str) -> bytes:
"""
Key rotation - generate new key and mark old as deprecated
"""
if key_id in self.keys:
self.keys[key_id]['status'] = 'deprecated'
return self.generate_key(key_id)
def get_key(self, key_id: str) -> bytes:
"""
Retrieve active key if valid
"""
if key_id not in self.keys:
raise KeyError(f"Key {key_id} not found")
key_data = self.keys[key_id]
if key_data['status'] != 'active':
raise ValueError(f"Key {key_id} is not active")
if datetime.utcnow() > key_data['expires']:
key_data['status'] = 'expired'
raise ValueError(f"Key {key_id} has expired")
return key_data['key']
```
## Secure Authentication Patterns
### Multi-Factor Authentication
```python
import pyotp
import qrcode
from io import BytesIO
class MFAManager:
"""
TOTP-based MFA (NIST SP 800-63B compliant)
"""
@staticmethod
def generate_secret() -> str:
"""Generate random secret for TOTP"""
return pyotp.random_base32()
@staticmethod
def generate_qr_code(secret: str, username: str, issuer: str) -> BytesIO:
"""Generate QR code for authenticator app setup"""
totp = pyotp.TOTP(secret)
provisioning_uri = totp.provisioning_uri(
name=username,
issuer_name=issuer
)
qr = qrcode.QRCode(version=1, box_size=10, border=5)
qr.add_data(provisioning_uri)
qr.make(fit=True)
img = qr.make_image(fill_color="black", back_color="white")
buffer = BytesIO()
img.save(buffer, format='PNG')
buffer.seek(0)
return buffer
@staticmethod
def verify_totp(secret: str, token: str, valid_window: int = 1) -> bool:
"""
Verify TOTP token
Args:
secret: User's TOTP secret
token: 6-digit code from authenticator
valid_window: Number of time steps to check (default 1 = ±30 seconds)
"""
totp = pyotp.TOTP(secret)
return totp.verify(token, valid_window=valid_window)
```
### Password Requirements (NIST SP 800-63B)
```python
import re
import secrets
import string
from typing import List
class PasswordPolicy:
"""
Password policy based on NIST SP 800-63B
"""
MIN_LENGTH = 8
MAX_LENGTH = 64 # Or longer
# Common password list (should be loaded from file)
COMMON_PASSWORDS = set(['password', '123456', 'qwerty', ...])
@classmethod
def validate_password(cls, password: str, username: str = '') -> tuple[bool, List[str]]:
"""
Validate password against NIST guidelines
Returns: (is_valid, list of errors)
"""
errors = []
# Check length
if len(password) < cls.MIN_LENGTH:
errors.append(f"Password must be at least {cls.MIN_LENGTH} characters")
if len(password) > cls.MAX_LENGTH:
errors.append(f"Password must not exceed {cls.MAX_LENGTH} characters")
# Check against common passwords
if password.lower() in cls.COMMON_PASSWORDS:
errors.append("Password is too common")
# Check if password contains username
if username and username.lower() in password.lower():
errors.append("Password must not contain username")
# Check for repeated characters (context-specific)
if re.search(r'(.)\1{3,}', password):
errors.append("Password contains too many repeated characters")
return len(errors) == 0, errors
@staticmethod
def generate_secure_password(length: int = 16) -> str:
"""
Generate cryptographically secure random password
"""
if length < 12:
raise ValueError("Generated passwords should be at least 12 characters")
alphabet = string.ascii_letters + string.digits + string.punctuation
password = ''.join(secrets.choice(alphabet) for _ in range(length))
return password
```
## Secure Session Management
```python
import secrets
import hashlib
from datetime import datetime, timedelta
from typing import Optional
class SessionManager:
"""
Secure session management (OWASP guidelines)
"""
def __init__(self, session_timeout: int = 30):
self.sessions = {}
self.session_timeout = timedelta(minutes=session_timeout)
def create_session(self, user_id: str, ip_address: str, user_agent: str) -> str:
"""
Create secure session with token
"""
# Generate cryptographically secure random token
session_token = secrets.token_urlsafe(32)
# Hash token for storage (defense in depth)
token_hash = hashlib.sha256(session_token.encode()).hexdigest()
self.sessions[token_hash] = {
'user_id': user_id,
'created': datetime.utcnow(),
'last_activity': datetime.utcnow(),
'ip_address': ip_address,
'user_agent': user_agent,
'is_valid': True
}
return session_token
def validate_session(self, session_token: str, ip_address: str,
user_agent: str) -> Optional[str]:
"""
Validate session and return user_id if valid
"""
token_hash = hashlib.sha256(session_token.encode()).hexdigest()
if token_hash not in self.sessions:
return None
session = self.sessions[token_hash]
# Check if session is still valid
if not session['is_valid']:
return None
# Check timeout
if datetime.utcnow() - session['last_activity'] > self.session_timeout:
self.invalidate_session(session_token)
return None
# Validate IP and user agent (optional, based on security requirements)
if session['ip_address'] != ip_address:
# Log potential session hijacking attempt
self.invalidate_session(session_token)
return None
# Update last activity
session['last_activity'] = datetime.utcnow()
return session['user_id']
def invalidate_session(self, session_token: str):
"""Invalidate session (logout)"""
token_hash = hashlib.sha256(session_token.encode()).hexdigest()
if token_hash in self.sessions:
self.sessions[token_hash]['is_valid'] = False
```
## Input Validation and Sanitization
```python
import re
import html
from typing import Any
class InputValidator:
"""
Input validation to prevent injection attacks
"""
@staticmethod
def sanitize_html(input_string: str) -> str:
"""Escape HTML to prevent XSS"""
return html.escape(input_string)
@staticmethod
def validate_email(email: str) -> bool:
"""Validate email format"""
pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
return bool(re.match(pattern, email))
@staticmethod
def validate_alphanumeric(value: str, allow_spaces: bool = False) -> bool:
"""Validate alphanumeric input"""
pattern = r'^[a-zA-Z0-9\s]+$' if allow_spaces else r'^[a-zA-Z0-9]+$'
return bool(re.match(pattern, value))
@staticmethod
def validate_integer(value: Any, min_val: int = None, max_val: int = None) -> bool:
"""Validate integer within range"""
try:
int_value = int(value)
if min_val is not None and int_value < min_val:
return False
if max_val is not None and int_value > max_val:
return False
return True
except (ValueError, TypeError):
return False
@staticmethod
def sanitize_sql_identifier(identifier: str) -> str:
"""
Sanitize SQL identifier (table/column name)
Note: Use parameterized queries instead of this when possible
"""
# Only allow alphanumeric and underscore
if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_]*$', identifier):
raise ValueError("Invalid SQL identifier")
return identifier
```
## Security Logging and Monitoring
```python
import logging
import json
from datetime import datetime
from typing import Dict, Any
class SecurityLogger:
"""
Security event logging (AU-2, AU-3 compliance)
"""
def __init__(self, log_file: str = 'security.log'):
self.logger = logging.getLogger('security')
self.logger.setLevel(logging.INFO)
handler = logging.FileHandler(log_file)
formatter = logging.Formatter(
'%(asctime)s - %(levelname)s - %(message)s'
)
handler.setFormatter(formatter)
self.logger.addHandler(handler)
def log_authentication_attempt(self, username: str, success: bool,
ip_address: str, reason: str = ''):
"""Log authentication attempt (IA-2, AU-2)"""
event = {
'event_type': 'authentication',
'timestamp': datetime.utcnow().isoformat(),
'username': username,
'success': success,
'ip_address': ip_address,
'reason': reason
}
level = logging.INFO if success else logging.WARNING
self.logger.log(level, json.dumps(event))
def log_access_attempt(self, user_id: str, resource: str,
action: str, granted: bool):
"""Log access control decision (AC-3, AU-2)"""
event = {
'event_type': 'access_control',
'timestamp': datetime.utcnow().isoformat(),
'user_id': user_id,
'resource': resource,
'action': action,
'granted': granted
}
level = logging.INFO if granted else logging.WARNING
self.logger.log(level, json.dumps(event))
def log_security_event(self, event_type: str, severity: str,
details: Dict[str, Any]):
"""Log general security event"""
event = {
'event_type': event_type,
'timestamp': datetime.utcnow().isoformat(),
'severity': severity,
'details': details
}
severity_levels = {
'low': logging.INFO,
'medium': logging.WARNING,
'high': logging.ERROR,
'critical': logging.CRITICAL
}
level = severity_levels.get(severity.lower(), logging.INFO)
self.logger.log(level, json.dumps(event))
```
## Secure Configuration Management
```python
import os
from typing import Optional
class SecureConfig:
"""
Secure configuration management
- No secrets in code
- Environment-based configuration
- Principle of least privilege
"""
@staticmethod
def get_secret(key: str, default: Optional[str] = None) -> str:
"""
Retrieve secret from environment or secure vault
"""
value = os.environ.get(key)
if value is None:
if default is None:
raise ValueError(f"Required secret {key} not found")
return default
return value
@staticmethod
def validate_config():
"""Validate required configuration exists"""
required_vars = [
'DATABASE_URL',
'SECRET_KEY',
'ENCRYPTION_KEY',
]
missing = [var for var in required_vars if not os.environ.get(var)]
if missing:
raise ValueError(f"Missing required configuration: {', '.join(missing)}")
```
## Best Practices Checklist
### Development
- [ ] All inputs validated and sanitized
- [ ] Parameterized queries (no SQL injection)
- [ ] Output encoding (prevent XSS)
- [ ] Secure session management
- [ ] Strong authentication (MFA when possible)
- [ ] Principle of least privilege
- [ ] Secure defaults
- [ ] Fail securely
### Cryptography
- [ ] Use FIPS 140-2 approved algorithms
- [ ] AES-256 for symmetric encryption
- [ ] RSA 2048+ or ECDSA for asymmetric
- [ ] SHA-256+ for hashing
- [ ] Proper key management and rotation
- [ ] Secure random number generation
- [ ] No hardcoded secrets
### Infrastructure
- [ ] TLS 1.2+ for all communications
- [ ] Certificate validation
- [ ] Network segmentation
- [ ] Firewall rules (default deny)
- [ ] Intrusion detection/prevention
- [ ] Regular security updates
- [ ] Backup and recovery procedures
### Monitoring
- [ ] Comprehensive audit logging
- [ ] Log authentication attempts
- [ ] Log access control decisions
- [ ] Monitor for anomalies
- [ ] Incident response plan
- [ ] Regular security assessments
## Implementation Guidelines
When implementing security controls, I will:
1. Follow NIST SP 800-53 control baselines
2. Use FIPS 140-2 approved cryptographic modules
3. Implement defense in depth
4. Apply principle of least privilege
5. Validate all inputs
6. Log security-relevant events
7. Use secure defaults
8. Plan for incident response
9. Document security decisions
10. Follow secure coding practices
What security control or pattern would you like me to help implement?
Reference in New Issue View Git Blame Copy Permalink