
v0.7.1 — Linux DFIR triplet + ground-truth function reconciliation


Juwon1405 released this 16 May 10:36
· 315 commits to main since this release

Highlights

Closed 6 of the 10 missing-function gaps identified by a post-release MCP surface audit against the 11-case ground-truth library.

Added — Linux DFIR triplet (2 new MCP functions)

  • parse_linux_text_log — parses Apache/nginx combined access logs, syslog (RFC3164), /var/log/messages, /var/log/secure, and auditd dispatcher text mode. Returns parsed records plus suspicious-content tags across 10 patterns covering T1003.008 shadow read, T1190 path traversal + SQLi, T1505.003 webshell patterns, T1105 remote download to shell, T1071.001 netcat, T1046 scanner invocation, T1222.002 dangerous chmod, T1059.004 reverse-shell oneliners, T1213.002 database credential use, plus a scanner-user-agent meta-rule (T1595.002).
  • parse_linux_shell_history — parses bash/zsh history with HISTTIMEFORMAT awareness (epoch comment lines). Detects 11 attacker patterns including T1098.004 SSH key persistence, T1070.003 history clear, T1053.003 cron mutation, T1027 base64 obfuscation.

(parse_linux_cron_jobs already existed in v0.6.1 — exposed via evidence_root + flagged_only schema. Not duplicated.)
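To make the shape of the two new functions concrete, here is a constructed, self-contained tagger that mirrors their behaviour on a handful of the patterns listed above: it parses Apache/nginx combined-format lines and a HISTTIMEFORMAT-style bash history, and attaches ATT&CK-labelled tags to each record. This is added example code, not the project's parse_linux_text_log or parse_linux_shell_history; the rule set, record fields, helper names and the sample lines are all assumptions made for the demo.

```python
"""Constructed demo of the two detection shapes named in this release note:
a combined-access-log tagger and a HISTTIMEFORMAT-aware history tagger.
Added example, not the project's code; rule names, record fields and the
sample input below are assumptions made for the demo."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
#   host ident user [time] "method path proto" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (technique id, tag name, field to inspect, regex): a subset of the patterns
# named in the release note, run against the URL-decoded path or the UA.
ACCESS_LOG_RULES = [
    ("T1190", "path_traversal", "path", re.compile(r"\.\./")),
    ("T1003.008", "shadow_read", "path", re.compile(r"/etc/shadow")),
    ("T1190", "sqli", "path", re.compile(r"union\s+select|'\s*(or|and)\s", re.I)),
    ("T1595.002", "scanner_user_agent", "ua", re.compile(r"nikto|sqlmap|masscan", re.I)),
]

HISTORY_RULES = [
    ("T1070.003", "history_clear", re.compile(r"\bhistory\s+-c\b|>\s*~?/?\.?bash_history")),
    ("T1098.004", "ssh_key_persistence", re.compile(r"authorized_keys")),
    ("T1053.003", "cron_mutation", re.compile(r"\bcrontab\s+-[er]\b|/etc/cron")),
    ("T1027", "base64_obfuscation", re.compile(r"base64\s+(-d|--decode)\b")),
]

# bash writes a "#<epoch>" line before each command when HISTTIMEFORMAT is set.
EPOCH_RE = re.compile(r"^#(\d{9,11})$")


def parse_access_log(text):
    """Return one record per line; lines that do not parse are kept with parsed=False."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMBINED_RE.match(line)
        if not m:
            records.append({"line": lineno, "raw": line, "parsed": False, "tags": []})
            continue
        rec = m.groupdict()
        rec.update(line=lineno, parsed=True)
        # Decode once so %2e%2e%2f and %27 are seen as ../ and ' by the rules.
        decoded = {"path": unquote_plus(rec["path"]), "ua": rec["ua"]}
        rec["tags"] = [f"{tid}:{name}" for tid, name, field, rx in ACCESS_LOG_RULES
                       if rx.search(decoded[field])]
        records.append(rec)
    return records


def parse_shell_history(text):
    """Pair each command with the immediately preceding #<epoch> line, if any."""
    records, pending = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EPOCH_RE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        if not line.strip():
            continue
        ts = (datetime.fromtimestamp(pending, tz=timezone.utc).isoformat()
              if pending is not None else None)
        records.append({
            "line": lineno, "epoch": pending, "timestamp": ts, "command": line,
            "tags": [f"{tid}:{name}" for tid, name, rx in HISTORY_RULES if rx.search(line)],
        })
        pending = None  # an epoch line covers exactly one command
    return records


def flagged(records):
    """flagged_only view: only records that carry at least one tag."""
    return [r for r in records if r["tags"]]


# Constructed sample input (not real evidence): one benign request, a scanner
# doing traversal to /etc/shadow, an encoded SQLi probe, and one junk line.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [16/May/2024:10:36:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [16/May/2024:10:36:07 +0000] "GET /cgi-bin/../../../../etc/shadow HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.0.0.9 - - [16/May/2024:10:36:09 +0000] "GET /index.php?id=1%27%20or%201=1 HTTP/1.1" 200 2211 "-" "Mozilla/5.00 (Nikto/2.1.6)"
not a log line
"""

# Constructed history: HISTTIMEFORMAT epoch lines, one command without one.
SAMPLE_HISTORY = """\
#1715855760
ls -la /var/www
#1715855775
echo 'ssh-ed25519 AAAA-constructed-key' >> ~/.ssh/authorized_keys
#1715855790
crontab -e
echo hello
#1715855820
history -c
"""

if __name__ == "__main__":
    for rec in flagged(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(rec["line"], rec["host"], rec["path"], rec["tags"])
    for rec in flagged(parse_shell_history(SAMPLE_HISTORY)):
        print(rec["line"], rec["timestamp"], rec["command"], rec["tags"])
```

Two points the demo makes that the bullet list does not: rules must run on the decoded path or encoded traversal and quotes slip past them, and an epoch comment line binds to exactly one following command, so a command without a preceding epoch gets no timestamp rather than inheriting a stale one.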

Changed — case-09 ground-truth function names reconciled

Pre-v0.7.1 case-09 (Ali Hadi Challenge 1) referenced three functions that did not exist in the MCP surface. Now mapped to actual capabilities:

| Finding | Pre-v0.7.1 (missing) | v0.7.1 (implemented) |
|---|---|---|
| F-HADI1-002 | detect_web_shell_indicators | detect_webshell |
| F-HADI1-007 | enumerate_filesystem_anomalies | parse_linux_text_log |
| F-HADI1-009 | detect_log_tampering_indicators | detect_defense_evasion |

Ground-truth coverage post-reconciliation

Of 36 expected functions referenced across all 11 cases:

  • 32 implemented (89%)
  • 4 remain as tracked Phase 2 gaps: parse_recycle_bin_metadata (#54), parse_ie_history (#53), parse_outlook_dbx (#55), parse_usn_journal (post-release issue)

Added — test coverage

tests/test_parse_linux_dfir.py — 7 new tests covering auditd dispatcher format, http access combined format (Nikto UA + path traversal + shadow read), HISTTIMEFORMAT epoch parsing, per-hit required-keys contract, missing-file error contract, path traversal rejection. Total suite: 75 green (up from 68).

Added — sample evidence

examples/sample-evidence-realistic/linux/cron/sample.crontab — fixture exercising v0.6.1 parse_linux_cron_jobs with 4 suspicious patterns (remote-pipe-shell, exec from world-writable, reverse-shell oneliner, base64 obfuscation) plus benign baseline jobs.

Post-release counts

| Surface | Value |
|---|---|
| Native MCP functions | 72 (was 67) |
| Total ground-truth findings | 99 |
| Ground-truth coverage (implemented / expected) | 32 / 36 (89%) |
| Bundled case studies | 11 |
| Unit tests | 75 green (was 68) |

Verification

recall:                       1.000   (F-001 + F-013)
false_positive_rate:          0.000
hallucination_count:          0
evidence_integrity_preserved: true
self_correction_observed:     true

Compare: v0.7.0...v0.7.1