Modern incident triage for CyberPanel:
- 🧰 Legacy bash cleanup scripts (basic & advanced)
- 🤖 Cyberzard — an AI‑assisted, safety‑constrained CLI for scanning, explaining, and planning remediation
- 📚 Docs: https://elwizard33.github.io/Cyberzard/
- 🧪 Try Cyberzard: see “Install & Use” below
- 🗺️ Roadmap: ROADMAP.md
- 🐞 Issues Guide: ISSUE_GUIDE.md
- 📜 License: MIT
Experimental preview. Interfaces may change until v0.1.
| Area | What you get |
|---|---|
| Multi‑source scanning | Files, processes, cron, services, users, SSH keys, encrypted files |
| Severity scoring | Critical/High/Medium/Low with rationale |
| Evidence preservation | Optional hashing/archiving prior to actions |
| Dry‑run planning | Generate remediation plan JSON first |
| AI reasoning (optional) | Summaries, prioritization, advice (OpenAI/Anthropic/none) |
| ReAct loop | Safe tool schema, sandboxed helpers |
| Output | Pretty tables + JSON |
| Chat mode | Interactive, permission‑aware assistant |
| TUI (optional) | Simple terminal UI for scan results |
| Email stack hardening | scan + AI summary + guided execution |
Fast install (Linux, user‑local, no sudo required):

```bash
bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/install.sh)"
```

With AI extras (choose one):

```bash
CYBERZARD_EXTRAS=openai bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/install.sh)"
# or
CYBERZARD_EXTRAS=anthropic bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/install.sh)"
```

Upgrade later:

```bash
cyberzard --upgrade # quick upgrade using global flag
cyberzard upgrade --channel stable # explicit upgrade command
```

Manual install (from source, editable):

```bash
git clone https://github.com/elwizard33/Cyberzard.git
cd Cyberzard
python3 -m venv .venv && source .venv/bin/activate
python -m pip install -U pip setuptools wheel
pip install -e '.[openai]' # or '.[anthropic]' or just .
```

Notes:
- Linux-only binary releases: We publish Linux x86_64/arm64 binaries on GitHub Releases. macOS/Windows users: install from source (above). See: https://github.com/elwizard33/Cyberzard/releases
- No PyPI publishing yet. Use the installer or source install above. PyPI releases may be added later.
Optional TUI (terminal UI):

```bash
pip install 'textual>=0.60'
cyberzard tui
```

Common commands:

```bash
# Scan and pretty print
cyberzard scan
# JSON findings
cyberzard scan --json > findings.json
# Advice (static + optional AI enrichment)
CYBERZARD_MODEL_PROVIDER=openai OPENAI_API_KEY=sk-... cyberzard advise
# Explain findings (AI)
OPENAI_API_KEY=sk-... cyberzard explain --provider openai
# Bounded reasoning loop (ReAct)
OPENAI_API_KEY=sk-... cyberzard agent "Top suspicious processes and rationale" --steps 4
# Interactive chat (permission‑aware)
cyberzard chat
cyberzard chat --auto-approve --max-probes 8
# Remediation (requires explicit flags)
cyberzard remediate --delete --kill --preserve
# n8n deployment assistant (generate + optional apply)
# Native (OpenLiteSpeed reverse-proxy):
cyberzard n8n-setup --domain example.com --subdomain n8n --mode native --basic-auth --out-dir ./out
# Cloudflare Tunnel (docker compose + cloudflared):
cyberzard n8n-setup --domain example.com --subdomain n8n --mode tunnel --out-dir ./out
# Write-only JSON summary (no apply):
cyberzard n8n-setup --domain example.com --mode native --write-only --out-dir ./out --overwrite
# Email security (scan + hardening preview)
cyberzard email-security --dry-run
# Execute guided (still dry-run by default until --no-dry-run)
cyberzard email-security --run --dry-run --max-risk medium
# Full remediation guide + optional execution
cyberzard email-fix --run --dry-run --max-risk low
# JSON output (no rich)
cyberzard email-security --json --run --dry-run
```

Troubleshooting
- Editable install error (missing build_editable hook): upgrade pip/setuptools/wheel in a venv, or use non‑editable install:

```bash
python -m pip install -U pip setuptools wheel
pip install '.[openai]' # or '.[anthropic]' or just .
```

| Var | Purpose | Default |
|---|---|---|
| CYBERZARD_MODEL_PROVIDER | openai, anthropic, none | none |
| OPENAI_API_KEY | API key when provider=openai | — |
| ANTHROPIC_API_KEY | API key when provider=anthropic | — |
| CYBERZARD_EVIDENCE_DIR | Evidence dir | /var/lib/cyberzard/evidence |
| CYBERZARD_DRY_RUN | Global dry‑run | true |
- No raw shell; curated, allow‑listed tools only
- Dry‑run by default; explicit flags to delete/kill
- Reasoning step cap; sandboxed helpers
- AI optional; offline works fine
Basic and Advanced bash scripts to triage and clean common artifacts from the November CyberPanel attacks.
| Capability | Basic | Advanced |
|---|---|---|
| Diagnostics (files, processes, encrypted files) | ✅ | ✅ |
| Cleanup of artifacts | ✅ | ✅ |
| User + SSH key audit | — | ✅ |
| Interactive confirmations | — | ✅ |
| Extra post‑hardening tips | — | ✅ |
Basic:

```bash
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/wizard_cleanup.sh)"
```

Advanced:

```bash
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/elwizard33/Cyberzard/main/scripts/advanced_wizard_cleanup.sh)"
```

- .psaux files: 1-decrypt.sh
- .encryp files: encryp_dec.out
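
The cleanup one-liners above run a freshly downloaded script as root. The following is an added example, not part of the Cyberzard project, that stages such a script in a file, hashes it, and lists its destructive lines so it can be read before it runs. The function names and the sample script contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: stage a remote script for review instead of piping it into a root shell.

# fetch_script URL DEST: download over HTTPS to a file; nothing is executed.
fetch_script() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# sha256_of FILE: print the SHA-256 so the reviewed copy can be pinned.
sha256_of() {
  sha256sum "$1" | awk '{print $1}'
}

# destructive_lines FILE: numbered lines that delete files, kill processes,
# or change accounts, cron entries, or file attributes.
destructive_lines() {
  grep -nE '(^|[^[:alnum:]_])(rm|kill|pkill|killall|userdel|chattr|crontab|shred)([[:space:]]|$)' "$1" || true
}

# review_script FILE: syntax-check without executing, then print hash and flagged lines.
review_script() {
  bash -n "$1" || { echo "syntax check failed: $1" >&2; return 1; }
  echo "sha256: $(sha256_of "$1")"
  echo "lines to read before running as root:"
  destructive_lines "$1"
}

# run_if_unchanged FILE SHA256: run only the exact bytes that were reviewed.
run_if_unchanged() {
  [ "$(sha256_of "$1")" = "$2" ] || { echo "hash mismatch, not running" >&2; return 1; }
  sudo bash "$1"
}

# Constructed sample standing in for a downloaded cleanup script
# (placeholder names, not the project's script or real indicators).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#!/bin/bash
echo "checking processes"
pkill -f example_proc
rm -f /tmp/example_artifact
EOF
review_script "$sample"
```

On a real host the sequence is `fetch_script`, then `review_script` on the saved file, then `run_if_unchanged` with the hash recorded during review.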
Please read the Issue Guide before filing.
- Small, focused PRs with tests/docs updates are welcome
- Clearly document environment and reproduction steps
These tools are provided as‑is, without warranty. Validate outputs before acting in production. Maintain backups and snapshots.