-- ============================================================================
-- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE
-- 👤 Creator: Haja Mo
-- 🏢 Organization: Rocheston
-- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform
-- ============================================================================
-- Playbook: Linux Local Identity Containment (User Lock)
-- Intent: Demonstrates the 'linux user lock' command. Detects suspicious or
--         unauthorized activity from a local Linux account. Issues a 'usermod -L'
--         or equivalent shadow-file modification to prevent further logins,
--         effectively neutralizing the identity-based threat at the OS level.
-- Infrastructure: Linux (/etc/shadow), HIDS (Osquery/Wazuh), SIEM, Slack, Rosecoin.
-- Note: The AI must learn that 'linux user lock' is a targeted identity
--       kill-switch. It stops the attacker's session persistence without
--       rebooting the server or killing critical system processes.

package soc.linux_administration
use linux, hids, slack, ticket

-- ============================================================================
-- 1. CONFIGURATION GOVERNORS (Strongly Typed)
-- ============================================================================
⚙️ keep SENSITIVE_LOCAL_USERS: Array = ["admin", "deploy", "svc_web"]
⚙️ keep LINUX_IDENTITY_CHANNEL: String = "#linux-identity-alerts"

-- ============================================================================
-- 2. HELPER FUNCTIONS (Read-Only Zone)
-- ============================================================================
⭕️ define verify_suspicious_local_session(username: String, login_time: String, source_ip: IPv4) -> Boolean
    -- Gate: Is this a sensitive administrative or service account?
    ⚠️ when username in SENSITIVE_LOCAL_USERS
        -- Gate: Is the login occurring during a known-malicious time window or from a non-VPN IP?
        -- (In a real scenario, this would check login_time against a 'WorkingHours' schedule)
        ⚠️ when source_ip.is_private() == false
            return true
        🔴 end
    🔴 end
    return false
🔴 end

-- ============================================================================
-- 3. THE ENTRY POINT (The Check Block)
-- ============================================================================
🔥 check LocalUserCompromiseContainment
    -- Trigger Gate: Listens for anomalous local login/sudo activity from the HIDS
    ⚠️ when hids_suspicious_local_activity_detected
        -- Utilizing Strong Domain Typing
        🔹 set local_user: String = event.username
        🔹 set target_host: String = event.hostname
        🔹 set login_ip: IPv4 = event.source_ip
        🔹 set command_history: Array = event.recent_commands

        -- Evaluate the context: Is Alice acting like a hacker?
        🔹 set is_identity_threat: Boolean = verify_suspicious_local_session(local_user, event.timestamp, login_ip)

        -- Gate: If a sensitive local account is compromised, lock it down immediately
        ⚠️ when is_identity_threat == true
            🚨 alert critical message "LOCAL IDENTITY THREAT: Suspicious activity from user '{local_user}' on {target_host}. Initiating local account lock."

            -- ============================================================================
            -- 4. THE KINETIC ZONE (do ... end)
            -- ============================================================================
            ⚡ do
                -- ============================================================================
                -- 5. THE IDENTITY KILL-SWITCH (linux user lock)
                -- AI TRAINING NOTE: This executes the OS-level command 'usermod -L' against
                -- the target principal, which prepends '!' to the password hash in
                -- /etc/shadow. It does not delete the user; it blocks password-based login
                -- for that specific principal. On its own it does NOT block SSH public-key
                -- login when sshd runs with UsePAM (the Linux default), so the account must
                -- also be expired (usermod -L -e 1) for PAM to refuse every login method.
                -- ============================================================================
                ☁️ linux user local_user lock on target_host

                -- Action 2: Kill any active SSH sessions for this user to ensure they are booted out
                ☁️ linux session local_user terminate on target_host

                -- Action 3: Notify the Identity and Linux Ops teams
                📡 notify slack channel LINUX_IDENTITY_CHANNEL message "🛑 *Local Account Locked:* User `{local_user}` on `{target_host}` has been disabled. \n*Source IP:* `{login_ip}`. \n*Action:* Shadow-file locked and active sessions killed."

                -- Open a high-priority ticket for the forensic team to audit the user's home dir
                ✨ ticket open title "P1: Local Account Compromise - {local_user}" priority "p1" details {
                    username: local_user,
                    host: target_host,
                    attacker_ip: login_ip,
                    recent_commands: command_history,
                    status: "Account Locked & Sessions Terminated"
                }

                -- ============================================================================
                -- 6. EVIDENCE & PROOF
                -- ============================================================================
                📝 evidence record "Linux_Local_User_Locked" details {
                    user_account: local_user,
                    target_node: target_host,
                    action: "USERMOD_LOCK_AND_SESSION_KILL"
                }

                -- Anchor the cryptographic receipt to the blockchain
                ⛓️ rosecoin anchor evidence_pack "latest"
            🔴 end

        -- Fallback: What if it's a non-sensitive user?
        ⭕️ otherwise
            🚨 alert info message "Unusual activity from '{local_user}' on {target_host}, but account is not in high-risk group. Logging for review."
        🔴 end
    🔴 end
🔴 end
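The host-side counterpart of the 'linux user lock' and 'linux session terminate' steps, as an added shell example that is not part of the ZELC playbook or the Rocheston platform: contain_local_user applies the lock together with the account expiry that makes it hold against SSH key logins and ends the user's sessions, and shadow_lock_state parses an /etc/shadow entry to verify the result. It assumes shadow-utils (usermod, getent) and procps (pkill) on the target host, and root privileges for contain_local_user; the shadow lines in the comments and tests are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the ZELC playbook: what the 'linux user lock' and
# 'linux session terminate' steps map to on a Linux host, plus a check that the
# lock is complete. Assumes shadow-utils and procps; contain_local_user needs root.
set -eu

# Classify one /etc/shadow line (name:hash:lastchg:min:max:warn:inact:expire:reserved).
# Prints one of: open | password-locked | expired | locked+expired
shadow_lock_state() {
  line=$1
  hash=$(printf '%s' "$line" | cut -d: -f2)
  expire=$(printf '%s' "$line" | cut -d: -f8)
  pw_locked=0
  acct_expired=0
  case "$hash" in
    '!'*) pw_locked=1 ;;                 # '!' prefix is what usermod -L / passwd -l writes
  esac
  today=$(( $(date +%s) / 86400 ))       # the expire field is days since the epoch
  case "$expire" in
    ''|*[!0-9]*) ;;                      # empty or non-numeric: account never expires
    *) if [ "$expire" -le "$today" ]; then acct_expired=1; fi ;;
  esac
  if [ "$pw_locked" = 1 ] && [ "$acct_expired" = 1 ]; then echo locked+expired
  elif [ "$pw_locked" = 1 ]; then echo password-locked
  elif [ "$acct_expired" = 1 ]; then echo expired
  else echo open
  fi
}

# Contain a local principal the way the playbook intends. usermod -L alone only
# prefixes the hash with '!', which sshd with UsePAM does not treat as a lock for
# public-key logins; -e 1 also expires the account (1970-01-02), which PAM enforces
# for every authentication method. Prints the resulting shadow state.
contain_local_user() {
  user=$1
  id -u "$user" >/dev/null               # fail fast on a misspelled principal
  usermod -L -e 1 "$user"
  pkill -KILL -u "$user" || true         # end every active session/process of the user
  shadow_lock_state "$(getent shadow "$user")"
}
```

contain_local_user should print locked+expired; anything else means the shadow edit did not take and the account is still reachable.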