
g-scout's Introduction

G-Scout

G-Scout is a tool for auditing Google Cloud Platform configurations. By making API calls, applying security rules, and generating HTML files based on the output, G-Scout makes it easy to analyze the security of a GCP environment.

There are two ways for the project owner to grant API permissions:

  1. User Account:
    1. Use an account with Viewer and Security Reviewer permissions on the project (may require the project to activate the Google Identity and Access Management API, which can be done in the console).
    2. Approve the OAuth2 authentication request when prompted in your browser.
  2. Service Account:
    1. Go to the console service accounts page at https://console.cloud.google.com/iam-admin/serviceaccounts/project?project=[project] and create a service account.
    2. Go to IAM management console at https://console.cloud.google.com/iam-admin/iam/project?project=[project] and add Security Reviewer and Viewer permissions to the service account created in step 1.
    3. Generate a Service Account key from https://console.cloud.google.com/apis/credentials?project=[project].
    4. Place the JSON file (named keyfile.json) generated in step 3 into the application directory.
    5. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file downloaded. Or use the SDK to run gcloud auth application-default login.

To run the application:

virtualenv -p python2 venv
source venv/bin/activate
pip install -r requirements.txt
python gscout.py -h

The HTML report output will be in the "Report Output" folder.

When specifying the project name you can also use a wildcard to run G-Scout on multiple projects, for example: python gscout.py --project-name "dev-*". You can also run G-Scout on all projects in an organization like this: python gscout.py --organization "organization id", where the id will be a number you can find next to the organization name in the GCP console.

To create a custom rule, add it to the rules.py file. A Rule object takes a name, a category, and a filter function. The function will be passed a json object corresponding to the category. To see an example for each category (some of which are altered from the standard API response), see the entity_samples.json file.

Running python x_project.py will create a file showing all results across all projects G-Scout has been run on for each finding specified. Change the items in the list of rule names in x_project.py to specify which rules to generate the files for.

g-scout's People

Contributors

angelomellos, angelomellos-nccgroup, blincoln-dd, carise, ddragusin, lgap, x4v13r64


g-scout's Issues

AttributeError: 'Namespace' object has no attribute 'project'

Receive the following error when running over a user account (previous version did run without issue)

Authentication successful.
Traceback (most recent call last):
File "gscout.py", line 175, in
main()
File "gscout.py", line 166, in main
list_projects(project_or_org='project' if args.project else 'organization',
AttributeError: 'Namespace' object has no attribute 'project'

raise httplib.ResponseNotReady

Hi,

I've just tried to use this tool and got error:

$ ~/G-Scout (master) python gscout.py project project
/usr/local/lib/python2.7/dist-packages/oauth2client/_helpers.py:255: UserWarning: Cannot access creds.data: No such file or directory
  warnings.warn(_MISSING_FILE_MESSAGE.format(filename))
Traceback (most recent call last):
  File "gscout.py", line 60, in <module>
    list_projects(sys.argv[1],sys.argv[2])
  File "gscout.py", line 22, in list_projects
    'v1',credentials=storage.get())
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/googleapiclient/discovery.py", line 226, in build
    credentials=credentials)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/googleapiclient/discovery.py", line 358, in build_from_document
    credentials = _auth.default_credentials()
  File "/usr/local/lib/python2.7/dist-packages/googleapiclient/_auth.py", line 41, in default_credentials
    return oauth2client.client.GoogleCredentials.get_application_default()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 1271, in get_application_default
    return GoogleCredentials._get_implicit_credentials()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 1256, in _get_implicit_credentials
    credentials = checker()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 1187, in _implicit_credentials_from_gce
    if not _in_gce_environment():
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 1042, in _in_gce_environment
    if NO_GCE_CHECK != 'True' and _detect_gce_environment():
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 999, in _detect_gce_environment
    http, _GCE_METADATA_URI, headers=_GCE_HEADERS)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/transport.py", line 282, in request
    connection_type=connection_type)
  File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1659, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1399, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1355, in _conn_request
    response = conn.getresponse()
  File "/usr/lib/python2.7/httplib.py", line 1123, in getresponse
    raise ResponseNotReady()
httplib.ResponseNotReady

TypeError: cannot instantiate ctype 'EVP_MD_CTX' of unknown size

Hi,

With the newest openssl installed:

$ apt-get upgrade openssl
openssl is already the newest version (1.0.2g-1ubuntu4.8).
$ apt-get upgrade python-openssl

python-openssl is already the newest version (0.15.1-2build1).

I'm getting this error:

python gscout.py project test-project
Traceback (most recent call last):
  File "gscout.py", line 61, in <module>
    list_projects(sys.argv[1],sys.argv[2])
  File "gscout.py", line 32, in list_projects
    response = request.execute()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/googleapiclient/http.py", line 833, in execute
    method=str(self.method), body=self.body, headers=self.headers)
  File "/usr/local/lib/python2.7/dist-packages/googleapiclient/http.py", line 160, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/transport.py", line 159, in new_request
    credentials._refresh(orig_request_method)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 749, in _refresh
    self._do_refresh_request(http)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 774, in _do_refresh_request
    body = self._generate_refresh_request_body()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/client.py", line 1484, in _generate_refresh_request_body
    assertion = self._generate_assertion()
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/service_account.py", line 385, in _generate_assertion
    key_id=self._private_key_id)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/crypt.py", line 97, in make_signed_jwt
    signature = signer.sign(signing_input)
  File "/usr/local/lib/python2.7/dist-packages/oauth2client/_openssl_crypt.py", line 97, in sign
    return crypto.sign(self._key, message, 'sha256')
  File "/usr/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 2403, in sign
    md_ctx = _ffi.new("EVP_MD_CTX*")
TypeError: cannot instantiate ctype 'EVP_MD_CTX' of unknown size

Possible fix:

diff --git a/requirements.txt b/requirements.txt
index 18e384d..542b2b2 100755
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 tinydb==3.2.2
 google_api_python_client==1.6.1
-jinja2==2.9.5
\ No newline at end of file
+jinja2==2.9.5
+cryptography==1.4
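Review bot: pinning `cryptography==1.4` in the last added line works around the mismatch shown in the traceback (the distro's python-openssl 0.15.1 from the report above calling `_ffi.new("EVP_MD_CTX*")` against a newer cryptography), but it does so by freezing the project on an old cryptography release that will not receive later fixes, and it leaves the pyOpenSSL version unconstrained so the same mismatch can recur with a different distro package. Prefer adding an explicit `pyOpenSSL` requirement whose version matches the cryptography release the project tests against, so both libraries are installed into the virtualenv by `pip install -r requirements.txt` rather than one of them coming from the system. The `-jinja2==2.9.5` / `+jinja2==2.9.5` pair only adds the missing trailing newline and is fine to keep.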

GCS public objects not identified.

Currently the checks in buckets.py are looking solely at bucket level permissions. Since object level acl's can differ from bucket level permissions, publicly accessible objects are not identified. In order to determine if objects are publicly accessible acl's could be checked as well for the allUsers entity.
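Added example, not G-Scout's own code: a minimal rule engine shaped like the README's description of a custom rule (a Rule takes a name, a category and a filter function that receives the JSON object for that category), with two bucket rules that together illustrate the gap raised in this issue, one looking only at bucket-level ACLs and one descending into object-level ACLs for the allUsers / allAuthenticatedUsers entities. The Rule class, its evaluate method, the Finding tuple, the PUBLIC_PRINCIPALS set and the constructed sample entities are all assumptions of this example and are not G-Scout's actual API or entity_samples.json format.

```python
"""Toy rule engine in the style the G-Scout README describes (added example).

Assumptions, not from the page: the Rule/Finding classes below, the
`evaluate`/`run_rules` helpers, and the shape of the sample entities
(a simplified Cloud Storage bucket record with an `acl` list and an
`objects` list, each object carrying its own `acl` list).
"""
from collections import namedtuple

# Principals that make an ACL entry world-readable (or readable by any
# Google account). Assumed constant for this example.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

Finding = namedtuple("Finding", "rule category entity_name")


class Rule:
    """A named check over one category of fetched entities."""

    def __init__(self, name, category, filter_fn):
        self.name = name
        self.category = category
        self.filter_fn = filter_fn  # receives one entity dict, returns bool

    def evaluate(self, entities):
        """entities maps category -> list of entity dicts for that category."""
        return [
            Finding(self.name, self.category, entity.get("name", "<unnamed>"))
            for entity in entities.get(self.category, [])
            if self.filter_fn(entity)
        ]


def acl_is_public(acl):
    """True if any ACL entry grants access to a public principal."""
    return any(entry.get("entity") in PUBLIC_PRINCIPALS for entry in acl)


def bucket_is_public(bucket):
    """Bucket-level check only (what the issue says the current checks do)."""
    return acl_is_public(bucket.get("acl", []))


def has_public_objects(bucket):
    """Object-level check: each object may carry an ACL that differs from
    the bucket's, so a private bucket can still expose individual objects."""
    return any(acl_is_public(obj.get("acl", [])) for obj in bucket.get("objects", []))


RULES = [
    Rule("Bucket ACL grants public access", "buckets", bucket_is_public),
    Rule(
        "Object ACL grants public access inside a non-public bucket",
        "buckets",
        lambda b: not bucket_is_public(b) and has_public_objects(b),
    ),
]

# Constructed sample input for this example (not real project data).
SAMPLE_ENTITIES = {
    "buckets": [
        {
            "name": "example-public-assets",
            "acl": [{"entity": "project-owners-123", "role": "OWNER"},
                    {"entity": "allUsers", "role": "READER"}],
            "objects": [{"name": "logo.png",
                         "acl": [{"entity": "allUsers", "role": "READER"}]}],
        },
        {
            "name": "example-private-logs",
            "acl": [{"entity": "project-owners-123", "role": "OWNER"}],
            "objects": [
                {"name": "2019-01-01.log",
                 "acl": [{"entity": "project-owners-123", "role": "OWNER"}]},
                {"name": "leaked.log",
                 "acl": [{"entity": "allAuthenticatedUsers", "role": "READER"}]},
            ],
        },
        {
            "name": "example-locked-down",
            "acl": [{"entity": "project-owners-123", "role": "OWNER"}],
            "objects": [{"name": "secret.bin",
                         "acl": [{"entity": "project-owners-123", "role": "OWNER"}]}],
        },
    ]
}


def run_rules(entities, rules=RULES):
    """Apply every rule and return the flat list of findings."""
    findings = []
    for rule in rules:
        findings.extend(rule.evaluate(entities))
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_ENTITIES):
        print("[%s] %s: %s" % (finding.category, finding.rule, finding.entity_name))
```

Running the block reports example-public-assets under the bucket-level rule and example-private-logs only under the object-level rule; a bucket-only check would have missed the second one, which is the point of the issue above.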

Getting KeyError in gscout.py

I just did the setup as the README and got this error

master $ python gscout.py  "project" "decent-oxygen-188712"
Traceback (most recent call last):
  File "gscout.py", line 61, in <module>
    list_projects(sys.argv[1],sys.argv[2])
  File "gscout.py", line 33, in list_projects
    for project in response['projects']:
KeyError: 'projects'

Is it that I am doing something wrong somewhere?
I have created these projects as well

master $ gcloud projects list
PROJECT_ID                             NAME         PROJECT_NUMBER
decent-oxygen-188712                   test         789585268386
my-project-1481904208488               My Project   978641422651

Failed to Fetch

I have followed the README.md have created a service account with Security Reviewer and Viewer access but while running the scan I get the below output

(gscout) Sanjogs-MacBook-Pro:G-Scout sanjogpanda$ python gscout.py --project "infra*"
/Users/sanjogpanda/Envs/gscout/lib/python2.7/site-packages/oauth2client/_helpers.py:255: UserWarning: Cannot access creds.data: No such file or directory
warnings.warn(_MISSING_FILE_MESSAGE.format(filename))
('Scouting ', u'infra')
Failed to fetch roles.
Failed to fetch service accounts.
Failed to fetch SQL instances.

I understand the 3rd line, i.e. Failed to fetch SQL instances.

But I am not sure why G-Scout is not able to scan service accounts and roles

Failed to fetch roles.
Failed to fetch service accounts.

Could anyone please help me understand where I am going wrong?

Fixed Bug in fetch.py

The original code references submodules inside of core/, like core/rules.py, without the leading 'core.' Fixed that and the script runs cleanly now.

fetch.py.zip

KeyError: '_module'

I am having issues starting the G-Scout audit

(venv) a@zbox:~/src/G-Scout$ python gscout.py -p-name "XXXXX" 
Traceback (most recent call last):
  File "gscout.py", line 115, in <module>
    main()
  File "gscout.py", line 97, in main
    list_projects(project_or_org='project-name', specifier=args.project_name)
  File "gscout.py", line 36, in list_projects
    'v1', credentials=storage.get())
  File "/home/a/src/G-Scout/venv/local/lib/python2.7/site-packages/oauth2client/client.py", line 407, in get
    return self.locked_get()
  File "/home/a/src/G-Scout/venv/local/lib/python2.7/site-packages/oauth2client/file.py", line 54, in locked_get
    credentials = client.Credentials.new_from_json(content)
  File "/home/a/src/G-Scout/venv/local/lib/python2.7/site-packages/oauth2client/client.py", line 302, in new_from_json
    module_name = data['_module']
KeyError: '_module'
