Google Cloud Platform ~ Auditing & Hardening Script
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md
h1.jpg
h2.jpg
hayat.sh
hayat1.jpg
hayat2.jpg
report_template.html

README.md

Hayat

Google Cloud Platform Auditing & Hardening Script ~

What does that mean "Hayat"?

Well, I had a hard time finding a unique name, honestly. "Hayat" is a Turkish word which means "Life" in English and also my niece's name. Are you ready to meet her?

😍 😍 😍


Hayat is a auditing & hardening script for Google Cloud Platform services such as:

  • Identity & Access Management
  • Logging and monitoring
  • Networking
  • Virtual Machines
  • Storage
  • Cloud SQL Instances
  • Kubernetes Clusters

for now.

Identity & Access Management

  • Ensure that corporate login credentials are used instead of Gmail accounts.
  • Ensure that there are only GCP-managed service account keys for each service account.
  • Ensure that ServiceAccount has no Admin privileges.
  • Ensure that IAM users are not assigned Service Account User role at project level.

Logging and Monitoring

  • Ensure that sinks are configured for all Log entries.

Networking

  • Ensure the default network does not exist in a project.
  • Ensure legacy networks does not exists for a project.
  • Ensure that DNSSEC is enabled for Cloud DNS.
  • Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC.
  • Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC.
  • Ensure that RDP access is restricted from the Internet.
  • Ensure Private Google Access is enabled for all subnetwork in VPC Network.
  • Ensure VPC Flow logs is enabled for every subnet in VPC Network.

Virtual Machines

  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
  • Ensure "Block Project-wide SSH keys" enabled for VM instances.
  • Ensure oslogin is enabled for a Project.
  • Ensure 'Enable connecting to serial ports' is not enabled for VM Instance.
  • Ensure that IP forwarding is not enabled on Instances.

Storage

  • Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
  • Ensure that logging is enabled for Cloud storage bucket.

Cloud SQL Database Services

  • Ensure that Cloud SQL database instance requires all incoming connections to use SSL.
  • Ensure that Cloud SQL database Instances are not open to the world.
  • Ensure that MySql database instance does not allow anyone to connect with administrative privileges.
  • Ensure that MySQL Database Instance does not allows root login from any host.

Kubernetes Engine

  • Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
  • Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Kubernetes Clusters are configured with Labels.
  • Ensure Kubernetes web UI / Dashboard is disabled.
  • Ensure Automatic node repair is enabled for Kubernetes Clusters.
  • Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes.
  • Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
  • Ensure Basic Authentication is disabled on Kubernetes Engine Clusters.

Requirements

Hayat has been written in bash script using gcloud and it's compatible with Linux and OSX.

Usage

git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh

You can use with specific functions, e.g if you want to scan just Kubernetes Cluster:

./hayat.sh --only-k8s

Screenshots

image

image