• Stars
    star
    1,580
  • Rank 29,620 (Top 0.6 %)
  • Language Open Policy Agent
  • License
    Creative Commons ...
  • Created over 2 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automation to assess the state of your M365 tenant against CISA's baselines

ScubaGear M365 Secure Configuration Baseline Assessment Tool

Developed by CISA, this assessment tool verifies that an M365 tenantโ€™s configuration conforms to the policies described in the Secure Cloud Business Applications (SCuBA) Minimum Viable Secure Configuration Baseline documents.

Warning This tool is in an alpha state and in active development. At this time, outputs could be incorrect and should be reviewed carefully.

M365 Product License Assumptions

This tool was tested against tenants that have an M365 E3 or G3 and E5 or G5 license bundle. It may still function for tenants that do not have one of these bundles.

Some of the policy checks in the baseline rely on the following licenses which are included by default in M365 E5 and G5.

  • Azure AD Premium Plan 2
  • Microsoft Defender for Office 365 Plan 1

If a tenant does not have the licenses listed above, the report will display a non-compliant output for those policies.

Note: GCC-High/DOD endpoints are included, but have not been tested. Please open an issue if you encounter bugs. GCC-High testing in progress.

Installation

Downloading Repository

To download ScubaGear:

  1. Click here to see the latest release.
  2. Click ScubaGear-v0-2-0.zip (or latest version) to download the release.
  3. Extract the folder in the zip file.

Installing the required PowerShell Modules

Note: Only PowerShell 5.1 is currently supported. PowerShell 7 may work, but has not been tested. PowerShell 7 will be added in a future release.

To import the module, open a new PowerShell 5.1 terminal and navigate to the repository folder.

Then run:

.\Setup.ps1 #Installs the required modules
Import-Module -Name .\PowerShell\ScubaGear #Imports the tool into your session

Download the required OPA executable

Note: OPA executable download script is called by default when running SetUp.ps1. OPA.ps1 can also be run by itself to download the executable. In the event of an unsuccessful download, users can manually download the OPA executable with the following steps:

  1. Go to OPA download site (https://www.openpolicyagent.org/docs/latest/#running-opa)
  2. Check the acceptable OPA version (Currently v0.42.1) for Scuba and select the corresponding version on top left of the website
  3. Navigate to the menu on left side of the screen: Introduction - Running OPA - Download OPA
  4. Locate the downloaded file, add the file to the root directory of this repository, open PowerShell, and use the following command to check the downloaded OPA version
.\opa_windows_amd64.exe version

Note Starting with release 0.3.0, ScubaGear is signed by a commonly trusted CA. Depending on the PowerShell execution policy of the system running ScubaGear, different steps may be required before running ScubaGear. See PowerShell Execution Policies for more details.

Usage

ScubaGear can be invoked interactively or non-interactively. The interactive authentication mode will prompt the user for credentials via Microsoft's popup windows. Non-interactive mode is for invoking ScubaGear using an Azure AD application service principal and supports running the tool in automated scenarios such as pipelines or scheduled jobs. Examples 1-3 provide examples for running with interactive mode and example 4 provides an example for running in non-interactive mode.

Example 1: Run an assessment against all products (except PowerPlatform)

Invoke-SCuBA

Example 2: Run an assessment against Azure Active Directory with custom report output location

Invoke-SCuBA -ProductNames aad -OutPath C:\Users\johndoe\reports

Example 3: Run assessments against multiple products

Invoke-SCuBA -ProductNames aad, spo, teams

Example 4: Run assessments non-interactively using an application service principal and authenticating via CertificateThumbprint

Invoke-SCuBA -ProductNames * -CertificateThumbprint "<insert-thumbprint>" -AppID "<insert-appid>" -Organization tenant.onmicrosoft.com

To view more examples and see detailed help run:

Get-Help -Name Invoke-SCuBA -Full

Parameter Definitions

  • $LogIn is a $true or $false variable that if set to $true will prompt the user to provide credentials to establish a connection to the specified M365 products in the $ProductNames variable. For most use cases, leave this variable to be $true. A connection is established in the current PowerShell terminal session with the first authentication. To run another verification in the same PowerShell session, set this variable to be $false to bypass the need to authenticate again in the same session. Note: defender will ask for authentication even if this variable is set to $false

  • $ProductNames is a list of one ore more M365 shortened product names that the tool will assess when it is executed. Acceptable product name values are listed below. To assess Azure Active Directory you would enter the value aad. To assess Exchange Online you would enter exo and so forth.

    • Azure Active Directory: aad
    • Defender for Office 365: defender
    • Exchange Online: exo
    • OneDrive: onedrive
    • Power Platform: powerplatform
    • SharePoint Online: sharepoint
    • Teams: teams
  • $M365Environment parameter is used to authenticate to the various M365 commercial/ government environments. Valid values include commercial, gcc, gcchigh, or dod. Default value is commercial.

    • For M365 tenants that are non-government environments enter the value commercial.
    • For M365 Government Commercial Cloud tenants with G3/G5 licenses enter the value gcc.
    • For M365 Government Commercial Cloud High tenants enter the value gcchigh.
    • For M365 Department of Defense tenants enter the value dod.
  • $OPAPath refers to the folder location of the Open Policy Agent (OPA) policy engine executable file. By default the OPA policy engine executable embedded with this project is located in the project's root folder "./" and for most cases this value will not need to be modified. To execute the tool using a version of the OPA policy engine located in another folder, customize the variable value with the full path to the folder containing the OPA policy engine executable file.

  • $OutPath refers to the folder path where the output JSON and the HTML report will be created. Defaults to the same directory where the script is executed. This parameter is only necessary if an alternate report folder path is desired. The folder will be created if it does not exist.

Viewing the Report

The HTML report should open in your browser once the script completes. If it does not, navigate to the output folder and open the BaselineReports.html file using your browser. The result files generated from the tool are also saved to the output folder.

Required Permissions

When executing the tool interactively, there are two types of permissions that are required:

  • User Permissions (which are associated with Azure AD roles assigned to a user)
  • Application Permissions (which are assigned to the MS Graph PowerShell application in Azure AD).

User Permissions

The minimum user roles needed for each product are described in the table below.

This article also explains how to assign admin roles in M365.

Product Role
Azure Active Directory Global Reader
Teams Global Reader (or Teams Administrator)
Exchange Online Global Reader (or Exchange Administrator)
Defender for Office 365 Global Reader (or Exchange Administrator)
Power Platform Power Platform Administrator and a "Power Apps for Office 365" license
Sharepoint Online SharePoint Administrator
OneDrive SharePoint Administrator
  • Note: Users with the Global Administrator role always have the necessary user permissions to run the tool.

Microsoft Graph Powershell SDK permissions

The Azure AD baseline requires the use of Microsoft Graph. The script will attempt to configure the required API permissions needed by the Microsoft Graph PowerShell module, if they have not already been configured in the target tenant.

The process to configure the application permissions is sometimes referred to as the "application consent process" because an Administrator must "consent" for the Microsoft Graph PowerShell application to access the tenant and the necessary Graph APIs to extract the configuration data. Depending on the Azure AD roles assigned to the user running the tool and how the application consent settings are configured in the target tenant, the process may vary slightly. To understand the application consent process, read this article from Microsoft.

Microsoft Graph is used, because Azure AD PowerShell is being deprecated.

Note Microsoft Graph PowerShell SDK appears as "unverified" on the AAD application consent screen. This is a known issue.

The following API permissions are required for Microsoft Graph Powershell:

  • Directory.Read.All
  • GroupMember.Read.All
  • Organization.Read.All
  • Policy.Read.All
  • RoleManagement.Read.Directory
  • User.Read.All
  • UserAuthenticationMethod.Read.All

Application Service Principal Permissions & Setup

Below are the permissions for running the tool non-interactively. The minimum API permissions for all products are listed in the image below. The minimum user role permissions that need to be granted to the application are listed in the Assign the following Azure AD roles to the service principal subsection.

This video provides a good tutorial for creating an application manually in the Azure Portal. Augment the API permissions and replace the role assignment instructions in the video with the permissions listed below.

API Permissions ScubaGear App Service Principal API Permissions

Power Platform

For Power Platform, the application must be manually registered to Power Platform via interactive authentication.

Add-PowerAppsAccount -Endpoint prod -TenantID $tenantId # use -Endpoint usgov for gcc tenants
New-PowerAppManagementApp -ApplicationId $appId # Must be run from a Power Platform Adminstrator or Global Adminstrator account

Assign the following Azure AD roles to the service principal

  • SharePoint Administrator
  • Global Reader

Certificate store notes

  • Power Platform has a hardcoded expectation that the certificate is located in "Cert:\CurrentUser\My".
  • MS Graph seems to also have an expectation that the certificate at least be located in one of the local client's certificate store(s).

Notes: Only authentication via CertificateThumbprint is currently supported. We will also be supporting automated app registration in a later release.

Architecture

SCuBA Architecture diagram The tool employs a three-step process:

  1. Extract & Export. In this step, we utilize the various PowerShell modules authored by Microsoft to export and serialize all the relevant settings into JSON.
  2. Test & Record. Compare the exported settings from the previous step with the configuration prescribed in the baselines. This is done using OPA Rego, a declarative query language for defining policy. OPA provides a ready-to-use policy engine executable and version v0.41.0 is already included in this repository. The code for the ScubaGear tool was tested against the included version of OPA. To use a later version of the OPA policy engine, follow the instructions listed here and customize the $OPAPath variable described in the Usage section above.
  3. Format & Report. Package the data output by the OPA policy engine into a human-friendly HTML report.

Repository Organization

  • PowerShell contains the code used to export the configuration settings from the M365 tenant and orchestrate the entire process from export through evaluation to report. The main PowerShell module manifest SCuBA.psd1 is located in the PowerShell folder.
  • Rego holds the .rego files. Each Rego file audits against the desired state for each product, per the SCuBA M365 secure configuration baseline documents.
  • Testing contains code that is used during the development process to unit test Rego policies.

Project License

Unless otherwise noted, this project is distributed under the Creative Commons Zero license. With developer approval, contributions may be submitted with an alternate compatible license. If accepted, those contributions will be listed herein with the appropriate license.

Troubleshooting

Executing against multiple tenants

ScubaGear creates connections to several M365 services. If running against multiple tenants, it is necessary to disconnect those sessions.

Invoke-SCuBA includes the -DisconnectOnExit parameter to disconnect each of connection upon exit. To disconnect sessions after a run, use Disconnect-SCuBATenant. The cmdlet disconnects from Azure Active Directory (via MS Graph API), Defender, Exchange Online, OneDrive, Power Platform, SharePoint Online, and Microsoft Teams.

Disconnect-SCuBATenant

The cmdlet will attempt to disconnect from all services regardless of current session state. Only connections established within the current PowerShell session will be disconnected and removed. Services that are already disconnected will not generate an error.

Errors connecting to Defender

If when running the tool against Defender (via ExchangeOnlineManagement PowerShell Module), you may see the connection error "Create Powershell Session is failed using OAuth" in the Powershell window, follow the instructions in this section. An example of the full error message is provided below.

WARNING: Please note that you can only use above 9 new EXO cmdlets (the one with *-EXO* naming pattern). You can't use other cmdlets
as we couldn't establish a Remote PowerShell session as basic auth is disabled in your client machine. To enable Basic Auth, please
check instruction here
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#prerequisites-for-the-exo-v2-module
Create Powershell Session is failed using OAuth

If you see this error message it means that basic authentication needs to be enabled on the client computer running the automation scripts. The automation relies on the Microsoft Security & Compliance PowerShell environment for Defender information. Security & Compliance PowerShell connections, unlike other services used by the ExchangeOnlineManagement module, currently require basic authentication to be enabled on the local machine. Basic authentication is required because the ExchangeOnlineManagement module connects to Security & Compliance PowerShell using Remote PowerShell, which only supports basic authentication. Even in this case, your password is NOT sent to the remote server. When running the tool against M365 products other than Defender, basic authentication need not be enabled on the client computer. Note that these instructions are only about the behavior of the client computer running the tool. In particular, basic authentication should still be disabled using conditional access per the Azure Active Directory baseline instructions.

Enabling basic authentication instructions are here. We provide a convenience script named .\AllowBasicAuthentication.ps1, in the root project folder, to enable basic authentication. The script must be run from a PowerShell "Run as administrator" window and it updates a registry key. Depending on how your client computer is configured you may have to re-enable basic authentication each time you restart your computer or after it completes a group policy update.

Exchange Online maximum connections error

If when running the tool against Exchange Online, you see the error below in the Powershell window, follow the instructions in this section.

New-ExoPSSession : Processing data from remote server outlook.office365.com failed with the
following error message: [AuthZRequestId=8feccdea-493c-4c12-85dd-d185232cc0be][FailureCategory=A
uthZ-AuthorizationException] Fail to create a runspace because you have exceeded the maximum
number of connections allowed : 3

If you see the error above run the command below in Powershell:

Disconnect-ExchangeOnline

or alternatively run Disconnect-SCuBATenant exported by the ScubaGear module.

Disconnect-SCuBATenant

Power Platform empty policy in report

In order for the tool to properly assess the Power Platform product, one of the following conditions must be met:

  • The tenant includes the Power Apps for Office 365 license AND the user running the tool has the Power Platform Administrator role assigned
  • The user running the tool has the Global Administrator role

If these conditions are not met, the tool will generate an incorrect report output. The development team is working on a fix to address this bug that will be included in the next release. The screenshot below shows an example of this error for Power Platform policy 2.3. When a user with the required license and role runs the tool, it will produce a correct report.

Power Platform missing license

Microsoft Graph Errors

Infinite AAD Signin Loop

While running the tool, AAD signin prompts sometimes get stuck in a loop. This is likely an issue with the connection to Microsoft Graph.

To fix the loop, run:

Disconnect-MgGraph

Then run the tool again.

Error Connect-MgGraph : Key not valid for use in specified state.

This is due to a bug in the Microsoft Authentication Library. The workaround is to delete broken configuration information by running this command (replace {username} with your username):

rm -r C:\Users\{username}\.graph

After deleting the .graph folder in your home directory, re-run the tool and the error should disappear.

Error Could not load file or assembly 'Microsoft.Graph.Authentication'

This indicates that the authentication module is at a version level that conflicts with the MS Graph modules used by the tool. Follow the instructions in the Installation section and execute the Setup script again. This will ensure that the module versions get synchronized with dependencies and then execute the tool again.

Running the Script Behind Some Proxies

If you receive connection or network proxy errors, try running:

$Wcl=New-Object System.Net.WebClient
$Wcl.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials

Utility Scripts

The ScubaGear repository includes several utility scripts to help with troubleshooting and recovery from error conditions in the utils folder. These helper scripts are designed to assist developers and users when running into errors with the ScubaGear tool or local system environment. See the sections below for details on each script.

ScubaGear Support

If a user receives errors and needs additional support diagnosing issues, the ScubaGearSupport.ps1 script can be run to gather information about their system environment and previous tool output. The script gathers this information into a single ZIP formatted archive to allow for easy sharing with developers or other support staff to assist in troubleshooting. Since the script does gather report output, do keep in mind that the resulting archive may contain details about the associated M365 environment and its settings.

The script can be run with no arguments and will only collect environment information for troubleshooting. If the IncludeReports parameter is provided, it will contain the most recent report from the default Reports folder.

.\ScubaGearSupport.ps1

An alternate report path can be specified via the ReportPath parameter.

.\ScubaGearSupport.ps1 -ReportPath C:\ScubaGear\Reports

Finally, the script can optionally include all previous reports rather than the most recent one by adding the AllReports option.

.\ScubaGearSupport.ps1 -AllReports

Data gathered by the script includes:

  • Listings of locally installed PowerShell modules and their installation paths
  • PowerShell versions and environment details
  • WinRM client service Basic Authentication registry setting
  • (optional) ScubaGear output from one or more previous invocations which contains
    • HTML product and summary reports
    • JSON-formatted M365 product configuration extracts
    • JSON and CSV-formatted M365 baseline test results

Removing installed modules

ScubaGear requires a number of PowerShell modules to function. A user or developer, however, may wish to remove these PowerShell modules for testing or for cleanup after ScubaGear has been run. The UninstallModules.ps1 script will remove the latest version of the modules required by ScubaGear and installed by the associated Setup.ps1 script. The script does not take any options and can be as follows:

.\UninstallModules.ps1

PowerShellGet 2.x has a known issue uninstalling modules installed on a OneDrive path that may result in an "Access to the cloud file is denied" error. Installing PSGet 3.0, currently in beta, will allow the script to successfully uninstall such modules or you can remove the modules files from OneDrive manually.

PowerShell Execution Policies

On Windows Servers, the default execution policy is RemoteSigned, which will allow ScubaGear to run after the publisher (CISA) is agreed to once.

On Windows Clients, the default execution policy is Restricted. In this case, Set-ExecutionPolicy RemoteSigned should be invoked to permit ScubaGear to run.

In ScubaGear version 0.2.1 and earlier, running Unblock-File on the ScubaGear folder may be required. See here for more information.

More Repositories

1

RedEye

RedEye is a visual analytic tool supporting Red & Blue Team operations
TypeScript
2,654
star
2

Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Python
1,504
star
3

cset

Cybersecurity Evaluation Tool
TSQL
1,424
star
4

Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
PowerShell
1,371
star
5

log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Java
1,262
star
6

log4j-affected-db

A community sourced list of log4j-affected software
Shell
1,115
star
7

CHIRP

A DFIR tool written in Python.
Python
1,040
star
8

decider

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CKยฎ framework.
HTML
1,021
star
9

LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
Python
795
star
10

untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customerโ€™s Azure Active Directory (AzureAD), Azure, and M365 environments.
Python
699
star
11

pshtt

Scan domains and return data based on HTTPS best practices
Python
670
star
12

crossfeed

External monitoring for organization assets
TypeScript
320
star
13

ESXiArgs-Recover

A tool to recover from ESXiArgs ransomware
Shell
292
star
14

trustymail

Scan domains and return data based on trustworthy email best practices
Python
185
star
15

bad-practices

CISA's catalog of bad practices that are exceptionally risky.
Shell
181
star
16

development-guide

A set of guidelines and best practices for an awesome engineering team
Python
180
star
17

ScubaGoggles

SCuBA Secure Configuration Baselines and assessment tool for Google Workspace
Open Policy Agent
148
star
18

cyber.dhs.gov

A site for CISA directives
SCSS
138
star
19

dotgov-data

Official list of .gov domains
108
star
20

check-cve-2019-19781

Test a host for susceptibility to CVE-2019-19781
Python
105
star
21

ICSNPP

Industrial Control Systems Network Protocol Parsers
104
star
22

findcdn

findCDN is a tool created to help accurately identify what CDN a domain is using.
Python
95
star
23

prescup-challenges

President's Cup Cybersecurity Competition Challenges
Python
78
star
24

shareable-soar-workflows

This is a repository of vendor-agnostic workflows provided for those interested in deploying Security Orchestration, Automation, and Response capabilities within their organizations.
74
star
25

parsnip

Python
68
star
26

ansible-role-cobalt-strike

An Ansible role for installing Cobalt Strike.
HCL
66
star
27

cybersecurity-performance-goals

CISA's space for collaboration on the Cybersecurity Performance Goals.
Shell
53
star
28

PNT-Integrity

The PNT Integrity Library provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
C++
49
star
29

join-cisagov

CISA is hiring! Weโ€™re looking for candidates passionate about our mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.
Shell
45
star
30

gophish-tools

Helpful tools for interacting with a GoPhish phishing instance
Python
42
star
31

gophish-docker

Docker container for the gophish phishing framework.
Shell
40
star
32

ioc-scanner

Search a filesystem for indicators of compromise (IoC).
Python
39
star
33

pca-gophish-composition

Phishing campaign docker composition for Gophish
Shell
34
star
34

vdp-in-fceb

Vulnerability disclosure policies in the US Government's executive branch
32
star
35

Epsilon

The Epsilon Algorithm Suite provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
Python
31
star
36

check-your-pulse

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
Python
28
star
37

getgov

Building a new .gov registrar for a bright .gov future
Python
27
star
38

postfix-docker

Docker container with a postfix server designed for use during phishing campaigns
Shell
26
star
39

dotgov-home

Homepage for the .gov registry
SCSS
25
star
40

assessment-reporting-engine

Python
24
star
41

skeleton-python-library

A skeleton project for quickly getting a new cisagov Python library started.
Python
19
star
42

scanner

Automated pshtt, trustymail, and sslyze scanning
Shell
18
star
43

cyhy_amis

AWS infrastructure for Cyber Hygiene and BOD 18-01 scanning
HCL
16
star
44

skeleton-docker

A skeleton project for quickly getting a new cisagov Docker container started.
Shell
15
star
45

admiral

Distributed certificate transparency log harvester
Python
14
star
46

icsnpp-opcua-binary

Zeek OPCUA Binary Parser - CISA ICSNPP
JavaScript
13
star
47

pe-reports

Automated process to build and distribute Posture & Exposure Reports' bi-weekly to customers.
Python
13
star
48

icsnpp-enip

Zeek Ethernet/IP and CIP Parser - CISA ICSNPP
Zeek
13
star
49

icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
JavaScript
12
star
50

ansible-role-clamav

Ansible role to install and enable the ClamAV virus scanner
Shell
12
star
51

lambda_functions

Generate AWS Lambda environment zip files for use by cisagov/domain-scan
Shell
12
star
52

icsnpp-s7comm

Zeek S7comm, S7comm-plus, and COTP Parser - CISA ICSNPP
JavaScript
11
star
53

network-architecture-verification-and-validation

The NAVV (Network Architecture Verification and Validation) tool creates a spreadsheet for network traffic analysis from PCAP data and Zeek logs, automating Zeek analysis of PCAP files, the collation of Zeek logs and the dissection of conn.log and dns.log to create a summary or network traffic in an XLSX-formatted spreadsheet.
Python
11
star
54

docker-kali-ansible

A systemd-enabled Kali Linux Docker image, in the spirit of geerlingguy/docker-debian11-ansible.
Dockerfile
10
star
55

tic3.0

Collaborating on Trusted Internet Connection 3.0 use cases
10
star
56

icsnpp-genisys

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Genisys over TCP/IP
Python
10
star
57

gh-skeleton

This extension for the gh CLI provides the ability to easily start new projects from our existing library of skeleton repositories.
Shell
10
star
58

scoping-validation-tool

SVT is a tool that can be used to verify ownership and location of assets during the scoping process of a penetration test.
Python
9
star
59

orchestrator

Orchestrate gatherer, scanner, saver, and trustymail_reporter
Shell
9
star
60

pshtt_reporter

Generate HTTPS reports based on scan data
Python
9
star
61

cyhy-mailer

Email Cyber Hygiene, Trustworthy Email, and HTTPS reports to the appropriate technical or distribution addresses
Python
9
star
62

trustymail_reporter

Generate Trustworthy Email reports based on scan data
Python
9
star
63

pre-commit-packer

Provides pre-commit hooks for Packer projects.
Shell
9
star
64

nessus-packer

Create machine images containing the Nessus vulnerability scanner
HCL
9
star
65

domain-manager-api

Flask API for Domain Manager
Python
9
star
66

gatherer

Gather domains as a precursor to scanning
Shell
9
star
67

certboto-docker

Certbot container that stores its configuration in an AWS S3 bucket
Shell
9
star
68

icsnpp-modbus

Zeek Modbus Extension Scripts - CISA ICSNPP
Zeek
8
star
69

ansible-role-kali

An Ansible role for provisioning kali
HCL
8
star
70

aws-profile-sync

Synchronize AWS credential profiles from remote sources
Python
8
star
71

icsnpp-dnp3

Zeek DNP3 Extension Scripts - CISA ICSNPP
Zeek
8
star
72

dmarc-import

A tool for parsing DMARC aggregate reports.
Python
8
star
73

icsnpp-bsap-ip

Zeek BSAP over IP Parser - CISA ICSNPP
JavaScript
8
star
74

CISASuite

The CSET, Malcom, Con-PCA suite of tools
HTML
8
star
75

skeleton-generic

A generic skeleton project for quickly getting a new cisagov project started.
Shell
8
star
76

icsnpp-ethercat

Zeek Ethercat Parser - CISA ICSNPP
C++
8
star
77

Sogu

This script generates a list of possible SOGU filenames based on serial numbers of active drives. It has the added functionality of searching each drive from the generated file list.
PowerShell
8
star
78

PNT-Integrity-Toolkit

The PNT Integrity DIY Toolkit describes how a perspective end-user of the PNT Integrity Library can assemble a demonstrational toolkit with commercial-off-the-shelf (COTS) hardware.
C++
7
star
79

travis-wait-improved

A tool to help long-running, yet reticent, processes avoid death at the hands of Traivs-CI.
Python
7
star
80

con-pca-api

API Docker Container for Con-PCA
HTML
7
star
81

.dotfiles

Generic set of dotfiles to get you started with a cisagov development environment
Shell
7
star
82

domain-manager-ui

UI for the Domain Manager
HTML
7
star
83

pen-testing-findings

A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
7
star
84

vulnerable-instances

Virtual machines that are set up with a variety of known vulnerabilities.
HCL
7
star
85

scan-target-data

Contains data used to identify targets for scanning
Shell
6
star
86

openvpn-server-tf-module

Terraform module to create an OpenVPN server instance
HCL
6
star
87

ansible-role-burp-suite-pro

An Ansible role for installing Burp Suite Professional
HCL
6
star
88

con-pca-web

The website source and terraform code for continuous phishing assessment.
HTML
6
star
89

security-contact-finder

Making government security contacts accessible
CSS
6
star
90

con-pca-cicd

continuous phishing main repository
HCL
6
star
91

flare-misp-service

Automate the regular transfer of AIS data into a MISP Server
Java
6
star
92

saver

Save scan results to a database
Python
6
star
93

megazord-composition

Shell
6
star
94

ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate users certificates against FreeIPA.
Shell
6
star
95

ansible-role-amazon-efs-utils

An Ansible role for installing aws/efs-utils
Shell
5
star
96

awssh

Tool to simplify secure shell connections over AWS simple systems manager.
Python
5
star
97

sslyze-lambda

AWS Lambda function for sslyze
Python
5
star
98

cyhy-core

Python
5
star
99

ncats-data-dictionary

Shell
5
star
100

cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL
HCL
5
star