• This repository has been archived on 13/Jun/2018
  • Stars
    star
    156
  • Rank 230,741 (Top 5 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created about 7 years ago
  • Updated almost 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool for auditing security properties of GCP projects.

gcp-audit

This code purely exists for posterity, it is no longer developed or maintained. Please look to Forseti Security for your GCP auditing needs. The PyPi package gcp-audit is not the same thing.


A tool for auditing security properties of GCP projects. Inspired by Scout2.

gcp-audit takes a set of projects and audits them for common issues as defined by its ruleset. Issues can include, but are certainly not limited to, storage buckets with read/write permissions for anyone and compute engine instances with services exposed to the Internet.

The results are written to a report containing information about issues that were found along with information about which objects these issues were found in so that it's possible to address the problems.

gcp-audit is currently in alpha status. We are actively improving it and Spotify's production environment is our current test suite.

Installation

Run pip install git+https://github.com/spotify/gcp-audit.git.

Usage

usage: gcp-audit.py [-h] [-c CHECKS] [-k KEYFILE] [-o OUTPUT] [-p PROJECTS]

A tool for auditing security properties of GCP projects.

optional arguments:
  -h, --help            show this help message and exit
  -c CHECKS, --checks CHECKS
                        comma separated list of types of checks to run
  -k KEYFILE, --keyfile KEYFILE
                        keyfile to use for GCP credentials
  -o OUTPUT, --output OUTPUT
                        file to output results to
  -p PROJECTS, --projects PROJECTS
                        comma separated list of GCP projects to audit

Prerequisites

Make sure you have virtualenv (on OSX: brew install virtualenv) then run

virtualenv env
env/bin/pip install gcp-audit
GOOGLE_APPLICATION_CREDENTIALS=YourCredentials-abc123.json env/bin/python gcp-audit

Alternatively you can specify your credentials using the -k switch. Make sure your credentials have the Organization viewer role.

Supported Python versions: 2.7+

Development

To contribute and develop, clone the project inside a virtualenv and install all the dependencies with pip install -r requirements.txt.

Rules

Rules are put in a subdirectory under rules/. The subdirectories are based on the check category. Currently checks for the following categories exist:

  • bucket_objects - objects within buckets (as opposed to the buckets themselves)
  • buckets - buckets. :)
  • firewalls - GCP firewall settings
  • cloudsql - CloudSQL instances

The rule language is fairly simplistic and can be done using YAML (which will be translated to JSON internally) or raw JSON. Each rule can specify the following:

  • name - the name of the rule that will be shown in reports etc.
  • filters - a list of filters that the engine should use to match the rule to the object that is being evaluated. This section needs a set of subproperties defined, see below.
    • matchtype - specifies how the engine should match filter properties. Valid values are "regex", "exact", "partial" and "count". See the "Match types" section below for more details.
    • filter - a template of properties and values that will be matched against the object. The structure of the filter needs to mimic the structure of the object.
    • listcondition (OPTIONAL) - what boolean operator to apply if a rule specifies lists with values. Can be "and" or "or". "and" means all list entries must match. "or" means at least one list entry must match.
  • filtercondition (OPTIONAL) - what boolean operator to apply between multiple filters. Can be "and" or "or". "and" means all filters must match. "or" means at least one list entry must match. Default is "and".

Rules will match against output received from the API's Google exposes for each service supported by gcp-audit. The official documentation on the API's can be found here but to make writing rules easier, sample objects for each category are provided in the docs/samples directory. As an example of what a rule can look like, this rule will find CloudSQL instances that are exposed to 0.0.0.0/0:

{
    "name": "Traffic allowed from all IP's to CloudSQL instance",
    "filters": [{
        "matchtype": "exact",
        "filter": {
          "settings":{
            "ipConfiguration":{
              "authorizedNetworks":[{
                "value":"0.0.0.0/0"
              }]
            }
          }
        }
    }]
}

And here's the same rule in YAML format:

name: Traffic allowed from all IP's to CloudSQL instance
filters:
  - matchtype: exact
    filter:
      settings:
        ipConfiguration:
          authorizedNetworks:
            - value: 0.0.0.0/0

The engine will apply the filters defined in the template to the object and check whether the properties match exactly and the values match according to the defined matchtype for each filter.

Match types

Each filter must define a match type that will be used for evaluating filter values against object values. Each filter can define only one match type, so for rules that need to evaluate something based on multiple match types, separate filters need to be created.

Examples below are all matching this mock object:

{"someproperty":"some text"}

exact

Match filter values to the corresponding object values exactly.

Example:

{
"name":"Example regex rule",
"filters":[{
  "matchtype":"exact",
  "filter":{
    "someproperty":"some text"
    }
  }]
}

partial

Match filter values to the corresponding object values by checking if the filter values are a subset of the object values. No wildcards needed, or supported - wildcards will be treated as regular characters so should only be used if you actually want to match a literal *.

Example:

{
"name":"Example partial rule",
"filters":[{
  "matchtype":"partial",
  "filter":{
    "someproperty":"me tex"
    }
  }]
}

regex

Match filter values to the corresponding object values based on regular expressions.

Example:

{
"name":"Example regex rule",
"filters":[{
  "matchtype":"regex",
  "filter":{
    "someproperty":"^.+?so?e\s+text\s*"
    }
  }]
}

numeric

Perform a numeric comparison between the filter value and the object value. The syntax is "field":"<op> <value>" where op is one of eq, lt, le, gt or ge.

Example:

{
"name":"Example numeric rule",
"filters":[{
  "matchtype":"numeric",
  "filter":{
    "someproperty":"lt 100"
    }
  }]
}

count

This match type doesn't actually look at the data in the fields themselves but rather counts how many occurrences are found of the field that is to be matched. Syntax is identical to the one used for the numeric match type, see previous section.

Example:

{
"name":"Example count rule",
"filters":[{
  "matchtype":"count",
  "filter":{
    "someproperty":"ge 1"
    }
  }]
}

Caveats

When writing rules, it's important to remember that the filter template needs to match the object EXACTLY. If a value exists within a list in the object, the template needs to reflect that too. So for the following object:

{"name":"someobject","properties":[{"someproperty":"somevalue"}]}

The following template will NOT match, because the subsection under "properties" is not specified as a list:

{"properties":{"someproperty":"somevalue"}}

But this one matches:

{"properties":[{"someproperty":"somevalue"}]}

Handling both these templates so they both match in an unambiguous way is on the todo list.

Code of Conduct

This project adheres to the Open Code of Conduct. By participating, you are expected to honor this code.

More Repositories

1

luigi

Luigi is a Python module that helps you build complex pipelines of batch jobs. It handles dependency resolution, workflow management, visualization etc. It also comes with Hadoop support built in.
Python
17,089
star
2

annoy

Approximate Nearest Neighbors in C++/Python optimized for memory usage and loading/saving to disk
C++
12,458
star
3

docker-gc

INACTIVE: Docker garbage collection of containers and images
Shell
5,068
star
4

pedalboard

🎛 🔊 A Python library for audio.
C++
4,823
star
5

chartify

Python library that makes it easy for data scientists to create charts.
Python
3,447
star
6

basic-pitch

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection
Python
2,818
star
7

dockerfile-maven

MATURE: A set of Maven tools for dealing with Dockerfiles
Java
2,730
star
8

docker-maven-plugin

INACTIVE: A maven plugin for Docker
Java
2,652
star
9

scio

A Scala API for Apache Beam and Google Cloud Dataflow.
Scala
2,485
star
10

helios

Docker container orchestration platform
Java
2,097
star
11

web-api-examples

Basic examples to authenticate and fetch data using the Spotify Web API
HTML
1,889
star
12

HubFramework

DEPRECATED – Spotify’s component-driven UI framework for iOS
Objective-C
1,864
star
13

apollo

Java libraries for writing composable microservices
Java
1,648
star
14

dh-virtualenv

Python virtualenvs in Debian packages
Python
1,590
star
15

docker-client

INACTIVE: A simple docker client for the JVM
Java
1,425
star
16

docker-kafka

Kafka (and Zookeeper) in Docker
Shell
1,400
star
17

SPTPersistentCache

Everyone tries to implement a cache at some point in their iOS app’s lifecycle, and this is ours.
Objective-C
1,244
star
18

mobius

A functional reactive framework for managing state evolution and side-effects.
Java
1,205
star
19

sparkey

Simple constant key/value storage library, for read-heavy systems with infrequent large bulk inserts.
C
1,143
star
20

ruler

Gradle plugin which helps you analyze the size of your Android apps.
Kotlin
1,100
star
21

voyager

🛰️ Voyager is an approximate nearest-neighbor search library for Python and Java with a focus on ease of use, simplicity, and deployability.
C++
1,090
star
22

XCMetrics

XCMetrics is the easiest way to collect Xcode build metrics and improve developer productivity.
Swift
1,079
star
23

web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
RAML
981
star
24

echoprint-codegen

Codegen for Echoprint
C++
948
star
25

snakebite

A pure python HDFS client
Python
859
star
26

heroic

The Heroic Time Series Database
Java
843
star
27

klio

Smarter data pipelines for audio.
Python
827
star
28

XCRemoteCache

Swift
815
star
29

apps-tutorial

A Spotify App that contains working examples of the use of Spotify Apps API
627
star
30

SPTDataLoader

The HTTP library used by the Spotify iOS client
Objective-C
624
star
31

ios-sdk

Spotify SDK for iOS
Objective-C
609
star
32

postgresql-metrics

Tool that extracts and provides metrics on your PostgreSQL database
Python
584
star
33

JniHelpers

Tools for writing great JNI code
C++
584
star
34

reactochart

📈 React chart component library 📉
JavaScript
548
star
35

Mobius.swift

A functional reactive framework for managing state evolution and side-effects [Swift implementation]
Swift
543
star
36

dockerfile-mode

An emacs mode for handling Dockerfiles
Emacs Lisp
520
star
37

threaddump-analyzer

A JVM threaddump analyzer
JavaScript
482
star
38

featran

A Scala feature transformation library for data science and machine learning
Scala
467
star
39

android-sdk

Spotify SDK for Android
HTML
440
star
40

echoprint-server

Server for the Echoprint audio fingerprint system
Java
398
star
41

web-scripts

DEPRECATED: A collection of base configs and CLI wrappers used to speed up development @ Spotify.
TypeScript
381
star
42

completable-futures

Utilities for working with futures in Java 8
Java
378
star
43

SpotifyLogin

Swift framework for authenticating with the Spotify API
Swift
344
star
44

ratatool

A tool for data sampling, data generation, and data diffing
Scala
334
star
45

fmt-maven-plugin

Opinionated Maven Plugin that formats your Java code.
Java
299
star
46

big-data-rosetta-code

Code snippets for solving common big data problems in various platforms. Inspired by Rosetta Code
Scala
286
star
47

trickle

A small library for composing asynchronous code
Java
284
star
48

coordinator

A visual interface for turning an SVG into XY coördinates.
HTML
282
star
49

pythonflow

🐍 Dataflow programming for python.
Python
279
star
50

styx

"The path to execution", Styx is a service that schedules batch data processing jobs in Docker containers on Kubernetes.
Java
267
star
51

cstar

Apache Cassandra cluster orchestration tool for the command line
Python
254
star
52

netty-zmtp

A Netty implementation of ZMTP, the ZeroMQ Message Transport Protocol.
Java
242
star
53

ios-style

Guidelines for iOS development in use at Spotify
240
star
54

cassandra-reaper

Software to run automated repairs of cassandra
235
star
55

confidence

Python
232
star
56

spotify-web-api-ts-sdk

A Typescript SDK for the Spotify Web API with types for returned data.
TypeScript
231
star
57

docker-cassandra

Cassandra in Docker with fast startup
Shell
219
star
58

terraform-gke-kubeflow-cluster

Terraform module for creating GKE clusters to run Kubeflow
HCL
209
star
59

dns-java

DNS wrapper library that provides SRV lookup functionality
Java
203
star
60

linux

Spotify's Linux kernel for Debian-based systems
C
203
star
61

git-test

test your commits
Shell
202
star
62

SPStackedNav

[DEPRECATED] Navigation controller which represents its content in stacks of panes, rather than one at a time
Objective-C
195
star
63

basic-pitch-ts

A lightweight yet powerful audio-to-MIDI converter with pitch bend detection.
TypeScript
194
star
64

quickstart

A CommonJS module resolver, loader and compiler for node.js and browsers.
JavaScript
193
star
65

spotify-json

Fast and nice to use C++ JSON library.
C++
190
star
66

dbeam

DBeam exports SQL tables into Avro files using JDBC and Apache Beam
Java
181
star
67

flink-on-k8s-operator

Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
178
star
68

bazel-tools

Tools for dealing with very large Bazel-managed repositories
Java
165
star
69

lingon

A user friendly tool for building single-page JavaScript applications
JavaScript
162
star
70

dataenum

Algebraic data types in Java.
Java
159
star
71

magnolify

A collection of Magnolia add-on modules
Scala
157
star
72

async-google-pubsub-client

[SUNSET] Async Google Pubsub Client
Java
156
star
73

spark-bigquery

Google BigQuery support for Spark, SQL, and DataFrames
Scala
154
star
74

flo

A lightweight workflow definition library
Java
146
star
75

folsom

An asynchronous memcache client for Java
Java
143
star
76

should-up

Remove most of the "should" noise from your tests
JavaScript
143
star
77

missinglink

Build time tool for detecting link problems in java projects
Java
142
star
78

zoltar

Common library for serving TensorFlow, XGBoost and scikit-learn models in production.
Java
141
star
79

android-auth

Spotify authentication and authorization for Android. Part of the Spotify Android SDK.
HTML
139
star
80

proto-registry

An implementation of the Protobuf Registry API
TypeScript
139
star
81

futures-extra

Java library for working with Guava futures
Java
136
star
82

annoy-java

Approximate nearest neighbors in Java
Java
134
star
83

spydra

Ephemeral Hadoop clusters using Google Compute Platform
Java
133
star
84

spotify-tensorflow

Provides Spotify-specific TensorFlow helpers
Python
124
star
85

docker-stress

Simple docker stress test and monitoring tools
Python
124
star
86

spotify-web-playback-sdk-example

React based example app that creates a new player in Spotify Connect to play music from in the browse using Spotify Web Playback SDK.
JavaScript
120
star
87

crtauth

a public key backed client/server authentication system
Python
118
star
88

redux-location-state

Utilities for reading & writing Redux store state to & from the URL
JavaScript
118
star
89

sparkey-java

Java implementation of the Sparkey key value store
Java
117
star
90

rspec-dns

Easily test your DNS with RSpec
Ruby
108
star
91

web-playback-sdk

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web Playback SDK ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer
108
star
92

ffwd-ruby

An event and metrics fast-forwarding agent.
Ruby
106
star
93

realbook

Easier audio-based machine learning with TensorFlow.
Python
106
star
94

github-java-client

A Java client to Github API
Java
105
star
95

gimme

Creating time bound IAM Conditions with ease and flair
Python
103
star
96

super-smash-brogp

Sends and withdraws BGP prefixes for fun.
Python
98
star
97

lighthouse-audit-service

TypeScript
93
star
98

noether

Scala Aggregators used for ML Model metrics monitoring
Scala
91
star
99

python-graphwalker

Python re-implementation of the graphwalker testing tool
Python
90
star
100

spotify-js-challenge

JavaScript
87
star