Cloud Security Suite (cs-suite) - Version 3.0

Usage

usage: cs.py [-h] -env {aws,gcp,azure,digitalocean} -aip AUDIT_IP -u USER_NAME -pem
             PEM_FILE [-p] [-pId PROJECT_ID] [-az_u AZURE_USER]
             [-az_p AZURE_PASS] [-o OUTPUT] [-w] [-n NUMBER]
this is to get IP address for lynis audit only
optional arguments:
  -h, --help            show this help message and exit
  -env {aws,gcp,azure,digitalocean}, --environment {aws,gcp,azure,digitalocean}
                        The cloud on which the test-suite is to be run
  -aip AUDIT_IP, --audit_ip AUDIT_IP
                        The IP for which lynis Audit needs to be done .... by
                        default tries root/Administrator if username not
                        provided
  -u USER_NAME, --user_name USER_NAME
                        The username of the user to be logged in,for a
                        specific user
  -pem PEM_FILE, --pem_file PEM_FILE
                        The pem file to access to AWS instance
  -p, --password        hidden password prompt
  -pId PROJECT_ID, --project_id PROJECT_ID
                        Project ID for which GCP Audit needs to be run. Can be
                        retrivied using `gcloud projects list`
  -az_u AZURE_USER, --azure_user AZURE_USER
                        username of azure account, optionally used if you want
                        to run the azure audit with no user interaction.
  -az_p AZURE_PASS, --azure_pass AZURE_PASS
                        username of azure password, optionally used if you
                        want to run the azure audit with no user interaction.
  -o OUTPUT, --output OUTPUT
                        writes a log in JSON of an audit, ideal for
                        consumptions into SIEMS like ELK and Splunk. Defaults
                        to cs-audit.log
  -w, --wipe            rm -rf reports/ folder before executing an audit
  -n, --number          Retain number of report to store for a particular 
                        environment and user/project.

Requirements

Operating System OSX or Linux only
python 2.7
pip
git
jq
gcc (for sshpass installation (OS Audit). Not a mandatory pre-requisite)
AWS Audit - AWS ReadOnly Keys
GCP Audit - gcloud setup
Azure Audit - Azure user read-only access
DigitalOcean Audit - DigitalOcean API key and SPACES access_key and access_secret

Installation

(in order to avoid missing with the already installed python libraries)

get project git clone https://github.com/SecurityFTW/cs-suite.git && cd cs-suite/
install virtualenv pip install virtualenv
create a python 2.7 local enviroment virtualenv -p python2.7 venv
activate the virtual enviroment source venv/bin/activate
install project dependencies pip install -r requirements.txt
run the tool via python cs.py --help

AWS Configuration

In AWS create a IAM user with at least the following policy arniam:policy/ReadOnlyAccess
In your local install aws cli brew install awscli for OSX
Configure AWS cli aws configure

GCP Configuration

create a project in GCP
enable the Cloud resource manager API
create a service account, download its key JSON and place it under cs-suite/tools/G-Scout/keyfile.json)
Install google cloud sdk
configure google clound sdk gcloud init

Azure Configuration

signup and have logged in already to azure.microsoft.com
install azure CLI brew install az
authenticate the azure cli az login, you should see your subscription type if it was successful, simiarly to the response below:

[
  {
    "cloudName": "AzureCloud",
    "id": "xxxxx-5595-4da5-bc27-xxxeeee",
    "isDefault": true,
    "name": "Free Trial",
    "state": "Enabled",
    "tenantId": "xxxxx-18e9-41a4-961b-xxxxx",
    "user": {
      "name": "customer@email.com",
      "type": "user"
    }
  }
]

DigitalOcean Configuration

create Personal Access Tokens and Spaces Access keys cloud.digitalocean.com
set the credentials by running export

export DO_KEY=*

export DO_ACCESS_KEY=*

export DO_SECRET_KEY=**

Running cs-suite

To run AWS Audit - python cs.py -env aws
To run GCP Audit - python cs.py -env gcp -pId <project_name>
To run Azure Audit - python cs.py -env azure
To run DigitalOcean Audit - python cs.py -env digitalocean

The final report will be available in reports directory
The final AWS Audit report looks like below:

AWS Audit report

The final GCP Audit report looks like below:

GCP Audit report

Docker Setup

Create a local directory aws with credentials and config files
The config file looks like below

$ cat aws/config
[default]
output = json
region = us-east-1

The credentials file looks like below

$ cat aws/credentials
[default]
aws_access_key_id = XXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXX

Note: This tool requires arniam:policy/ReadOnlyAccess IAM policy

Then run the follwing docker command to start (passing your specific enviroment)

docker run -v `pwd`/aws:/root/.aws -v `pwd`/reports:/app/reports securityftw/cs-suite -env aws

Documentation

https://securityftw.github.io

Thanks

Scout2 - https://github.com/nccgroup/Scout2
Prowler - https://github.com/Alfresco/prowler
Lunar - https://github.com/lateralblast/lunar
Lynis - https://github.com/CISOfy/lynis
G-Scout - https://github.com/nccgroup/G-Scout
@alanrenouf - https://github.com/alanrenouf/Windows-Workstation-and-Server-Audit
Ranjeet Sengar - https://github.com/sengar23