Hayat is an auditing and hardening script for Google Cloud Platform services such as:
- Identity & Access Management
- Virtual Machines
- Cloud SQL Instances
- Kubernetes Clusters
- Ensure that corporate login credentials are used instead of Gmail accounts.
- Ensure that there are only GCP-managed service account keys for each service account.
- Ensure that ServiceAccount has no Admin privileges.
- Ensure that IAM users are not assigned the Service Account User role at project level.
- Ensure the default network does not exist in a project.
- Ensure legacy networks do not exist for a project.
- Ensure that DNSSEC is enabled for Cloud DNS.
- Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC.
- Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC.
- Ensure that RDP access is restricted from the Internet.
- Ensure Private Google Access is enabled for all subnetworks in VPC Network.
- Ensure VPC Flow Logs are enabled for every subnet in VPC Network.
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
- Ensure "Block Project-wide SSH keys" is enabled for VM instances.
- Ensure OS Login is enabled for a Project.
- Ensure 'Enable connecting to serial ports' is not enabled for VM instances.
- Ensure that IP forwarding is not enabled on instances.
- Ensure that Cloud Storage buckets are not anonymously or publicly accessible.
- Ensure that logging is enabled for Cloud Storage buckets.
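The VM checks above (default service account with full API access, IP forwarding, "Block Project-wide SSH keys") all reduce to reading instance attributes that gcloud can print as CSV and flagging the weak values. The script below is an added example written for this page, not Hayat's own code: it evaluates constructed sample rows shaped like the output of the `gcloud compute instances list --format="csv[no-heading](...)"` projection shown in the comment. The exact field paths in that projection, and how the `block-project-ssh-keys` metadata value is pulled into the fifth column, are assumptions; the sample lines are constructed and not from any real project.

```shell
#!/usr/bin/env bash
# Added example (not part of Hayat). Audits VM instance rows of the form
#   name,canIpForward,serviceAccountEmail,scopes,block-project-ssh-keys
# as one might obtain from (projection assumed, list fields are ';'-joined):
#   gcloud compute instances list --format="csv[no-heading](name,canIpForward,serviceAccounts[0].email,serviceAccounts[0].scopes)"
# with the block-project-ssh-keys metadata value appended as a fifth column.

# Constructed sample output, not real gcloud output.
SAMPLE_INSTANCES='web-1,False,sa-web@example-project.iam.gserviceaccount.com,https://www.googleapis.com/auth/logging.write,TRUE
bastion,True,123456789012-compute@developer.gserviceaccount.com,https://www.googleapis.com/auth/cloud-platform,FALSE
batch-7,False,123456789012-compute@developer.gserviceaccount.com,https://www.googleapis.com/auth/devstorage.read_only,TRUE'

# Reads CSV rows on stdin, prints one "FAIL <instance>: <reason>" line per
# finding, and returns 0 only when no finding was raised.
audit_instances() {
  findings=0
  while IFS=',' read -r name ip_forward sa_email scopes block_ssh; do
    [ -z "$name" ] && continue

    # CIS item: IP forwarding must not be enabled on instances.
    if [ "$ip_forward" = "True" ]; then
      echo "FAIL $name: IP forwarding is enabled"
      findings=$((findings + 1))
    fi

    # CIS item: the Compute Engine default service account must not be
    # combined with the cloud-platform scope (full access to all Cloud APIs).
    case "$sa_email" in
      *-compute@developer.gserviceaccount.com)
        case "$scopes" in
          *https://www.googleapis.com/auth/cloud-platform*)
            echo "FAIL $name: default service account with full access to all Cloud APIs"
            findings=$((findings + 1)) ;;
        esac ;;
    esac

    # CIS item: block-project-ssh-keys must be TRUE; a missing value fails too.
    case "$block_ssh" in
      [Tt][Rr][Uu][Ee]) ;;
      *)
        echo "FAIL $name: Block Project-wide SSH keys is not enabled"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Stand-alone run over the constructed sample; bastion raises three findings.
printf '%s\n' "$SAMPLE_INSTANCES" | audit_instances || echo "Audit finished with findings"
```

Replace the here-string with a live `gcloud` invocation piped into `audit_instances` to run it against a project; the non-zero exit status makes it usable as a CI gate.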
Cloud SQL Database Services
- Ensure that Cloud SQL database instances require all incoming connections to use SSL.
- Ensure that Cloud SQL database instances are not open to the world.
- Ensure that MySQL database instances do not allow anyone to connect with administrative privileges.
- Ensure that MySQL database instances do not allow root login from any host.
- Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
- Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
- Ensure Kubernetes Clusters are configured with Labels.
- Ensure the Kubernetes web UI / Dashboard is disabled.
- Ensure Automatic node repair is enabled for Kubernetes Clusters.
- Ensure Automatic node upgrades are enabled on Kubernetes Engine Cluster nodes.
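The Cloud SQL items in the list above (SSL required, instance not open to the world, no root login from any host) can be audited from two gcloud listings. The following is an added example written for this page, not Hayat's own code. It works on constructed rows shaped like `gcloud sql instances list` and `gcloud sql users list` CSV output; the field projections in the comments are assumptions and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of Hayat). Two Cloud SQL audits over CSV rows.
#
# Instance rows: name,requireSsl,authorizedNetworks (';'-joined), as from the
# assumed projection:
#   gcloud sql instances list --format="csv[no-heading](name,settings.ipConfiguration.requireSsl,settings.ipConfiguration.authorizedNetworks[].value)"
# User rows: name,host, as from the assumed projection:
#   gcloud sql users list --instance=INSTANCE --format="csv[no-heading](name,host)"

# Constructed sample output, not real gcloud output.
SAMPLE_SQL_INSTANCES='orders-db,True,10.0.0.0/8
legacy-db,False,0.0.0.0/0;203.0.113.0/24
reports-db,True,'

SAMPLE_SQL_USERS='root,%
app,10.0.0.5
root,localhost'

# Flags instances that do not require SSL or that authorize 0.0.0.0/0.
# Prints "FAIL <instance>: <reason>" per finding; returns 0 only when clean.
audit_sql_instances() {
  findings=0
  while IFS=',' read -r name require_ssl networks; do
    [ -z "$name" ] && continue
    if [ "$require_ssl" != "True" ]; then
      echo "FAIL $name: incoming connections do not require SSL"
      findings=$((findings + 1))
    fi
    # An authorized network of 0.0.0.0/0 means the instance is open to the world.
    case "$networks" in
      *0.0.0.0/0*)
        echo "FAIL $name: authorized networks include 0.0.0.0/0"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Flags a MySQL root user whose host is '%', i.e. root may log in from any host.
audit_sql_users() {
  findings=0
  while IFS=',' read -r user host; do
    [ -z "$user" ] && continue
    if [ "$user" = "root" ] && [ "$host" = "%" ]; then
      echo "FAIL user $user@$host: root login allowed from any host"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_SQL_INSTANCES" | audit_sql_instances || echo "Instance audit finished with findings"
printf '%s\n' "$SAMPLE_SQL_USERS" | audit_sql_users || echo "User audit finished with findings"
```

The user check needs one `gcloud sql users list` call per instance, so in practice it is run inside a loop over the instance names produced by the first listing.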
Hayat is written in bash using gcloud and is compatible with Linux and OSX.
git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh
You can also run specific functions only, e.g. if you want to scan just the Kubernetes Cluster: