forked from webpwnized/gcp-audit
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cis-3.8.2-firewall-logs.sh
executable file
·121 lines (95 loc) · 2.86 KB
/
cis-3.8.2-firewall-logs.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#!/bin/bash
source functions.inc
declare PROJECT_IDS="";
declare DEBUG="False";
declare CSV="False";
declare ICH="False";
declare HELP=$(cat << EOL
$0 [-p, --project PROJECT] [-c, --csv] [-d, --debug] [-h, --help]
EOL
);
for arg in "$@"; do
shift
case "$arg" in
"--help") set -- "$@" "-h" ;;
"--debug") set -- "$@" "-d" ;;
"--csv") set -- "$@" "-c" ;;
"--project") set -- "$@" "-p" ;;
*) set -- "$@" "$arg"
esac
done
while getopts "hdcip:" option
do
case "${option}"
in
p)
PROJECT_IDS=${OPTARG};;
d)
DEBUG="True";;
c)
CSV="True";;
h)
echo $HELP;
exit 0;;
esac;
done;
if [[ $PROJECT_IDS == "" ]]; then
declare PROJECT_IDS=$(get_projects);
fi;
declare SEPARATOR="----------------------------------------------------------------------------------------";
if [[ $CSV == "True" ]]; then
echo "\"PROJECT_ID\", \"PROJECT_NAME\", \"PROJECT_OWNER\", \"PROJECT_APPLICATION\", \"FIREWALL_RULE_NAME\", \"LOG_CONFIG\", \"LOG_CONFIG_STATUS_MESSAGE\"";
fi;
for PROJECT_ID in $PROJECT_IDS; do
set_project $PROJECT_ID;
if ! api_enabled compute.googleapis.com; then
if [[ $CSV != "True" ]]; then
echo "Compute Engine API is not enabled on Project $PROJECT_ID";
continue;
fi;
fi;
#Get project details
get_project_details $PROJECT_ID
declare RESULTS=$(gcloud compute firewall-rules list --quiet --format="json");
if [[ $RESULTS != "[]" ]]; then
if [[ $CSV != "True" ]]; then
echo $SEPARATOR;
echo "Firewall rules for project $PROJECT_ID";
echo "";
fi;
#Loop through each firewall rule in the project
echo $RESULTS | jq -r -c '.[]' | while IFS='' read -r FIREWALL_RULE;do
# Debugging output
if [[ $DEBUG == "True" ]]; then
echo $FIREWALL_RULE | jq '.';
fi;
FIREWALL_RULE_NAME=$(echo $FIREWALL_RULE | jq -rc '.name');
LOG_CONFIG=$(echo $FIREWALL_RULE | jq -rc '.logConfig.enable // false');
# Calculate Logging Violations
if [[ $LOG_CONFIG == "false" ]]; then
LOG_CONFIG_STATUS_MESSAGE="VIOLATION: Firewall logging is not enabled";
else
LOG_CONFIG_STATUS_MESSAGE="Firewall logging is enabled";
fi;
if [[ $CSV != "True" ]]; then
# Print Project Information
echo "Name: $FIREWALL_RULE_NAME";
echo "Project Name: $PROJECT_NAME";
echo "Project Application: $PROJECT_APPLICATION";
echo "Project Owner: $PROJECT_OWNER";
echo "Logging: $LOG_CONFIG";
echo "Logging Status: $LOG_CONFIG_STATUS_MESSAGE";
echo "";
else
echo "\"$PROJECT_ID\", \"$PROJECT_NAME\", \"$PROJECT_OWNER\", \"$PROJECT_APPLICATION\", \"$FIREWALL_RULE_NAME\", \"$LOG_CONFIG\", \"$LOG_CONFIG_STATUS_MESSAGE\"";
fi;
done;
else
if [[ $CSV != "True" ]]; then
echo $SEPARATOR;
echo "No firewall rules found for $PROJECT_ID";
echo "";
fi;
fi;
sleep 0.5;
done;