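#!/bin/bash
# CIS 5.1.1 - report Cloud Storage buckets whose IAM policy grants a role to
# the special principals allUsers (anonymous access) or allAuthenticatedUsers
# (any Google account).
#
# Usage: cis-5.1.1-publicly-accessible-cloud-storage.sh [-p, --project PROJECT]
#        [-c, --csv] [-d, --debug] [-h, --help]
#
# Requires functions.inc (get_projects, set_project, api_enabled,
# get_project_details), gsutil and jq on PATH.
#
# Fix over the previous revision: the public-exposure test compared the
# binding's *role* string against "allUsers"/"allAuthenticatedUsers". Those
# principals appear in the binding's members list, not in the role name, so
# the check could never report a violation. The test now matches each member
# exactly (no substring matching, so e.g. a user whose address merely contains
# "allUsers" is not flagged).
source functions.inc

declare SEPARATOR="---------------------------------------------------------------------------------";
declare PROJECT_IDS="";
declare DEBUG="False";
declare CSV="False";
declare ICH="False";   # accepted via -i for option-set compatibility; not used by this check
HELP=$(cat << EOL
$0 [-p, --project PROJECT] [-c, --csv] [-d, --debug] [-h, --help]
EOL
);

#######################################
# Exact-match test for a principal in an IAM binding's member list.
# Arguments: $1 - principal to look for (e.g. allUsers)
#            $2.. - members of the binding (may be empty)
# Returns:   0 if the principal is present, 1 otherwise
#######################################
has_member() {
  local needle=$1
  shift
  local member
  for member in "$@"; do
    if [[ "$member" == "$needle" ]]; then
      return 0
    fi
  done
  return 1
}

# Translate the long options to the short forms understood by getopts.
for arg in "$@"; do
  shift
  case "$arg" in
    "--help")    set -- "$@" "-h" ;;
    "--debug")   set -- "$@" "-d" ;;
    "--csv")     set -- "$@" "-c" ;;
    "--project") set -- "$@" "-p" ;;
    *)           set -- "$@" "$arg" ;;
  esac
done

while getopts "hdcip:" option; do
  case "${option}" in
    p) PROJECT_IDS=${OPTARG} ;;
    d) DEBUG="True" ;;
    c) CSV="True" ;;
    i) ICH="True" ;;
    # printf keeps the usage text's line breaks; an unquoted echo collapsed them.
    h) printf '%s\n' "$HELP"; exit 0 ;;
    *) printf '%s\n' "$HELP" >&2; exit 1 ;;
  esac
done

if [[ "$PROJECT_IDS" == "" ]]; then
  PROJECT_IDS=$(get_projects);
fi

if [[ "$CSV" == "True" ]]; then
  echo "\"PROJECT_ID\", \"PROJECT_NAME\", \"PROJECT_OWNER\", \"PROJECT_APPLICATION\", \"BUCKET_NAME\", \"MEMBERS\", \"ROLE\", \"ALL_USERS_MESSAGE\", \"ALL_AUTHENTICATED_USERS_MESSAGE\"";
fi

# PROJECT_IDS is a whitespace-separated list (from -p or get_projects), so the
# word-splitting here is deliberate.
for PROJECT_ID in $PROJECT_IDS; do
  set_project "$PROJECT_ID";

  if ! api_enabled storage.googleapis.com; then
    if [[ "$CSV" != "True" ]]; then
      echo "Storage API is not enabled on Project $PROJECT_ID";
      echo "";
    fi
    continue;
  fi

  # A failed listing is reported rather than silently treated as "no buckets".
  if ! BUCKET_LIST=$(gsutil ls); then
    printf 'Could not list buckets for Project %s\n' "$PROJECT_ID" >&2
    continue;
  fi
  # One bucket URL per line; an empty listing yields an empty array.
  mapfile -t BUCKET_NAMES < <(printf '%s' "$BUCKET_LIST")

  if [[ "$DEBUG" == "True" ]]; then
    echo "Buckets: $BUCKET_LIST";
    echo "";
  fi

  if (( ${#BUCKET_NAMES[@]} > 0 )); then
    # Sets PROJECT_NAME, PROJECT_OWNER, PROJECT_APPLICATION (from functions.inc).
    get_project_details "$PROJECT_ID"

    if [[ "$CSV" != "True" ]]; then
      echo "$SEPARATOR";
      echo "Storage Buckets for Project $PROJECT_ID";
      echo "$SEPARATOR";
    fi

    for BUCKET_NAME in "${BUCKET_NAMES[@]}"; do
      if ! PERMISSIONS=$(gsutil iam get "$BUCKET_NAME"); then
        printf 'Could not read IAM policy for Bucket %s\n' "$BUCKET_NAME" >&2
        continue;
      fi

      if [[ "$DEBUG" == "True" ]]; then
        echo "Permissions (JSON): $PERMISSIONS";
      fi

      if [[ "$CSV" != "True" ]]; then
        echo "$SEPARATOR";
        echo "IAM Permissions for Bucket $BUCKET_NAME";
        echo "$SEPARATOR";
      fi

      # One binding per line. '[]?' tolerates a policy with no bindings key.
      # The loop body runs in a pipeline subshell; nothing assigned inside it
      # is needed afterwards, so that is fine.
      jq -r -c '.bindings[]?' <<< "$PERMISSIONS" | while IFS='' read -r PERMISSION; do
        mapfile -t MEMBER_LIST < <(jq -r '.members[]?' <<< "$PERMISSION")
        MEMBERS=$(printf '%s\n' "${MEMBER_LIST[@]}");
        # -r strips the JSON quotes; with them, the CSV row embedded raw
        # double quotes inside a quoted field.
        ROLE=$(jq -r '.role' <<< "$PERMISSION");

        if has_member "allUsers" "${MEMBER_LIST[@]}"; then
          ALL_USERS_MESSAGE="VIOLATION: Bucket publicly exposed to allUsers";
        else
          ALL_USERS_MESSAGE="OK: The allUsers group does not have permission to the bucket";
        fi

        if has_member "allAuthenticatedUsers" "${MEMBER_LIST[@]}"; then
          ALL_AUTHENTICATED_USERS_MESSAGE="VIOLATION: Bucket publicly exposed to allAuthenticatedUsers";
        else
          ALL_AUTHENTICATED_USERS_MESSAGE="OK: The allAuthenticatedUsers group does not have permission to the bucket";
        fi

        if [[ "$CSV" != "True" ]]; then
          echo "Project ID: $PROJECT_ID";
          echo "Project Name: $PROJECT_NAME";
          echo "Project Application: $PROJECT_APPLICATION";
          echo "Project Owner: $PROJECT_OWNER";
          echo "Bucket Name: $BUCKET_NAME";
          echo "Members: $MEMBERS";
          echo "Role: $ROLE";
          echo "$ALL_USERS_MESSAGE";
          echo "$ALL_AUTHENTICATED_USERS_MESSAGE";
          echo "";
        else
          echo "\"$PROJECT_ID\", \"$PROJECT_NAME\", \"$PROJECT_OWNER\", \"$PROJECT_APPLICATION\", \"$BUCKET_NAME\", \"$MEMBERS\", \"$ROLE\", \"$ALL_USERS_MESSAGE\", \"$ALL_AUTHENTICATED_USERS_MESSAGE\"";
        fi
      done
    done
    echo "";
  else
    if [[ "$CSV" != "True" ]]; then
      echo "No storage buckets found for Project $PROJECT_ID";
      echo "";
    fi
  fi

  # Brief pause between projects, kept from the original (presumably to
  # stay under API rate limits - not verified here).
  sleep 0.5;
done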