GitHub - GoogleCloudPlatform/inspec-gcp-cis-benchmark: GCP CIS 1.1.0 Benc...
source link: https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark
GCP CIS 1.1.0 Benchmark Inspec Profile
This repository holds the Google Cloud Platform (GCP) Center for Internet Security (CIS) version 1.1 Benchmark Inspec Profile.
Required Disclaimer
This is not an officially supported Google product. This code is intended to help users assess their security posture on the Google Cloud against the CIS Benchmark. This code is not certified by CIS.
Coverage
The following GCP CIS v1.1.0 Benchmark Controls are not covered:
- Identity and Access Management 1.2 - "Ensure that multi-factor authentication is enabled for all non-service accounts"
- Identity and Access Management 1.3 - "Ensure that Security Key Enforcement is enabled for all admin accounts"
- Identity and Access Management 1.12 - "Ensure API keys are not created for a project"
- Identity and Access Management 1.13 - "Ensure API keys are restricted to use by only specified Hosts and Apps"
- Identity and Access Management 1.14 - "Ensure API keys are restricted to only APIs that application needs access"
- Identity and Access Management 1.15 - "Ensure API keys are rotated every 90 days"
- Cloud SQL Database Services 6.3 - "Ensure that MySql database instance does not allow anyone to connect with administrative privileges"
- Cloud SQL Database Services 6.4 - "Ensure that MySQL Database Instance does not allow root login from any Host"
Usage
Profile Inputs (see inspec.yml file)
This profile uses InSpec Inputs to make the tests more flexible. You are able to provide inputs at runtime either via the cli or via YAML files to help the profile work best in your deployment.
pro tip: Do not change the inputs in the inspec.yml file directly, either:
- update them via the cli - via the --input flag
- pass them in via a YAML file as shown in the Example - via the --input-file flag
Further details can be found here: https://docs.chef.io/inspec/inputs/
(Required) User Provided Inputs - via the CLI or Input Files
- gcp_project_id - (Default: null, type: String) - The target GCP Project you are scanning.
(Optional) User Provided Inputs
- sa_key_older_than_seconds - (Default: 7776000, type: int, CIS IAM 1.15) - The maximum allowed age of GCP User-managed Service Account Keys (90 days in seconds).
- kms_rotation_period_seconds - (Default: 7776000, type: int, CIS IAM 1.10) - The maximum allowed age of KMS keys (90 days in seconds).
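As an added example (this script is not part of the repository), the following POSIX shell writes the three inputs listed above into a per-project YAML file and runs the scan with the --input-file flag rather than --input. The input names and the inspec invocation come from this README; the helper function names, the file name and the "days to seconds" conversion are my own, so the 7776000-second (90-day) defaults are never typed by hand.

```shell
#!/usr/bin/env sh
# Added example, not code from the inspec-gcp-cis-benchmark repository.
# Writes an InSpec input file for one project and runs the CIS profile with it.

# Convert a rotation window in days to the seconds value the profile expects.
days_to_seconds() {
  echo $(( $1 * 24 * 60 * 60 ))
}

# Emit the YAML input file for one project.
# Arguments: project id, max service-account key age (days), max KMS key age (days).
build_inputs_yaml() {
  printf 'gcp_project_id: %s\n' "$1"
  printf 'sa_key_older_than_seconds: %s\n' "$(days_to_seconds "$2")"
  printf 'kms_rotation_period_seconds: %s\n' "$(days_to_seconds "$3")"
}

# The scan only runs when a project id is passed on the command line, so the
# functions above can be sourced and exercised offline.
if [ -n "${1:-}" ]; then
  project="$1"
  build_inputs_yaml "$project" 90 90 > "${project}_inputs.yml"
  inspec exec https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git \
    -t gcp:// \
    --input-file "${project}_inputs.yml" \
    --reporter cli "json:${project}_scan.json"
fi
```

Keeping the input file next to the JSON report makes a scan reproducible: the report can later be matched to the exact thresholds it was produced with.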
Cloud Shell Walkthrough
Use this Cloud Shell Walkthrough for a hands-on example.
CLI Example
# install inspec
$ gem install inspec-bin --no-document --quiet
# make sure you're authenticated to GCP
$ gcloud auth list
# acquire credentials to use with Application Default Credentials
$ gcloud auth application-default login
# scan a project with this profile, replace {{project-id}} with your project ID
$ inspec exec https://github.com/GoogleCloudPlatform/inspec-gcp-cis-benchmark.git -t gcp:// --input gcp_project_id={{project-id}} --reporter cli json:{{project-id}}_scan.json
...snip...
Profile Summary: 48 successful controls, 5 control failures, 7 controls skipped
Test Summary: 166 successful, 7 failures, 7 skipped
Required APIs
Consider these GCP projects, which may all be the same or different:
- the project of the Service Account that's used to authenticate the scan
- the project from which the benchmark is called
- the project to be scanned
The following GCP APIs should be enabled in all of these projects:
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- compute.googleapis.com
- dns.googleapis.com
- iam.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- sqladmin.googleapis.com
- storage-api.googleapis.com
Required Permissions
The following permissions are required to run the CIS benchmark profile:
On organization level:
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.folders.get
On project level:
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.getIamPolicy
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.get
- cloudsql.instances.list
- compute.firewalls.get
- compute.firewalls.list
- compute.instances.get
- compute.instances.list
- compute.networks.get
- compute.networks.list
- compute.projects.get
- compute.regions.list
- compute.sslPolicies.get
- compute.sslPolicies.list
- compute.subnetworks.get
- compute.subnetworks.list
- compute.targetHttpsProxies.get
- compute.targetHttpsProxies.list
- compute.zones.list
- dns.managedZones.get
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.get
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.buckets.list
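The two lists above (Required APIs and Required Permissions) are easiest to verify before a scan rather than by reading skipped-control messages afterwards. The script below is an added example and not part of the repository: it compares the README's lists against what a project actually has, using `gcloud services list --enabled` for APIs and the Cloud Resource Manager `projects.testIamPermissions` REST method for permissions (which returns only the permissions the caller holds). Live calls run only when `LIVE=1` is set; otherwise the same functions run over constructed sample output embedded in the script. The permission subset, function names and sample data are my own.

```shell
#!/usr/bin/env sh
# Added example, not code from the inspec-gcp-cis-benchmark repository.
# Pre-flight: report which required APIs and permissions are missing for a project.

REQUIRED_APIS="cloudkms.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
dns.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
sqladmin.googleapis.com
storage-api.googleapis.com"

# A subset of the project-level permissions from the README; extend as needed.
REQUIRED_PERMISSIONS="cloudkms.cryptoKeys.list
cloudsql.instances.list
compute.firewalls.list
iam.serviceAccountKeys.list
logging.sinks.list
storage.buckets.getIamPolicy"

# Print every line of $1 (required set, newline separated) that does not
# appear in $2 (granted set, newline separated). Exact whole-line match.
missing_items() {
  printf '%s\n' "$1" | while IFS= read -r item; do
    [ -n "$item" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$item" || printf '%s\n' "$item"
  done
}

# Extract permission names from a testIamPermissions JSON response such as
# {"permissions": ["a.b.c", "d.e"]} without depending on jq.
permissions_from_json() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*"\([a-z]*\.[A-Za-z.]*\)".*/\1/p'
}

if [ "${LIVE:-0}" = "1" ]; then
  project="$1"
  enabled="$(gcloud services list --enabled --project "$project" --format='value(config.name)')"
  body="$(printf '%s\n' "$REQUIRED_PERMISSIONS" | sed 's/.*/"&"/' | paste -sd, -)"
  granted_json="$(curl -s -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H 'Content-Type: application/json' \
    -d "{\"permissions\": [$body]}" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/${project}:testIamPermissions")"
else
  # Constructed sample output standing in for the live responses above.
  enabled="cloudkms.googleapis.com
compute.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
storage-api.googleapis.com"
  granted_json='{"permissions": ["cloudkms.cryptoKeys.list", "compute.firewalls.list", "iam.serviceAccountKeys.list"]}'
fi

missing_apis="$(missing_items "$REQUIRED_APIS" "$enabled")"
missing_perms="$(missing_items "$REQUIRED_PERMISSIONS" "$(permissions_from_json "$granted_json")")"

[ -n "$missing_apis" ]  && printf 'Enable these APIs first:\n%s\n' "$missing_apis"
[ -n "$missing_perms" ] && printf 'Grant these permissions first:\n%s\n' "$missing_perms"
```

Run it once per project in the list above (the scanning account's project, the calling project and the target project), because an API disabled in any of them makes the corresponding controls skip rather than fail, which is easy to mistake for a clean result.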