Comments (15)
Thanks for creating this issue l01cd3v!
Ready to test it as soon as it's ready ;)
Cheers,
L
from scout2.
Hey Leon,
So I pushed the tool to a dev branch for now; you should be able to use it, and it should do the job if I understood properly.
Check out the dev-listall branch, then run the following command:
./ListAll.py --env your_profile_or_environment_name --config listall-configs/iam-users-without-mfa-in-select-groups.json
Note that I did not test it without a profile or environment name, so if it crashes you might need to hack it as follows:
cp -r inc-awsconfig inc-awsconfig-newnamehere and in the command line above set the --env argument to newnamehere.
You'll also have to edit the config file to enter the name of the groups you want to check.
Basically the idea behind that tool is to be able to dump arbitrary data from the Scout2 dumped config, either via command line arguments or config files.
from scout2.
Awesome!
Thanks for the quick hack.
And yes, that tool is exactly what we need: to be able to dump, filter and analyse data from the Scout2 run on the command line or pipe it into a file!
I understand the syntax but am not familiar with Python ;)
Can you please give me an example of where to add group names (group1, group2, group3)?
Should it go into "conditions" somewhere (in listall-configs/iam-users-without-mfa-in-select-groups.json)?
And btw, why do you need to copy inc-awsconfig/aws_config.js somewhere else? Can't you just use --env inc-awsconfig/aws_config.js? (Or is it because your ./ListAll.py changes data in aws_config.js? Isn't aws_config.js an aggregate data file from the Scout2 run?)
Thanks for your help!!!
from scout2.
In "listall-configs/iam-users-without-mfa-in-select-groups.json", you need to replace one condition:
["Groups.GroupName", "containAtleastOneOf", ["AllMisconfiguredUsers", "AllHumanUsers"] ],
with:
["Groups.GroupName", "containAtleastOneOf", ["Group1", "Group2", "Group3"] ],
I did a little bit of testing on ListAll.py and now it should work similarly to Scout2 with regards to the env parameter. If you specified a profile when running Scout2, you'll need to give the same value as the "env" parameter when running ListAll. If you didn't, then you don't :)
I hope this works !
from scout2.
Awesome work l01cd3v
Thanks for that!
I do get the output (list of users) but also a bunch of errors (sample output below):
user1
user2
user3
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-f/aws_config.js'
This is a great tool. It's a shame the documentation (with usage examples) is not really there ;).
Hopefully it's all gonna come in time.
That's how I ran it:
$ python Scout2.py --csv-credentials /tmp/credentials-nonprod.csv
$ ./ListAll.py --config listall-configs/iam-users-without-mfa-in-select-groups.json
I will test --env option tomorrow too.
Have a great day!
from scout2.
OK,
I see that the Scout2 run results are going into inc-awsconfig-s (ap-southeast?).
Did some more testing with --env:
OK, those just don't exist (so stderr is spewing those):
[Errno 2] No such file or directory: 'inc-awsconfig-a/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig--/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-f/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-i/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-l/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-n/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-n/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-n/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-o/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-o/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-p/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-r/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-t/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-u/aws_config.js'
It's interesting: if I use the --env option in both the Scout2 and ListAll.py runs I get the list of users times 4 (just duplicates) (| sort | uniq = 40).
But without the --env option I get 40 users.
from scout2.
I'll try to have a look at it tonight.
from scout2.
So the output is written under inc-awsconfig-ENVIRONMENT_NAME/aws_config.js, where the value of ENVIRONMENT_NAME is as follows:
- none by default (no --profile and no --env arguments)
- value of profile if --profile argument
- value of environment name if --env argument (supersedes --profile)
I'll try to create/update the documentation one of these days, when time allows.
Can you update opinel and re-run Scout and ListAll? I made some modifications to make sure the behavior described above is what happens, and I think you shouldn't see errors anymore (or duplicates).
from scout2.
Thanks for that,
It works fine with the --env parameter now.
No errors, and out of 69 users overall I get a list of 60 with MFA not enabled (when specifying all 15 groups in ).
Only one of those users is not a member of any group.
$ python Scout2.py --env company-nonprod --csv-credentials /tmp/credentials-company-nonprod.csv
inc-awsconfig-company-nonprod/aws_config.js created
$ ./ListAll.py --env company-nonprod --config listall-configs/iam-users-without-mfa-in-select-groups.json
getting a list of 60 users
$ python Scout2.py --csv-credentials /tmp/credentials-company-nonprod.csv
same old inc-awsconfig/aws_config.js
$ ./ListAll.py --config listall-configs/iam-users-without-mfa-in-select-groups.json
getting a list of 60 users
But both report-company-nonprod.html and report.html show 53 users with Lack of MFA.
Any idea why?
from scout2.
Added another condition to match Scout2's behavior in commit ID 7177d34. If you remove the group condition, you should see 53 users, and with the group condition left in, you should have the list you were looking for.
from scout2.
Yep,
I've just added this condition and I'm getting 53 users!
Thank you!
Awesome job!
from scout2.
Hey l01cd3v,
Sorry for commenting on this closed issue but the question relates to it directly ;)
Currently I have to specify all groups in iam-users-without-mfa-in-select-groups-env.json and it's huge.
Is there an option to tell it to scan ALL groups except the ones I specify (2-3 read-only groups)?
How can I add this condition?
This is an example of how it looks now:
{
"entities": [
"iam.Users"
],
"keys": [
"this"
],
"conditions": [
["Groups.GroupName", "containAtleastOneOf", ["base-iam-groups-Developers-1GNUUMHX5NF", "base-iam-groups-DevOps-13V386NLKZM", "base-iam-groups-EISCapacityPlan-K3KE7TDSHD", "base-iam-groups-EISDesign-YWHZJ3BQAP", "base-iam-groups-EISNetwork-188KIXC28BT", "base-iam-groups-EISPMs-3KH7JIRQR0", "base-iam-groups-EISSecurity-1SIK69SD2NX", "base-iam-groups-EISUnix-1NABCNXU8XX", "base-iam-groups-EISVirtualisation-TORNEXEPFZ", "base-iam-groups-NetOps-QWD78AEVM9", "base-iam-groups-Support-NH0F5C5H6T", "base-iam-groups-SysBuilder-M3AQQUQ088", "base-iam-groups-SysMonitor-9D98GKILDA", "base-iam-groups-SysUserManager-FIEVRI3A2Y", "netbackup-iam-groups-SysNetBackup-ZKDZ7WZ0TR", "steelstore-iam-groups-SysSteelstore-PBMYE0IP3K"] ],
["MFADevices", "empty", ""],
["LoginProfile", "notEmpty", ""]
]
}
from scout2.
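The config above is a list of conditions that are ANDed over each iam.Users record: a dotted key path, an operator, and an argument. As an added example that is not part of this thread or of Scout2's code, the Python below evaluates such a condition list over a constructed IAM user dump, implementing the three operators that appear in the posted config ("containAtleastOneOf", "empty", "notEmpty") and an exclusion operator for the "all groups except these" case asked about here. The operator name "containNoneOf", the shape of the user records (a dict keyed by user name, with "Groups" as a list of {"GroupName": ...} entries) and all sample users are assumptions for the example, not Scout2's actual data layout or branch code.

```python
import json

# Constructed sample users in the assumed shape of Scout2's iam.Users records.
# Nothing here is real account data.
SAMPLE_USERS = {
    "alice": {"Groups": [{"GroupName": "Developers"}],
              "MFADevices": [], "LoginProfile": {"CreateDate": "2016-01-01"}},
    "bob": {"Groups": [{"GroupName": "DevOps"}],
            "MFADevices": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/bob"}],
            "LoginProfile": {"CreateDate": "2016-01-01"}},
    "carol": {"Groups": [{"GroupName": "ReadOnly"}],
              "MFADevices": [], "LoginProfile": {"CreateDate": "2016-01-01"}},
    "dave": {"Groups": [],  # member of no group at all
             "MFADevices": [], "LoginProfile": {"CreateDate": "2016-01-01"}},
    "erin": {"Groups": [{"GroupName": "Developers"}, {"GroupName": "ReadOnly"}],
             "MFADevices": [], "LoginProfile": {"CreateDate": "2016-01-01"}},
    "svc-deploy": {"Groups": [{"GroupName": "Developers"}],
                   "MFADevices": [], "LoginProfile": None},  # API-only, no console password
}

# Same layout as the posted config: users without MFA, with a console login
# profile, in at least one of the listed groups.
SELECT_GROUPS_CONFIG = json.loads("""
{
  "entities": ["iam.Users"],
  "keys": ["this"],
  "conditions": [
    ["Groups.GroupName", "containAtleastOneOf", ["Developers", "DevOps"]],
    ["MFADevices", "empty", ""],
    ["LoginProfile", "notEmpty", ""]
  ]
}
""")

# The "all groups except these" variant. "containNoneOf" is an assumed operator
# name for this example, not one documented for Scout2's ListAll.
EXCLUDE_GROUPS_CONFIG = json.loads("""
{
  "entities": ["iam.Users"],
  "keys": ["this"],
  "conditions": [
    ["Groups.GroupName", "containNoneOf", ["ReadOnly", "Auditors"]],
    ["MFADevices", "empty", ""],
    ["LoginProfile", "notEmpty", ""]
  ]
}
""")


def resolve(obj, path):
    """Resolve a dotted path such as "Groups.GroupName" against a record.
    When a step lands on a list, the rest of the path is applied to every
    element and the results are flattened, so "Groups.GroupName" yields the
    list of the user's group names. Missing keys resolve to None."""
    if not path:
        return obj
    key, _, rest = path.partition(".")
    if key == "this":
        return resolve(obj, rest)
    if isinstance(obj, list):
        out = []
        for item in obj:
            value = resolve(item, path)
            out.extend(value if isinstance(value, list) else [value])
        return out
    if isinstance(obj, dict):
        return resolve(obj.get(key), rest)
    return None


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_empty(value):
    return value is None or value == [] or value == {} or value == ""


# Each operator takes the resolved value and the condition argument.
OPERATORS = {
    "containAtleastOneOf": lambda v, arg: bool(set(_as_list(v)) & set(arg)),
    "containNoneOf": lambda v, arg: not (set(_as_list(v)) & set(arg)),  # assumed name
    "empty": lambda v, arg: _is_empty(v),
    "notEmpty": lambda v, arg: not _is_empty(v),
}


def matches(record, conditions):
    """A record matches only if every condition in the list holds (AND)."""
    return all(OPERATORS[op](resolve(record, path), arg) for path, op, arg in conditions)


def list_all(users, config):
    """Return the sorted names of users matching every condition in config
    ("keys": ["this"] in the posted config means: print the user name)."""
    return sorted(name for name, rec in users.items() if matches(rec, config["conditions"]))


if __name__ == "__main__":
    print("in select groups:   ", list_all(SAMPLE_USERS, SELECT_GROUPS_CONFIG))
    print("not in excluded:    ", list_all(SAMPLE_USERS, EXCLUDE_GROUPS_CONFIG))
    # Dropping the group condition reproduces the report's plain "lack of MFA"
    # count, as described in the thread for the real data set.
    no_group_cond = {"conditions": SELECT_GROUPS_CONFIG["conditions"][1:]}
    print("no group condition: ", list_all(SAMPLE_USERS, no_group_cond))
```

Note the two cases the thread stumbled on: svc-deploy has no MFA but also no LoginProfile, so the "notEmpty" condition keeps it out of the list (an API-only user cannot use a console MFA prompt), and dave belongs to no group, so he is dropped by the select-groups config but kept by the exclusion config.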
I created a branch in an attempt to add that functionality, but it's not merged yet because I want to add regression tests for all existing configs, and my current tests are incomplete and do not pass with the nightly Python build.
If you want to try it, check out the "dev-listall-tests" branch. The config file you would want to modify is under listall-configs/iam-users-without-mfa-not-in-select-groups.json.
For other feature requests or bugs related to that tool, please create new issues. They're easier to track and manage.
from scout2.
Thanks l01cd3v!
Gotcha.
I gotta go now but I will test this feature tomorrow and update you with the test results.
Cheers,
Leon
from scout2.
I've just tested it and it works fine!
Tested with a couple of groups.
Can probably be merged into a master branch.
Thank you!
from scout2.