
Comments (15)

leo100 avatar leo100 commented on September 27, 2024

Thanks for creating this issue l01cd3v!

Ready to test it as soon as it's ready ;)

Cheers,
L

from scout2.

l01cd3v avatar l01cd3v commented on September 27, 2024

Hey Leon,

So I pushed the tool on a dev branch for now, you should be able to use it and it should do the job if I understood properly.

Check out the dev-listall branch, then run the following command:

./ListAll.py --env your_profile_or_environment_name --config listall-configs/iam-users-without-mfa-in-select-groups.json

Note that I did not test it without a profile or environment name, so if it crashes you might need to hack it as follows:

cp -r inc-awsconfig inc-awsconfig-newnamehere and in the command line above set the --env argument to newnamehere.

You'll also have to edit the config file to enter the name of the groups you want to check.

Basically the idea behind that tool is to be able to dump arbitrary data from the Scout2 dumped config, either via command line arguments or config files.


leo100 avatar leo100 commented on September 27, 2024

Awesome!
Thanks for the quick hack.
And yes, that tool is exactly what we need - to be able to dump, filter and analyse data from the Scout2 run on the command line or pipe it into the file!

I understand the syntax but I'm not familiar with Python ;)
Can you please give me an example of where to add group names (group1, group2, group3).
Should it go into "conditions" somewhere (in listall-configs/iam-users-without-mfa-in-select-groups.json)?

And btw, why do you need to copy inc-awsconfig/aws_config.js somewhere else? Can't you just use --env inc-awsconfig/aws_config.js (or is it because your ./ListAll.py changes data in aws_config.js. Isn't aws_config.js an aggregate data file from Scout2 run?)?

Thanks for your help!!!


l01cd3v avatar l01cd3v commented on September 27, 2024

In "listall-configs/iam-users-without-mfa-in-select-groups.json", you need to replace one condition:

    ["Groups.GroupName", "containAtleastOneOf", ["AllMisconfiguredUsers", "AllHumanUsers"] ],

    ["Groups.GroupName", "containAtleastOneOf", ["Group1", "Group2", "Group3"] ],

I did a little bit of testing on ListAll.py and now it should work similarly to Scout2 with regards to the env parameter. If you specified a profile when running Scout2, you'll need to give the same value as the "env" parameter when running ListAll. If you didn't, then you don't :)

I hope this works!


leo100 avatar leo100 commented on September 27, 2024

Awesome work l01cd3v
Thanks for that!

I do get the output (list of users) but also a bunch of errors (sample output below):
user1
user2
user3
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-f/aws_config.js'

This is a great tool. It's a shame documentation (with usage examples) is not really there ;).
Hopefully it's all gonna come in time.

That's how I ran it:
$ python Scout2.py --csv-credentials /tmp/credentials-nonprod.csv
$ ./ListAll.py --config listall-configs/iam-users-without-mfa-in-select-groups.json

I will test --env option tomorrow too.

Have a great day!


leo100 avatar leo100 commented on September 27, 2024

Ok,

I see that the Scout2 run results are going into inc-awsconfig-s (ap-southeast?).

Did some more testing with --env:
OK, those just don't exist (so stderr is spewing those):
[Errno 2] No such file or directory: 'inc-awsconfig-a/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig--/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-e/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-f/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-i/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-l/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-n/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-n/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-n/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-o/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-o/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-p/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-r/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-t/aws_config.js'
[Errno 2] No such file or directory: 'inc-awsconfig-u/aws_config.js'

It's interesting, if I use --env option in both Scout2 and ListAll.py runs I get a list of users times 4 (just duplicates) (|sort| uniq = 40)
But without "--env" option I get 40 users.


l01cd3v avatar l01cd3v commented on September 27, 2024

I'll try to have a look at it tonight.


l01cd3v avatar l01cd3v commented on September 27, 2024

So the output is written under inc-awsconfig-ENVIRONMENT_NAME/aws_config.js, where the value of ENVIRONMENT_NAME is as follows:

  • none by default (no --profile and no --env arguments)
  • value of profile if --profile argument
  • value of environment name if --env argument (supersedes --profile)

I'll try to create/update the documentation one of these days, when time allows.

Can you update opinel and re-run Scout and ListAll? I did some modifications to make sure the behavior described above is what happens and think you shouldn't see errors anymore (or duplicates).


leo100 avatar leo100 commented on September 27, 2024

Thanks for that,

It works fine with the --env parameter now.
No errors and out of overall 69 users I get a list of 60 with mfa not enabled (when specifying all 15 groups in ).
Only one of those users is not a member of any group.

$ python Scout2.py --env company-nonprod --csv-credentials /tmp/credentials-company-nonprod.csv
inc-awsconfig-company-nonprod/aws_config.js created
$ ./ListAll.py --env company-nonprod --config listall-configs/iam-users-without-mfa-in-select-groups.json
getting a list of 60 users

$ python Scout2.py --csv-credentials /tmp/credentials-company-nonprod.csv
same old inc-awsconfig/aws_config.js
$ ./ListAll.py --config listall-configs/iam-users-without-mfa-in-select-groups.json
getting a list of 60 users

But both report-company-nonprod.html and report.html show 53 users with Lack of MFA.
Any idea why?


l01cd3v avatar l01cd3v commented on September 27, 2024

Added another condition to match Scout2's behavior in commit ID 7177d34. If you remove the group condition, you should see 53 users, and with the group condition left in, you should have the list you were looking for.


leo100 avatar leo100 commented on September 27, 2024

Yep,
I've just added this condition and I'm getting 53 users!
Thank you!
Awesome job!


leo100 avatar leo100 commented on September 27, 2024

Hey l01cd3v,

Sorry for commenting on this closed issue but the question relates to it directly ;)
Currently I have to specify all groups in iam-users-without-mfa-in-select-groups-env.json and it's huge.
Is there an option to tell it - scan ALL groups except the ones I specify (2-3 read-only groups)?
How can I add this condition?

This is an example of how it looks now:
{
  "entities": [
    "iam.Users"
  ],
  "keys": [
    "this"
  ],
  "conditions": [
    ["Groups.GroupName", "containAtleastOneOf", ["base-iam-groups-Developers-1GNUUMHX5NF", "base-iam-groups-DevOps-13V386NLKZM", "base-iam-groups-EISCapacityPlan-K3KE7TDSHD", "base-iam-groups-EISDesign-YWHZJ3BQAP", "base-iam-groups-EISNetwork-188KIXC28BT", "base-iam-groups-EISPMs-3KH7JIRQR0", "base-iam-groups-EISSecurity-1SIK69SD2NX", "base-iam-groups-EISUnix-1NABCNXU8XX", "base-iam-groups-EISVirtualisation-TORNEXEPFZ", "base-iam-groups-NetOps-QWD78AEVM9", "base-iam-groups-Support-NH0F5C5H6T", "base-iam-groups-SysBuilder-M3AQQUQ088", "base-iam-groups-SysMonitor-9D98GKILDA", "base-iam-groups-SysUserManager-FIEVRI3A2Y", "netbackup-iam-groups-SysNetBackup-ZKDZ7WZ0TR", "steelstore-iam-groups-SysSteelstore-PBMYE0IP3K"]],
    ["MFADevices", "empty", ""],
    ["LoginProfile", "notEmpty", ""]
  ]
}

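To make the condition format above concrete, here is an added example (not Scout2's or ListAll.py's own code) of a minimal evaluator for ListAll-style configs run over a constructed slice of an aws_config.js-like IAM dump. The "containNoneOf" operator is hypothetical and stands in for the "all groups except these" check asked for in this thread; the sample users are constructed.

```python
"""Minimal evaluator for ListAll-style condition configs (added example).

Config shape ("entities", "keys", "conditions" as [path, operator, value]) is the
one posted in the thread; the evaluator, sample data and the "containNoneOf"
operator (hypothetical inverse of "containAtleastOneOf") are constructed here.
"""
import json

# Constructed sample of the IAM user section of a Scout2-style dump.
SAMPLE_USERS = {
    "alice": {"Groups": [{"GroupName": "Developers"}], "MFADevices": [], "LoginProfile": {"CreateDate": "2024-01-01"}},
    "bob":   {"Groups": [{"GroupName": "ReadOnly"}],   "MFADevices": [], "LoginProfile": {"CreateDate": "2024-01-01"}},
    "carol": {"Groups": [{"GroupName": "Developers"}], "MFADevices": [{"SerialNumber": "constructed"}], "LoginProfile": {}},
    "dave":  {"Groups": [{"GroupName": "Support"}],    "MFADevices": [], "LoginProfile": {"CreateDate": "2024-01-01"}},
    "svc":   {"Groups": [],                             "MFADevices": [], "LoginProfile": {}},  # access keys only, no console password
}

def resolve(obj, path):
    """Walk a dotted path; fan out over lists so 'Groups.GroupName' yields every group name."""
    for part in path.split("."):
        if isinstance(obj, list):
            obj = [item.get(part) for item in obj if isinstance(item, dict)]
        elif isinstance(obj, dict):
            obj = obj.get(part)
        else:
            return None
    return obj

def check(user, path, op, value):
    """Evaluate one [path, operator, value] condition against a single user record."""
    actual = resolve(user, path)
    if op == "containAtleastOneOf":
        return any(v in (actual or []) for v in value)
    if op == "containNoneOf":  # hypothetical: user is in none of the listed groups
        return not any(v in (actual or []) for v in value)
    if op == "empty":
        return not actual
    if op == "notEmpty":
        return bool(actual)
    raise ValueError(f"unknown operator {op!r}")

def list_all(config_json, users=SAMPLE_USERS):
    """Return the names of users for which every condition in the config holds."""
    config = json.loads(config_json)
    return sorted(name for name, user in users.items()
                  if all(check(user, *cond) for cond in config["conditions"]))

# Console users without MFA that are in a named group (thread's original config shape).
IN_GROUPS = json.dumps({"entities": ["iam.Users"], "keys": ["this"], "conditions": [
    ["Groups.GroupName", "containAtleastOneOf", ["Developers"]],
    ["MFADevices", "empty", ""], ["LoginProfile", "notEmpty", ""]]})
# Same check, but for everyone except members of the listed read-only groups.
NOT_IN_GROUPS = json.dumps({"entities": ["iam.Users"], "keys": ["this"], "conditions": [
    ["Groups.GroupName", "containNoneOf", ["ReadOnly"]],
    ["MFADevices", "empty", ""], ["LoginProfile", "notEmpty", ""]]})
```

Note that the "LoginProfile notEmpty" condition is what keeps key-only service users such as "svc" out of both lists, which is also why the group condition alone does not reproduce Scout2's own Lack-of-MFA count.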

l01cd3v avatar l01cd3v commented on September 27, 2024

I created a branch in an attempt to add that functionality, but it's not merged yet because I want to add regression tests for all existing configs and my current tests are incomplete and do not pass with the nightly python build.

If you want to try it, check out the "dev-listall-tests" branch. The config file you would want to modify is under listall-configs/iam-users-without-mfa-not-in-select-groups.json.

For other feature requests or bugs related to that tool, please create new issues. They're easier to track and manage.


leo100 avatar leo100 commented on September 27, 2024

Thanks l01cd3v!

Gotcha.
I gotta go now but I will test this feature tomorrow and update you with the test results.

Cheers,
Leon


leo100 avatar leo100 commented on September 27, 2024

I've just tested it and it works fine!
Tested with a couple of groups.
Can probably be merged into a master branch.

Thank you!

