Categories: Kali Linux

Hayat – Google Cloud Platform & Auditing & Hardening Script

Hayat tool used for Google Cloud Platform Auditing & Hardening Script.

What does that mean Hayat?

Well, I had a hard time finding a unique name, honestly. “Hayat” is a Turkish word which means “Life” in English and also my niece’s name. Are you ready to meet her?

Hayat is a auditing & hardening script for Google Cloud Platform services such as:

  • Identity & Access Management
  • Logging and monitoring
  • Networking
  • Virtual Machines
  • Storage
  • Cloud SQL Instances
  • Kubernetes Clusters

for now.

Also ReadKamerka – Build Interactive Map Of Cameras From Shodan

Identity & Access Management

  • Ensure that corporate login credentials are used instead of Gmail accounts.
  • Ensure that there are only GCP-managed service account keys for each service account.
  • Ensure that ServiceAccount has no Admin privileges.
  • Ensure that IAM users are not assigned Service Account User role at project level.

Logging and Monitoring

  • Ensure that sinks are configured for all Log entries.

Networking

  • Ensure the default network does not exist in a project.
  • Ensure legacy networks does not exists for a project.
  • Ensure that DNSSEC is enabled for Cloud DNS.
  • Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC.
  • Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC.
  • Ensure that RDP access is restricted from the Internet.
  • Ensure Private Google Access is enabled for all subnetwork in VPC Network.
  • Ensure VPC Flow logs is enabled for every subnet in VPC Network.

Virtual Machines

  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
  • Ensure “Block Project-wide SSH keys” enabled for VM instances.
  • Ensure oslogin is enabled for a Project.
  • Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance.
  • Ensure that IP forwarding is not enabled on Instances.

Storage

  • Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
  • Ensure that logging is enabled for Cloud storage bucket.

Cloud SQL Database Services

  • Ensure that Cloud SQL database instance requires all incoming connections to use SSL.
  • Ensure that Cloud SQL database Instances are not open to the world.
  • Ensure that MySql database instance does not allow anyone to connect with administrative privileges.
  • Ensure that MySQL Database Instance does not allows root login from any host.

Kubernetes Engine

  • Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
  • Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Kubernetes Clusters are configured with Labels.
  • Ensure Kubernetes web UI / Dashboard is disabled.
  • Ensure Automatic node repair is enabled for Kubernetes Clusters.
  • Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes.
  • Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
  • Ensure Basic Authentication is disabled on Kubernetes Engine Clusters.

Usage

git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh

You can use with specific functions, e.g if you want to scan just Kubernetes Cluster:

./hayat.sh --only-kubernetes

Screenshots

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago