feat: add 4 new cybersecurity skills - UEBA insider threat, BeyondCorp zero trust, Linux kernel rootkits, CobaltStrike beacon hunting

This commit is contained in:
mukul975
2026-03-11 00:48:50 +01:00
parent 6b32dc4da2
commit 0c26c1eb87
16 changed files with 1371 additions and 0 deletions
@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 Mahipal
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
@@ -0,0 +1,43 @@
---
name: implementing-zero-trust-with-beyondcorp
description: Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.
domain: cybersecurity
subdomain: zero-trust
tags: [zero-trust, beyondcorp, google-cloud, iap, context-aware-access, device-trust, identity]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Implementing Zero Trust with BeyondCorp
## Overview
Google BeyondCorp Enterprise implements the zero trust security model by eliminating the concept of a trusted network perimeter. Instead of relying on VPNs and network location, BeyondCorp authenticates and authorizes every request based on user identity, device posture, and contextual attributes. Identity-Aware Proxy (IAP) serves as the enforcement point, intercepting all requests to protected resources and evaluating them against Access Context Manager policies. This skill covers configuring IAP for web applications, defining access levels based on device trust and network attributes, and auditing access policies for compliance.
## Prerequisites
- Google Cloud project with BeyondCorp Enterprise license
- IAP API enabled (iap.googleapis.com)
- Access Context Manager API enabled (accesscontextmanager.googleapis.com)
- GCP resources to protect (Compute Engine, App Engine, or GKE services)
- Endpoint Verification deployed on managed devices
- Python 3.9+ with google-cloud-iap library
## Steps
### Step 1: Enable IAP on Target Resources
Configure Identity-Aware Proxy on Compute Engine, App Engine, or HTTPS load balancer backends.
### Step 2: Define Access Levels
Create Access Context Manager access levels based on IP ranges, device attributes (OS version, encryption, screen lock), and geographic location.
### Step 3: Bind Access Policies
Apply access levels as IAP conditions to enforce context-aware access decisions on protected resources.
### Step 4: Audit and Monitor
Query IAP audit logs, verify policy enforcement, and identify gaps in zero trust coverage.
## Expected Output
JSON report containing IAP-protected resources, access level definitions, policy binding audit results, and zero trust coverage metrics.
@@ -0,0 +1,92 @@
# API Reference: Implementing Zero Trust with BeyondCorp
## gcloud IAP Commands
```bash
# Enable IAP on backend service
gcloud iap web enable --resource-type=backend-services \
--service=my-backend --project=my-project
# Get IAP IAM policy
gcloud iap web get-iam-policy --project=my-project
# Grant IAP access with access level condition
gcloud iap web add-iam-policy-binding --project=my-project \
--member="group:team@example.com" \
--role="roles/iap.httpsResourceAccessor" \
--condition="expression=accessPolicies/123/accessLevels/corp_device,title=CorpDevice"
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.com
```
## Access Context Manager Commands
```bash
# Create access policy
gcloud access-context-manager policies create --organization=ORG_ID --title="Corp Policy"
# Create access level (device + IP)
gcloud access-context-manager levels create corp_trusted \
--policy=POLICY_ID --title="Corporate Trusted" \
--basic-level-spec=level_spec.yaml
# List access levels
gcloud access-context-manager levels list --policy=POLICY_ID --format=json
```
## Access Level Spec (YAML)
```yaml
conditions:
- ipSubnetworks:
- "10.0.0.0/8"
- "172.16.0.0/12"
devicePolicy:
requireScreenlock: true
osConstraints:
- osType: DESKTOP_WINDOWS
minimumVersion: "10.0.19041"
- osType: DESKTOP_MAC
minimumVersion: "12.0.0"
allowedEncryptionStatuses:
- ENCRYPTED
regions:
- "US"
- "GB"
```
## IAP Roles
| Role | Description |
|------|-------------|
| roles/iap.httpsResourceAccessor | Access IAP-protected resources |
| roles/iap.admin | Full IAP administration |
| roles/iap.settingsAdmin | Modify IAP settings |
| roles/iap.tunnelResourceAccessor | Access via IAP TCP tunneling |
## Python SDK
```python
from google.cloud import iap_v1
client = iap_v1.IdentityAwareProxyAdminServiceClient()
# List tunnel destinations
request = iap_v1.ListTunnelDestGroupsRequest(parent=f"projects/{project}/iap_tunnel/locations/-")
```
## Audit Log Query (Cloud Logging)
```
resource.type="gce_backend_service"
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.methodName="AuthorizeUser"
protoPayload.authenticationInfo.principalEmail!=""
```
### References
- BeyondCorp Enterprise: https://cloud.google.com/beyondcorp
- IAP Concepts: https://cloud.google.com/iap/docs/concepts-overview
- Access Context Manager: https://cloud.google.com/access-context-manager/docs
@@ -0,0 +1,164 @@
#!/usr/bin/env python3
"""BeyondCorp Zero Trust Agent - audits IAP configuration, access levels, and policy bindings."""
import json
import argparse
import logging
import subprocess
from collections import defaultdict
from datetime import datetime
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
def gcloud_json(args_list):
"""Execute gcloud command and return JSON output."""
cmd = ["gcloud"] + args_list + ["--format=json"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
return json.loads(result.stdout) if result.returncode == 0 and result.stdout else []
def list_iap_protected_resources(project):
"""List resources protected by Identity-Aware Proxy."""
backends = gcloud_json(["compute", "backend-services", "list", "--project", project])
protected = []
for backend in backends:
iap = backend.get("iap", {})
protected.append({
"name": backend.get("name", ""),
"iap_enabled": iap.get("enabled", False),
"oauth2_client_id": bool(iap.get("oauth2ClientId", "")),
})
return protected
def get_access_levels(policy_name):
"""Retrieve Access Context Manager access levels."""
levels = gcloud_json(["access-context-manager", "levels", "list", "--policy", policy_name])
parsed = []
for level in levels:
basic = level.get("basic", {})
conditions = basic.get("conditions", [])
parsed.append({
"name": level.get("name", "").split("/")[-1],
"title": level.get("title", ""),
"combining_function": basic.get("combiningFunction", "AND"),
"condition_count": len(conditions),
"has_ip_restriction": any(c.get("ipSubnetworks") for c in conditions),
"has_device_policy": any(c.get("devicePolicy") for c in conditions),
"has_region_restriction": any(c.get("regions") for c in conditions),
})
return parsed
def audit_iap_iam_bindings(project):
"""Audit IAM bindings on IAP-protected resources."""
findings = []
cmd = ["gcloud", "iap", "web", "get-iam-policy", "--project", project, "--format=json"]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
if result.returncode != 0:
return [{"issue": "Cannot retrieve IAP IAM policy", "severity": "high"}]
policy = json.loads(result.stdout) if result.stdout else {}
for binding in policy.get("bindings", []):
role = binding.get("role", "")
members = binding.get("members", [])
condition = binding.get("condition")
if role == "roles/iap.httpsResourceAccessor":
if "allUsers" in members or "allAuthenticatedUsers" in members:
findings.append({
"role": role, "issue": "Public access via allUsers/allAuthenticatedUsers",
"severity": "critical",
"recommendation": "Restrict to specific user/group identities",
})
if not condition:
findings.append({
"role": role, "members": members[:5],
"issue": "IAP binding without access level condition",
"severity": "high",
"recommendation": "Add access level condition for context-aware enforcement",
})
return findings
def audit_access_level_strength(access_levels):
"""Audit access levels for security strength."""
findings = []
for level in access_levels:
if not level["has_device_policy"]:
findings.append({
"access_level": level["name"],
"issue": "No device policy requirement",
"severity": "medium",
"recommendation": "Add device trust requirements (encryption, screen lock, OS version)",
})
if not level["has_ip_restriction"] and not level["has_region_restriction"]:
findings.append({
"access_level": level["name"],
"issue": "No network or geographic restriction",
"severity": "medium",
"recommendation": "Consider adding corporate IP range or geo restrictions",
})
if level["condition_count"] == 0:
findings.append({
"access_level": level["name"],
"issue": "Empty access level with no conditions",
"severity": "high",
})
return findings
def check_endpoint_verification(project):
"""Check Endpoint Verification deployment status."""
devices = gcloud_json(["endpoint-verification", "list", "--project", project])
total = len(devices)
compliant = sum(1 for d in devices if d.get("complianceState") == "COMPLIANT")
return {
"total_devices": total,
"compliant": compliant,
"non_compliant": total - compliant,
"compliance_rate": round(compliant / max(total, 1) * 100, 1),
}
def generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status):
iap_enabled = sum(1 for r in protected if r["iap_enabled"])
all_findings = iam_findings + level_findings
return {
"timestamp": datetime.utcnow().isoformat(),
"framework": "BeyondCorp Enterprise / Zero Trust",
"iap_protected_resources": len(protected),
"iap_enabled_count": iap_enabled,
"iap_coverage": round(iap_enabled / max(len(protected), 1) * 100, 1),
"access_levels_defined": len(access_levels),
"access_level_details": access_levels,
"endpoint_verification": endpoint_status,
"iam_findings": iam_findings,
"access_level_findings": level_findings,
"total_findings": len(all_findings),
"critical_findings": sum(1 for f in all_findings if f.get("severity") == "critical"),
}
def main():
parser = argparse.ArgumentParser(description="BeyondCorp Zero Trust Audit Agent")
parser.add_argument("--project", required=True, help="GCP project ID")
parser.add_argument("--access-policy", required=True, help="Access Context Manager policy ID")
parser.add_argument("--output", default="beyondcorp_audit_report.json")
args = parser.parse_args()
protected = list_iap_protected_resources(args.project)
access_levels = get_access_levels(args.access_policy)
iam_findings = audit_iap_iam_bindings(args.project)
level_findings = audit_access_level_strength(access_levels)
endpoint_status = check_endpoint_verification(args.project)
report = generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status)
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
logger.info("BeyondCorp: %.1f%% IAP coverage, %d access levels, %d findings",
report["iap_coverage"], report["access_levels_defined"], report["total_findings"])
print(json.dumps(report, indent=2, default=str))
if __name__ == "__main__":
main()