mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
feat: add 4 new cybersecurity skills - UEBA insider threat, BeyondCorp zero trust, Linux kernel rootkits, CobaltStrike beacon hunting
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Mahipal
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,43 @@
|
||||
---
|
||||
name: implementing-zero-trust-with-beyondcorp
|
||||
description: Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.
|
||||
domain: cybersecurity
|
||||
subdomain: zero-trust
|
||||
tags: [zero-trust, beyondcorp, google-cloud, iap, context-aware-access, device-trust, identity]
|
||||
version: "1.0"
|
||||
author: mahipal
|
||||
license: Apache-2.0
|
||||
---
|
||||
|
||||
# Implementing Zero Trust with BeyondCorp
|
||||
|
||||
## Overview
|
||||
|
||||
Google BeyondCorp Enterprise implements the zero trust security model by eliminating the concept of a trusted network perimeter. Instead of relying on VPNs and network location, BeyondCorp authenticates and authorizes every request based on user identity, device posture, and contextual attributes. Identity-Aware Proxy (IAP) serves as the enforcement point, intercepting all requests to protected resources and evaluating them against Access Context Manager policies. This skill covers configuring IAP for web applications, defining access levels based on device trust and network attributes, and auditing access policies for compliance.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Google Cloud project with BeyondCorp Enterprise license
|
||||
- IAP API enabled (iap.googleapis.com)
|
||||
- Access Context Manager API enabled (accesscontextmanager.googleapis.com)
|
||||
- GCP resources to protect (Compute Engine, App Engine, or GKE services)
|
||||
- Endpoint Verification deployed on managed devices
|
||||
- Python 3.9+ with google-cloud-iap library
|
||||
|
||||
## Steps
|
||||
|
||||
### Step 1: Enable IAP on Target Resources
|
||||
Configure Identity-Aware Proxy on Compute Engine, App Engine, or HTTPS load balancer backends.
|
||||
|
||||
### Step 2: Define Access Levels
|
||||
Create Access Context Manager access levels based on IP ranges, device attributes (OS version, encryption, screen lock), and geographic location.
|
||||
|
||||
### Step 3: Bind Access Policies
|
||||
Apply access levels as IAP conditions to enforce context-aware access decisions on protected resources.
|
||||
|
||||
### Step 4: Audit and Monitor
|
||||
Query IAP audit logs, verify policy enforcement, and identify gaps in zero trust coverage.
|
||||
|
||||
## Expected Output
|
||||
|
||||
JSON report containing IAP-protected resources, access level definitions, policy binding audit results, and zero trust coverage metrics.
|
||||
@@ -0,0 +1,92 @@
|
||||
# API Reference: Implementing Zero Trust with BeyondCorp
|
||||
|
||||
## gcloud IAP Commands
|
||||
|
||||
```bash
|
||||
# Enable IAP on backend service
|
||||
gcloud iap web enable --resource-type=backend-services \
|
||||
--service=my-backend --project=my-project
|
||||
|
||||
# Get IAP IAM policy
|
||||
gcloud iap web get-iam-policy --project=my-project
|
||||
|
||||
# Grant IAP access with access level condition
|
||||
gcloud iap web add-iam-policy-binding --project=my-project \
|
||||
--member="group:team@example.com" \
|
||||
--role="roles/iap.httpsResourceAccessor" \
|
||||
--condition="expression=accessPolicies/123/accessLevels/corp_device,title=CorpDevice"
|
||||
|
||||
# Enable required APIs
|
||||
gcloud services enable iap.googleapis.com
|
||||
gcloud services enable accesscontextmanager.googleapis.com
|
||||
gcloud services enable beyondcorp.googleapis.com
|
||||
```
|
||||
|
||||
## Access Context Manager Commands
|
||||
|
||||
```bash
|
||||
# Create access policy
|
||||
gcloud access-context-manager policies create --organization=ORG_ID --title="Corp Policy"
|
||||
|
||||
# Create access level (device + IP)
|
||||
gcloud access-context-manager levels create corp_trusted \
|
||||
--policy=POLICY_ID --title="Corporate Trusted" \
|
||||
--basic-level-spec=level_spec.yaml
|
||||
|
||||
# List access levels
|
||||
gcloud access-context-manager levels list --policy=POLICY_ID --format=json
|
||||
```
|
||||
|
||||
## Access Level Spec (YAML)
|
||||
|
||||
```yaml
|
||||
conditions:
|
||||
- ipSubnetworks:
|
||||
- "10.0.0.0/8"
|
||||
- "172.16.0.0/12"
|
||||
devicePolicy:
|
||||
requireScreenlock: true
|
||||
osConstraints:
|
||||
- osType: DESKTOP_WINDOWS
|
||||
minimumVersion: "10.0.19041"
|
||||
- osType: DESKTOP_MAC
|
||||
minimumVersion: "12.0.0"
|
||||
allowedEncryptionStatuses:
|
||||
- ENCRYPTED
|
||||
regions:
|
||||
- "US"
|
||||
- "GB"
|
||||
```
|
||||
|
||||
## IAP Roles
|
||||
|
||||
| Role | Description |
|
||||
|------|-------------|
|
||||
| roles/iap.httpsResourceAccessor | Access IAP-protected resources |
|
||||
| roles/iap.admin | Full IAP administration |
|
||||
| roles/iap.settingsAdmin | Modify IAP settings |
|
||||
| roles/iap.tunnelResourceAccessor | Access via IAP TCP tunneling |
|
||||
|
||||
## Python SDK
|
||||
|
||||
```python
|
||||
from google.cloud import iap_v1
|
||||
client = iap_v1.IdentityAwareProxyAdminServiceClient()
|
||||
# List tunnel destinations
|
||||
request = iap_v1.ListTunnelDestGroupsRequest(parent=f"projects/{project}/iap_tunnel/locations/-")
|
||||
```
|
||||
|
||||
## Audit Log Query (Cloud Logging)
|
||||
|
||||
```
|
||||
resource.type="gce_backend_service"
|
||||
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Fdata_access"
|
||||
protoPayload.methodName="AuthorizeUser"
|
||||
protoPayload.authenticationInfo.principalEmail!=""
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- BeyondCorp Enterprise: https://cloud.google.com/beyondcorp
|
||||
- IAP Concepts: https://cloud.google.com/iap/docs/concepts-overview
|
||||
- Access Context Manager: https://cloud.google.com/access-context-manager/docs
|
||||
@@ -0,0 +1,164 @@
|
||||
#!/usr/bin/env python3
|
||||
"""BeyondCorp Zero Trust Agent - audits IAP configuration, access levels, and policy bindings."""
|
||||
|
||||
import json
|
||||
import argparse
|
||||
import logging
|
||||
import subprocess
|
||||
from collections import defaultdict
|
||||
from datetime import datetime
|
||||
|
||||
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def gcloud_json(args_list):
|
||||
"""Execute gcloud command and return JSON output."""
|
||||
cmd = ["gcloud"] + args_list + ["--format=json"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
|
||||
return json.loads(result.stdout) if result.returncode == 0 and result.stdout else []
|
||||
|
||||
|
||||
def list_iap_protected_resources(project):
|
||||
"""List resources protected by Identity-Aware Proxy."""
|
||||
backends = gcloud_json(["compute", "backend-services", "list", "--project", project])
|
||||
protected = []
|
||||
for backend in backends:
|
||||
iap = backend.get("iap", {})
|
||||
protected.append({
|
||||
"name": backend.get("name", ""),
|
||||
"iap_enabled": iap.get("enabled", False),
|
||||
"oauth2_client_id": bool(iap.get("oauth2ClientId", "")),
|
||||
})
|
||||
return protected
|
||||
|
||||
|
||||
def get_access_levels(policy_name):
|
||||
"""Retrieve Access Context Manager access levels."""
|
||||
levels = gcloud_json(["access-context-manager", "levels", "list", "--policy", policy_name])
|
||||
parsed = []
|
||||
for level in levels:
|
||||
basic = level.get("basic", {})
|
||||
conditions = basic.get("conditions", [])
|
||||
parsed.append({
|
||||
"name": level.get("name", "").split("/")[-1],
|
||||
"title": level.get("title", ""),
|
||||
"combining_function": basic.get("combiningFunction", "AND"),
|
||||
"condition_count": len(conditions),
|
||||
"has_ip_restriction": any(c.get("ipSubnetworks") for c in conditions),
|
||||
"has_device_policy": any(c.get("devicePolicy") for c in conditions),
|
||||
"has_region_restriction": any(c.get("regions") for c in conditions),
|
||||
})
|
||||
return parsed
|
||||
|
||||
|
||||
def audit_iap_iam_bindings(project):
|
||||
"""Audit IAM bindings on IAP-protected resources."""
|
||||
findings = []
|
||||
cmd = ["gcloud", "iap", "web", "get-iam-policy", "--project", project, "--format=json"]
|
||||
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
|
||||
if result.returncode != 0:
|
||||
return [{"issue": "Cannot retrieve IAP IAM policy", "severity": "high"}]
|
||||
policy = json.loads(result.stdout) if result.stdout else {}
|
||||
for binding in policy.get("bindings", []):
|
||||
role = binding.get("role", "")
|
||||
members = binding.get("members", [])
|
||||
condition = binding.get("condition")
|
||||
if role == "roles/iap.httpsResourceAccessor":
|
||||
if "allUsers" in members or "allAuthenticatedUsers" in members:
|
||||
findings.append({
|
||||
"role": role, "issue": "Public access via allUsers/allAuthenticatedUsers",
|
||||
"severity": "critical",
|
||||
"recommendation": "Restrict to specific user/group identities",
|
||||
})
|
||||
if not condition:
|
||||
findings.append({
|
||||
"role": role, "members": members[:5],
|
||||
"issue": "IAP binding without access level condition",
|
||||
"severity": "high",
|
||||
"recommendation": "Add access level condition for context-aware enforcement",
|
||||
})
|
||||
return findings
|
||||
|
||||
|
||||
def audit_access_level_strength(access_levels):
|
||||
"""Audit access levels for security strength."""
|
||||
findings = []
|
||||
for level in access_levels:
|
||||
if not level["has_device_policy"]:
|
||||
findings.append({
|
||||
"access_level": level["name"],
|
||||
"issue": "No device policy requirement",
|
||||
"severity": "medium",
|
||||
"recommendation": "Add device trust requirements (encryption, screen lock, OS version)",
|
||||
})
|
||||
if not level["has_ip_restriction"] and not level["has_region_restriction"]:
|
||||
findings.append({
|
||||
"access_level": level["name"],
|
||||
"issue": "No network or geographic restriction",
|
||||
"severity": "medium",
|
||||
"recommendation": "Consider adding corporate IP range or geo restrictions",
|
||||
})
|
||||
if level["condition_count"] == 0:
|
||||
findings.append({
|
||||
"access_level": level["name"],
|
||||
"issue": "Empty access level with no conditions",
|
||||
"severity": "high",
|
||||
})
|
||||
return findings
|
||||
|
||||
|
||||
def check_endpoint_verification(project):
|
||||
"""Check Endpoint Verification deployment status."""
|
||||
devices = gcloud_json(["endpoint-verification", "list", "--project", project])
|
||||
total = len(devices)
|
||||
compliant = sum(1 for d in devices if d.get("complianceState") == "COMPLIANT")
|
||||
return {
|
||||
"total_devices": total,
|
||||
"compliant": compliant,
|
||||
"non_compliant": total - compliant,
|
||||
"compliance_rate": round(compliant / max(total, 1) * 100, 1),
|
||||
}
|
||||
|
||||
|
||||
def generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status):
|
||||
iap_enabled = sum(1 for r in protected if r["iap_enabled"])
|
||||
all_findings = iam_findings + level_findings
|
||||
return {
|
||||
"timestamp": datetime.utcnow().isoformat(),
|
||||
"framework": "BeyondCorp Enterprise / Zero Trust",
|
||||
"iap_protected_resources": len(protected),
|
||||
"iap_enabled_count": iap_enabled,
|
||||
"iap_coverage": round(iap_enabled / max(len(protected), 1) * 100, 1),
|
||||
"access_levels_defined": len(access_levels),
|
||||
"access_level_details": access_levels,
|
||||
"endpoint_verification": endpoint_status,
|
||||
"iam_findings": iam_findings,
|
||||
"access_level_findings": level_findings,
|
||||
"total_findings": len(all_findings),
|
||||
"critical_findings": sum(1 for f in all_findings if f.get("severity") == "critical"),
|
||||
}
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="BeyondCorp Zero Trust Audit Agent")
|
||||
parser.add_argument("--project", required=True, help="GCP project ID")
|
||||
parser.add_argument("--access-policy", required=True, help="Access Context Manager policy ID")
|
||||
parser.add_argument("--output", default="beyondcorp_audit_report.json")
|
||||
args = parser.parse_args()
|
||||
|
||||
protected = list_iap_protected_resources(args.project)
|
||||
access_levels = get_access_levels(args.access_policy)
|
||||
iam_findings = audit_iap_iam_bindings(args.project)
|
||||
level_findings = audit_access_level_strength(access_levels)
|
||||
endpoint_status = check_endpoint_verification(args.project)
|
||||
report = generate_report(protected, access_levels, iam_findings, level_findings, endpoint_status)
|
||||
with open(args.output, "w") as f:
|
||||
json.dump(report, f, indent=2, default=str)
|
||||
logger.info("BeyondCorp: %.1f%% IAP coverage, %d access levels, %d findings",
|
||||
report["iap_coverage"], report["access_levels_defined"], report["total_findings"])
|
||||
print(json.dumps(report, indent=2, default=str))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user