Application whitelisting/blacklisting & end-user notifications for GSuite

Primary language: Python. License: Apache License 2.0 (Apache-2.0)

oaudit

Why

OAuth grants make it easier than ever to unintentionally give full access to employee and company data in the cloud to Phishermen/women, companies that data mine, and other undesirables.

This toolkit enables you to keep records about what access is shared and educate the users about the scopes that they grant an application. Currently the Google API does not allow our tooling to take an active role in deciding what access is granted.

Features

  • Writes all GSuite token events to Elasticsearch
  • Notifies users upon authorizing untrusted or blacklisted apps
  • Revokes access to blacklisted apps
  • Educates end-users by visualizing risk rating of uncategorized apps using color-coded templates
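The decision flow implied by the feature list above, as an added Python example; it is not oaudit's own code. The policy lists, the scope risk tiers, the simplified event shape, and treating any app on neither list as uncategorized are assumptions.

```python
# Added illustration, not oaudit source code. Lists, tiers and event shape are assumptions.
from typing import NamedTuple

# Hypothetical policy lists keyed by OAuth client ID (constructed values).
BLACKLIST = {"111-bad.apps.googleusercontent.com"}
WHITELIST = {"222-corp.apps.googleusercontent.com"}

# Assumed risk tiers; scopes in neither set (read-only or unknown) rate yellow.
HIGH = {"https://mail.google.com/",
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/admin.directory.user"}
LOW = {"openid", "email", "profile",
       "https://www.googleapis.com/auth/userinfo.email",
       "https://www.googleapis.com/auth/userinfo.profile"}


class Decision(NamedTuple):
    revoke: bool
    notify: bool
    color: str  # which color-coded notification template to use


def rate_scopes(scopes):
    """Rate a grant by its riskiest scope; green only if every scope is known-low."""
    if any(s in HIGH for s in scopes):
        return "red"
    if scopes and all(s in LOW for s in scopes):
        return "green"
    return "yellow"


def decide(event):
    """Map one token event to revoke/notify actions, checking the blacklist first."""
    if event["name"] != "authorize":          # e.g. "revoke": nothing to act on
        return Decision(False, False, "none")
    if event["client_id"] in BLACKLIST:
        return Decision(True, True, "red")
    if event["client_id"] in WHITELIST:
        return Decision(False, False, "green")
    return Decision(False, True, rate_scopes(event.get("scopes", [])))


# Constructed sample events (simplified shape, not the raw Admin API response).
SAMPLE_EVENTS = [
    {"name": "authorize", "client_id": "111-bad.apps.googleusercontent.com",
     "scopes": ["openid"]},
    {"name": "authorize", "client_id": "999-new.apps.googleusercontent.com",
     "scopes": ["email", "https://www.googleapis.com/auth/gmail.readonly"]},
]
```

Note that a blacklisted app is revoked even when it asks only for `openid`, and an empty or unrecognized scope list never rates green.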

Components

oaudit-collector

Indexes authorization events from the Google Admin API into Elasticsearch.

oaudit-notifier

Sends notifications with educational information about OAuth scopes.

Architecture diagram

[Image: oaudit toolkit architecture diagram]

Getting started

Prerequisites

Creating your Google project

  1. Verify that you are a Google Admin or Superadmin with permission to access the Admin Directory SDK API. Note: OAudit works with a standard admin account, but you will not be able to revoke tokens that belong to other admins.

  2. Follow Google’s Python Quickstart Guide to create a project with the Admin SDK API enabled.

  3. Create a service account under your new project.

  4. Save the service account secret file (default: client_secret.json).

Standalone

Starting oaudit-collector standalone

  1. Install oaudit-collector requirements:

    sudo pip3 install -r collector/requirements.txt

  2. Place the service account secret in a safe location.

  3. Run oaudit-collector with CLI args:

    python3 collector/collector.py \
        --secret-file "/run/secrets/oauth-notify" \
        --service-account-email "svcaccount@domain.com" \
        --elasticsearch-hosts "esnode1:9200,esnode2:9200"

Starting oaudit-notifier standalone

  1. Install oaudit-notifier requirements:

    sudo pip3 install -r notifier/requirements.txt

  2. Run oaudit-notifier with CLI args:

    python3 notifier/notifier.py \
        --secret-file "/run/secrets/oauth-notify" \
        --service-account-email "svcaccount@domain.com" \
        --elasticsearch-hosts "esnode1:9200,esnode2:9200" \
        --sender-email "yourapp@domain.com" \
        --smtp-server "smtp.domain.com" \
        --test-email "youremail@domain.com" \
        --elasticsearch-index "index"