ElectricEye

ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, Security Posture Management & Attack Surface Monitoring supporting 100s of services and evaluations to harden your CSP & SaaS environments with controls mapped to over 20 industry, regulatory, and best practice controls frameworks

Up here in space
I'm looking down on you
My lasers trace
Everything you do
Judas Priest, 1982

Quick Run Down

  • ElectricEye is a Python CLI tool that offers cross-Account, cross-Region, multi-Cloud & SaaS Asset Management, Security Posture Management, and Attack Surface Monitoring capabilities across AWS (all Partitions supported), GCP, Oracle Cloud Infrastructure (OCI), ServiceNow, Microsoft 365 Enterprise (M365), Salesforce (SFDC), and Azure.

  • ElectricEye offers over 1000 Checks against security, resilience, performance, and financial best practices across more than 100 CSP & SaaS services, including atypical services not supported by CSP/SaaS-native asset management tools/views or mainstream CSPM & CNAPP tools.

  • Every single Check is mapped to over 20 controls frameworks covering general best practices, regulatory, industry-specific, and legal frameworks such as NIST CSF, AICPA TSCs (for SOC 2), the HIPAA Security Rule, NIST 800-171 Rev. 2, CMMC V2.0, European Central Bank's CROE Section 2, PCI-DSS V4.0, CIS Foundations Benchmarks, and more!

  • Multi-faceted Attack Surface Monitoring uses tools such as VirusTotal, Nmap, Shodan.io, Detect-Secrets, and CISA's KEV to locate assets indexed on the internet, find exposed services, locate exploitable vulnerabilities, and detect malicious packages in artifact repositories, respectively.

  • Outputs to AWS Security Hub, the Open Cyber Security Framework (OCSF) V1.1.0 in JSON, AWS DocumentDB, JSON, CSV, HTML Reports, MongoDB, Amazon SQS, PostgreSQL, Slack (via Slack App Bots), and FireMon Cloud Defense.

ElectricEye's core concept is the Auditor: Auditors are sets of Python scripts that run Checks per Service, each dedicated to a specific SaaS vendor or public cloud service provider, called an Assessment Target. You can run an entire Assessment Target, a specific Auditor, or a specific Check within an Auditor. After ElectricEye is done with evaluations, it supports over a dozen types of Outputs, ranging from an HTML executive report to AWS DocumentDB clusters, and you can run multiple Outputs as you see fit.

ElectricEye also utilizes other tools such as Shodan.io, Yelp's detect-secrets, VirusTotal, the United States Cyber and Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) Catalog, and NMAP for carrying out its Checks and enriching their findings.

  1. First, clone this repository and install the requirements using pip3: pip3 install -r requirements.txt.

  2. If you are evaluating anything other than your local AWS Account, modify the TOML configuration located in ElectricEye/eeauditor/external_providers.toml, or provide a path to your own with --toml-path. The TOML file specifies multi-account, multi-region, credential, and output specifics.

  3. Finally, run the Controller to learn about the various Checks, Auditors, Assessment Targets, and Outputs.

python3 eeauditor/controller.py --help
Usage: controller.py [OPTIONS]

Options:
  -t, --target-provider [AWS|Azure|OCI|GCP|Servicenow|M365|Salesforce|Snowflake]
                                  Public cloud or SaaS assessment target,
                                  ensure that any -a or -c arg maps to your
                                  target provider to avoid any errors. e.g.,
                                  -t AWS -a Amazon_APGIW_Auditor
  -a, --auditor-name TEXT         Specify which Auditor you want to run by
                                  using its name NOT INCLUDING .py. . Use the
                                  --list-checks arg to receive a list.
                                  Defaults to ALL Auditors
  -c, --check-name TEXT           A specific Check in a specific Auditor you
                                  want to run, this correlates to the function
                                  name. Use the --list-checks arg to receive a
                                  list. Defaults to ALL Checks
  -d, --delay INTEGER             Time in seconds to sleep between Auditors
                                  being ran, defaults to 0. Use this argument
                                  to avoid rate limiting
  -o, --outputs TEXT              A list of Outputs (files, APIs, databases,
                                  ChatOps) to send ElectricEye Findings,
                                  specify multiple with additional arguments:
                                  -o csv -o postgresql -o slack  [default:
                                  ocsf_stdout]
  -of, --output-file TEXT         For file outputs such as JSON and CSV, the
                                  name of the file, DO NOT SPECIFY .file_type
                                  [default: output]
  -lo, --list-options             Lists all valid Output options
  -lch, --list-checks             Prints a table of Auditors, Checks, and
                                  Check descriptions to stdout - use this
                                  command for help with populating -a (Auditor
                                  selection) or -c (Check selection) args
  -lco, --list-controls           Lists all ElectricEye controls - that is to
                                  say: the Check Titles - for an Assessment
                                  Target
  -tp, --toml-path TEXT           The full path to the TOML file used for
                                  configure e.g.,
                                  ~/path/to/mydir/external_providers.toml. If
                                  this value is not provided the default path
                                  of ElectricEye/eeauditor/external_providers.
                                  toml is used.
  --help                          Show this message and exit.
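
The help text above puts constraints on several arguments: the target provider must be one of the listed choices, Auditor names are given without .py, output file names without a file type, and the delay is an integer. The wrapper below checks those before a scheduled or CI run; it is an added example, not part of ElectricEye, and ee_is_name, ee_build_cmd and the sample arguments are assumptions (only flags shown in the help output are used).

```sh
# Added example (not ElectricEye code): pre-flight validation of controller
# arguments against the constraints stated in the --help output.
# ee_is_name / ee_build_cmd and the sample values are hypothetical.
EE_PROVIDERS="AWS Azure OCI GCP Servicenow M365 Salesforce Snowflake"

# True only for a non-empty string of letters, digits and underscores, so no
# path separators, dots or shell metacharacters reach the command line.
ee_is_name() { case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac; }

# Usage: ee_build_cmd PROVIDER AUDITOR OUTFILE DELAY [OUTPUT...]
# AUDITOR may be "" (the controller then defaults to ALL Auditors).
# Prints the command line on stdout; returns 2 on a rejected argument.
ee_build_cmd() {
    [ "$#" -ge 4 ] || { echo "usage: ee_build_cmd PROVIDER AUDITOR OUTFILE DELAY [OUTPUT...]" >&2; return 2; }
    local provider="$1" auditor="$2" outfile="$3" delay="$4" o cmd
    shift 4
    # -t must be one of the listed choices; matched exactly here.
    case " $EE_PROVIDERS " in
        *" $provider "*) ee_is_name "$provider" ;;
        *) false ;;
    esac || { echo "unknown target provider: $provider" >&2; return 2; }
    # -a takes the Auditor name NOT INCLUDING .py
    case "$auditor" in
        *.py) echo "auditor name must not include .py: $auditor" >&2; return 2 ;;
    esac
    [ -z "$auditor" ] || ee_is_name "$auditor" || { echo "invalid auditor name: $auditor" >&2; return 2; }
    # -of takes a bare file name (DO NOT SPECIFY .file_type)
    ee_is_name "$outfile" || { echo "output file must be a bare name: $outfile" >&2; return 2; }
    # -d is an INTEGER number of seconds
    case "$delay" in
        ''|*[!0-9]*) echo "delay must be whole seconds: $delay" >&2; return 2 ;;
    esac
    cmd="python3 eeauditor/controller.py -t $provider"
    if [ -n "$auditor" ]; then cmd="$cmd -a $auditor"; fi
    cmd="$cmd -d $delay -of $outfile"
    # Each Output gets its own -o flag; none means the default (ocsf_stdout).
    for o in "$@"; do
        ee_is_name "$o" || { echo "invalid output name: $o" >&2; return 2; }
        cmd="$cmd -o $o"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample call using names that appear in the help text.
ee_build_cmd AWS Amazon_APGIW_Auditor findings 2 csv postgresql
```

The function only prints the command, so the result can be reviewed or logged before anything runs against an account.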

For more information see here; you can read the FAQ here, information on Outputs is here, or, if you want a more in-depth analysis of the control flow and concepts, review the Developer Guide.

Configuring ElectricEye

Refer to sub-headings for per-CSP or per-SaaS setup instructions. Go to Outputs to
