Application whitelisting/blacklisting & end-user notifications for GSuite
OAuth grants make it easier than ever for an employee to unintentionally hand full access to employee and company data in the cloud to phishers, data-mining companies and other undesirables.
This toolkit lets you keep records of what access has been shared and educate users about the scopes they grant to an application. Currently the Google API does not allow our tooling to take an active role in deciding what access is granted.
oaudit-collector: indexes authorization events from the Google Admin API into Elasticsearch.
oaudit-notifier: sends notifications with educational information about OAuth scopes.
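The collector's indexing step and the whitelist/blacklist idea from the title, as an added example that is not OAudit's own code: it flattens one Google Admin Reports API "token" activity (the OAuth authorize event) into an index-ready document, checks the client_id against allow/deny lists, and flags scopes that deserve an educational note in the notification. The event layout, sample values, policy tables and function names are assumptions, not taken from the project.

```python
# Added example, not OAudit's own code: flatten a Google Admin Reports API
# "token" activity (an OAuth "authorize" event) into an index-ready document,
# apply allow/deny lists and flag scopes that deserve an educational note.
# Event layout, sample values and policy tables are constructed assumptions.

SAMPLE_ACTIVITY = {  # constructed activity, applicationName="token"
    "id": {"time": "2020-05-01T12:00:00.000Z", "applicationName": "token"},
    "actor": {"email": "alice@example.com"},
    "events": [{"type": "auth", "name": "authorize", "parameters": [
        {"name": "client_id", "value": "1234.apps.googleusercontent.com"},
        {"name": "app_name", "value": "Cool Calendar Helper"},
        {"name": "scope", "multiValue": ["https://mail.google.com/",
            "https://www.googleapis.com/auth/calendar.readonly"]}]}],
}

# Hypothetical policy: allow/deny lists keyed on the OAuth client_id.
ALLOWED_CLIENT_IDS = {"5678.apps.googleusercontent.com"}
DENIED_CLIENT_IDS = {"9999.apps.googleusercontent.com"}

# Scopes that warrant a plain-language warning in the user notification.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "read, send and delete all of your email",
    "https://www.googleapis.com/auth/drive": "read and modify every Drive file",
}

def _params(event):
    """Turn the Reports API parameter list into a dict (multiValue wins)."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def classify(client_id):
    """Deny list beats allow list; unknown apps are left for review."""
    if client_id in DENIED_CLIENT_IDS:
        return "denied"
    return "allowed" if client_id in ALLOWED_CLIENT_IDS else "unreviewed"

def authorize_docs(activity):
    """Return one flat document per 'authorize' event in the activity."""
    docs = []
    for ev in [e for e in activity.get("events", []) if e.get("name") == "authorize"]:
        p = _params(ev)
        cid, scopes = p.get("client_id", ""), list(p.get("scope") or [])
        docs.append({"timestamp": activity["id"]["time"],
                     "user": activity["actor"]["email"],
                     "client_id": cid, "app_name": p.get("app_name"),
                     "scopes": scopes, "verdict": classify(cid),
                     "sensitive": {s: SENSITIVE_SCOPES[s]
                                   for s in scopes if s in SENSITIVE_SCOPES}})
    return docs
```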
Verify that you are a Google Admin or Superadmin with permission to access the Admin Directory SDK API. Note: OAudit works with a standard admin account, but you will not be able to revoke tokens that belong to other admins.
Follow Google’s Python Quickstart Guide to create a project with the Admin SDK API enabled.
Create a service account under your new project.
Save the service account secret file (default: client_secret.json).
Install the oaudit-collector requirements:
sudo pip3 install -r collector/requirements.txt
Place the service account secret in a safe location.
Run oaudit-collector with CLI args:
python3 collector/collector.py \
--secret-file "/run/secrets/oauth-notify" \
--service-account-email "svcaccount@domain.com" \
--elasticsearch-hosts "esnode1:9200,esnode2:9200"
Install the oaudit-notifier requirements:
sudo pip3 install -r notifier/requirements.txt
Run oaudit-notifier with CLI args:
python3 notifier/notifier.py \
--secret-file "/run/secrets/oauth-notify" \
--service-account-email "svcaccount@domain.com" \
--elasticsearch-hosts "esnode1:9200,esnode2:9200" \
--sender-email "yourapp@domain.com" \
--smtp-server "smtp.domain.com" \
--test-email "youremail@domain.com" \
--elasticsearch-index "index"