A scanner for running security-related configuration checks such as CIS benchmarks

Overview

Localtoast

Localtoast is a scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner.

The scanner can either be used as a standalone binary to scan the local machine or as a library with a custom wrapper to perform scans on e.g. container images or remote hosts.

How to use

As a standalone binary:

  1. bazel build localtoast
  2. ./bazel-bin/localtoast_/localtoast --config=configs/example.textproto --result=scan-result.textproto

As a library:

  1. Import library/scanner.go in your Go project
  2. Write a custom implementation for the ScanAPIProvider interface
  3. Call scanner.Scanner{}.Scan() with the appropriate config and the implementation

See the scan config and result protos for details on the input and output formats.
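In library mode the scanner is handed an implementation of an access interface, which is what lets the same checks run on a local host, a container image or a remote machine. The following Go program is an added illustration of that pattern and is not Localtoast's own code: Go's fs.FS stands in for the ScanAPIProvider interface, and the PermCheck type, the three CIS-style file-permission items and the in-memory image are constructed for the example.

```go
package main

import (
	"fmt"
	"io/fs"
	"testing/fstest"
)

// PermCheck is a constructed CIS-style item: Path (relative to the scanned root,
// as fs.FS requires) must exist and carry no permission bit beyond MaxMode.
type PermCheck struct {
	ID      string
	Path    string
	MaxMode fs.FileMode // e.g. 0640 for /etc/shadow
}

// RunChecks returns the reason for each non-compliant check, keyed by check ID
// (compliant checks are absent). Checks only see an fs.FS, so they run unchanged
// on the local host (os.DirFS("/")), an unpacked image directory or a test FS.
func RunChecks(fsys fs.FS, checks []PermCheck) map[string]string {
	findings := make(map[string]string)
	for _, c := range checks {
		info, err := fs.Stat(fsys, c.Path)
		switch {
		case err != nil: // a missing file is a finding, not a silent pass
			findings[c.ID] = fmt.Sprintf("stat %s: %v", c.Path, err)
		case info.Mode().Perm()&^c.MaxMode.Perm() != 0: // bits set that MaxMode forbids
			findings[c.ID] = fmt.Sprintf("%s is %04o, expected at most %04o",
				c.Path, info.Mode().Perm(), c.MaxMode.Perm())
		}
	}
	return findings
}

// ImageFS is a constructed in-memory "container image" so the example runs
// offline; a real wrapper would open the image's unpacked root filesystem.
func ImageFS() fs.FS {
	return fstest.MapFS{
		"etc/passwd": {Data: []byte("root:x:0:0::/root:/bin/sh\n"), Mode: 0644},
		"etc/shadow": {Data: []byte("root:*:19000:0:99999:7:::\n"), Mode: 0666}, // world-writable
	}
}

func main() {
	checks := []PermCheck{{"passwd", "etc/passwd", 0644}, {"shadow", "etc/shadow", 0640}, {"gshadow", "etc/gshadow", 0640}}
	findings := RunChecks(ImageFS(), checks) // swap in os.DirFS("/") to scan the local machine
	for _, c := range checks {
		fmt.Printf("%-8s compliant=%-5v %s\n", c.ID, findings[c.ID] == "", findings[c.ID])
	}
}
```

Running it against the sample image reports the world-writable shadow file and the absent gshadow file as findings while passwd passes.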

Contributing

Read how to contribute to Localtoast.

License

Localtoast is released under the Apache 2.0 license.

Copyright 2021 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Disclaimers

Localtoast is not an official Google product.

Comments
  • Consider adding `/scannerlib/proto` as part of source control

    Currently, in a clean repo state, the Go module has unknown dependencies that exist only after a build has happened (or the build-proto.sh script is run):

    ❯ go mod tidy
    go: finding module for package github.com/google/localtoast/scannerlib/proto/severity_go_proto
    go: finding module for package github.com/google/localtoast/scannerlib/proto/compliance_go_proto
    go: finding module for package github.com/google/localtoast/scannerlib/proto/scan_instructions_go_proto
    go: finding module for package github.com/google/localtoast/scannerlib/proto/api_go_proto
    github.com/google/localtoast imports
            github.com/google/localtoast/scannerlib/proto/api_go_proto: no matching versions for query "latest"
    github.com/google/localtoast/configs/genfullconfig/genfullconfiglib imports
            github.com/google/localtoast/scannerlib/proto/compliance_go_proto: no matching versions for query "latest"
    github.com/google/localtoast/configs/genfullconfig/genfullconfiglib imports
            github.com/google/localtoast/scannerlib/proto/scan_instructions_go_proto: no matching versions for query "latest"
    github.com/google/localtoast/configs tested by
            github.com/google/localtoast/configs.test imports
            github.com/google/localtoast/scannerlib/proto/severity_go_proto: no matching versions for query "latest"
    
    ❯ make
    ./build_protos.sh
    --2022-09-06 17:37:44--  https://github.com/grafeas/grafeas/archive/0163b5bb2ff5afbf059ddf472fb4d128faae85e3.tar.gz
    Resolving github.com (github.com)... 192.30.255.112
    Connecting to github.com (github.com)|192.30.255.112|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://codeload.github.com/grafeas/grafeas/tar.gz/0163b5bb2ff5afbf059ddf472fb4d128faae85e3 [following]
    --2022-09-06 17:37:45--  https://codeload.github.com/grafeas/grafeas/tar.gz/0163b5bb2ff5afbf059ddf472fb4d128faae85e3
    Resolving codeload.github.com (codeload.github.com)... 192.30.255.120
    Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/x-gzip]
    Saving to: ‘0163b5bb2ff5afbf059ddf472fb4d128faae85e3.tar.gz’
    
    0163b5bb2ff5afbf059ddf472fb4d128faae85e3.tar.gz                        [         <=>                                                                                                                                                  ]   9.24M  5.24MB/s    in 1.8s
    
    2022-09-06 17:37:47 (5.24 MB/s) - ‘0163b5bb2ff5afbf059ddf472fb4d128faae85e3.tar.gz’ saved [9694009]
    
    go build localtoast.go
    

    After the fact, go mod is able to resolve the dependencies correctly. Looks like it's primarily the dependency on github.com/grafeas/grafeas. This creates an interlinking of code sources in the build tree that do not exist as part of the source control.

    Would it be possible to add github.com/grafeas/grafeas as part of the source control? Possibly as a git submodule or maybe a static code dependency?

    This makes building from an air-gapped / non-networked environment much more challenging since the entire source code is not in the base repo.

    opened by jpmcb 0
  • Need documentation on `protoc` buildtime dependency

    On attempting to build the localtoast binary per the README.md instructions from the v1.1.4.3 code tarball:

    ❯ make
    go install google.golang.org/protobuf/cmd/protoc-gen-go
    protoc -I=. --go_out=. scannerlib/proto/*.proto
    /bin/sh: line 1: protoc: command not found
    make: *** [Makefile:5: localtoast] Error 127
    

    Seems that it's expected to build the gRPC protos before a build is executed through the build_protos.sh script.

    It'd be nice if this was documented or if there was a different make target provided that didn't require the protos to be created before the binary is built.

    opened by jpmcb 0
Releases (v1.1.4.3)
  • v1.1.4.3 (Mar 14, 2022)

  • v1.1.4.2 (Mar 9, 2022)

    Minor revision, changes since 1.1.4.1:

    • Adjusted the COS config files to be in line with the benchmark document.
    • Fixed race condition with traversing the /proc directory.
  • v1.1.4.1 (Feb 11, 2022)

    Minor revision, changes since 1.1.4:

    • Added CLI flag for excluding checks with higher CIS profile levels
    • Reduced the CIS profile level of some COS benchmarks
    • Changed return status for failed or non-compliant scans
  • v1.1.4 (Jan 24, 2022)

    Changes since 1.1.3:

    • Miscellaneous benchmark fixes
    • Released config files for COS 97
    • Removed the Bazel-related build files
    • Made building compatible with older Go versions
    • More work on de-duplicating benchmark configs
  • v1.1.3.1 (Jan 7, 2022)

    Minor revision, changes since 1.1.3:

    • Cleaned some things up around the "go build" compilation
    • Made things compatible with older Go versions
    • Removed Bazel-based compilation capabilities
  • v1.1.3 (Jan 5, 2022)

    Changes since 1.1.2:

    • Made compilation with "go build" possible
    • Fixed some of the checks in the COS benchmark config
    • Started work on de-duplicating benchmark configs
  • v1.1.2 (Dec 7, 2021)

    Changes since 1.1.1:

    • Added more detailed error logging
    • Set a maximum traversal depth to mitigate loops in cyclic filesystems
    • Expanded the RepeatConfig instruction capabilities
    • Changed the build rules to work with Bazel 3.7.2
Owner

Google