    def test_project_with_no_violations(self):
        """A project whose audit config satisfies every rule yields no violations."""
        rules_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
        engine.build_rule_book()
        # Sanity-check the fixture: the valid rules file is expected to carry
        # rules for 5 distinct resources; any other count means it was mis-parsed.
        self.assertEqual(5, len(engine.rule_book.resource_rules_map))

        # proj-1's audit config, keyed by service, then by log type; the inner
        # sets presumably list exempted members (see `unexpected_exemptions`
        # on RuleViolation) — confirm against IamAuditConfig.
        # NOTE(review): which log types each rule requires lives in the fixture
        # rules file, which is not visible here.
        service_configs = {
            'allServices': {
                'ADMIN_READ': set(),
                'DATA_READ': set(),
            },
            'compute.googleapis.com': {
                'DATA_WRITE': {'user:[email protected]'},
            },
            'cloudsql.googleapis.com': {
                'DATA_WRITE': set(),
            },
            'logging.googleapis.com': {
                'DATA_READ': {'user:[email protected]'},
            },
        }
        found = engine.find_violations(
            self.proj_1, IamAuditConfig(service_configs))
        self.assertEqual(set(), found)
 def test_build_rule_book_invalid_mode_fails(self):
     """A rule with an unrecognised mode is rejected when the rule book is built."""
     invalid_rules = get_datafile_path(
         __file__, 'audit_logging_test_invalid_rules.yaml')
     engine = alre.AuditLoggingRulesEngine(rules_file_path=invalid_rules)
     # The schema error is expected from build_rule_book(), not from the
     # constructor, so only that call sits inside the assertRaises block.
     with self.assertRaises(InvalidRulesSchemaError):
         engine.build_rule_book()
    def test_project_with_missing_log_configs(self):
        """Each required log type missing from a project's config is reported."""
        rules_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
        engine.build_rule_book()
        # Sanity-check the fixture: 5 distinct resources carry rules.
        self.assertEqual(5, len(engine.rule_book.resource_rules_map))

        # proj-2's config deliberately leaves out DATA_WRITE on allServices and
        # DATA_READ on compute. Per the original author, folder 56 requires
        # ADMIN_READ+DATA_WRITE everywhere and compute needs all 3 log types;
        # the fixture rules file itself is not visible here.
        service_configs = {
            'allServices': {'ADMIN_READ': set()},
            'compute.googleapis.com': {'DATA_WRITE': set()},
            'cloudsql.googleapis.com': {'DATA_WRITE': set()},
        }
        found = engine.find_violations(
            self.proj_2, IamAuditConfig(service_configs))

        def proj_2_violation(rule_name, rule_index, service, log_type):
            # Every expected violation shares the same proj-2 resource fields;
            # only the rule and the missing log type differ.
            return alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='proj-2',
                resource_name='My project 2',
                full_name='organization/234/folder/56/project/proj-2/',
                rule_name=rule_name,
                rule_index=rule_index,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service=service,
                log_type=log_type,
                unexpected_exemptions=None,
                resource_data='fake_project_data_4562')

        expected = {
            proj_2_violation(
                'Require DATA_WRITE logging in folder 56', 1,
                'allServices', 'DATA_WRITE'),
            proj_2_violation(
                'Require all logging for compute, with exemptions.', 2,
                'compute.googleapis.com', 'DATA_READ'),
        }
        self.assertEqual(expected, found)
 def test_build_rule_book_from_local_yaml_file_works(self):
     """Loading the valid fixture file produces the expected rule resources."""
     rules_path = get_datafile_path(
         __file__, 'audit_logging_test_valid_rules.yaml')
     engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
     engine.build_rule_book()
     # The fixture rules file covers 5 distinct resources.
     self.assertEqual(5, len(engine.rule_book.resource_rules_map))
     # Compare sorted names so the map's iteration order cannot affect the
     # outcome; only the set of resources matters here.
     actual_names = sorted(
         resource.name for resource in engine.rule_book.resource_rules_map)
     self.assertEqual(
         ['folders/56', 'projects/*', 'projects/proj-1', 'projects/proj-2',
          'projects/proj-3'],
         actual_names)
    def __init__(self, global_configs, scanner_configs, service_config,
                 model_name, snapshot_timestamp, rules):
        """Set up the scanner and its audit-logging rules engine.

        Args:
            global_configs (dict): Global configurations.
            scanner_configs (dict): Scanner configurations.
            service_config (ServiceConfig): Forseti 2.0 service configs
            model_name (str): name of the data model
            snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ.
            rules (str): Fully-qualified path and filename of the rules file.
        """
        base_init = super(AuditLoggingScanner, self).__init__
        base_init(global_configs, scanner_configs, service_config,
                  model_name, snapshot_timestamp, rules)
        # The engine reads rules/snapshot_timestamp/global_configs back from
        # self, so it relies on the base initializer having stored them.
        engine = audit_logging_rules_engine.AuditLoggingRulesEngine(
            rules_file_path=self.rules,
            snapshot_timestamp=self.snapshot_timestamp)
        self.rules_engine = engine
        # Building the rule book eagerly means a problem in the rules file
        # surfaces when the scanner is constructed rather than later on.
        engine.build_rule_book(self.global_configs)
    def test_project_with_no_configs(self):
        """A project with no audit config at all is reported for every required log type.

        This is the important negative case: an absent config must not be
        treated as "nothing to check" and silently pass.
        """
        rules_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        engine = alre.AuditLoggingRulesEngine(rules_file_path=rules_path)
        engine.build_rule_book()
        # Sanity-check the fixture: 5 distinct resources carry rules.
        self.assertEqual(5, len(engine.rule_book.resource_rules_map))

        # Per the original author, proj-3 needs ADMIN_READ for allServices
        # (user1 & 3 exempted) and all three log types for cloudsql with no
        # exemptions; the fixture rules file itself is not visible here.
        # An empty config should therefore miss all four.
        found = engine.find_violations(
            self.proj_3, IamAuditConfig({}))

        def proj_3_violation(rule_name, rule_index, service, log_type):
            # Every expected violation shares the same proj-3 resource fields.
            return alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='project-3',
                resource_name='My project 3',
                full_name='organization/234/project/proj-3/',
                rule_name=rule_name,
                rule_index=rule_index,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service=service,
                log_type=log_type,
                unexpected_exemptions=None,
                resource_data='fake_project_data_1233')

        cloudsql_rule = 'Require all logging for cloudsql.'
        expected = {
            proj_3_violation(
                'Require AUDIT_READ on all services, with exmptions.', 0,
                'allServices', 'ADMIN_READ'),
        }
        # Rule 3 on cloudsql is violated once per missing log type.
        for missing_log_type in ('ADMIN_READ', 'DATA_READ', 'DATA_WRITE'):
            expected.add(proj_3_violation(
                cloudsql_rule, 3, 'cloudsql.googleapis.com', missing_log_type))
        self.assertEqual(expected, found)