Exemplos de AuditLoggingRulesEngine em Python

Exemplo n.º 1

    def test_project_with_no_violations(self):
        """Tests that no violations are produced for a correct project."""
        rules_local_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        rules_engine = alre.AuditLoggingRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book()
        # Creates rules for 5 difference resources.
        self.assertEqual(5, len(rules_engine.rule_book.resource_rules_map))

        # proj-1 needs ADMIN_READ for allServices, and all three log types
        # for compute and cloudsql.
        service_configs = {
            'allServices': {
                'ADMIN_READ': set(),
                'DATA_READ': set(),
            },
            'compute.googleapis.com': {
                'DATA_WRITE': set(['user:[email protected]']),
            },
            'cloudsql.googleapis.com': {
                'DATA_WRITE': set(),
            },
            'logging.googleapis.com': {
                'DATA_READ': set(['user:[email protected]']),
            }
        }
        actual_violations = rules_engine.find_violations(
            self.proj_1, IamAuditConfig(service_configs))
        self.assertEqual(set(), actual_violations)

Exemplo n.º 2

 def test_build_rule_book_invalid_mode_fails(self):
     """Tests that a rule with an inavlid mode cannot be created."""
     rules_local_path = get_datafile_path(
         __file__, 'audit_logging_test_invalid_rules.yaml')
     rules_engine = alre.AuditLoggingRulesEngine(
         rules_file_path=rules_local_path)
     with self.assertRaises(InvalidRulesSchemaError):
         rules_engine.build_rule_book()

Exemplo n.º 3

    def test_project_with_missing_log_configs(self):
        """Tests rules catch missing log types."""
        rules_local_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        rules_engine = alre.AuditLoggingRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book()
        # Creates rules for 5 difference resources.
        self.assertEqual(5, len(rules_engine.rule_book.resource_rules_map))

        # proj-2 requires all 3 log types for compute, and ADMIN_READ+DATA_WRITE
        # for everything.
        service_configs = {
            'allServices': {
                'ADMIN_READ': set(),
            },
            'compute.googleapis.com': {
                'DATA_WRITE': set(),
            },
            'cloudsql.googleapis.com': {
                'DATA_WRITE': set(),
            }
        }
        actual_violations = rules_engine.find_violations(
            self.proj_2, IamAuditConfig(service_configs))
        expected_violations = set([
            alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='proj-2',
                resource_name='My project 2',
                full_name='organization/234/folder/56/project/proj-2/',
                rule_name='Require DATA_WRITE logging in folder 56',
                rule_index=1,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service='allServices',
                log_type='DATA_WRITE',
                unexpected_exemptions=None,
                resource_data='fake_project_data_4562'),
            alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='proj-2',
                resource_name='My project 2',
                full_name='organization/234/folder/56/project/proj-2/',
                rule_name='Require all logging for compute, with exemptions.',
                rule_index=2,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service='compute.googleapis.com',
                log_type='DATA_READ',
                unexpected_exemptions=None,
                resource_data='fake_project_data_4562'),
        ])
        self.assertEqual(expected_violations, actual_violations)

Exemplo n.º 4

 def test_build_rule_book_from_local_yaml_file_works(self):
     """Tests that a RuleBook is built correctly with a yaml file."""
     rules_local_path = get_datafile_path(
         __file__, 'audit_logging_test_valid_rules.yaml')
     rules_engine = alre.AuditLoggingRulesEngine(
         rules_file_path=rules_local_path)
     rules_engine.build_rule_book()
     # Creates rules for 5 difference resources.
     self.assertEqual(5, len(rules_engine.rule_book.resource_rules_map))
     rule_resources = []
     for resource in rules_engine.rule_book.resource_rules_map:
         rule_resources.append(resource.name)
     expected_rule_resources = [
         'folders/56', 'projects/*', 'projects/proj-1', 'projects/proj-2',
         'projects/proj-3']
     self.assertEqual(expected_rule_resources, sorted(rule_resources))

Exemplo n.º 5

    def __init__(self, global_configs, scanner_configs, service_config,
                 model_name, snapshot_timestamp, rules):
        """Initialization.

        Args:
            global_configs (dict): Global configurations.
            scanner_configs (dict): Scanner configurations.
            service_config (ServiceConfig): Forseti 2.0 service configs
            model_name (str): name of the data model
            snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ.
            rules (str): Fully-qualified path and filename of the rules file.
        """
        super(AuditLoggingScanner,
              self).__init__(global_configs, scanner_configs, service_config,
                             model_name, snapshot_timestamp, rules)
        self.rules_engine = audit_logging_rules_engine.AuditLoggingRulesEngine(
            rules_file_path=self.rules,
            snapshot_timestamp=self.snapshot_timestamp)
        self.rules_engine.build_rule_book(self.global_configs)

Exemplo n.º 6

    def test_project_with_no_configs(self):
        """Tests rules catch missing log types if a project has no config."""
        rules_local_path = get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml')
        rules_engine = alre.AuditLoggingRulesEngine(
            rules_file_path=rules_local_path)
        rules_engine.build_rule_book()
        # Creates rules for 5 difference resources.
        self.assertEqual(5, len(rules_engine.rule_book.resource_rules_map))

        # proj-3 needs ADMIN_READ for allServices (user1 & 3 exempted), and all
        # three log types for cloudsql (no exemptions).
        service_configs = {}
        actual_violations = rules_engine.find_violations(
            self.proj_3, IamAuditConfig(service_configs))
        expected_violations = set([
            alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='project-3',
                resource_name='My project 3',
                full_name='organization/234/project/proj-3/',
                rule_name='Require AUDIT_READ on all services, with exmptions.',
                rule_index=0,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service='allServices',
                log_type='ADMIN_READ',
                unexpected_exemptions=None,
                resource_data='fake_project_data_1233'),
            alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='project-3',
                resource_name='My project 3',
                full_name='organization/234/project/proj-3/',
                rule_name='Require all logging for cloudsql.',
                rule_index=3,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service='cloudsql.googleapis.com',
                log_type='ADMIN_READ',
                unexpected_exemptions=None,
                resource_data='fake_project_data_1233'),
            alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='project-3',
                resource_name='My project 3',
                full_name='organization/234/project/proj-3/',
                rule_name='Require all logging for cloudsql.',
                rule_index=3,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service='cloudsql.googleapis.com',
                log_type='DATA_READ',
                unexpected_exemptions=None,
                resource_data='fake_project_data_1233'),
            alre.Rule.RuleViolation(
                resource_type='project',
                resource_id='project-3',
                resource_name='My project 3',
                full_name='organization/234/project/proj-3/',
                rule_name='Require all logging for cloudsql.',
                rule_index=3,
                violation_type='AUDIT_LOGGING_VIOLATION',
                service='cloudsql.googleapis.com',
                log_type='DATA_WRITE',
                unexpected_exemptions=None,
                resource_data='fake_project_data_1233'),
        ])
        self.assertEqual(expected_violations, actual_violations)