def test_project_with_no_violations(self):
    """A project whose audit config satisfies every applicable rule yields no violations.

    Exercises proj-1 against the valid rules fixture: ADMIN_READ on
    allServices plus all three log types on compute and cloudsql are
    required, and the supplied IamAuditConfig meets that, so
    find_violations() must return an empty set.
    """
    engine = alre.AuditLoggingRulesEngine(
        rules_file_path=get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml'))
    engine.build_rule_book()
    # The valid rules fixture defines rules for five distinct resources.
    self.assertEqual(5, len(engine.rule_book.resource_rules_map))

    # NOTE(review): the per-service blocks only add what 'allServices'
    # does not already provide, which implies the engine merges the
    # allServices entry into each service -- confirm in the engine.
    audit_config = IamAuditConfig({
        'allServices': {
            'ADMIN_READ': set(),
            'DATA_READ': set(),
        },
        'compute.googleapis.com': {
            'DATA_WRITE': {'user:[email protected]'},
        },
        'cloudsql.googleapis.com': {
            'DATA_WRITE': set(),
        },
        'logging.googleapis.com': {
            'DATA_READ': {'user:[email protected]'},
        },
    })
    found = engine.find_violations(self.proj_1, audit_config)
    self.assertEqual(set(), found)
def test_build_rule_book_invalid_mode_fails(self):
    """Building a rule book from a rule with an invalid mode must fail loudly.

    A schema problem in the rules file has to surface as
    InvalidRulesSchemaError from build_rule_book() rather than silently
    producing an engine with fewer (or no) rules; a quietly-dropped rule
    would turn a configuration mistake into missed audit-logging findings.
    """
    bad_rules = get_datafile_path(
        __file__, 'audit_logging_test_invalid_rules.yaml')
    engine = alre.AuditLoggingRulesEngine(rules_file_path=bad_rules)
    with self.assertRaises(InvalidRulesSchemaError):
        engine.build_rule_book()
def test_project_with_missing_log_configs(self):
    """Each required log type absent from the audit config is reported as its own violation.

    proj-2 inherits a folder-level rule requiring ADMIN_READ and
    DATA_WRITE everywhere, plus a rule requiring all three log types on
    compute.  The config below omits DATA_WRITE under allServices and
    DATA_READ under compute, so exactly those two violations are
    expected; neither carries unexpected exemptions.
    """
    engine = alre.AuditLoggingRulesEngine(
        rules_file_path=get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml'))
    engine.build_rule_book()
    # The valid rules fixture defines rules for five distinct resources.
    self.assertEqual(5, len(engine.rule_book.resource_rules_map))

    audit_config = IamAuditConfig({
        'allServices': {
            'ADMIN_READ': set(),
        },
        'compute.googleapis.com': {
            'DATA_WRITE': set(),
        },
        'cloudsql.googleapis.com': {
            'DATA_WRITE': set(),
        },
    })
    found = engine.find_violations(self.proj_2, audit_config)

    # Fields shared by every violation raised against proj-2.
    proj_2_fields = dict(
        resource_type='project',
        resource_id='proj-2',
        resource_name='My project 2',
        full_name='organization/234/folder/56/project/proj-2/',
        violation_type='AUDIT_LOGGING_VIOLATION',
        unexpected_exemptions=None,
        resource_data='fake_project_data_4562')
    expected = {
        alre.Rule.RuleViolation(
            rule_name='Require DATA_WRITE logging in folder 56',
            rule_index=1,
            service='allServices',
            log_type='DATA_WRITE',
            **proj_2_fields),
        alre.Rule.RuleViolation(
            rule_name='Require all logging for compute, with exemptions.',
            rule_index=2,
            service='compute.googleapis.com',
            log_type='DATA_READ',
            **proj_2_fields),
    }
    self.assertEqual(expected, found)
def test_build_rule_book_from_local_yaml_file_works(self):
    """The valid rules YAML produces one rule-book entry per target resource.

    Checks both the count of resources in resource_rules_map and their
    names, so a rule that silently failed to bind to its resource (or
    bound to the wrong one) is caught here rather than as a missing
    violation later.
    """
    engine = alre.AuditLoggingRulesEngine(
        rules_file_path=get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml'))
    engine.build_rule_book()
    # The valid rules fixture defines rules for five distinct resources.
    self.assertEqual(5, len(engine.rule_book.resource_rules_map))

    # Sorted so the assertion does not depend on map iteration order.
    bound_resources = sorted(
        resource.name for resource in engine.rule_book.resource_rules_map)
    self.assertEqual(
        ['folders/56',
         'projects/*',
         'projects/proj-1',
         'projects/proj-2',
         'projects/proj-3'],
        bound_resources)
def __init__(self, global_configs, scanner_configs, service_config,
             model_name, snapshot_timestamp, rules):
    """Initialization.

    Wires up the base scanner and a ready-to-use audit-logging rules
    engine.  The rule book is built here, at construction time, so a
    malformed or unreadable rules file fails the scanner immediately
    instead of partway through a scan.

    Args:
        global_configs (dict): Global configurations.
        scanner_configs (dict): Scanner configurations.
        service_config (ServiceConfig): Forseti 2.0 service configs
        model_name (str): name of the data model
        snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ.
        rules (str): Fully-qualified path and filename of the rules file.
    """
    super(AuditLoggingScanner, self).__init__(
        global_configs, scanner_configs, service_config, model_name,
        snapshot_timestamp, rules)
    # self.rules / self.snapshot_timestamp are populated by the base
    # class constructor above, hence the engine is created afterwards.
    self.rules_engine = audit_logging_rules_engine.AuditLoggingRulesEngine(
        rules_file_path=self.rules,
        snapshot_timestamp=self.snapshot_timestamp)
    self.rules_engine.build_rule_book(self.global_configs)
def test_project_with_no_configs(self):
    """A project with no audit config at all is flagged for every required log type.

    An empty IamAuditConfig must not be treated as compliant: proj-3
    requires ADMIN_READ on allServices and all three log types on
    cloudsql, so four violations are expected.  This is the fail-closed
    case -- absence of audit logging is itself the finding.
    """
    engine = alre.AuditLoggingRulesEngine(
        rules_file_path=get_datafile_path(
            __file__, 'audit_logging_test_valid_rules.yaml'))
    engine.build_rule_book()
    # The valid rules fixture defines rules for five distinct resources.
    self.assertEqual(5, len(engine.rule_book.resource_rules_map))

    found = engine.find_violations(self.proj_3, IamAuditConfig({}))

    def proj_3_violation(rule_name, rule_index, service, log_type):
        """Build a proj-3 violation; only the rule/service/log type vary."""
        return alre.Rule.RuleViolation(
            resource_type='project',
            resource_id='project-3',
            resource_name='My project 3',
            full_name='organization/234/project/proj-3/',
            rule_name=rule_name,
            rule_index=rule_index,
            violation_type='AUDIT_LOGGING_VIOLATION',
            service=service,
            log_type=log_type,
            unexpected_exemptions=None,
            resource_data='fake_project_data_1233')

    cloudsql_rule = 'Require all logging for cloudsql.'
    expected = {
        proj_3_violation(
            'Require AUDIT_READ on all services, with exmptions.', 0,
            'allServices', 'ADMIN_READ'),
        proj_3_violation(
            cloudsql_rule, 3, 'cloudsql.googleapis.com', 'ADMIN_READ'),
        proj_3_violation(
            cloudsql_rule, 3, 'cloudsql.googleapis.com', 'DATA_READ'),
        proj_3_violation(
            cloudsql_rule, 3, 'cloudsql.googleapis.com', 'DATA_WRITE'),
    }
    self.assertEqual(expected, found)