Forseti 102 Training - 8 Apr 2019

Version 2

    Forseti SME 102

    Security

    Date:

    Authors:

    Prepared for:

    Contents

    1. Introduction
    2. Installation
       2.1 Default installation
           Prerequisite highlights
       2.2 Terraform installation
           Prerequisites
           Default VPC
           Shared VPC
           Benefits of G Suite
           G Suite setup
    3. Verification of Forseti
       3.1 Forseti commands
       3.2 Forseti inventory create/list
       3.3 Forseti model create/list
       3.4 Forseti explain
       3.5 Forseti scanner run
       3.6 Forseti notifier
       3.7 Forseti security recommendations
    4. Cloud Security Command Center
    5. References

    About this document

    Document details

    Purpose: A reference guide for any customer-facing engineers, architects, consultants, or account managers working with customers to get Forseti deployed into a GCP organization.

    Intended audience: The primary audience is Solution Architects, SCEs, Consultants and TAMs.

    Key assumptions: Readers have taken the Forseti 101 course and understand at a high level what Forseti is and does.

    Delivery note: This document is relevant for Cloud Plan and Cloud Deploys focused on security. It discusses installation options and verification of the Forseti Security tool within a customer’s organization.

    1. Introduction

    Forseti 102 is focused on the installation of Forseti, understanding and verification of the tool running in the customer’s environment and the integration of Forseti into GCP’s Security Command Center.

     

    2. Installation

    Overview of a few mechanisms for installing Forseti.

     

    Note: Installing Forseti creates a Forseti client VM, a Forseti server VM and a Cloud SQL instance. You can upgrade or downgrade any of these instances as needed, based on the size of your organization. The Forseti client VM can usually be downgraded to a smaller machine type.

     

    2.1 Default installation

    Forseti installation: https://forsetisecurity.org/docs/v2.0/setup/install.html

      Prerequisite highlights

    • Git Clone
    • Required to be installed via an Organization Admin

     

    2.2 Terraform installation

      Prerequisites

    • Dependencies:
      • Terraform 0.11.x, terraform-provider-google-plugin v1.12.0, Python 3.7.x
    • A Dedicated Forseti GCP Project
      • Services enabled: compute.googleapis.com, serviceusage.googleapis.com
    • Service Account for Deployment
      • At Org Level:
        • Organization Admin, Security Reviewer
      • On the Dedicated Forseti GCP Project:
        • roles/owner
      • On Shared VPC Host Project:
        • roles/compute.securityAdmin
        • roles/compute.networkAdmin
    • G Suite Administrator Account (optional - provides additional insights)
      • For G Suite related queries around group / user membership / group expansion with IAM
    • SendGrid API Key (optional)
      • For email notification


    The best-practice recommendation is a dedicated, non-human G Suite user account for Forseti.

    Values you will need for the Terraform module:

    • The Organization ID (from `gcloud organizations list`)
    • GSUITE_ADMIN_EMAIL ⇒ the G Suite user account that Forseti impersonates

      Default VPC

    module "forseti" {
      # Note: "version" only applies to registry sources; for a git source pin the release with "?ref=v1.1.0" instead.
      source  = "git::https://github.com/terraform-google-modules/terraform-google-forseti"
      version = "v1.1.0"

      gsuite_admin_email = "[YOUR_GSUITE_SUPERADMIN_ACCOUNT]@yourdomain.com"
      domain             = "yourdomain.com"
      project_id         = "my-forseti-project"
      org_id             = "2313934234"
    }

      Shared VPC

    The Shared VPC subnetwork and the regions must be kept in sync: the region in the subnetwork path must be the same region given for the client VM, the server VM and the Cloud SQL instance, and the project in the subnetwork path must be the Shared VPC host project.

    ## Forseti installation on a Shared VPC
    module "forseti" {
      source  = "git::https://github.com/terraform-google-modules/terraform-google-forseti"
      version = "v1.1.0"

      gsuite_admin_email = "${var.admin_email}"
      domain             = "corelogicasiahackathon.com"
      project_id         = "${var.project_id}"
      org_id             = "${var.org_id}"

      # for shared vpc...
      network            = "shared-net-qqe3"
      network_project    = "base-infrastructure"
      subnetwork         = "projects/base-infrastructure/regions/us-west1/subnetworks/secondary-ranges-subnet-02"
      client_region      = "us-west1"
      server_region      = "us-west1"
      cloudsql_region    = "us-west1"
    }
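The region/host-project consistency rule above is easy to get wrong when the module arguments are assembled from variables, so here is a small pre-apply check. It is an added example, not code from the Forseti project or the Terraform module: it takes the module arguments as a plain dictionary (constructed from the Shared VPC block above), parses the full subnetwork path, and reports every region or host-project mismatch before terraform apply is run.

```python
import re

# Constructed sample of the Shared VPC arguments from the Terraform block above
# (only the network-related keys matter for this check).
SHARED_VPC_ARGS = {
    "project_id": "my-forseti-project",
    "network": "shared-net-qqe3",
    "network_project": "base-infrastructure",
    "subnetwork": "projects/base-infrastructure/regions/us-west1/subnetworks/secondary-ranges-subnet-02",
    "client_region": "us-west1",
    "server_region": "us-west1",
    "cloudsql_region": "us-west1",
}

# Full subnetwork resource path: projects/<project>/regions/<region>/subnetworks/<name>
SUBNET_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/regions/(?P<region>[^/]+)/subnetworks/(?P<name>[^/]+)$"
)

REGION_KEYS = ("client_region", "server_region", "cloudsql_region")


def parse_subnetwork(path):
    """Split a full subnetwork path into (project, region, name); raise on a short or malformed path."""
    match = SUBNET_RE.match(path)
    if not match:
        raise ValueError(
            "expected projects/<project>/regions/<region>/subnetworks/<name>, got %r" % path
        )
    return match.group("project"), match.group("region"), match.group("name")


def check_shared_vpc_args(args):
    """Return a list of human-readable problems; an empty list means the arguments are consistent."""
    problems = []
    try:
        subnet_project, subnet_region, _ = parse_subnetwork(args.get("subnetwork", ""))
    except ValueError as exc:
        # Nothing else can be validated without a parseable subnetwork path.
        return ["subnetwork: %s" % exc]

    # The subnetwork must live in the declared Shared VPC host project.
    if subnet_project != args.get("network_project"):
        problems.append(
            "network_project=%r does not match the subnetwork's project %r"
            % (args.get("network_project"), subnet_project)
        )

    # Client VM, server VM and Cloud SQL must all be in the subnetwork's region.
    for key in REGION_KEYS:
        region = args.get(key)
        if region is None:
            problems.append("%s is not set; it must be %r to match the subnetwork" % (key, subnet_region))
        elif region != subnet_region:
            problems.append("%s=%r does not match the subnetwork region %r" % (key, region, subnet_region))
    return problems


if __name__ == "__main__":
    for problem in check_shared_vpc_args(SHARED_VPC_ARGS) or ["Shared VPC arguments are consistent"]:
        print(problem)
```

Run it against the dictionary you intend to feed the module (or against a parsed terraform.tfvars); a non-empty result is a reason to stop before apply, since a mismatched region surfaces only as an opaque resource-creation failure.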


      Benefits of G Suite

    1. Group and Members Inventory / Group Expansion

    Group expansion lets us see how permissions granted to a group are inherited by its member users.

    2. Group Scanner

    Ensures that all members of a G Suite group are within your domain.

    3. Group Settings Scanner

    Scans G Suite group metadata (the group settings).

      G Suite setup

    Enabling G Suite Domain-wide Delegation (DWD) on the forseti-server service account lets Forseti query G Suite data (read-only), which provides additional insight into groups and users. This step is optional: skip it if you don’t want to use G Suite data. Once the Forseti install is finished:

    1. Navigate to IAM & admin / Service accounts.
    2. Select ‘Edit’ beside your forseti-server service account (the service account name has the form forseti-server-gcp-xxxx@....).
    3. Check ‘Enable G Suite Domain-wide Delegation’, enter ‘forseti’ as the product name for the consent screen and click SAVE.
    4. Navigate back to IAM & admin / Service accounts and click View Client ID beside the forseti-server service account.
    5. Copy the Client ID.
    6. Navigate to admin.google.com and make sure you are logged in as a G Suite admin.
    7. Select Security, expand Advanced Settings and click on Manage API client access.


    3. Verification of Forseti

    Here we want to demonstrate manually what occurs during the Forseti cron job that is configured by default to run every two hours.

    3.1 Forseti commands

    To verify forseti commands, we need to SSH into the forseti-client VM within our Forseti GCP project. 

    • SSH into the “forseti-client-vm”.
      • forseti -h
        • help options

    3.2 Forseti inventory create/list

    • SSH into the “forseti-client-vm”
      • forseti inventory list
        • This will list out existing inventories
      • forseti inventory create
        • The inventory_index_id will be listed as the “id” field in the last object of the JSON payload
        • --import_as $MODEL_NAME additionally builds a model from the new inventory in the same step
      • forseti inventory -h
        • for additional options

     

    3.3 Forseti model create/list

    • Models are built on top of inventory to show relations within the data.
    • Models are created every 2 hours with Forseti Cron sync but are also deleted after the process finishes.
    • SSH into the “forseti-client-vm”
      • forseti model list
        • This will list out existing models
      • forseti model create --inventory_index_id 1551044525796600 model-2019-02-25
        • Creates a model from the given inventory, i.e. a point-in-time reference to that inventory’s data
      • forseti model use model-2019-02-25
        • Set the session

     

    3.4 Forseti explain

    • forseti model use model-2019-02-25
    • forseti explainer list_resources
      • This will show us a list of all our resources in the data model
    • forseti explainer list_members
      • Get all members in data model
    • forseti explainer get_policy folder/379678980128
      • Policy on a resource
    • forseti explainer access_by_member user/<USER_NAME>
      • IAM policies across organization

     

    3.5 Forseti scanner run

    • forseti model use $MODEL_NAME
    • forseti scanner run
    • forseti scanner run --scanner external_project_access_scanner
      • This may take up to a few hours
    • Scanner writes violations to Cloud SQL database:
      • SELECT * FROM forseti_security.violations;



    3.6 Forseti notifier

    • forseti notifier run
      • Written to the GCS bucket:
        • forseti-server-[RANDOM_ID]/inventory_summary
        • forseti-server-[RANDOM_ID]/scanner_violations
      • Filter by prefix to find one run’s output, e.g. “violations.cloudsql_acl_violations.$SCANNER_INDEX_ID”
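Sections 3.2 to 3.6 are the steps the two-hourly cron job performs. The following script, added here as an illustration and not part of the Forseti project, chains them into one run on the client VM: it creates an inventory, pulls the inventory_index_id out of the last JSON object in the command output, builds and selects a model, runs the scanner and the notifier. The sample inventory output is constructed for the example, and the runner function is injectable so the sequence can be exercised without the forseti CLI.

```python
import json
import subprocess
from datetime import date

# Constructed sample of `forseti inventory create` output for this example: a progress line
# followed by one JSON object per line, the last of which carries the inventory id.
SAMPLE_INVENTORY_OUTPUT = """Inventory started...
{"id": "1551044525796600", "inventoryStatus": "CREATED"}
{"id": "1551044525796600", "inventoryStatus": "SUCCESS", "summary": {"projects": 12}}
"""


def extract_inventory_index_id(output):
    """Return the "id" field of the last JSON object in the output.

    Accepts either a single JSON array/object or one JSON object per line; non-JSON
    progress lines are ignored. Raises ValueError if no object with an id is present.
    """
    objects = []
    try:
        payload = json.loads(output)
        objects = payload if isinstance(payload, list) else [payload]
    except ValueError:
        for line in output.splitlines():
            line = line.strip()
            if not line.startswith("{"):
                continue
            try:
                objects.append(json.loads(line))
            except ValueError:
                continue
    objects = [o for o in objects if isinstance(o, dict) and "id" in o]
    if not objects:
        raise ValueError("no JSON object with an 'id' field found in inventory output")
    return str(objects[-1]["id"])


def verification_commands(model_name, inventory_index_id, external_project_access=False):
    """The commands from sections 3.3 to 3.6, in the order the page walks through them."""
    cmds = [
        ["forseti", "model", "create", "--inventory_index_id", inventory_index_id, model_name],
        ["forseti", "model", "use", model_name],
        ["forseti", "scanner", "run"],
    ]
    if external_project_access:
        # Optional: the page notes this scanner may take up to a few hours.
        cmds.append(["forseti", "scanner", "run", "--scanner", "external_project_access_scanner"])
    cmds.append(["forseti", "notifier", "run"])
    return cmds


def run_cli(argv):
    """Run one forseti command on the client VM and return its stdout; raise if it fails."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def run_verification(model_name=None, external_project_access=False, runner=run_cli):
    """Mirror the cron job end to end and return the model name and inventory id used."""
    model_name = model_name or "model-%s" % date.today().isoformat()
    inventory_output = runner(["forseti", "inventory", "create"])
    inventory_index_id = extract_inventory_index_id(inventory_output)
    for cmd in verification_commands(model_name, inventory_index_id, external_project_access):
        runner(cmd)
    return {"model": model_name, "inventory_index_id": inventory_index_id}


if __name__ == "__main__":
    # On the forseti-client VM this executes the real CLI.
    print(run_verification())
```

After the run, the violations are in the forseti_security.violations table and the notifier output in the forseti-server-[RANDOM_ID] bucket, exactly as for the cron job; comparing the two is a quick way to confirm the scheduled run and the manual run see the same data.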

     

    3.7 Forseti security recommendations

     

    4. Cloud Security Command Center

    Forseti has a plugin for Cloud Security Command Center (CSCC) that lets you receive Forseti findings as CSCC Pub/Sub notifications. With those Pub/Sub messages you can choose to remediate manually or programmatically, for example with Cloud Functions.
    To connect to CSCC, you need the following roles:

    • Organization Admin
    • Security Center Admin
    • Service Account Admin

     

    Follow steps 1-4 listed here to set CSCC up for Forseti.

     

    Once you have CSCC set up, you can navigate to the CSCC settings page from the Google Cloud Platform (GCP) UI. For example:

    Example UI from CSCC when Forseti is enabled:

    Example violation details when you select a Forseti violation in CSCC:
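To make the "remediate programmatically with Cloud Functions" option concrete, here is an added example of a Pub/Sub-triggered Cloud Function (Python background-function signature) that decodes a CSCC notification, validates the finding and decides whether it is ignored, queued for a human or handed to an automated fix. It is not Forseti's or CSCC's own code: the event below is constructed, the finding category and sourceProperties values are assumed placeholders rather than Forseti's real ones, and the AUTO_REMEDIABLE set is an assumed local policy. The function deliberately stops at the decision; the actual change to the resource belongs in a separate, reviewed step.

```python
import base64
import json

# Constructed sample Pub/Sub event in the shape a background Cloud Function receives:
# event["data"] is the base64-encoded message body. The finding fields (name, category,
# resourceName, state, sourceProperties) follow the CSCC finding layout; the values are
# assumed for this example, not taken from a real Forseti notification.
SAMPLE_EVENT = {
    "data": base64.b64encode(json.dumps({
        "finding": {
            "name": "organizations/2313934234/sources/EXAMPLE_SOURCE/findings/EXAMPLE_FINDING",
            "category": "FIREWALL_RULE_VIOLATION",   # assumed category name
            "resourceName": "//compute.googleapis.com/projects/demo-project/global/firewalls/allow-all",
            "state": "ACTIVE",
            "sourceProperties": {
                "rule_name": "disallow-all-ingress",          # assumed
                "scanner_index_id": "1551044525796600",       # matches the page's $SCANNER_INDEX_ID
            },
        }
    }).encode()).decode()
}

# Assumed local policy: finding categories that an automated fixer is allowed to act on.
AUTO_REMEDIABLE = {"FIREWALL_RULE_VIOLATION"}
REQUIRED_FIELDS = ("name", "category", "resourceName", "state")


def decode_finding(event):
    """Base64-decode the Pub/Sub payload and return the finding dict; raise on malformed input."""
    raw = base64.b64decode(event["data"])
    message = json.loads(raw)
    finding = message["finding"]
    for key in REQUIRED_FIELDS:
        if key not in finding:
            raise ValueError("finding is missing required field %r" % key)
    return finding


def triage(finding):
    """Decide what to do: ignore non-active findings, auto-fix allowed categories, else manual review."""
    if finding["state"] != "ACTIVE":
        return {"action": "ignore", "reason": "finding state is %s" % finding["state"]}
    props = finding.get("sourceProperties", {})
    if finding["category"] in AUTO_REMEDIABLE:
        return {
            "action": "auto_remediate",
            "resource": finding["resourceName"],
            "rule": props.get("rule_name"),
            "scanner_index_id": props.get("scanner_index_id"),
        }
    return {
        "action": "manual_review",
        "resource": finding["resourceName"],
        "category": finding["category"],
    }


def handle_forseti_finding(event, context):
    """Cloud Functions entry point for a Pub/Sub trigger; returns the triage decision."""
    finding = decode_finding(event)
    decision = triage(finding)
    # Structured log line for Cloud Logging, so every decision is auditable.
    print(json.dumps({"finding": finding["name"], "decision": decision}))
    return decision


if __name__ == "__main__":
    handle_forseti_finding(SAMPLE_EVENT, None)
```

Deploy it with a Pub/Sub trigger on the topic CSCC publishes to; keeping the decision separate from the fix means a bad category mapping results in a mis-routed ticket rather than an unreviewed change to a production resource.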