This page describes how to define rules for Forseti Scanner.
You can find some starter rules in the
directory. When you make changes to the rule files, upload them to your
Forseti bucket or copy them to the
rules_path (found in
Forseti Scanner recognizes the following rule grammar in YAML or JSON:
```yaml
rules:
  - name: $rule_name
    mode: $rule_mode
    resource:
      - type: $resource_type
        applies_to: $applies_to
        resource_ids:
          - $resource_id1
          - $resource_id2
          - ...
    inherit_from_parents: $inherit_from
    bindings:
      - role: $role_name
        members:
          - $member1
          - $member2
          - ...
```
`serviceAccount:*@*gserviceaccount.com` (all service accounts) or
`user:*@company.com` (anyone with an identity at company.com).
```yaml
- name: Allow my company users and gmail users to be in my company groups.
  group_email: my_customer
  mode: whitelist
  conditions:
    - member_email: '@MYDOMAIN.com'
    - member_email: '@gmail.com'
```
```yaml
rules:
  - name: sample bucket acls rule to search for public buckets
    bucket: '*'
    entity: AllUsers
    email: '*'
    domain: '*'
    role: '*'
    resource:
      - resource_ids:
          - YOUR_ORG_ID / YOUR_PROJECT_ID
```
For more information, refer to the BucketAccessControls documentation.
```yaml
rules:
  - name: sample cloudsql rule to search for publicly exposed instances
    instance_name: '*'
    authorized_networks: '0.0.0.0/0'
    ssl_enabled: 'False'
    resource:
      - type: organization
        resource_ids:
          - YOUR_ORG_ID / YOUR_PROJECT_ID
```
BigQuery scanner rules serve as blacklists.
```yaml
rules:
  - name: sample BigQuery rule to search for public datasets
    dataset_id: '*'
    special_group: 'allAuthenticatedUsers'
    user_email: '*'
    domain: '*'
    group_email: '*'
    role: '*'
    resource:
      - type: organization
        resource_ids:
          - YOUR_ORG_ID / YOUR_PROJECT_ID
```
`*` applies the rule to all your datasets.
The BigQuery Scanner rules specify entities that aren’t allowed to access
your datasets. When you set a value of
group_email, Scanner checks to make sure that no entities can
access your datasets. If you specify any other value, Scanner only checks to
make sure that the entity you specified doesn’t have access.
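The blacklist semantics described above, worked through as an added example (this is not Forseti's own code): the rule dict mirrors the sample BigQuery rule from this page, while the ACL entry shape, the `'*'`-only wildcard matching and the sample entries are this example's assumptions, constructed so the check runs offline.

```python
import re

# The sample rule from this page, expressed as a dict instead of YAML.
PUBLIC_DATASET_RULE = {
    "name": "sample BigQuery rule to search for public datasets",
    "dataset_id": "*",
    "special_group": "allAuthenticatedUsers",
    "user_email": "*",
    "domain": "*",
    "group_email": "*",
    "role": "*",
}

# The same rule with every entity field set to '*': any access entry is a hit.
DENY_ALL_RULE = dict(PUBLIC_DATASET_RULE, name="no entity may access", special_group="*")

# Constructed ACL entries (shape is an assumption); each grants one entity one role.
SAMPLE_ACL = [
    {"dataset_id": "finance", "special_group": "allAuthenticatedUsers", "role": "READER"},
    {"dataset_id": "finance", "user_email": "alice@example.com", "role": "OWNER"},
    {"dataset_id": "logs", "domain": "example.com", "role": "READER"},
    {"dataset_id": "logs", "group_email": "data-eng@example.com", "role": "WRITER"},
]

MATCH_FIELDS = ("dataset_id", "special_group", "user_email", "domain", "group_email", "role")


def _globify(pattern):
    """Compile a rule value to a regex in which only '*' is a wildcard (assumed)."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def entry_matches(rule, entry):
    """A blacklist rule flags an entry only when every field matches.

    A grantee field the entry does not carry counts as '', so a rule naming a
    specific entity matches only grants to that entity, while '*' matches all.
    """
    return all(_globify(rule[f]).fullmatch(entry.get(f, "")) for f in MATCH_FIELDS)


def find_violations(rule, acl_entries):
    """Return the ACL entries the blacklist rule flags as violations."""
    return [e for e in acl_entries if entry_matches(rule, e)]


if __name__ == "__main__":
    for rule in (PUBLIC_DATASET_RULE, DENY_ALL_RULE):
        hits = find_violations(rule, SAMPLE_ACL)
        print(f"{rule['name']}: {len(hits)} violation(s)")
```

Running it flags only the allAuthenticatedUsers grant for the page's sample rule, and all four grants once every entity field is `'*'`.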
```yaml
rules:
  - name: Rule Name Example
    target: Forwarding Rule Target Example
    mode: whitelist
    load_balancing_scheme: EXTERNAL
    ip_protocol: ESP
    ip_address: "198.51.100.46"
```
To learn more, see the ForwardingRules documentation.
```yaml
rules:
  # custom rules
  - name: Allow direct access from debug IPs and internal monitoring hosts
    resource:
      - type: organization
        applies_to: self_and_children
        resource_ids:
          - YOUR_ORG_ID
    inherit_from_parents: true
    allowed_direct_access_sources: '10.*,monitoring-instance-tag'
```
```yaml
rules:
  # This rule helps with:
  # #1 Ensure instances with external IPs are only running
  #    on whitelisted networks
  # #2 Ensure instances are only running on networks created in allowed
  #    projects (using XPN)
  - name: all networks covered in whitelist
    project: '*'
    network: '*'
    is_external_network: True
    # this would be a custom list of your networks/projects.
    whitelist:
      master:
        - master-1
      network:
        - network-1
        - network-2
      default:
        - default-1
```
`whitelist`: The whitelist lists the projects and networks in which VM instances may have external IPs. For example, the following values specify that VM instances in project_01's network_01 can have external IP addresses:
```yaml
project_01:
  - network_01
```