Here are some frequently asked questions about Forseti Security.
Setting Forseti up in its own project ensures that Forseti has the API quota it needs for inventory calls and for managing service accounts and roles. It also lets you restrict who has access to Forseti-related resources (its database, buckets and service accounts) independently of your other projects.
If Forseti is reading data from only one project, your Forseti service account might have been granted roles only on that particular project. To get read access to all of the projects under your organization, add the service account to the organization-level Cloud IAM policy with the required roles; because roles granted on the organization are inherited downward, this covers every folder and project beneath it. Your Organization Admin should be able to help you with that.
By default, Forseti runs Inventory and Scanner at the top of every hour using a simple cron job (schedule `0 * * * *`). You can edit the deployment template to change this cron value.
The installation log is stored in /tmp/deployment.log on the Forseti Compute Engine instance.
The Forseti Inventory, Scanner, and Enforcer logs are written to syslog on the Forseti instance and can be viewed in the Cloud Platform Console under Stackdriver Logging. Change the first dropdown filter to “GCE VM Instance” and the second dropdown filter to “syslog”.
Scanner output accumulates in the Forseti Cloud Storage bucket. You can add bucket lifecycle rules to delete old output or migrate it to a lower-cost storage class after a set age. Alternatively, you may wish to export the output to BigQuery for longer-term querying.
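The following is an added example of a bucket lifecycle configuration, not a file shipped with Forseti: it moves scanner output older than 30 days from the STANDARD class to NEARLINE and deletes it after a year. The age thresholds and the bucket name are assumptions; adjust them to your retention policy.

```json
{
  "rule": [
    {
      "action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
      "condition": {"age": 30, "matchesStorageClass": ["STANDARD"]}
    },
    {
      "action": {"type": "Delete"},
      "condition": {"age": 365}
    }
  ]
}
```

Save it as lifecycle.json and apply it with `gsutil lifecycle set lifecycle.json gs://YOUR_FORSETI_BUCKET`; `gsutil lifecycle get gs://YOUR_FORSETI_BUCKET` shows the rules currently in force. Note that lifecycle deletion is silent and not reversible unless object versioning is enabled on the bucket, so keep the Delete age longer than any investigation window you expect to need.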
The Admin SDK Directory API, which Forseti uses to retrieve G Suite Groups data, is called through an OAuth library that expects the service account’s private key to be local to where the code is running, which is why the G Suite service account key must be present on the Forseti instance. To minimize what that service account can do, don’t assign any Cloud IAM roles to it and only grant it the Groups and Group Members read-only scopes in G Suite domain-wide delegation (`https://www.googleapis.com/auth/admin.directory.group.readonly` and `https://www.googleapis.com/auth/admin.directory.group.member.readonly`). To learn more, see the Forseti Service Accounts page.
Forseti uses a service account that is granted roles on the organization-level Cloud IAM policy. Because the resource hierarchy in GCP is inherited, a Cloud IAM role granted at the organization level is also effective at every lower level, such as folders and projects. For example, if you grant the “Browser” role to someone on the organization, they will also be able to see all folders and projects within the organization, even ones created later. Grants made at a lower level never flow upward.
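The following is an added example, not part of Forseti’s own code, that ties together the two points above: granting the Forseti service account a role on the organization IAM policy, and that role then being effective on every folder and project beneath it. The IAM policies are constructed sample data in the JSON shape returned by getIamPolicy; the organization, folder, project, role (`roles/browser`, taken from the text) and the service-account address are placeholders. `add_binding` mirrors the read-modify-write pattern Cloud IAM requires (keep existing bindings, carry the etag through), and `effective_roles` resolves inherited bindings by walking the ancestry from the organization down to the resource.

```python
"""Added example: organization-level IAM grant and role inheritance.

All policies below are constructed sample data, not real organization
output. ORG/FOLDER/PROJECT policies and FORSETI_SA are placeholders.
"""
import copy

# Constructed sample policies, ordered org -> folder -> project.
ORG_POLICY = {
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:admin@example.com"]},
    ],
}
FOLDER_POLICY = {"etag": "BwAbc456", "bindings": []}
PROJECT_POLICY = {
    "etag": "BwDef789",
    "bindings": [
        {"role": "roles/owner", "members": ["user:dev@example.com"]},
    ],
}

# Placeholder Forseti server service account (assumption).
FORSETI_SA = ("serviceAccount:forseti-server"
              "@forseti-project.iam.gserviceaccount.com")


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added under `role`.

    This is the read-modify-write shape Cloud IAM expects: every existing
    binding is preserved, the member joins an existing binding for the
    role if one exists, and the etag is carried through unchanged so a
    concurrent setIamPolicy on a stale policy is rejected rather than
    silently clobbered. The input policy is never mutated.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def effective_roles(member, ancestry):
    """Roles `member` holds on the last resource in `ancestry`.

    `ancestry` is the list of IAM policies from the organization down to
    the resource itself. A binding at any ancestor applies to every
    descendant, so the effective set is the union over the whole chain.
    """
    roles = set()
    for policy in ancestry:
        for binding in policy["bindings"]:
            if member in binding["members"]:
                roles.add(binding["role"])
    return roles


def grant_org_read_access(org_policy, member, role="roles/browser"):
    """Grant `role` to `member` on the organization policy and return the
    policy to hand to setIamPolicy."""
    return add_binding(org_policy, role, member)


if __name__ == "__main__":
    before = effective_roles(FORSETI_SA,
                             [ORG_POLICY, FOLDER_POLICY, PROJECT_POLICY])
    new_org = grant_org_read_access(ORG_POLICY, FORSETI_SA)
    after = effective_roles(FORSETI_SA,
                            [new_org, FOLDER_POLICY, PROJECT_POLICY])
    print("project roles before org grant:", sorted(before))
    print("project roles after org grant: ", sorted(after))
```

In practice `gcloud organizations add-iam-policy-binding ORG_ID --member=serviceAccount:... --role=roles/browser` performs the same read-modify-write for you; the point of spelling it out is that a grant made at the organization is visible from every project without any per-project change, which is exactly what makes it the right place for a read-only auditing account and the wrong place for anything more powerful.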
For more information, please refer to “Service account for Forseti Security”.