Source code for

# Copyright 2018 The Forseti Security Authors. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# See the License for the specific language governing permissions and
# limitations under the License.

"""Scanner for Audit Logging."""

from builtins import next
import json

from import iam_policy
from import Project
from import logger
from import audit_logging_rules_engine
from import base_scanner
from import utils

LOGGER = logger.get_logger(__name__)

[docs]class AuditLoggingScanner(base_scanner.BaseScanner): """Scanner for Audit Logging.""" def __init__(self, global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules): """Initialization. Args: global_configs (dict): Global configurations. scanner_configs (dict): Scanner configurations. service_config (ServiceConfig): Forseti 2.0 service configs model_name (str): name of the data model snapshot_timestamp (str): Timestamp, formatted as YYYYMMDDTHHMMSSZ. rules (str): Fully-qualified path and filename of the rules file. """ super(AuditLoggingScanner, self).__init__( global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules) self.rules_engine = audit_logging_rules_engine.AuditLoggingRulesEngine( rules_file_path=self.rules, snapshot_timestamp=self.snapshot_timestamp) self.rules_engine.build_rule_book(self.global_configs)
[docs] @staticmethod def _flatten_violations(violations): """Flatten RuleViolations into a dict for each violation. Args: violations (list): The RuleViolations to flatten. Yields: dict: Iterator of RuleViolations as a dict per member. """ for violation in violations: violation_data = { 'full_name': violation.full_name, 'service': violation.service, 'log_type': violation.log_type, } if violation.unexpected_exemptions: violation_data['unexpected_exemptions'] = list( violation.unexpected_exemptions) yield { 'resource_id': violation.resource_id, 'resource_type': violation.resource_type, 'full_name': violation.full_name, 'rule_index': violation.rule_index, 'rule_name': violation.rule_name, 'violation_type': violation.violation_type, 'violation_data': violation_data, 'resource_data': violation.resource_data }
[docs] def _output_results(self, all_violations): """Output results. Args: all_violations (list): A list of violations """ all_violations = list(self._flatten_violations(all_violations)) self._output_results_to_db(all_violations)
[docs] def _find_violations(self, audit_logging_data): """Find violations in the audit log configs. Args: audit_logging_data (list): audit log data to find violations in. Returns: list: A list of all violations """ all_violations = []'Finding audit logging violations...') for project, audit_config in audit_logging_data: violations = self.rules_engine.find_violations( project, audit_config) LOGGER.debug(violations) all_violations.extend(violations) return all_violations
[docs] def _retrieve(self): """Retrieves the data for scanner. Returns: list: List of projects' audit logging config data. """ model_manager = self.service_config.model_manager scoped_session, data_access = model_manager.get(self.model_name) with scoped_session as session: project_configs = [] ancestor_configs = {} # Types that can contain AuditConfigs in the IamPolicy. audit_policy_types = frozenset([ 'organization', 'folder', 'project']) for policy in data_access.scanner_iter(session, 'iam_policy'): if policy.parent.type not in audit_policy_types: continue audit_config = iam_policy.IamAuditConfig.create_from( json.loads('auditConfigs', [])) if policy.parent.type == 'project': project_configs.append( (Project(, policy.parent.full_name,, audit_config)) elif audit_config.service_configs: ancestor_configs[policy.parent.type,] = ( audit_config) # Merge ancestor configs into project level configs. for project, audit_config in project_configs: ancestors = utils.get_resources_from_full_name(project.full_name) next(ancestors) for res_type, res_name in ancestors: ancestor_config = ancestor_configs.get((res_type, res_name)) if ancestor_config: audit_config.merge_configs(ancestor_config) return project_configs
[docs] def run(self): """Runs the data collection.""" audit_logging_data = self._retrieve() all_violations = self._find_violations(audit_logging_data) self._output_results(all_violations)