google.cloud.forseti.scanner.audit.audit_logging_rules_engine module

Cloud Audit Logging rules engine for organizations, folders, and projects.

Builds the RuleBook (AuditLoggingRuleBook) from the rule definitions (file either stored locally or in GCS) and compares a resource’s enabled audit logs against the RuleBook to determine whether there are violations.

class AuditLoggingRuleBook(global_configs, rule_defs=None, snapshot_timestamp=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for Audit Logging configs.

Rules from the rules definition file are parsed and placed into a map, which associates the GCP resource (project, folder or organization) with the rules defined for it.

A project’s merged IamAuditConfig is evaulated against rules for all ancestor resources of that project.

__eq__(other)[source]

Equals.

Parameters:other (object) – Object to compare.
Returns:True or False.
Return type:bool
__ne__(other)[source]

Not Equals.

Parameters:other (object) – Object to compare.
Returns:True or False.
Return type:bool
__repr__()[source]

Object representation.

Returns:The object representation.
Return type:str
_abc_cache = <_weakrefset.WeakSet object>
_abc_negative_cache = <_weakrefset.WeakSet object>
_abc_negative_cache_version = 186
_abc_registry = <_weakrefset.WeakSet object>
add_rule(rule_def, rule_index)[source]

Add a rule to the rule book.

The rule supplied to this method is the dictionary parsed from the rules definition file.

For example, this rule…

# rules yaml: rules:

  • name: a rule resource:

    • type: project resource_ids:

      • my-project-123

    service: allServices log_types:

    • ‘ADMIN_READ’
    • ‘DATA_WRITE’
    allowed_exemptions:
    • ‘user:user1@org.com’
    • ‘user:user2@org.com’

… gets parsed into:

{

‘name’: ‘a rule’, ‘resource’: {

‘type’: ‘project’, ‘resource_ids’: [‘my-project-id’]

}, ‘service’: ‘allServices’, ‘log_types’: [

‘ADMIN_READ’, ‘DATA_WRITE’,

], ‘allowed_exemptions’: [

‘user:user1@org.com’, ‘user:user2@org.com’,

]

}

Parameters:
  • rule_def (dict) – Contains rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)[source]

Add rules to the rule book.

Parameters:rule_defs (dict) – Rules parsed from the rule definition file.
find_violations(project, audit_config)[source]

Find Cloud Audit Logging violations in the rule book.

Parameters:
  • project (gcp_type) – The project that has this configuation.
  • audit_config (IamAuditConfig) – The audit config for this project, merged with ancestor configs.
Returns:

A generator of the rule violations.

Return type:

iterable

supported_resource_types = frozenset(['project', 'organization', 'folder'])
class AuditLoggingRulesEngine(rules_file_path, snapshot_timestamp=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for Cloud Audit Logging.

add_rules(rules)[source]

Add rules to the rule book.

Parameters:rules (list) – The list of rules to add to the book.
build_rule_book(global_configs=None)[source]

Build AuditLoggingRuleBook from the rules definition file.

Parameters:global_configs (dict) – Global configurations.
find_violations(project, audit_config, force_rebuild=False)[source]

Determine whether a project’s audit logging config violates rules.

Parameters:
  • project (gcp_type) – The project with audit log config.
  • audit_config (IamAuditConfig) – The audit config for this project, merged with ancestor configs.
  • force_rebuild (bool) – If True, rebuilds the rule book. This will reload the rules definition file and add the rules to the book.
Returns:

A generator of rule violations.

Return type:

iterable

class Rule(rule_name, rule_index, rule)[source]

Bases: object

Rule properties from the rule definition file. Also finds violations.

class RuleViolation(resource_type, resource_id, full_name, rule_name, rule_index, violation_type, service, log_type, unexpected_exemptions, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('resource_type', 'resource_id', 'full_name', 'rule_name', 'rule_index', 'violation_type', 'service', 'log_type', 'unexpected_exemptions', 'resource_data')
classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

full_name
log_type
resource_data
resource_id
resource_type
rule_index
rule_name
service
unexpected_exemptions
violation_type
find_violations(project, audit_config)[source]

Find Cloud Audit Logging violations in the rule book. :param project: The project that has this configuation. :type project: gcp_type :param audit_config: The audit config for this project,

merged with ancestor configs.
Yields:namedtuple – Returns RuleViolation named tuple.