Add support for groups settings scanner

forseti-security · Apr 2, 2019 · 526ffca · 526ffca
1 parent e453560
commit 526ffca
Show file tree

Hide file tree

Showing 9 changed files with 158 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -201,5 +201,11 @@ module "server" {
   bigquery_acl_violations_should_notify               = "${var.bigquery_acl_violations_should_notify}",
   audit_logging_violations_should_notify              = "${var.audit_logging_violations_should_notify}"
 
+  groups_settings_max_calls                = "${var.groups_settings_max_calls}"
+  groups_settings_period                   = "${var.groups_settings_period}"
+  groups_settings_disable_polling          = "${var.groups_settings_disable_polling}"
+  groups_settings_enabled                  = "${var.groups_settings_enabled}"
+  groups_settings_violations_should_notify = "${var.groups_settings_violations_should_notify}"
+
   services = "${google_project_service.main.*.service}"
 }
diff --git a/modules/rules/main.tf b/modules/rules/main.tf
@@ -26,6 +26,7 @@ locals {
     "rules/firewall_rules.yaml",
     "rules/forwarding_rules.yaml",
     "rules/group_rules.yaml",
+    "rules/groups_settings_rules.yaml",
     "rules/iam_rules.yaml",
     "rules/iap_rules.yaml",
     "rules/instance_network_interface_rules.yaml",

diff --git a/modules/rules/templates/rules/groups_settings_rules.yaml b/modules/rules/templates/rules/groups_settings_rules.yaml
@@ -0,0 +1,56 @@
+# Copyright 2017 The Forseti Security Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Rule Keys:
+# name: The unique name describing the rule
+# mode: Depending on whether you want to allow or block in a given situation,
+#      whitelist: violates when any specified property:value combination
+#                 doesn't match.  OR used on settings properties
+#      blacklist: violates when all specified property:value combinations
+#                 match.  AND used on settings properties
+# mode can be whitelist or blacklist
+# group_emails: unique emails matching gsuite groups. Essentially the same rule
+#               is created for each email listed here, or for all in case of
+#               wildcard
+# settings: settings rules.  Supported settings are
+#           - whoCanAdd
+#           - whoCanJoin
+#           - whoCanViewMembership
+#           - whoCanViewGroup
+#           - whoCanInvite
+#           - allowExternalMembers
+#           - whoCanLeaveGroup
+#https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups
+
+rules:
+  - name: All groups with iam policies should have all of these settings
+    mode: whitelist
+    only_iam_groups: True
+    groups_emails:
+      - '*'
+    settings:
+      allowExternalMembers: True
+      whoCanJoin: "INVITED_CAN_JOIN"
+      whoCanInvite: "ALL_MANAGERS_CAN_INVITE"
+      whoCanAdd: "ALL_MANAGERS_CAN_ADD"
+      allowExternalMembers: False
+      whoCanLeaveGroup: "ALL_MANAGERS_CAN_LEAVE"
+  # - name: Recommended for groups only used for IAM and not for email
+  #   mode: whitelist
+  #   only_iam_groups: True
+  #   groups_emails:
+  #     - '*'
+  #   settings:
+  #     whoCanViewMembership: "ALL_IN_DOMAIN_CAN_VIEW"
+  #     whoCanViewGroup: "ALL_MANAGERS_CAN_VIEW"
diff --git a/modules/server/main.tf b/modules/server/main.tf
@@ -213,6 +213,12 @@ data "template_file" "forseti_server_config" {
     BLACKLIST_VIOLATIONS_SHOULD_NOTIFY                  = "${var.blacklist_violations_should_notify ? "true" : "false"}",
     BIGQUERY_ACL_VIOLATIONS_SHOULD_NOTIFY               = "${var.bigquery_acl_violations_should_notify ? "true" : "false"}",
     AUDIT_LOGGING_VIOLATIONS_SHOULD_NOTIFY              = "${var.audit_logging_violations_should_notify ? "true" : "false"}"
+
+    GROUPS_SETTINGS_MAX_CALLS                = "${var.groups_settings_max_calls}"
+    GROUPS_SETTINGS_PERIOD                   = "${var.groups_settings_period}"
+    GROUPS_SETTINGS_DISABLE_POLLING          = "${var.groups_settings_disable_polling ? "true" : "false"}"
+    GROUPS_SETTINGS_ENABLED                  = "${var.groups_settings_enabled ? "true" : "false"}"
+    GROUPS_SETTINGS_VIOLATIONS_SHOULD_NOTIFY = "${var.groups_settings_violations_should_notify ? "true" : "false"}"
   }
 }
 

diff --git a/modules/server/templates/configs/forseti_conf_server.yaml.tpl b/modules/server/templates/configs/forseti_conf_server.yaml.tpl
@@ -76,6 +76,10 @@ inventory:
           max_calls: ${CRM_MAX_CALLS}
           period: ${CRM_PERIOD}
           disable_polling: ${CRM_DISABLE_POLLING}
+        groupssettings:
+          max_calls: ${GROUPS_SETTINGS_MAX_CALLS}
+          period: ${GROUPS_SETTINGS_PERIOD}
+          disable_polling: ${GROUPS_SETTINGS_DISABLE_POLLING}
         iam:
           max_calls: ${IAM_MAX_CALLS}
           period: ${IAM_PERIOD}
@@ -219,6 +223,8 @@ scanner:
           enabled: ${FORWARDING_RULE_ENABLED}
         - name: group
           enabled: ${GROUP_ENABLED}
+        - name: groups_settings
+          enabled: ${GROUPS_SETTINGS_ENABLED}
         - name: iam_policy
           enabled: ${IAM_POLICY_ENABLED}
         - name: iap
@@ -374,6 +380,18 @@ notifier:
                 # gcs_path should begin with "gs://"
                 gcs_path: gs://${FORSETI_BUCKET}/scanner_violations
 
+        - resource: groups_settings_violations
+          should_notify: ${GROUPS_SETTINGS_VIOLATIONS_SHOULD_NOTIFY}
+          notifiers:
+            # Email violations
+            - name: email_violations
+            # Upload violations to GCS.
+            - name: gcs_violations
+              configuration:
+                data_format: csv
+                # gcs_path should begin with "gs://"
+                gcs_path: gs://{FORSETI_BUCKET}/scanner_violations
+
         - resource: ke_version_violations
           should_notify: ${KE_VERSION_VIOLATIONS_SHOULD_NOTIFY}
           notifiers:

diff --git a/modules/server/variables.tf b/modules/server/variables.tf
@@ -650,3 +650,32 @@ variable "services" {
   type        = "list"
   default     = [""]
 }
+
+#---------------------------------------#
+# Groups settings scanner configuration #
+#---------------------------------------#
+
+variable "groups_settings_max_calls" {
+  description = "Maximum calls that can be made to the G Suite Groups API"
+  default     = "5"
+}
+
+variable "groups_settings_period" {
+  description = "The period of max calls to the G Suite Groups API"
+  default     = "1.1"
+}
+
+variable "groups_settings_disable_polling" {
+  description = "Whether to disable polling for the G Suite Groups API"
+  default     = "False"
+}
+
+variable "groups_settings_enabled" {
+  description = "Groups settings scanner enabled."
+  default     = "true"
+}
+
+variable "groups_settings_violations_should_notify" {
+  description = "Notify for groups settings violations"
+  default     = "true"
+}
diff --git a/test/integration/simple_example/controls/forseti.rb b/test/integration/simple_example/controls/forseti.rb
@@ -96,6 +96,7 @@
         rules/firewall_rules.yaml
         rules/forwarding_rules.yaml
         rules/group_rules.yaml
+        rules/groups_settings_rules.yaml
         rules/iam_rules.yaml
         rules/iap_rules.yaml
         rules/instance_network_interface_rules.yaml

diff --git a/test/integration/simple_example/controls/server.rb b/test/integration/simple_example/controls/server.rb
@@ -142,6 +142,18 @@
           expect(config["inventory"]["api_quota"]["crm"]["disable_polling"]).to eq false
         end
 
+        it "configures groups_settings_max_calls" do
+          expect(config["inventory"]["api_quota"]["groupssettings"]["max_calls"]).to eq 5
+        end
+
+        it "configures groups_settings_period" do
+          expect(config["inventory"]["api_quota"]["groupssettings"]["period"]).to eq 1.1
+        end
+
+        it "configures groups_settings_disable_polling" do
+          expect(config["inventory"]["api_quota"]["groupssettings"]["disable_polling"]).to eq false
+        end
+
         it "configures iam_max_calls" do
           expect(config["inventory"]["api_quota"]["iam"]["max_calls"]).to eq 90
         end

diff --git a/variables.tf b/variables.tf
@@ -543,6 +543,35 @@ variable "inventory_email_summary_enabled" {
   default     = "true"
 }
 
+#---------------------------------------#
+# groups settings scanner configuration #
+#---------------------------------------#
+
+variable "groups_settings_max_calls" {
+  description = "maximum calls that can be made to the g suite groups api"
+  default     = "5"
+}
+
+variable "groups_settings_period" {
+  description = "the period of max calls to the g suite groups api"
+  default     = "1.1"
+}
+
+variable "groups_settings_disable_polling" {
+  description = "whether to disable polling for the g suite groups api"
+  default     = "false"
+}
+
+variable "groups_settings_enabled" {
+  description = "groups settings scanner enabled."
+  default     = "true"
+}
+
+variable "groups_settings_violations_should_notify" {
+  description = "notify for groups settings violations"
+  default     = "true"
+}
+
 #----------------#
 # Forseti client #
 #----------------#