exec

package module
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 13, 2019 License: Apache-2.0 Imports: 21 Imported by: 0

README

Security Response Automation

Take automated actions on your Cloud Security Command Center findings:

  • Automatically create disk snapshots to enable forensic investigations.
  • Revoke IAM grants that violate your desired policy.
  • Notify other systems such as PagerDuty, Slack or email.
  • See the full list of automations for more information.

You're in control:

  • The service account runs with the lowest permissions needed, granted at the granularity you specify.
  • You control which projects are enforced by each automation.
  • Every action is logged to StackDriver and is easily auditable.
  • Can be run in monitor mode where actions are logged only.
Configure automations

Before installation we'll configure our automations. Copy ./router/empty-config.yaml to ./router/config.yaml. Within this file we'll define a few things to get started:

  • Which automations should apply to which findings.
  • Which projects to target these automations with.
  • Which projects to exclude.
  • Fill in any needed variables.

Restricting projects

Every automation accepts a target and an exclude array, each holding ancestry patterns that are compared against the incoming project. For example, let's say you have a folder 424242424242 that contains sensitive projects you want to enforce, while your developers use folder ID 5656565656, which you want to leave alone. If you have projects outside of folders you can specify them too.

In this case your configuration could look like:

target:
  - organizations/1234567890/folders/424242424242/*
  - organizations/1234567890/projects/77981237242
excludes:
  - organizations/1234567890/folders/5656565656/*
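As an added illustration of how target and exclude patterns select projects (example code written for this page, not part of the SRA repository), the following Go snippet matches a project's ancestry path against such patterns. It assumes the ancestry is the full `organizations/.../folders/.../projects/...` path, that a trailing `*` matches any depth below it, and that an exclude match takes precedence over a target match.

```go
package main

import (
	"fmt"
	"strings"
)

// matchPattern compares one target/exclude entry against a project's ancestry
// path segment by segment. A trailing "*" matches everything below that
// point, so a folder pattern also covers projects in nested sub-folders.
func matchPattern(pattern, ancestry string) bool {
	p := strings.Split(strings.Trim(pattern, "/"), "/")
	a := strings.Split(strings.Trim(ancestry, "/"), "/")
	for i, seg := range p {
		if seg == "*" {
			return i < len(a) // "*" must cover at least one remaining segment
		}
		if i >= len(a) || a[i] != seg {
			return false
		}
	}
	return len(p) == len(a) // no wildcard: the whole path must match exactly
}

// Enforce reports whether an automation applies to the project: an exclude match wins, otherwise any target match enforces.
func Enforce(targets, excludes []string, ancestry string) bool {
	for _, e := range excludes {
		if matchPattern(e, ancestry) {
			return false
		}
	}
	for _, t := range targets {
		if matchPattern(t, ancestry) {
			return true
		}
	}
	return false
}

func main() {
	targets := []string{"organizations/1234567890/folders/424242424242/*", "organizations/1234567890/projects/77981237242"}
	excludes := []string{"organizations/1234567890/folders/5656565656/*"}
	for _, anc := range []string{ // constructed ancestry paths for illustration
		"organizations/1234567890/folders/424242424242/projects/1111",
		"organizations/1234567890/folders/5656565656/projects/2222",
	} {
		fmt.Printf("%s enforce=%v\n", anc, Enforce(targets, excludes, anc))
	}
}
```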

In the automations documentation we see that this automation is configured in config.yaml under the action name revoke_iam. In this example we'll configure Security Response Automation to apply this automation to Event Threat Detection's Anomalous IAM Grant findings.

It's important to note that this automation requires allow_domains to contain at least one valid domain. This is used to ensure SRA only removes members from domains that are not explicitly allowed. It's also best practice to run SRA with dry_run enabled first. This way SRA generates StackDriver logs showing which actions it would have taken. Once you confirm this is as expected you can set dry_run to false and redeploy.

apiVersion: security-response-automation.cloud.google.com/v1alpha1
kind: Remediation
metadata:
  name: router
spec:
  parameters:
    etd:
      anomalous_iam:
        - action: iam_revoke
          target:
            - organizations/1234567890/folders/424242424242/*
          exclude:
          properties:
            dry_run: false
            allow_domains:
              - foo.com
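An added example (not the project's own code) of the allow_domains and dry_run behaviour described above: members from the finding whose domain is not explicitly allowed are selected for revocation, and in dry_run mode the revocation is only logged. It assumes members use the IAM `type:email` form and that the domain is whatever follows the last `@`.

```go
package main

import (
	"errors"
	"log"
	"strings"
)

// PlanRevocations applies the allow_domains rule: members whose e-mail domain
// is not explicitly allowed are selected for revocation. Members without a
// domain (e.g. allUsers) are ignored here; an empty allow list is rejected.
func PlanRevocations(members, allowDomains []string) ([]string, error) {
	if len(allowDomains) == 0 {
		return nil, errors.New("allow_domains must contain at least one domain")
	}
	allowed := map[string]bool{}
	for _, d := range allowDomains {
		allowed[strings.ToLower(d)] = true
	}
	var revoke []string
	for _, m := range members {
		at := strings.LastIndex(m, "@")
		if at >= 0 && !allowed[strings.ToLower(m[at+1:])] {
			revoke = append(revoke, m)
		}
	}
	return revoke, nil
}

// Apply returns the members actually removed. With dryRun set the action is
// only logged, so the run can be reviewed in StackDriver before enforcing.
func Apply(revoke []string, dryRun bool) []string {
	var removed []string
	for _, m := range revoke {
		if dryRun {
			log.Printf("dry_run: would revoke %s", m)
			continue
		}
		log.Printf("revoking %s", m)
		removed = append(removed, m)
	}
	return removed
}

func main() {
	members := []string{"user:alice@foo.com", "user:mallory@evil.example", "group:ops@FOO.com", "allUsers"} // constructed sample
	plan, _ := PlanRevocations(members, []string{"foo.com"})
	log.Printf("removed: %v", Apply(plan, true)) // dry_run: logs only, nothing removed
}
```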
Configuring permissions

The service account is configured separately within main.tf. Here we tell Terraform which folders we're enforcing so that the required roles are granted automatically. You have a few choices for how to configure this step:

  • Recommended: specify a list of folder IDs on which SRA may grant its service account the necessary roles. This ensures SRA only has the access it needs at the folders where it's being used. You will be prompted for this list in the Installation section below.
  • Grant permissions on your own, either per project or at the organization level.
Forward findings to Pub/Sub

Currently Event Threat Detection publishes to StackDriver and CSCC, while Security Health Analytics publishes to CSCC only. We're in the process of moving to CSCC notifications, but for completeness' sake we list instructions for both StackDriver (legacy) and CSCC notifications.

StackDriver

If you're only interested in processing ETD findings, the Terraform steps below configure the StackDriver export for you automatically, and you can skip the Setup CSCC Notifications section.

Setup CSCC Notifications

CSCC Notifications will enable you to receive SHA & ETD findings.

Configure CSCC notifications

$ export PROJECT_ID=<YOUR_AUTOMATION_PROJECT_ID>
$ export SERVICE_ACCOUNT_EMAIL=automation-service-account@$PROJECT_ID.iam.gserviceaccount.com \
  ORGANIZATION_ID=<YOUR_ORGANIZATION_ID> \
  TOPIC_ID=threat-findings

$ gcloud beta organizations add-iam-policy-binding \
	$ORGANIZATION_ID \
	--member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
	--role='roles/securitycenter.notificationConfigEditor'

$ gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
  --role='roles/pubsub.admin'

$ go run ./local/cli/main.go \
  --command create \
  --org-id=$ORGANIZATION_ID \
  --topic=projects/$PROJECT_ID/topics/$TOPIC_ID

// Note the output, specifically the generated `service_account`:
//
// 2019/11/07 14:06:00 New NotificationConfig created: \
// name:"organizations/1037840971520/notificationConfigs/sampleConfigId"
// description:"Notifies active findings"
// event_type:FINDING pubsub_topic:"projects/ae-threat-detection/topics/cscc-notifications-topic"
// service_account:"service-459837319394@gcp-sa-scc-notification.iam.gserviceaccount.com"
// streaming_config:<filter:"state = \"ACTIVE\"" >
//
// Make sure to replace `SERVICE_ACCOUNT_FROM_ABOVE` with the generated service account.

$ gcloud beta pubsub topics add-iam-policy-binding projects/$PROJECT_ID/topics/$TOPIC_ID \
  --member="serviceAccount:service-459837319394@gcp-sa-scc-notification.iam.gserviceaccount.com" \
  --role="roles/pubsub.publisher"

$ gcloud organizations remove-iam-policy-binding $ORGANIZATION_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
  --role='roles/pubsub.admin'
Installation

Following these instructions will deploy all automations. Before you get started be sure you have:

  • Go version 1.11
  • Terraform version 0.12.17

$ gcloud auth application-default login
$ terraform init

// Install all automations.
$ terraform apply

// Install a single automation.
$ terraform apply --target module.revoke_iam_grants

NOTE

If you set up CSCC notifications it's important to remove the StackDriver export so automations are not triggered twice. This is done by running:

$ gcloud logging sinks delete sink-threat-findings --project=$PROJECT_ID

TIP: Instead of entering variables every time, you can create a terraform.tfvars file and put the key/value pairs there, e.g. automation-project="aerial-jigsaw-235219".

If at any point you want to revert the changes we've made, just run terraform destroy.

Reinstalling a Cloud Function

Terraform will create or destroy everything by default. To redeploy a single Cloud Function you can do:

// revoke_iam_grants is the name of the Terraform module in `./main.tf`.
// IAMRevoke is the exported Cloud Function name in `exec.go`.
$ scripts/deploy.sh revoke_iam_grants IAMRevoke $PROJECT_ID
Logging

Each Cloud Function logs its actions to the log location below. To view them, open StackDriver, click the arrow on the right-hand side, choose 'Convert to advanced filter', then paste in the filter below, changing the project ID to the project where your Cloud Functions are installed.

Documentation

Overview

Package exec is the entry point for security automation Cloud Functions.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CloseBucket

func CloseBucket(ctx context.Context, m pubsub.Message) error

CloseBucket will remove any public users from buckets found within the provided folders.

Permissions required

  • roles/viewer to retrieve ancestry.
  • roles/storage.admin to modify buckets.

func CloseCloudSQL

func CloseCloudSQL(ctx context.Context, m pubsub.Message) error

CloseCloudSQL removes public IP for a Cloud SQL instance.

This Cloud Function will respond to Security Health Analytics **Public SQL Instance** findings from **SQL Scanner**. All public IP addresses of the affected instance will be deleted when this function is activated.

Permissions required

  • roles/cloudsql.editor to get instance data and delete access config.

func ClosePublicDataset

func ClosePublicDataset(ctx context.Context, m pubsub.Message) error

ClosePublicDataset removes public access of a BigQuery dataset.

This Cloud Function will respond to Security Health Analytics **Public Dataset** findings from **Dataset Scanner**. All public access of the affected dataset will be removed when this function is activated.

Permissions required

  • roles/bigquery.dataOwner to get and update dataset metadata.

func CloudSQLRequireSSL

func CloudSQLRequireSSL(ctx context.Context, m pubsub.Message) error

CloudSQLRequireSSL enables the SSL requirement for a Cloud SQL instance.

This Cloud Function will respond to Security Health Analytics **Public SQL Instance** findings from **SQL Scanner**. All public IP addresses of the affected instance will be deleted when this function is activated.

Permissions required

  • roles/cloudsql.editor to get instance data and delete access config.

func DisableDashboard

func DisableDashboard(ctx context.Context, m pubsub.Message) error

DisableDashboard will disable the Kubernetes dashboard addon.

This Cloud Function will respond to Security Health Analytics **Web UI Enabled** findings from **Container Scanner**. The Kubernetes dashboard addon will be disabled when this function is activated.

Permissions required

  • roles/container.clusterAdmin to update the cluster addon.

func EnableAuditLogs

func EnableAuditLogs(ctx context.Context, m pubsub.Message) error

EnableAuditLogs enables Audit Logs for a specific project.

This Cloud Function will respond to Security Health Analytics **AUDIT_LOGGING_DISABLED** findings from **LOGGING_SCANNER**.

Permissions required

  • roles/resourcemanager.folderAdmin to get/update resource policy from projects in folder.
  • roles/editor to get/update resource policy to specific project.

func EnableBucketOnlyPolicy

func EnableBucketOnlyPolicy(ctx context.Context, m pubsub.Message) error

EnableBucketOnlyPolicy enables bucket-only policy on a GCS bucket.

This Cloud Function will respond to Security Health Analytics **BUCKET_POLICY_ONLY_DISABLED** findings from **STORAGE_SCANNER**. Bucket only IAM policy will be enforced on the bucket.

Permissions required

  • roles/storage.admin to change the Bucket policy mode.

func IAMRevoke

func IAMRevoke(ctx context.Context, m pubsub.Message) error

IAMRevoke is the entry point for the IAM revoker Cloud Function.

This function will attempt to revoke the external members added to the policy if they match the provided list of disallowed domains. Additionally, this method will only remove members if the project they were added to is within the specified folders. This configuration lets you take a remediation action only on specific members and folders. For example, you may have a folder "development" where users can experiment without strict policies, but in your "production" folder you may want to revoke any grants that ETD finds, as long as they match the domains you specify.

Permissions required

  • roles/resourcemanager.folderAdmin to revoke IAM grants.
  • roles/viewer to verify the affected project is within the enforced folder.

func OpenFirewall

func OpenFirewall(ctx context.Context, m pubsub.Message) error

OpenFirewall will remediate an open firewall.

Permissions required

  • roles/viewer to retrieve ancestry.
  • roles/compute.securityAdmin to modify firewall rules.

func RemoveNonOrganizationMembers

func RemoveNonOrganizationMembers(ctx context.Context, m pubsub.Message) error

RemoveNonOrganizationMembers removes all members that do not match the organization domain.

This Cloud Function will respond to Security Health Analytics **NON_ORG_IAM_MEMBER** findings from **IAM Scanner**. All user member types (user:) that do not correspond to the organization will be removed from policy binding.

Permissions required

  • roles/resourcemanager.organizationAdmin to get org info and policies and set policies.

func RemovePublicIP

func RemovePublicIP(ctx context.Context, m pubsub.Message) error

RemovePublicIP removes all the external IP addresses of a GCE instance.

This Cloud Function will respond to Security Health Analytics **Public IP Address** findings from **Compute Instance Scanner**. All public IP addresses of the affected instance will be deleted when this function is activated.

Permissions required

  • roles/compute.instanceAdmin.v1 to get instance data and delete access config.

func Router (added in v0.0.2)

func Router(ctx context.Context, m pubsub.Message) error

Router is the entry point for the router Cloud Function.

This Cloud Function will receive all findings and route them to configured automation.

func SnapshotDisk

func SnapshotDisk(ctx context.Context, m pubsub.Message) error

SnapshotDisk is the entry point for the auto creation of GCE snapshots Cloud Function.

Once a supported finding is received, this Cloud Function looks for existing disk snapshots for the affected instance. If there are recent snapshots, no action is taken, so that a recent snapshot is not overwritten. Otherwise it takes a new snapshot of each disk within the instance.

Permissions required

  • roles/compute.instanceAdmin.v1 to manage disk snapshots.
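The recency check described above, as an added example not taken from the project: given the instance's disks and existing snapshot metadata, it returns only the disks lacking a snapshot younger than a freshness window (`maxAge`, an assumed parameter, since the documentation does not state the threshold).

```go
package main

import (
	"fmt"
	"time"
)

// Snapshot is the subset of GCE snapshot metadata the decision needs.
type Snapshot struct {
	SourceDisk string    // disk the snapshot was taken from
	Created    time.Time // creationTimestamp
}

// DisksToSnapshot returns the instance disks that have no snapshot newer than
// now-maxAge, i.e. those SnapshotDisk would snapshot. Disks with a recent
// snapshot are skipped so a fresh forensic image is not overwritten.
func DisksToSnapshot(disks []string, existing []Snapshot, now time.Time, maxAge time.Duration) []string {
	newest := map[string]time.Time{}
	for _, s := range existing {
		if s.Created.After(newest[s.SourceDisk]) {
			newest[s.SourceDisk] = s.Created
		}
	}
	var todo []string
	for _, d := range disks {
		if t, ok := newest[d]; ok && now.Sub(t) <= maxAge {
			continue // a recent snapshot already exists for this disk
		}
		todo = append(todo, d)
	}
	return todo
}

func main() {
	now := time.Date(2019, 12, 13, 12, 0, 0, 0, time.UTC)
	existing := []Snapshot{ // constructed sample metadata, not real snapshots
		{"boot", now.Add(-30 * time.Minute)},
		{"data", now.Add(-48 * time.Hour)},
	}
	fmt.Println(DisksToSnapshot([]string{"boot", "data", "scratch"}, existing, now, 2*time.Hour))
	// [data scratch]
}
```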

func UpdatePassword

func UpdatePassword(ctx context.Context, m pubsub.Message) error

UpdatePassword updates the root password for a Cloud SQL instance.

This Cloud Function will respond to Security Health Analytics **SQL No Root Password** findings from **SQL Scanner**. The root user of the affected instance will be updated with a new password when this function is activated.

Permissions required

  • roles/cloudsql.admin to update a user password.

Types

This section is empty.

Directories

Path Synopsis
Package clients holds client libraries used by security automation Cloud Functions.
cscc/apiv1p1alpha1
Package securitycenter is an auto-generated package for the Cloud Security Command Center API.
stubs
Package stubs provides testable stubs for clients.
cloudfunctions
iam/revoke
Package revoke provides the implementation of automated actions.
compiled
sha
Package protos is a generated protocol buffer package.
sha/protos
Package sha is a generated protocol buffer package.
local
cli
This package will create a CSCC notification config that sends all active findings to the specified Pub/Sub topic.
debug
Package main runs a Cloud Function locally.
providers
etd
etd/anomalousiam
Package anomalousiam represents the anomalous IAM grant finding.
etd/badip
Package badip represents the bad IP finding.
sha
Package sha holds Security Health Analytics finding entities and functions.
Package services holds commonly used methods used in security automation.
