Documentation ¶
Overview ¶
Package services holds commonly used methods used in security automation.
Index ¶
- Variables
- func CreateAncestors(members []string) *cloudresourcemanager.GetAncestryResponse
- func GeneratePassword() (string, error)
- func SendTurbinia(ctx context.Context, turbiniaProjectID, topic, zone string, diskNames []string) error
- type BigQuery
- type BigQueryClient
- type CloseBucket
- type CloseCloudSQL
- type ClosePublicDataset
- type CloudSQL
- func (s *CloudSQL) ClosePublicAccess(ctx context.Context, projectID, instance string, acls []*sqladmin.AclEntry) error
- func (s *CloudSQL) InstanceDetails(ctx context.Context, projectID string, instance string) (*sqladmin.DatabaseInstance, error)
- func (s *CloudSQL) IsPublic(acls []*sqladmin.AclEntry) bool
- func (s *CloudSQL) RequireSSL(ctx context.Context, projectID string, instance string) error
- func (s *CloudSQL) UpdateUserPassword(ctx context.Context, projectID, instance, host, name, password string) error
- type CloudSQLClient
- type CloudSQLRequireSSL
- type CommandCenter
- type CommandCenterClient
- type ComputeClient
- type Configuration
- type Container
- type ContainerClient
- type DisableDashboard
- type DisableFirewall
- type Email
- type EmailClient
- type EmailResponse
- type EnableAuditLogs
- type EnableBucketOnlyPolicy
- type Firewall
- func (f *Firewall) BlockSSH(ctx context.Context, projectID string, sourceRanges []string) error
- func (f *Firewall) DeleteFirewallRule(ctx context.Context, projectID string, ruleID string) (*compute.Operation, error)
- func (f *Firewall) DisableFirewallRule(ctx context.Context, projectID string, ruleID string, name string) (*compute.Operation, error)
- func (f *Firewall) EnableFirewallRule(ctx context.Context, projectID string, ruleID string, name string) (*compute.Operation, error)
- func (f *Firewall) FirewallRule(ctx context.Context, projectID string, ruleID string) (*compute.Firewall, error)
- func (f *Firewall) UpdateFirewallRuleSourceRange(ctx context.Context, projectID string, ruleID string, name string, ...) error
- func (f *Firewall) WaitGlobal(project string, op *compute.Operation) []error
- type FirewallClient
- type Global
- type GoogleCloudDisk
- type Host
- func (h *Host) CopyDiskSnapshot(ctx context.Context, srcProjectID, dstProjectID, zone, name string) error
- func (h *Host) CreateDiskSnapshot(ctx context.Context, projectID, zone, disk, name string) error
- func (h *Host) DeleteDiskSnapshot(ctx context.Context, projectID, snapshot string) error
- func (h *Host) DeleteInstance(ctx context.Context, projectID, zone, instance string) (*compute.Operation, error)
- func (h *Host) DiskSnapshot(ctx context.Context, snapshotName, projectID string, disk *compute.Disk) (*compute.Snapshot, error)
- func (h *Host) ListInstanceDisks(ctx context.Context, projectID, zone, instance string) ([]*compute.Disk, error)
- func (h *Host) ListProjectSnapshots(ctx context.Context, projectID string) (*compute.SnapshotList, error)
- func (h *Host) RemoveExternalIPs(ctx context.Context, project, zone, instance string) error
- func (h *Host) SetSnapshotLabels(ctx context.Context, projectID, snapshotName string, disk *compute.Disk, ...) error
- func (h *Host) StartInstance(ctx context.Context, projectID, zone, instance string) error
- func (h *Host) StopInstance(ctx context.Context, projectID, zone, instance string) error
- func (h *Host) WaitGlobal(project string, op *compute.Operation) []error
- func (h *Host) WaitZone(project, zone string, op *compute.Operation) []error
- type Logger
- type LoggerClient
- type Match
- type MatchResource
- type PagerDuty
- type PagerDutyClient
- type PagerDutyConfiguration
- type PubSub
- type PubSubClient
- type RemoveNonOrgMembers
- type RemovePublicIP
- type Resource
- func (r *Resource) CheckMatches(ctx context.Context, projectID string, target, ignore []string) (bool, error)
- func (r *Resource) EnableAuditLogs(ctx context.Context, projectID string) (*crm.Policy, error)
- func (r *Resource) EnableBucketOnlyPolicy(ctx context.Context, bucketName string) error
- func (r *Resource) GetProjectAncestry(ctx context.Context, projectID string) ([]string, error)
- func (r *Resource) IfProjectInFolders(ctx context.Context, ids []string, projectID string, fn func() error) error
- func (r *Resource) IfProjectInOrg(ctx context.Context, orgID, projectID string, fn func() error) error
- func (r *Resource) IfProjectInProjects(ctx context.Context, ids []string, projectID string, fn func() error) error
- func (r *Resource) IfProjectWithinResources(ctx context.Context, conf *Resources, projectID string, fn func() error) error
- func (r *Resource) Organization(ctx context.Context, orgID string) (*crm.Organization, error)
- func (r *Resource) OrganizationOnlyKeepUsersFromDomains(ctx context.Context, orgID string, allowDomains []string) ([]string, error)
- func (r *Resource) PolicyOrganization(ctx context.Context, name string) (*crm.Policy, error)
- func (r *Resource) ProjectOnlyKeepUsersFromDomains(ctx context.Context, projectID string, allowDomains []string) ([]string, error)
- func (r *Resource) RemoveMembersFromBucket(ctx context.Context, bucketName string, members []string) error
- func (r *Resource) RemoveUsersProject(ctx context.Context, projectID string, remove []string) error
- type Resources
- type Router
- type StackDriverLog
- type TurbiniaRequest
- type UpdatePassword
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrUnmarshal is returned when a payload cannot be unmarshaled.
	ErrUnmarshal = errors.New("failed to unmarshal")
	// ErrParsing is returned when input cannot be parsed as a log.
	ErrParsing = errors.New("not a valid log")
	// ErrValueNotFound is returned when a requested value is absent.
	ErrValueNotFound = errors.New("value not found")
	// ErrUnsupportedFinding is returned when a function does not support the
	// finding it was given.
	ErrUnsupportedFinding = errors.New("unsupported finding")
	// ErrSkipFinding is returned when a finding should be skipped.
	// NOTE(review): its message is byte-identical to ErrUnsupportedFinding's.
	// errors.Is still tells the two sentinels apart, but anything that matches
	// on the message text (logs, alerts) cannot; consider a distinct message.
	ErrSkipFinding = errors.New("unsupported finding")
)
Functions ¶
func CreateAncestors ¶
func CreateAncestors(members []string) *cloudresourcemanager.GetAncestryResponse
CreateAncestors creates an ancestry response using a provided slice of members.
func GeneratePassword ¶
GeneratePassword generates a password based on randomly generated numbers that are hashed using SHA256.
Types ¶
type BigQuery ¶
type BigQuery struct {
// contains filtered or unexported fields
}
BigQuery service.
func InitBigQuery ¶
InitBigQuery creates and initializes a new instance of BigQuery.
func NewBigQuery ¶
func NewBigQuery(cs BigQueryClient) *BigQuery
NewBigQuery returns a BigQuery service.
type BigQueryClient ¶
// BigQueryClient is the minimum interface the BigQuery service requires of
// its underlying client: reading and overwriting dataset metadata.
type BigQueryClient interface {
	// DatasetMetadata returns the metadata of the dataset identified by
	// projectID and datasetID.
	DatasetMetadata(ctx context.Context, projectID, datasetID string) (*bigquery.DatasetMetadata, error)
	// OverwriteDatasetMetadata applies dm to the dataset and returns the
	// resulting metadata. The name suggests a replace rather than a merge —
	// confirm against the implementation before relying on that.
	OverwriteDatasetMetadata(ctx context.Context, projectID, datasetID string, dm bigquery.DatasetMetadataToUpdate) (*bigquery.DatasetMetadata, error)
}
BigQueryClient contains minimum interface required by the service.
type CloseBucket ¶
CloseBucket contains configuration required for the Cloud Bucket function.
type CloseCloudSQL ¶
CloseCloudSQL contains configuration required for the close Cloud SQL function.
type ClosePublicDataset ¶
ClosePublicDataset contains configuration required for the close public dataset function.
type CloudSQL ¶
type CloudSQL struct {
// contains filtered or unexported fields
}
CloudSQL service.
func NewCloudSQL ¶
func NewCloudSQL(cc CloudSQLClient) *CloudSQL
NewCloudSQL returns a Cloud SQL service.
func (*CloudSQL) ClosePublicAccess ¶
func (s *CloudSQL) ClosePublicAccess(ctx context.Context, projectID, instance string, acls []*sqladmin.AclEntry) error
ClosePublicAccess removes all valid IPs from the authorized networks of an instance.
func (*CloudSQL) InstanceDetails ¶
func (s *CloudSQL) InstanceDetails(ctx context.Context, projectID string, instance string) (*sqladmin.DatabaseInstance, error)
InstanceDetails gets the details of an instance.
func (*CloudSQL) RequireSSL ¶
RequireSSL modifies the configuration to require only SSL connections.
type CloudSQLClient ¶
// CloudSQLClient is the minimum interface the Cloud SQL service requires of
// its underlying client.
//
// NOTE(review): the string parameters are positional and untyped. The
// wrappers on *CloudSQL name them (projectID, instance, ...) in that order;
// presumably the same order applies here — confirm against the implementation.
type CloudSQLClient interface {
	PatchInstance(context.Context, string, string, *sqladmin.DatabaseInstance) (*sqladmin.Operation, error)
	// WaitSQL returns every error observed while waiting on the operation; an
	// empty slice is the success case.
	WaitSQL(string, *sqladmin.Operation) []error
	InstanceDetails(context.Context, string, string) (*sqladmin.DatabaseInstance, error)
	// UpdateUser takes four positional strings; UpdateUserPassword on *CloudSQL
	// names them projectID, instance, host, name — verify the order is the same.
	UpdateUser(context.Context, string, string, string, string, *sqladmin.User) (*sqladmin.Operation, error)
}
CloudSQLClient contains minimum interface required by the Cloud SQL service.
type CloudSQLRequireSSL ¶
CloudSQLRequireSSL contains configuration required for the Cloud SQL require SSL function.
type CommandCenter ¶
type CommandCenter struct {
// contains filtered or unexported fields
}
CommandCenter service.
func NewCommandCenter ¶
func NewCommandCenter(cc CommandCenterClient) *CommandCenter
NewCommandCenter returns a command center service.
func (*CommandCenter) AddSecurityMarks ¶
func (r *CommandCenter) AddSecurityMarks(ctx context.Context, serviceID string, securityMarks map[string]string) (*crm.SecurityMarks, error)
AddSecurityMarks to a finding or asset.
type CommandCenterClient ¶
// CommandCenterClient is the minimum interface the command center service
// requires of its underlying client.
type CommandCenterClient interface {
	// AddSecurityMarks applies the marks in the request and returns the
	// resulting SecurityMarks.
	AddSecurityMarks(context.Context, *crm.UpdateSecurityMarksRequest) (*crm.SecurityMarks, error)
}
CommandCenterClient contains minimum interface required by the command center service.
type ComputeClient ¶
// ComputeClient is the minimum interface the host service requires of its
// underlying Compute Engine client.
//
// NOTE(review): most methods take positional, untyped strings. Where the
// parameters are named (DeleteAccessConfig, GetInstance) the order is
// project, zone, instance; presumably the unnamed ones follow the same
// convention — confirm against the implementation before adding callers.
type ComputeClient interface {
	DiskInsert(context.Context, string, string, *compute.Disk) (*compute.Operation, error)
	CreateSnapshot(context.Context, string, string, string, *compute.Snapshot) (*compute.Operation, error)
	DeleteAccessConfig(ctx context.Context, project, zone, instance, accessConfig, networkInterface string) (*compute.Operation, error)
	DeleteDiskSnapshot(context.Context, string, string) (*compute.Operation, error)
	DeleteInstance(context.Context, string, string, string) (*compute.Operation, error)
	GetInstance(ctx context.Context, project, zone, instance string) (*compute.Instance, error)
	ListDisks(context.Context, string, string) (*compute.DiskList, error)
	ListProjectSnapshots(context.Context, string) (*compute.SnapshotList, error)
	SetLabels(context.Context, string, string, *compute.GlobalSetLabelsRequest) (*compute.Operation, error)
	StartInstance(context.Context, string, string, string) (*compute.Operation, error)
	StopInstance(context.Context, string, string, string) (*compute.Operation, error)
	// WaitGlobal and WaitZone return every error observed while waiting on
	// the operation; an empty slice is the success case.
	WaitGlobal(string, *compute.Operation) []error
	WaitZone(string, string, *compute.Operation) []error
}
ComputeClient contains minimum interface required by the host service.
type Configuration ¶
// Configuration contains the ID(s) to apply actions to, one section per
// remediation. Every section is a pointer, so when the struct is decoded from
// JSON a section missing from the input is left nil and consumers must check
// for that before dereferencing.
type Configuration struct {
	PagerDuty          *PagerDutyConfiguration `json:"pager_duty"`
	CloseBucket        *CloseBucket            `json:"close_bucket"`
	// NOTE(review): the JSON key is "open_firewall", not "disable_firewall".
	// Renaming it would break existing configuration files, so it stays.
	DisableFirewall        *DisableFirewall        `json:"open_firewall"`
	RemovePublicIP         *RemovePublicIP         `json:"remove_public_ip"`
	ClosePublicDataset     *ClosePublicDataset     `json:"close_public_dataset"`
	CloseCloudSQL          *CloseCloudSQL          `json:"close_cloud_sql"`
	CloudSQLRequireSSL     *CloudSQLRequireSSL     `json:"cloud_sql_require_ssl"`
	DisableDashboard       *DisableDashboard       `json:"disable_dashboard"`
	EnableBucketOnlyPolicy *EnableBucketOnlyPolicy `json:"enable_bucket_only_policy"`
	EnableAuditLogs        *EnableAuditLogs        `json:"enable_audit_logs"`
	// UpdatePassword is keyed "cloud_sql_update_password", unlike the field name.
	UpdatePassword      *UpdatePassword      `json:"cloud_sql_update_password"`
	RemoveNonOrgMembers *RemoveNonOrgMembers `json:"remove_non_org_members"`
	// Router carries no json tag, so encoding/json matches it by field name
	// (case-insensitively) rather than by a snake_case key.
	Router *Router
}
Configuration contains the ID(s) to apply actions to.
func NewConfiguration ¶
func NewConfiguration(file string) (*Configuration, error)
NewConfiguration returns a new configuration.
type Container ¶
type Container struct {
// contains filtered or unexported fields
}
Container Service.
func NewContainer ¶
func NewContainer(client ContainerClient) *Container
NewContainer returns a new Container service.
type ContainerClient ¶
// ContainerClient holds the minimum interface the Container service requires
// of its underlying GKE client.
type ContainerClient interface {
	// UpdateAddonsConfig applies the addons request to a cluster and returns
	// the resulting operation. The three positional strings are untyped;
	// presumably project, zone/location and cluster — confirm against the
	// implementation.
	UpdateAddonsConfig(context.Context, string, string, string, *container.SetAddonsConfigRequest) (*container.Operation, error)
}
ContainerClient holds the minimum interface required by the Container service.
type DisableDashboard ¶
DisableDashboard contains configuration required for the disable dashboard function.
type DisableFirewall ¶
// DisableFirewall contains the configuration required for the disable
// firewall function.
type DisableFirewall struct {
	// Resources limits which folders, projects or organization the function
	// acts on; presumably consumed via Resource.IfProjectWithinResources.
	Resources *Resources
	// RemediationAction selects what is done to an offending rule. The set of
	// accepted values is defined by the function that reads it — TODO confirm.
	RemediationAction string `json:"remediation_action"`
	// SourceRanges are the ranges used when a rule is rewritten; their exact
	// use is set by the consumer — TODO confirm.
	SourceRanges []string `json:"source_ranges"`
	// DryRun, when true, is expected to make the function report rather than
	// change anything; verify the implementation honours it before relying on it.
	DryRun bool `json:"dry_run"`
	// OutputDestinations lists where results are sent; the accepted values are
	// not visible here.
	OutputDestinations []string `json:"output_destinations"`
}
DisableFirewall contains configuration required for the disable firewall function.
type Email ¶
type Email struct {
// contains filtered or unexported fields
}
Email is the service used to send emails.
func (*Email) RenderTemplate ¶
RenderTemplate parses the content based on template.
type EmailClient ¶
// EmailClient is the interface the Email service uses to send mail.
type EmailClient interface {
	// Send delivers body with the given subject from the from address to every
	// recipient in to, returning the provider's REST response.
	Send(subject, from, body string, to []string) (*rest.Response, error)
}
EmailClient is the interface used for sending emails.
type EmailResponse ¶
EmailResponse contains the response from sending an email.
type EnableAuditLogs ¶
EnableAuditLogs contains the configuration required to enable data access audit logs.
type EnableBucketOnlyPolicy ¶
EnableBucketOnlyPolicy contains configuration required for the enable bucket only policy function.
type Firewall ¶
type Firewall struct {
// contains filtered or unexported fields
}
Firewall service.
func NewFirewall ¶
func NewFirewall(client FirewallClient) *Firewall
NewFirewall returns a new firewall service.
func (*Firewall) BlockSSH ¶
BlockSSH will add a firewall rule that blocks SSH for the given project.
func (*Firewall) DeleteFirewallRule ¶
func (f *Firewall) DeleteFirewallRule(ctx context.Context, projectID string, ruleID string) (*compute.Operation, error)
DeleteFirewallRule deletes the firewall rule.
func (*Firewall) DisableFirewallRule ¶
func (f *Firewall) DisableFirewallRule(ctx context.Context, projectID string, ruleID string, name string) (*compute.Operation, error)
DisableFirewallRule sets the firewall rule to disabled.
func (*Firewall) EnableFirewallRule ¶
func (f *Firewall) EnableFirewallRule(ctx context.Context, projectID string, ruleID string, name string) (*compute.Operation, error)
EnableFirewallRule sets the firewall rule to enabled.
func (*Firewall) FirewallRule ¶
func (f *Firewall) FirewallRule(ctx context.Context, projectID string, ruleID string) (*compute.Firewall, error)
FirewallRule gets a firewall rule.
type FirewallClient ¶
// FirewallClient holds the minimum interface the firewall service requires of
// its underlying client.
//
// NOTE(review): the string parameters are positional and untyped. The
// *Firewall wrappers name them (projectID, ruleID) in that order; presumably
// the same order applies here — confirm against the implementation.
type FirewallClient interface {
	InsertFirewallRule(context.Context, string, *compute.Firewall) (*compute.Operation, error)
	PatchFirewallRule(context.Context, string, string, *compute.Firewall) (*compute.Operation, error)
	FirewallRule(context.Context, string, string) (*compute.Firewall, error)
	DeleteFirewallRule(context.Context, string, string) (*compute.Operation, error)
	// WaitGlobal returns every error observed while waiting on the operation;
	// an empty slice is the success case.
	WaitGlobal(string, *compute.Operation) []error
}
FirewallClient holds the minimum interface required by the firewall service.
type Global ¶
// Global holds all initialized services so they can be passed around as one
// value. Every field is a pointer; nothing here guarantees they are non-nil,
// so consumers should check before use.
type Global struct {
	Configuration *Configuration
	Logger        *Logger
	Resource      *Resource
	Host          *Host
	Firewall      *Firewall
	Container     *Container
	CloudSQL      *CloudSQL
}
Global holds all initialized services.
type GoogleCloudDisk ¶
// GoogleCloudDisk represents a GCP disk by project, zone and name. It is the
// element type of TurbiniaRequest.Evidence.
type GoogleCloudDisk struct {
	Project  string `json:"project"`
	Zone     string `json:"zone"`
	DiskName string `json:"disk_name"`
}
GoogleCloudDisk represents a GCP disk.
type Host ¶
type Host struct {
// contains filtered or unexported fields
}
Host service.
func (*Host) CopyDiskSnapshot ¶
func (h *Host) CopyDiskSnapshot(ctx context.Context, srcProjectID, dstProjectID, zone, name string) error
CopyDiskSnapshot creates a disk from a snapshot and moves it to another project.
func (*Host) CreateDiskSnapshot ¶
CreateDiskSnapshot creates a snapshot.
func (*Host) DeleteDiskSnapshot ¶
DeleteDiskSnapshot deletes the given snapshot from the project.
func (*Host) DeleteInstance ¶
func (h *Host) DeleteInstance(ctx context.Context, projectID, zone, instance string) (*compute.Operation, error)
DeleteInstance deletes the given instance in the given zone.
func (*Host) DiskSnapshot ¶
func (h *Host) DiskSnapshot(ctx context.Context, snapshotName, projectID string, disk *compute.Disk) (*compute.Snapshot, error)
DiskSnapshot gets a snapshot by name associated with a given disk.
func (*Host) ListInstanceDisks ¶
func (h *Host) ListInstanceDisks(ctx context.Context, projectID, zone, instance string) ([]*compute.Disk, error)
ListInstanceDisks returns the disks attached to a given instance.
func (*Host) ListProjectSnapshots ¶
func (h *Host) ListProjectSnapshots(ctx context.Context, projectID string) (*compute.SnapshotList, error)
ListProjectSnapshots returns a list of snapshots.
func (*Host) RemoveExternalIPs ¶
RemoveExternalIPs iterates over all network interfaces of an instance and deletes their accessConfigs, which removes the external IP addresses of the instance.
func (*Host) SetSnapshotLabels ¶
func (h *Host) SetSnapshotLabels(ctx context.Context, projectID, snapshotName string, disk *compute.Disk, labels map[string]string) error
SetSnapshotLabels sets the labels on a snapshot.
func (*Host) StartInstance ¶
StartInstance starts a given instance in the given zone.
func (*Host) StopInstance ¶
StopInstance stops the provided instance.
func (*Host) WaitGlobal ¶
WaitGlobal will wait for the global operation to complete.
type Logger ¶
type Logger struct {
// contains filtered or unexported fields
}
Logger client.
func NewLogger ¶
func NewLogger(l LoggerClient) *Logger
NewLogger initializes and returns a Logger struct.
type LoggerClient ¶
// LoggerClient is the minimum interface the logger service requires of its
// underlying client: one method per severity plus Close.
type LoggerClient interface {
	// Info, Warning, Error and Debug take a format message and its arguments,
	// in the fmt.Printf style.
	Info(message string, a ...interface{})
	Warning(message string, a ...interface{})
	Error(message string, a ...interface{})
	Debug(message string, a ...interface{})
	// Close releases the client; whether it flushes buffered entries is not
	// visible here — confirm against the implementation.
	Close()
}
LoggerClient contains minimum interface required by the logger service.
type Match ¶ added in v0.0.2
// Match pairs the resources to act on with the resources to leave alone.
// Presumably Exclude takes precedence over Target, mirroring the
// (target, ignore) parameters of Resource.CheckMatches — TODO confirm.
type Match struct {
	Target  []MatchResource
	Exclude []MatchResource
}
type MatchResource ¶ added in v0.0.2
// MatchResource names a resource used in Match.Target and Match.Exclude. The
// expected format of the string is not visible here — see the code that
// evaluates matches.
type MatchResource string
type PagerDuty ¶
type PagerDuty struct {
// contains filtered or unexported fields
}
PagerDuty service.
func InitPagerDuty ¶
InitPagerDuty creates and initializes a new instance of PagerDuty.
func NewPagerDuty ¶
func NewPagerDuty(cs PagerDutyClient) *PagerDuty
NewPagerDuty returns a PagerDuty service.
type PagerDutyClient ¶
// PagerDutyClient contains the methods used by the PagerDuty service.
type PagerDutyClient interface {
	// CreateIncident opens an incident on serviceID with the given title and
	// body, attributed to the from user.
	CreateIncident(from, serviceID, title, body string) (*pagerduty.Incident, error)
}
PagerDutyClient contains methods used by the PagerDuty service.
type PagerDutyConfiguration ¶
// PagerDutyConfiguration contains configuration for the PagerDuty client.
type PagerDutyConfiguration struct {
	// APIKey is the PagerDuty API credential. It is read from the JSON
	// configuration, so that file must be protected and kept out of source
	// control like any other secret.
	APIKey string `json:"api_key"`
	// Enabled toggles PagerDuty notifications.
	Enabled bool `json:"enabled"`
	// ServiceID of the affected service within PagerDuty.
	ServiceID string `json:"service_id"`
	// From is the email address that sends the incident. This must be a valid
	// user within PagerDuty.
	From string `json:"from"`
}
PagerDutyConfiguration contains configuration for the PagerDuty client.
type PubSub ¶
type PubSub struct {
// contains filtered or unexported fields
}
PubSub service.
func InitPubSub ¶
InitPubSub creates and initializes a new instance of PubSub.
type PubSubClient ¶
// PubSubClient is the minimum interface the PubSub service requires of its
// underlying client.
type PubSubClient interface {
	// Topic returns a handle for the named topic.
	Topic(string) *pubsub.Topic
	// Publish sends the message to the topic and returns the message ID.
	Publish(context.Context, *pubsub.Topic, *pubsub.Message) (string, error)
}
PubSubClient contains minimum interface required by the service.
type RemoveNonOrgMembers ¶
// RemoveNonOrgMembers contains the configuration required for the remove
// non-org members function.
type RemoveNonOrgMembers struct {
	// Resources limits which folders, projects or organization the function
	// acts on; presumably consumed via Resource.IfProjectWithinResources.
	Resources *Resources
	// AllowDomains lists the domains whose users are kept; users outside these
	// domains are the ones removed (see OrganizationOnlyKeepUsersFromDomains).
	AllowDomains []string `json:"allow_domains"`
	// DryRun, when true, is expected to make the function report rather than
	// remove anyone; verify the implementation honours it before relying on it.
	DryRun bool `json:"dry_run"`
}
RemoveNonOrgMembers contains configuration required for remove non-org members function.
type RemovePublicIP ¶
RemovePublicIP contains configuration required for the remove public IP function.
type Resource ¶
type Resource struct {
// contains filtered or unexported fields
}
Resource service.
func NewResource ¶
func NewResource(crm crmClient, s storageClient) *Resource
NewResource returns a new resource service.
func (*Resource) CheckMatches ¶
func (r *Resource) CheckMatches(ctx context.Context, projectID string, target, ignore []string) (bool, error)
CheckMatches checks if a project is included in the target and not included in ignore.
func (*Resource) EnableAuditLogs ¶
EnableAuditLogs enables audit logs for all services and log types.
func (*Resource) EnableBucketOnlyPolicy ¶
EnableBucketOnlyPolicy enables the bucket-only policy for the given bucket.
func (*Resource) GetProjectAncestry ¶
GetProjectAncestry returns a slice of the project's ancestry.
func (*Resource) IfProjectInFolders ¶
func (r *Resource) IfProjectInFolders(ctx context.Context, ids []string, projectID string, fn func() error) error
IfProjectInFolders will apply the function if the project ID is within the folder IDs.
func (*Resource) IfProjectInOrg ¶
func (r *Resource) IfProjectInOrg(ctx context.Context, orgID, projectID string, fn func() error) error
IfProjectInOrg will apply the function if the project ID is within the organization.
func (*Resource) IfProjectInProjects ¶
func (r *Resource) IfProjectInProjects(ctx context.Context, ids []string, projectID string, fn func() error) error
IfProjectInProjects will apply the function if the project ID is within the project IDs.
func (*Resource) IfProjectWithinResources ¶
func (r *Resource) IfProjectWithinResources(ctx context.Context, conf *Resources, projectID string, fn func() error) error
IfProjectWithinResources executes the provided function if the project ID is an ancestor of any provided resources.
func (*Resource) Organization ¶
Organization returns the organization name for the given organization resource.
func (*Resource) OrganizationOnlyKeepUsersFromDomains ¶
func (r *Resource) OrganizationOnlyKeepUsersFromDomains(ctx context.Context, orgID string, allowDomains []string) ([]string, error)
OrganizationOnlyKeepUsersFromDomains removes all users from an organization except where the user matches allowed domains.
func (*Resource) PolicyOrganization ¶
PolicyOrganization returns the IAM policy for the given resource name.
func (*Resource) ProjectOnlyKeepUsersFromDomains ¶
func (r *Resource) ProjectOnlyKeepUsersFromDomains(ctx context.Context, projectID string, allowDomains []string) ([]string, error)
ProjectOnlyKeepUsersFromDomains removes users from the policy if they do not match the domain. (Non-users are not affected.)
type Resources ¶
// Resources represents the common resource IDs used for configuration: the
// folders, projects and organization a function is allowed to act on.
type Resources struct {
	FolderIDs      []string `json:"folder_ids"`
	ProjectIDs     []string `json:"project_ids"`
	OrganizationID string   `json:"organization_id"`
}
Resources represents common resource IDs used for configuration.
type StackDriverLog ¶
StackDriverLog models the structure of a StackDriver log entry.
type TurbiniaRequest ¶
// TurbiniaRequest is a request to send to Turbinia. The JSON field names form
// the wire format Turbinia expects, so they must not be changed casually.
type TurbiniaRequest struct {
	// RequestID identifies the request; how it is generated is not visible here.
	RequestID string `json:"request_id"`
	// Type is the Turbinia request type; accepted values are set by Turbinia.
	Type string `json:"type"`
	// Evidence lists the disks to process.
	Evidence []GoogleCloudDisk `json:"evidence"`
}
TurbiniaRequest is a request to send to Turbinia.
type UpdatePassword ¶
UpdatePassword contains configuration required for the update password function.