Question about config validator and Security Center Notifications


John Godehn

Jul 1, 2020, 9:55:36 PM
to Forseti Security Discussion

Hello all, hope everyone is doing well.

I've just recently started playing around with Forseti and the Config Validator Scanner. I wanted to test it with monitoring compliance of GKE resources, so I enabled all of the GKE related constraints in the policy library. Then I created a cluster such that it would violate many if not all of the constraints.

I see from the config validator violations CSV file that forseti found all the violations that I would expect it to, but I noticed that only one of those violations showed up in the Security Command Center findings (I have the notifier integration set up).

Debugging a bit, I saw that the notifier's CSCC module was attempting to create the missing findings, but was getting a 409 response code back - it was attempting to create with a finding id that was already present.

From my reading through the code, seems like the finding id that the notifier attempts to use is based on the violation_hash value of the violation and that the violation_hash value is based on the resource's full_name, violation_data (that comes from config validator) and the resource data. The violation_data seems to come from the metadata that is present in the violation, which for the GKE-related policy templates seems to just contain the resource path. Seems like all of this data is the same across violations against the same cluster resource even though those violations are caused by different policy constraints - leading to different violations having the same violation hash and therefore duplicate CSCC finding ids.

I feel like there must be something I am missing or misunderstanding.

Can anyone shed some light on what I may be doing wrong?

Thanks,

John
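A constructed illustration of the collision described above (added here; this is not Forseti's own code, and the hashing scheme, constraint names and resource values are assumptions): several GKE constraints fire against one cluster whose violation metadata carries only the resource path, so every violation hashes to the same finding id and every create after the first is rejected as a duplicate.

```python
import hashlib
import json


def violation_hash(full_name: str, violation_data: dict, resource_data: dict) -> str:
    """Reconstruction of the finding-id derivation (assumption, not Forseti's code):
    a digest over the resource full_name, the violation_data and the resource data."""
    parts = [full_name,
             json.dumps(violation_data, sort_keys=True),
             json.dumps(resource_data, sort_keys=True)]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def finding_ids(violations, include_constraint: bool) -> dict:
    """Map constraint name -> finding id. With include_constraint=True the constraint
    name is folded into violation_data, which is the fix proposed in the thread."""
    ids = {}
    for v in violations:
        data = dict(v["violation_data"])
        if include_constraint:
            data["constraint"] = v["constraint"]
        ids[v["constraint"]] = violation_hash(v["full_name"], data, v["resource_data"])
    return ids


def simulate_cscc_create(ids) -> list:
    """Status each create call would get if the API rejects an existing finding id with 409."""
    seen, codes = set(), []
    for fid in ids:
        codes.append(409 if fid in seen else 200)
        seen.add(fid)
    return codes


# Constructed sample: three constraints (hypothetical names) against one cluster whose
# metadata, like the GKE templates in the thread, only contains the resource path.
CLUSTER = "organization/123/project/demo/cluster/demo-gke/"
VIOLATIONS = [
    {"constraint": c, "full_name": CLUSTER, "violation_data": {"resource": CLUSTER},
     "resource_data": {"name": "demo-gke", "location": "us-central1"}}
    for c in ("gke-dashboard-disable", "gke-legacy-abac", "gke-master-authorized-networks")
]


def count_distinct_ids(include_constraint: bool) -> int:
    return len(set(finding_ids(VIOLATIONS, include_constraint).values()))


if __name__ == "__main__":
    print("distinct ids, path-only metadata:", count_distinct_ids(False))   # 1
    print("create responses:", simulate_cscc_create(finding_ids(VIOLATIONS, False).values()))
    print("distinct ids, constraint included:", count_distinct_ids(True))   # 3
```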

Gregg Kowalski

Jul 2, 2020, 2:10:16 PM
to John Godehn, Forseti Security Discussion
Hi John,

Thanks for contacting us and providing helpful information! I'm assuming you are using the latest version of Forseti, but can you confirm? I skimmed through the code and it appears you are correct about this issue. I checked the metadata returned by some of the Policy Library templates, and for the most part the templates are just returning the resource name. Most Forseti users are not using Config Validator, but it is something that we would like more users to switch over to. I think we can make a change to the violation data to include the constraint name, which should take care of ensuring the violations are unique to CSCC. I will do some more looking into it next week and get back to you.


Let me know if you have any other questions or issues.

Gregg


John Godehn

Jul 2, 2020, 2:49:27 PM
to Forseti Security Discussion, gkow...@google.com, Forseti Security Discussion, John Godehn
Hi Gregg,

To confirm, I am using forseti-security version 2.25.1, installed via terraform-google-forseti-5.2.1

Thanks so much for looking into this issue, I really appreciate it.

John
