Forseti Config Validator fail to find violations


Daniel Ledrian

Dec 14, 2020, 12:26:37 PM
to Forseti Security Discussion
Hi Everyone, 

I tried running Forseti 2.23.2 and 2.25.2, and while the Python scanners work like a charm, Config Validator always fails to find violations for me.

My Steps are:

- Create a faulty security rule with everything open to the whole world (I'm an infra sec eng, I'm good at doing it lol)
- Have one policy in /home/ubuntu/policy-library/policy-library/policies/constraints/ named restrict_fw_rules_world_open.yaml
- Make sure Config Validator is running - checked, up and running
- MODEL_ID=$(/bin/date -u +%Y%m%dT%H%M%S)
- forseti inventory create --import_as ${MODEL_ID}
- forseti model use ${MODEL_ID}
- forseti scanner run
At this stage I see that the Config Validator policy is being checked:
{
  "serverMessage": "Running ConfigValidatorScanner..."
}
{
  "serverMessage": "Scan completed!"
}
forseti notifier run --scanner_index_id $MY_INDEX
{
  "serverMessage": "Resource 'config_validator_violations' has no violations"
}

So the CSCC plugin does not contain any violations, while even in the inventory dump I can see my wrong firewall rules.

Could anyone help me with this one please, as I'm planning to use it for my organisation, 7000+ employees.

Thanks a lot for your help

Gregg Kowalski

Dec 14, 2020, 12:39:27 PM
to Daniel Ledrian, Forseti Security Discussion
Can you double check what is the target of the constraint? Forseti v2.25.2 (and earlier versions) do not support the double glob. Ensure that the target is set to "organizations/*". Although, if you were using the double glob it would likely have thrown an error. Can you send me a sample firewall rule's resource data (and remove sensitive info) that should violate this constraint? If you do send it, you can just send it directly to me.

Gregg


Daniel Ledrian

Dec 14, 2020, 2:29:10 PM
to Forseti Security Discussion, gkow...@forsetisecurity.org, Forseti Security Discussion, Daniel Ledrian
Hi Gregg, 
First of all, thanks for your answer :)

Yes, fixing the double glob in the policy was the first thing I had to do, otherwise the Config Validator scanner was crashing with RST_STREAM with error code 2.

So now I put the organisation ID along with the folder ID of the project I am targeting.
But still no joy; I tried lots of different policies found in the /samples/ folder, but no joy :(



Daniel Ledrian

Dec 14, 2020, 2:31:30 PM
to Forseti Security Discussion, Daniel Ledrian, gkow...@forsetisecurity.org, Forseti Security Discussion
Precisely, the YAML looks like this:
- "organizations/XXXXXXXXXX/folders/XXXXXXXXXXXXXXX"
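
A small checker for the spec.match.target field of a constraint file, added here as an example for this thread (it is not Forseti or policy-library code). It encodes Gregg's point that Forseti v2.25.2 and earlier reject the double glob, and it also catches the case where the XXXX placeholders from the sample were never replaced with real numeric ids. It assumes the plural resource-type names ("organizations", "folders", "projects") and numeric ids, "*" or "**" as the only id forms; that grammar, the function names check_target and check_constraint, and the SAMPLE_CONSTRAINT dict (whose kind is a placeholder, not a real template name) are mine, not from the page.

```python
"""Sanity-check spec.match.target in a Config Validator constraint.

Added example for the Forseti discussion thread, not Forseti or
policy-library code. It encodes two points from the discussion: Forseti
v2.25.2 and earlier do not accept the double glob ("organizations/**"),
and the target path is built from plural resource types. Numeric ids,
"*" and "**" as the accepted id forms is an assumption of this checker.
"""
import re
from typing import Dict, List

# Plural resource type names expected in a target path (assumption).
RESOURCE_TYPES = ("organizations", "folders", "projects")
_ID_RE = re.compile(r"^(\d+|\*|\*\*)$")


def check_target(target: str, double_glob_supported: bool = False) -> List[str]:
    """Return the problems found in one target string; empty list means it looks fine."""
    problems: List[str] = []
    segments = target.strip("/").split("/")
    if len(segments) % 2 != 0:
        problems.append(
            f"{target!r}: expected alternating <type>/<id> segments, got {len(segments)} segment(s)"
        )
    for index, (kind, ident) in enumerate(zip(segments[0::2], segments[1::2])):
        if kind not in RESOURCE_TYPES:
            problems.append(
                f"{target!r}: unknown resource type {kind!r}, expected one of {RESOURCE_TYPES}"
                " (singular forms such as 'organization' or 'folder' are not recognised)"
            )
        elif index == 0 and kind != "organizations":
            problems.append(f"{target!r}: target must start with 'organizations/'")
        if not _ID_RE.match(ident):
            problems.append(
                f"{target!r}: id {ident!r} should be numeric, '*' or '**' (placeholder left in?)"
            )
        elif ident == "**" and not double_glob_supported:
            problems.append(
                f"{target!r}: double glob '**' is not supported by Forseti v2.25.2 and earlier,"
                " use a single '*'"
            )
    return problems


def check_constraint(constraint: Dict, double_glob_supported: bool = False) -> List[str]:
    """Validate spec.match.target of a parsed constraint (a dict as yaml.safe_load returns)."""
    spec = constraint.get("spec") or {}
    match = spec.get("match") or {}
    targets = match.get("target")
    if not isinstance(targets, list) or not targets:
        return ["spec.match.target must be a non-empty list of target strings"]
    problems: List[str] = []
    for entry in targets:
        if not isinstance(entry, str):
            problems.append(f"target entry {entry!r} is not a string")
        else:
            problems.extend(check_target(entry, double_glob_supported))
    return problems


# Constructed constraint shaped like a policy-library constraint file after
# yaml.safe_load(); the kind and name are placeholders, not real template names.
SAMPLE_CONSTRAINT = {
    "apiVersion": "constraints.gatekeeper.sh/v1alpha1",
    "kind": "PLACEHOLDER_CONSTRAINT_KIND",
    "metadata": {"name": "restrict-fw-rules-world-open-example"},
    "spec": {
        "severity": "high",
        "match": {"target": ["organizations/**"]},
        "parameters": {},
    },
}

if __name__ == "__main__":
    for candidate in (
        "organizations/**",                                  # double glob, rejected by v2.25.2
        "organizations/*",                                   # the form Gregg suggested
        "organizations/XXXXXXXXXX/folders/XXXXXXXXXXXXXXX",  # placeholders not replaced
        "organization/XXXXXXXXXX/folder/XXXXXXXX",           # singular form from the thread
    ):
        print(candidate, "->", check_target(candidate) or "ok")
    print("sample constraint ->", check_constraint(SAMPLE_CONSTRAINT) or "ok")
```

Run it against the dict you get from yaml.safe_load() on a constraint file before restarting Config Validator; a constraint that passes here can still fail to match for other reasons (wrong template kind, parameters), so this only rules out the target-format mistakes discussed in the thread.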

Vincent van Daal

Dec 14, 2020, 2:39:45 PM
to Forseti Security Discussion, Daniel Ledrian, gkow...@forsetisecurity.org, Forseti Security Discussion
Hi Daniel,

Please check https://github.com/forseti-security/policy-library/issues/385; it seems similar to an issue I had in the past.
Try the non-plural words (organization and folder).

On Monday, 14 December 2020 at 20:31:30 UTC+1, Daniel Ledrian wrote:

Daniel Ledrian

Dec 14, 2020, 3:12:42 PM
to Forseti Security Discussion, v.va...@fullstaq.com, Daniel Ledrian, gkow...@forsetisecurity.org, Forseti Security Discussion
Hello :)

Thanks a lot for your suggestion,

I edited the rule with:
- "organization/XXXXXXXXXX/folder/XXXXXXXX" instead

restarted Config Validator

and retried, but no joy. I had such strong hope after reading your message haha :)

Daniel Ledrian

Dec 14, 2020, 3:16:24 PM
to Forseti Security Discussion, Daniel Ledrian, v.va...@fullstaq.com, gkow...@forsetisecurity.org, Forseti Security Discussion
If that helps, my rule looks like this; it's a very simple copy-paste from the template.

Screenshot 2020-12-14 at 21.15.37.png

Daniel Ledrian

Dec 16, 2020, 11:12:06 AM
to Forseti Security Discussion, Daniel Ledrian, v.va...@fullstaq.com, gkow...@forsetisecurity.org, Forseti Security Discussion
Are any of you using Forseti with Config Validator/Enforcement at production level?
We are a 7000-people IT company and I'm starting to wonder whether Forseti should be considered production ready.

Thanks ;)
