
IAM Audit log policy validation seems producing false positives #367

Open
xingao267 opened this issue Jun 16, 2020 · 6 comments

Comments

@xingao267 (Member)

I have the following constraints and CAI data

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAuditLogConstraintV1
metadata:
  name: iam_enable_audit_logs
spec:
  severity: high
  match:
    target:
    - "organization/12345678/*"
    - "folder/4567/*"
  parameters:
    log_types:
    - DATA_READ
    - DATA_WRITE
    - ADMIN_READ
    services:
    - allServices
{"ancestors":["folders/88888888","organizations/12345678"],"name":"//cloudresourcemanager.googleapis.com/projects/good","asset_type":"cloudresourcemanager.googleapis.com/Project","iam_policy":{"version":1,"etag":"BwWKImhngxs=","audit_configs":[{"service":"allServices","audit_log_configs":[{"log_type":1},{"log_type":2},{"log_type":3}]}]}}

It seems this should be fine and not report violations. But when I run the CFT scorecard on those, it gives the following violation

Other,iam_enable_audit_logs,//cloudresourcemanager.googleapis.com/projects/good,"IAM policy for //cloudresourcemanager.googleapis.com/projects/good does not have correct audit logs enabled in service(s) [""allServices""]"
@morgante (Contributor)

For your case, I suspect it's because there are additional audit logs enabled besides allServices. A fix will need to be made on the policy template (happy to accept a PR).

@morgante morgante removed their assignment Jun 16, 2020
@xingao267 (Member, Author)

xingao267 commented Jun 16, 2020

My testing CAI dataset only has that one entry. I suspect there is another bug in the rego rule. I tried to understand https://github.com/forseti-security/policy-library/blob/master/validator/iam_audit_log.rego and follow the logic there, but it was quite involved. Might need some help or guidance from the original author @t12g

@xingao267 (Member, Author)

I did a bit more investigation. It looks like input.asset.audit_configs is empty after CAI data is read into CFT Scorecard or CV. input.asset.bindings is there though.

@morgante (Contributor)

This might be a problem with the asset protos not including audit configs.

@briantkennedy (Member)

What's the setup you have for forseti / config validator?

@xingao267 (Member, Author)

I'm testing with CFT Scorecard using cft 0.3.4.

I guess the proto might be here https://github.com/googleapis/googleapis/blob/master/google/iam/v1/policy.proto where audit_config is not there.
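An added Python example (not the policy library's Rego and not any participant's code) that applies the constraint above to the CAI line from the issue, and tells a policy whose audit_configs key never reached the evaluator, as this thread reports, apart from one whose enabled log types genuinely fall short. It assumes the google.iam.v1 AuditLogConfig.LogType codes (1 = ADMIN_READ, 2 = DATA_WRITE, 3 = DATA_READ), which is how the sample line encodes them.

```python
import json

# google.iam.v1 AuditLogConfig.LogType codes as they appear in CAI exports
# (the issue's sample line has {"log_type":1} etc.); names are accepted too.
CODE_TO_NAME = {1: "ADMIN_READ", 2: "DATA_WRITE", 3: "DATA_READ"}

# The CAI line quoted in the issue, used here as the sample input.
CAI_LINE = ('{"ancestors":["folders/88888888","organizations/12345678"],"name":"//cloudresourcemanager.googleapis.com/projects/good",'
            '"asset_type":"cloudresourcemanager.googleapis.com/Project","iam_policy":{"version":1,"etag":"BwWKImhngxs=",'
            '"audit_configs":[{"service":"allServices","audit_log_configs":[{"log_type":1},{"log_type":2},{"log_type":3}]}]}}')

def sample_asset():
    """Parse the sample line into the dict shape the check expects."""
    return json.loads(CAI_LINE)

def log_type_name(value):
    """Return the enum name for a code or a name; None for anything unknown."""
    if value in CODE_TO_NAME:
        return CODE_TO_NAME[value]
    return value if value in CODE_TO_NAME.values() else None

def enabled_log_types(iam_policy):
    """Map service -> set of enabled log type names.
    Returns None when audit_configs is missing altogether, which is what the
    thread reports seeing in the evaluation input."""
    configs = iam_policy.get("audit_configs")
    if configs is None:
        return None
    enabled = {}
    for cfg in configs:
        names = {log_type_name(c.get("log_type")) for c in cfg.get("audit_log_configs", [])}
        enabled[cfg["service"]] = names - {None}
    return enabled

def audit_log_violations(asset, required_log_types, services):
    """service -> missing log types; {} means the constraint is satisfied.
    A missing audit_configs key is reported under the sentinel key 'absent'."""
    enabled = enabled_log_types(asset.get("iam_policy", {}))
    if enabled is None:
        return {"absent": set(required_log_types)}
    violations = {}
    for service in services:
        # an allServices entry applies to every service, so it counts for any
        have = enabled.get(service, set()) | enabled.get("allServices", set())
        missing = set(required_log_types) - have
        if missing:
            violations[service] = missing
    return violations
```

Running the sample through the check yields no violation; deleting iam_policy.audit_configs before the call, as the reporter observed in the evaluator input, returns the 'absent' sentinel rather than a per-service shortfall.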
