Permalink
Fetching contributors…
Cannot retrieve contributors at this time
182 lines (161 sloc) 5.62 KB
# Copyright 2017 The Forseti Security Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
global:
# database
db_host: DB_HOST
db_user: DB_USER
db_name: DB_NAME
# gsuite
groups_service_account_key_file: GROUPS_SERVICE_ACCOUNT_KEY_FILE
domain_super_admin_email: DOMAIN_SUPER_ADMIN_EMAIL
# notification
# Remove or comment out the email properties if you do not want Forseti to
# send email notifications.
email_recipient: EMAIL_RECIPIENT1,EMAIL_RECIPIENT2
email_sender: EMAIL_SENDER
sendgrid_api_key: SENDGRID_API_KEY
# quota
# The pre-populated values are the defaults from GCP.
max_admin_api_calls_per_100_seconds: 1500
max_appengine_api_calls_per_second: 20
max_bigquery_api_calls_per_100_seconds: 17000
max_cloudbilling_api_calls_per_60_seconds: 300
max_compute_api_calls_per_second: 20
max_container_api_calls_per_100_seconds: 1000
max_crm_api_calls_per_100_seconds: 400
max_iam_api_calls_per_second: 20
max_results_admin_api: 500
max_sqladmin_api_calls_per_100_seconds: 100
##############################################################################
inventory:
# Valid values are: debug, info, warning, error
loglevel: info
# Number of days to retain inventory data:
# -1 : (default) keep all previous data forever
# 0 : delete all previous inventory data before running
retention_days: -1
pipelines:
- resource: appengine
enabled: true
- resource: backend_services
enabled: true
- resource: bigquery_datasets
enabled: true
- resource: buckets
enabled: true
- resource: buckets_acls
enabled: true
- resource: cloudsql
enabled: true
- resource: firewall_rules
enabled: true
- resource: folder_iam_policies
enabled: true
- resource: folders
enabled: true
- resource: forwarding_rules
enabled: true
- resource: ke
enabled: true
- resource: group_members
enabled: true
- resource: groups
enabled: true
- resource: instance_group_managers
enabled: true
- resource: instance_groups
enabled: true
- resource: instance_templates
enabled: true
- resource: instances
enabled: true
- resource: org_iam_policies
enabled: true
- resource: organizations
enabled: true
- resource: projects
enabled: true
- resource: projects_iam_policies
enabled: true
- resource: service_accounts
enabled: true
##############################################################################
scanner:
# Valid values are: debug, info, warning, error
loglevel: info
# Output path (do not include filename).
# If GCS location, the format of the path should be:
# gs://bucket-name/path/for/output
output_path: OUTPUT_PATH
# Rules path (do not include filename).
# If GCS location, the format of the path should be:
# gs://bucket-name/path/for/rules_path
# if no rules_path is specified, rules are
# searched in /path/to/forseti_security/rules/
# rules_path: RULES_PATH
scanners:
- name: bigquery
enabled: true
- name: blacklist
enabled: true
- name: bucket_acl
enabled: true
- name: cloudsql_acl
enabled: true
- name: firewall_rule
enabled: true
- name: forwarding_rule
enabled: true
- name: ke_version_scanner
enabled: true
- name: group
enabled: true
- name: iam_policy
enabled: true
- name: iap
enabled: true
- name: instance_network_interface
enabled: true
##############################################################################
notifier:
# For every resource type you can set up a notification pipeline
# to send alerts for every violation found
resources:
- resource: policy_violations
should_notify: false
pipelines:
# Email violations
- name: email_violations_pipeline
configuration:
sendgrid_api_key: ''
sender: ''
# Multiple recipients can be specified as comma-separated text.
recipient: ''
# Upload violations to GCS.
- name: gcs_violations_pipeline
configuration:
# gcs_path should begin with "gs://"
gcs_path: ''
# Slack webhook pipeline
# Create an incoming webhook in your organization's Slack setting, located at:
# https://[your_org].slack.com/apps/manage/custom-integrations
# Add the provided URL in the configuration below in `webhook_url`.
- name: slack_webhook_pipeline
configuration:
webhook_url: ''
violation:
cscc:
enabled: true
# gcs_path should begin with "gs://"
gcs_path: gs://CSCC_BUCKET