
Building website for v2.12.0 (#2607)

* bundle update and --verbose

* travis_wait 30 in front

* Take out travis_wait 30

* Add Terraform in install

Add Terraform in install

* Update install.md

* added blog post content (#2586)

* added blog post content

* added hyperlinks

* removed line

* added bullet points

* minor changes

* News for 1.0 deprecation announcement (#2580)

* News for 1.0 deprecation announcement

* Update 2019-02-18-deprecate-1.0.md

* Update inventory.md (#2583)

* Update inventory.md

Addresses a typo in preamble for Inventory CLI documentation.

* Update all versions of cli documentation to strip typo

* Updated KMS Scanner documentation with new rules (#2589)

* Updated KMS rules documentation

* added description

* Update descriptions.md

* updated document based on the updated rule for purpose

* updated doc to match with the rules

* Update inventory documentation to include details for composite root.

* Update existing documentation with additional configuration options
added since the last doc refresh.

* Added steps to upgrade from v2.11.0 to v2.12.0 (#2603)

* added upgrade steps

* updated doc with more details

* updated link

* nits

* v2.12.0 doc update (#2605)

* doc updated

* corrected formatting

* updated tag to point to v2.12.0 (#2606)

* generated 2.12 website
red2k18 committed Feb 28, 2019
1 parent 942d78e commit a640c1b99cefd870edec7eb67eac5953fb3c26c0
Showing 652 changed files with 136,355 additions and 506 deletions.
@@ -501,3 +501,33 @@ defaults:
path: _docs/v2.11/faq
values:
category: FAQ (v2.11)
- scope:
path: _docs/v2.12
values:
category: Overview (v2.12)
layout: docs
- scope:
path: _docs/v2.12/concepts
values:
category: Concepts (v2.12)
- scope:
path: _docs/v2.12/setup
values:
category: Setup (v2.12)
- scope:
path: _docs/v2.12/use
values:
category: Use (v2.12)
- scope:
path: _docs/v2.12/configure
values:
category: Configure (v2.12)
- scope:
path: _docs/v2.12/develop
values:
category: Develop (v2.12)
- scope:
path: _docs/v2.12/faq
values:
category: FAQ (v2.12)

@@ -176,3 +176,17 @@ v2.11:
href: docs/$$VERSION$$/develop/
- title: FAQ
href: docs/$$VERSION$$/faq/
v2.12:
- title: Concepts
href: docs/$$VERSION$$/concepts/
- title: Setup
href: docs/$$VERSION$$/setup/
- title: Configure
href: docs/$$VERSION$$/configure/
- title: Use
href: docs/$$VERSION$$/use/
- title: Develop
href: docs/$$VERSION$$/develop/
- title: FAQ
href: docs/$$VERSION$$/faq/

@@ -13,7 +13,7 @@ But, you also have the option to run Forseti on a subset of resources:
1. if you are Org Admin, and you want to run Forseti on a specific folder
1. if you are Folder Admin, and you want to run Forseti on a specific folder
1. if you are Project Admin, and you want to run Forseti on projects
that are only owned by you
that are only owned by you.

Inventory, Data Model, and Scanner will be supported for use on these subset
of resources, but Explain will not be supported.
@@ -32,13 +32,18 @@ manually assign the correct roles later.
to the target folder:
`folders/<foo_folder_id>`.

1. **NEW for version 2.12.0+**: You can use the `composite_root_resources`
configuration to include multiple resources in a single Forseti installation.
See [Configure Inventory]({% link _docs/latest/configure/inventory/index.md %})
for more details.

1. If Forseti was installed with Org Admin credentials, then the org-level
roles will be inherited on the folder-level.
roles will be inherited on the folder-level.

1. If Foresti was not installed with Org Admin credentails, then you need
to grant the Forseti server service account to have the same roles on the
target folder, as was [originally granted on the
organization]({% link _docs/latest/concepts/service-accounts.md %}#the-server-service-account).
to grant the Forseti server service account to have the same roles on the
target resources, as was [originally granted on the
organization]({% link _docs/latest/concepts/service-accounts.md %}#the-server-service-account).
1. Saving changes.
1. Save the changes to `forseti_conf_server.yaml` file.
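Review bot: The step starting `1. If Foresti was not installed with Org Admin credentails` still has two typos ("Foresti", "credentails") on the line directly above the text this hunk rewrites; correct them to "Forseti" and "credentials" in the same change. The rewritten step now says "target resources" while the step before it still says roles "will be inherited on the folder-level", so the two steps no longer talk about the same scope. Since `composite_root_resources` can list several resources, state that the server service account needs the organization-equivalent roles on each listed resource.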
@@ -52,12 +57,20 @@ organization]({% link _docs/latest/concepts/service-accounts.md %}#the-server-se
## Configure Forseti to Run on Projects
**NEW for version 2.12.0+**: As an alternative, you can use the
`composite_root_resources` configuration to include multiple resources in a
single Forseti installation.
See [Configure Inventory]({% link _docs/latest/configure/inventory/index.md %})
for more details.
1. This assumes that Forseti is not installed with Org Admin credential, and
you want Forseti to run on projects that you own. If Forseti is installed
with Org Admin credential, then all the resources in the organization
will be returned.
1. Leave the `root_resource_id` pointed to the organization that the Installer
inferred from the environment.
1. Grant project viewer role to the Forseti server service account,
on the projects that you own.
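Review bot: The added "As an alternative" paragraph sits directly above the numbered steps without saying that those steps (leave `root_resource_id` pointed to the organization, grant project viewer on owned projects) describe the other approach and not the `composite_root_resources` one. Add a sentence that separates the two paths, and say which roles the server service account needs on resources listed in `composite_root_resources`, because the steps that follow only cover project viewer on projects you own.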
@@ -21,17 +21,13 @@ resources.
* The IP address of any GCP instances should not be listed on
the [emergingthreats](https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt) website.

## Cloud Storage (legacy ACL policies)
* Buckets ACLs should not be publicly accessible (`AllUsers`).
* Buckets ACLs should not be accessible by any authenticated user (`AllAuthenticatedUsers`).

## Cloud SQL
* Cloud SQL instances should not allow access from anywhere (authorized networks).
* Cloud SQL instances should not allow access over SSL from anywhere (authorized networks).

## G Suite
* Your company users (@domain.tld) and all gmail users are allowed to be members of your G Suite
groups.
## Cloud Storage (legacy ACL policies)
* Buckets ACLs should not be publicly accessible (`AllUsers`).
* Buckets ACLs should not be accessible by any authenticated user (`AllAuthenticatedUsers`).

## Cloud Identity and Access Management (Cloud IAM) policies
* Only Cloud IAM users and group members in my domain may be granted the role `Organization Admin`.
@@ -46,6 +42,17 @@ resources.
## Firewall
* Prevent allow all ingress (used to detect allow ingress to all policies)

## G Suite
* Your company users (@domain.tld) and all gmail users are allowed to be members of your G Suite
groups.

## KMS
* Crypto keys with the following config should be rotated in 100 days.
algorithm: GOOGLE_SYMMETRIC_ENCRYPTION
protection_level: SOFTWARE
purpose: ENCRYPT_DECRYPT
state: ENABLED

## Kubernetes Engine Version
* Only allow the following supported versions:
* For major version 1.8, the minor version must be at least 12-gke.1
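Review bot: In the new KMS entry, "should be rotated in 100 days" is ambiguous about whether 100 days is a deadline or an interval; "should be rotated at least every 100 days" would remove the doubt. The four attributes listed under the bullet (`algorithm`, `protection_level`, `purpose`, `state`) read as a filter, so say explicitly that keys with other values, for example a different `protection_level`, are not covered by this default rule, otherwise a reader may assume every crypto key is checked.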
@@ -100,17 +100,6 @@ For examples of how to define scanner rules for your firewall rules scanner, see
[`firewall_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/stable/rules/firewall_rules.yaml)
rule file.

## Load balancer forwarding rules scanner

You can configure load balancer forwarding rules to direct unauthorized external
traffic to your target instances. The forwarding rule scanner supports a
whitelist mode, to ensure each forwarding rule only directs to the intended
target instances.

For examples of how to define scanner rules for your forwarding rules, see the
[`forwarding_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/stable/rules/forwarding_rules.yaml)
rule file.

## Groups scanner

Because groups can be added to Cloud Identity and Access Management (Cloud IAM)
@@ -159,6 +148,16 @@ For examples of how to define scanner rules for network interfaces, see the
[`instance_network_interface_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/stable/rules/instance_network_interface_rules.yaml)
rule file.

## KMS scanner

Alert or notify if the crypto keys in the organization are not rotated within the
time specified. This scanner can ensure that all the cryptographic keys are
properly configured.

For examples of how to define scanner rules for your crypto keys, see the
[`kms_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/dev/rules/kms_rules.yaml)
rule file.

## Kubernetes Engine scanner

Kubernetes Engine clusters have a wide-variety of options. You might
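Review bot: The `kms_rules.yaml` link in the added KMS scanner section points at `blob/dev/`, while the firewall and network interface links in the neighbouring sections use `blob/stable/`; for versioned v2.12 documentation a `dev` link can drift from the released rule syntax, so point it at `stable` or the release tag. The sentence "This scanner can ensure that all the cryptographic keys are properly configured" also claims more than the rotation check described in the sentence before it; the wording removed further down ("checks if the crypto keys in the organization are rotated within the time specified, and notifies if they are not") was more accurate and could be kept.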
@@ -200,6 +199,17 @@ For examples of how to define scanner rules for lien, see the
[`lien_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/dev/rules/lien_rules.yaml)
rule file.

## Load balancer forwarding rules scanner

You can configure load balancer forwarding rules to direct unauthorized external
traffic to your target instances. The forwarding rule scanner supports a
whitelist mode, to ensure each forwarding rule only directs to the intended
target instances.

For examples of how to define scanner rules for your forwarding rules, see the
[`forwarding_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/stable/rules/forwarding_rules.yaml)
rule file.

## Location scanner
Allow customers to ensure their resources are located only in the intended
locations. Set guards around locations as part of automated project deployment.
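Review bot: Since the load balancer section is being moved anyway, reword its first sentence: "You can configure load balancer forwarding rules to direct unauthorized external traffic to your target instances" reads as an instruction rather than the risk the scanner is meant to catch. Something like "Load balancer forwarding rules can be misconfigured so that unauthorized external traffic reaches your target instances" states the problem, and the whitelist-mode sentence then follows naturally.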
@@ -216,6 +226,12 @@ For examples of how to define scanner rules for log sink, see the
[`log_sink_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/dev/rules/log_sink_rules.yaml)
rule file.

## Retention scanner

Allow customers to ensure the retention policies on their resources are set as intended.

For examples of how to define scanner rules for retention, see the ['retention_rules.yaml'](https://github.com/GoogleCloudPlatform/forseti-security/blob/dev/rules/retention_rules.yaml) rule file.

## Service Account Key scanner

It's best to periodically rotate your user-managed service account
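Review bot: The retention link text is written as `['retention_rules.yaml']` with single quotes, where every other scanner section uses backticks around the file name, so it will not render as code; change it to backticks for consistency. The link also targets `blob/dev/` rather than `blob/stable/`, which has the same drift problem for a versioned doc as the KMS link.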
@@ -228,17 +244,3 @@ For examples of how to define scanner rules for your service account keys, see t
[`service_account_key_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/stable/rules/service_account_key_rules.yaml)
file.

## Retention scanner

Allow customers to ensure the retention policies on their resources are set as intended.

For examples of how to define scanner rules for retention, see the ['retention_rules.yaml'](https://github.com/GoogleCloudPlatform/forseti-security/blob/dev/rules/retention_rules.yaml) rule file.

## KMS scanner

This scanner checks if the crypto keys in the organization are rotated within
the time specified, and notifies if they are not.

For examples of how to define scanner rules for your crypto keys, see the
[`kms_rules.yaml`](https://github.com/GoogleCloudPlatform/forseti-security/blob/dev/rules/kms_rules.yaml)
rule file.