
Add GCPIAMCorpRuleEvent plugin. #181

Open

wants to merge 1 commit into base: master

Conversation

sunnysharmagts (Collaborator)

Added GCPIAMCorpRuleEvent event plugin. This plugin evaluates an IAM
corporate policy and checks whether any personal Gmail account is present.
Gmail accounts are personally created and controllable accounts. Organizations
seldom have any control over them. Hence for each Google Cloud Platform
project, an account configured in a project shouldn't be a Gmail account.

@sunnysharmagts (Collaborator, Author)

Hi @jaibhageria, here is the output of the GCP IAM_policy plugin.

```json
{
  "ext": {
    "cloud_type": "gcp",
    "record_type": "iam-policy-corp-login-rule-event",
    "project_id": "cloudmarker",
    "project_name": "cloudmarker",
    "zone": null,
    "key_file_path": "cloudmarker.json",
    "client_email": "cl********@cloudmarker.iam.g***************.com"
  },
  "com": {
    "cloud_type": "gcp",
    "record_type": "iam-policy-corp-login-rule-event",
    "reference": null,
    "description": "Personal gmail account m******.devel@gmail.com has been used.",
    "recommendation": "Ensure that corporate login credentials are used instead of Gmail accounts.",
    "audit_key": "gcpaudit",
    "audit_version": "2*******_0********",
    "origin_key": "gcpiamcorpruleevent",
    "origin_class": "GCPIAMCorpRuleEvent",
    "origin_worker": "gcpaudit_gcpiamcorpruleevent",
    "origin_type": "event",
    "target_key": "filestore",
    "target_class": "FileStore",
    "target_worker": "gcpaudit_filestore",
    "target_type": "alert"
  }
}
```

For safety I have masked some values.

jaibhageria (Collaborator) left a comment

Hi @sunnysharmagts
Thanks for opening this PR.
I have gone through the code and shared a few comments. I was not able to emulate this locally because I don't currently have a GCP account, hence I had asked for a sample out of IAM_policy plugin.
I would like to see the demo for this when you have time.

```python
self._key_file_path))
yield record
_log.info('Found %s #%d: %s; %s', gcp_record_type, i,
raw_record,
```
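Review bot: passing the whole `raw_record` to `_log.info('Found %s #%d: %s; %s', ...)` writes the complete IAM policy, including every bound member's e-mail address, into the info-level log stream, so principal identities end up wherever logs are shipped and retained; the earlier `raw_record.get('name')` kept the log line to the resource name, and restoring it limits that exposure as well as the log volume.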
jaibhageria (Collaborator)

I think there is no need to log the whole raw_record. Just raw_record.get('name') should be enough, as it was before.

Suggested change:

```diff
-raw_record,
+raw_record.get('name'),
```

```python
personal_account = None
for member in members:
if 'user' in member:
user = member.split('user:')
```
jaibhageria (Collaborator)

Can you also share what a member record looks like in the raw bucket?

```python
for member in members:
if 'user' in member:
user = member.split('user:')
if user[1].endswith('gmail.com'):
```
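Review bot: `if 'user' in member:` is a substring test rather than a prefix test on the `<type>:<id>` member string, so a `serviceAccount:` or `group:` member whose id happens to contain `user` passes it; `member.split('user:')` then returns a one-element list when `user:` is absent, and `user[1]` raises IndexError, which aborts the scan of the remaining bindings instead of skipping that member. `user[1].endswith('gmail.com')` also matches any domain that merely ends in those characters and misses upper-case variants. Suggest `if member.startswith('user:'):`, taking the part after `@` of the remainder, lower-casing it, and comparing it against an exact set of domains.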
jaibhageria (Collaborator)

The user could be using any other mailing account as well, apart from Gmail. Should we add checks for that too and make this generalised? I may be wrong here, so please correct me.
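As an added example (not cloudmarker's code nor this PR's), the check that the PR description and the comment above discuss, written to handle the GCP `<type>:<id>` member format exactly and to take an optional corporate-domain allow-list for the generalised form; the policy, names and domains below are constructed:

```python
# Added example (not cloudmarker's own code): flag GCP IAM policy members that
# are personal Gmail accounts, with an optional corporate-domain allow-list.

# Constructed sample in the shape returned by projects.getIamPolicy:
# bindings, each a role plus "<type>:<id>" member strings.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:mallory.devel@gmail.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci-user@example.iam.gserviceaccount.com",
                     "group:devs@example.com",
                     "user:Bob@GMAIL.COM",
                     "user:carol@notgmail.com"]},
    ]
}

PERSONAL_DOMAINS = {"gmail.com", "googlemail.com"}


def user_domain(member):
    """Return the lower-cased mail domain of a 'user:' member, else None.
    Only 'user:' members are human accounts; serviceAccount:, group: and
    domain: members are skipped. startswith() plus slicing avoids matching
    a service account whose name merely contains the substring 'user'.
    """
    if not member.startswith("user:"):
        return None
    email = member[len("user:"):]
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def find_personal_accounts(policy, allowed_domains=None):
    """Return [(member, role)] pairs that violate the corporate-login rule.
    allowed_domains=None gives the Gmail-only check of this PR; an allow-list
    of corporate domains generalises it so any non-corporate mailbox is
    flagged. Exact domain comparison means 'notgmail.com' is not Gmail.
    """
    allowed = None if allowed_domains is None else {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            domain = user_domain(member)
            if domain is None:
                continue
            bad = domain in PERSONAL_DOMAINS if allowed is None else domain not in allowed
            if bad:
                findings.append((member, binding.get("role")))
    return findings
```

Run against the sample, the Gmail-only mode flags the two Gmail users but not `carol@notgmail.com`, while `allowed_domains=["example.com"]` flags her as well, which is the generalisation the comment asks about.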
