-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add GCPIAMCorpRuleEvent plugin. #181
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
"""IAM-Policy rule event. | ||
|
||
This module defines the :class:`GCPIAMCorpRuleEvent` class that identifies | ||
weak IAM-Policy related rules. This plugin works on the GCP IAM properties | ||
found in the ``com`` bucket of IAM-Policy rule records. | ||
""" | ||
|
||
|
||
import logging | ||
|
||
from cloudmarker import util | ||
|
||
_log = logging.getLogger(__name__) | ||
|
||
|
||
class GCPIAMCorpRuleEvent: | ||
"""IAM-Policy rule event plugin.""" | ||
|
||
def __init__(self): | ||
"""Create an instance of :class:`GCPIAMCorpRuleEvent` plugin.""" | ||
|
||
def eval(self, record): | ||
"""Evaluate IAM rules to check corporate login credentials. | ||
|
||
Arguments: | ||
record (dict): A IAM-Corp-Login-Policy rule record. | ||
|
||
Yields: | ||
dict: An event record representing a personal Gmail accounts. | ||
|
||
""" | ||
# If 'com' bucket is missing, we have a malformed record. Log a | ||
# warning and ignore it. | ||
com = record.get('com') | ||
if com is None: | ||
_log.warning('IAM-Policy rule record is missing com key: %r', | ||
record) | ||
return | ||
|
||
# This plugin understands IAM-Policy rule records only, so ignore | ||
# any other record types. | ||
common_record_type = com.get('record_type') | ||
if common_record_type != 'iam_corp_login_policy_rule': | ||
return | ||
|
||
members = record['raw']['members'] | ||
personal_account = None | ||
for member in members: | ||
if 'user' in member: | ||
user = member.split('user:') | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you also share how a |
||
if user[1].endswith('gmail.com'): | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The user could be using any other mailing account as well, apart from |
||
personal_account = user[1] | ||
reference = com.get('reference') | ||
description = ( | ||
'Personal gmail account {} has been used.' | ||
.format(personal_account) | ||
) | ||
recommendation = ( | ||
'Ensure that corporate login credentials are used instead of Gmail accounts.' | ||
) | ||
|
||
event_record = { | ||
'ext': util.merge_dicts(record.get('ext', {}), { | ||
'record_type': 'iam-policy-corp-login-rule-event' | ||
}), | ||
|
||
'com': { | ||
'cloud_type': com.get('cloud_type'), | ||
'record_type': 'iam-policy-corp-login-rule-event', | ||
'reference': reference, | ||
'description': description, | ||
'recommendation': recommendation, | ||
} | ||
} | ||
_log.info('Generating iam_policy_rule; %r', event_record) | ||
yield event_record | ||
|
||
def done(self): | ||
"""Perform cleanup work. | ||
|
||
Currently, this method does nothing. This may change in future. | ||
""" |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -37,3 +37,4 @@ slackclient==1.3.1 | |
uritemplate==3.0.0 | ||
urllib3==1.24.3 | ||
websocket-client==0.54.0 | ||
oauth2client==4.1.3 |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,3 +14,4 @@ pymongo | |
PyYAML | ||
schedule | ||
slackclient==1.3.1 | ||
oauth2client |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there is no need to log the whole
raw_record
. Justraw_record.get('name')
should be enough, as it was before.