
Summary

  • Forseti violations can now be output for integration with Cloud Security Command Center on GCP. Sign up for the Cloud SCC alpha program here!
  • Added a configurable retention_days option to purge the snapshot database tables.
  • Updated the ke_version_scanner rule file to detect Kubernetes nodes affected by the severe vulnerabilities CVE-2017-1002101 and CVE-2017-1002102, which allow containers to access files outside the container.
  • Supported IAM policy members of domain type in the IAM scanner's required mode.
  • Fixed group_email to use @googlegroups.com in bigquery rule file.
  • Improved regex matching on users.
  • Fixed forsetisecurity.org links in installer script.

Thanks to Our Contributors!

All Changes

Findings Notification (#1251)
8a11b05 fix forsetisecurity.org links in installer script (#1253)
505a0db Update KE critical CVE rule. (#1248)
a28c699 Regex match (#1244)
2c7f17d Update README.md (#1212)
5465c2a Fix group_email to use @googlegroups.com (#1237)
2708cf5 Add configurable cleanup of inventory tables (#438) (#1129)
6a3bc81 Support iam policy member of domain type in iam scanner's required mode, (#1093)

Upgrade Notes

To enable Forseti violations to be output for CSCC integration, add the following to the notifier section in your forseti_conf.yaml file, and specify the correct GCS bucket path where Forseti violations should be saved for CSCC to ingest. This will transform Forseti violations into the CSCC findings format. You will need to sign up for the CSCC alpha program to know which bucket to use.

    violation:
      cscc:
        enabled: true
        # gcs_path should begin with "gs://"
        gcs_path: gs://<path to the CSCC bucket>

To enable the purging of the snapshot database tables, add the following to the inventory section in your forseti_conf.yaml file, and specify the retention_days that you prefer. Then, each time inventory is run, any snapshot database tables older than retention_days will be deleted.

    # Number of days to retain inventory data:
    #  -1 : (default) keep all previous data forever
    #   0 : delete all previous inventory data before running
    retention_days: -1
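A small check for the two new settings above (an added example, not Forseti's own code): it validates the cscc and retention_days values once the YAML has been loaded into a dict (for instance with yaml.safe_load) and previews which snapshot dates a given retention_days would purge on the next inventory run. The sample config, the snapshot date format and the dates themselves are constructed assumptions.

```python
"""Checks for the two v1.1.11 forseti_conf.yaml additions. Added example, not
Forseti's own code; assumes the YAML is already loaded into a dict (e.g. with
yaml.safe_load). Sample config and snapshot dates are constructed."""
from datetime import datetime, timedelta


def validate_cscc(notifier_cfg):
    """Problems with notifier.violation.cscc; an empty list means it is usable."""
    problems = []
    cscc = notifier_cfg.get("violation", {}).get("cscc")
    if cscc is None:
        return ["notifier.violation.cscc section is missing"]
    if not isinstance(cscc.get("enabled"), bool):
        problems.append("cscc.enabled must be true or false")
    path = cscc.get("gcs_path", "")
    if not (isinstance(path, str) and path.startswith("gs://") and len(path) > 5):
        problems.append("cscc.gcs_path must begin with gs:// and name a bucket")
    elif "<" in path or ">" in path:
        problems.append("cscc.gcs_path still contains the <placeholder> text")
    return problems


def validate_retention(inventory_cfg):
    """retention_days must be an integer >= -1 (bool is an int subclass, so exclude it)."""
    days = inventory_cfg.get("retention_days", -1)  # -1 is the documented default
    if isinstance(days, bool) or not isinstance(days, int) or days < -1:
        return ["inventory.retention_days must be an integer >= -1"]
    return []


def snapshots_to_purge(snapshot_dates, retention_days, today):
    """Snapshot dates (assumed YYYY-MM-DD strings) the next inventory run would
    delete: -1 keeps everything, 0 drops every previous snapshot, N > 0 drops
    snapshots older than N days."""
    if retention_days == -1:
        return []
    if retention_days == 0:
        return list(snapshot_dates)
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=retention_days)
    return [d for d in snapshot_dates if datetime.strptime(d, "%Y-%m-%d") < cutoff]


if __name__ == "__main__":
    # Constructed config mirroring the two snippets in the upgrade notes.
    conf = {"notifier": {"violation": {"cscc": {"enabled": True,
                                                "gcs_path": "gs://<path to the CSCC bucket>"}}},
            "inventory": {"retention_days": 30}}
    print(validate_cscc(conf["notifier"]) + validate_retention(conf["inventory"]))
    print(snapshots_to_purge(["2018-01-01", "2018-03-01", "2018-03-19"], 30, "2018-03-20"))
```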

To enable the updated ke_version_scanner rule file, copy the new ke_rules.yaml file to your Forseti GCS rules bucket, replacing the old ke_rules.yaml file.

To update your Forseti deployment to the new version:

  • Update deploy-forseti.yaml and change the property "branch-name" to v1.1.11, or "release-version" to "1.1.11"
  • Update your deployment:
    gcloud deployment-manager deployments update <YOUR DEPLOYMENT NAME> --config deploy-forseti.yaml
  • Restart the Forseti GCE instance.