
@red2k18 released this Sep 6, 2018 · 9 commits to release-2-3-0 since this release

Summary

Installer

  • More robust installation process by handling ssh failure gracefully, and by enabling additional Google APIs in case they are not enabled by default.

Scanner

  • KE Scanner: Kubernetes rule updated to scan for the below vulnerabilities.
    • CVE-2018-5390 describes a kernel-level networking vulnerability that increases the effectiveness of denial of service (DoS) attacks against vulnerable systems over TCP connections.
    • CVE-2018-5391 describes a kernel-level networking vulnerability that increases the effectiveness of denial of service (DoS) attacks against vulnerable systems over IP connections.
  • BigQuery Scanner: The BigQuery rule syntax now supports bindings, with backward compatibility for existing rules.
  • IAM Scanner:
    • Added a new rule that flags buckets whose IAM policy grants a role to allUsers.
    • allAuthenticatedUsers is now audited, and the associated rule has been added.
    • Billing accounts can now be audited.
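As an added illustration of what the new IAM rules look for (example code written for this note, not Forseti's own scanner or rule format), the following checks a bucket IAM policy for bindings granted to the public members allUsers and allAuthenticatedUsers. The policy and bucket names are constructed sample data; `allowed_public_buckets` is a hypothetical allowlist for buckets that are intentionally public.

```python
"""Flag public members in GCS bucket IAM policies (added example, not Forseti code)."""

# Members that grant access to everyone, with (allAuthenticatedUsers) or
# without (allUsers) a Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the shape of a storage.buckets.getIamPolicy
# response (bindings only).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers", "group:team@example.com"]},
    ]
}


def public_bindings(policy):
    """Return (role, member) pairs in which the member is a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def evaluate_bucket(bucket_name, policy, allowed_public_buckets=frozenset()):
    """Produce violation records for a bucket unless it is on the allowlist.

    allowed_public_buckets is a hypothetical exception list (e.g. buckets that
    serve a public website); everything else with a public member is reported.
    """
    if bucket_name in allowed_public_buckets:
        return []
    return [
        {
            "resource": f"buckets/{bucket_name}",
            "rule": "no_public_bucket_members",
            "role": role,
            "member": member,
        }
        for role, member in public_bindings(policy)
    ]


if __name__ == "__main__":
    for violation in evaluate_bucket("constructed-bucket", SAMPLE_POLICY):
        print(violation)
```

Running the module prints one record per public binding; a bucket named in `allowed_public_buckets` yields none, which is how an allowlist-style exception keeps an intentionally public site from generating noise.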

Upgrade instructions

  • If you deployed v2.0.0 or v2.1.0: because the deployment script changed in v2.2.0, you must check out the git tag matching your deployed Forseti version before running the Deployment Manager update command.
  • Complete instructions
    • Download the Forseti server deployment template from the Forseti server GCS bucket; the template is located under the folder deployment_templates.
    • Update the fields in the deployment template as described on the Forseti official website, section Change deployment properties under Upgrading 2.X installations.
      • Specifically, set these default values for the newly added fields in deploy-forseti-server-{HASH}.yaml to:
        • vpc-host-project-id: {YOUR_PROJECT_ID}
        • vpc-host-network: default
        • vpc-host-subnetwork: default
    • Put the deployment template file under forseti-security/deployment-templates/ in your Cloud Shell.
    • Make sure the git tag of forseti-security matches the Forseti version you deployed (e.g. if you deployed v2.0.0, forseti-security must be on git tag v2.0.0).
    • You can verify the git tag by running git status in the forseti-security folder.
    • Run gcloud deployment-manager deployments update {DEPLOYMENT_NAME} --config path/to/deploy-forseti-server-{HASH}.yaml to perform the update.
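The checks in the procedure above, as an added preflight script (written for this note, not part of Forseti): it confirms the three new vpc-host fields are present in the template and no longer hold the {YOUR_PROJECT_ID} placeholder, compares the checked-out git tag with the deployed version, and only then assembles the update command. The template text is a constructed sample, not the real deployment template, and the field matching is a line-based scan rather than a full YAML parse.

```python
"""Preflight for the Forseti 2.x Deployment Manager update (added example)."""
import re
import subprocess
import sys

# Fields added to the server template in this release series.
REQUIRED_FIELDS = ("vpc-host-project-id", "vpc-host-network", "vpc-host-subnetwork")
# Values still written in the {PLACEHOLDER} style used by the release notes.
PLACEHOLDER = re.compile(r"^\{.*\}$")
# Matches "key: value" lines at any indentation (no full YAML parsing).
FIELD_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")

# Constructed sample: a cut-down template in the shape described above,
# with the project-id placeholder not yet replaced.
SAMPLE_TEMPLATE = """\
resources:
- name: forseti-instance-server
  type: forseti-instance-server.py
  properties:
    zone: us-central1-c
    vpc-host-project-id: {YOUR_PROJECT_ID}
    vpc-host-network: default
    vpc-host-subnetwork: default
"""


def template_fields(text):
    """Return the values of the required fields found in the template text."""
    found = {}
    for line in text.splitlines():
        match = FIELD_LINE.match(line)
        if match and match.group(1) in REQUIRED_FIELDS:
            found[match.group(1)] = match.group(2)
    return found


def template_problems(text):
    """List missing fields and fields whose placeholder was never replaced."""
    problems = []
    fields = template_fields(text)
    for key in REQUIRED_FIELDS:
        if not fields.get(key):
            problems.append(f"missing field: {key}")
        elif PLACEHOLDER.match(fields[key]):
            problems.append(f"placeholder not replaced: {key}={fields[key]}")
    return problems


def tag_matches_version(git_tag, deployed_version):
    """True when the checked-out tag (e.g. v2.0.0) equals the deployed version."""
    return git_tag.strip().lstrip("v") == deployed_version.strip().lstrip("v")


def build_update_command(deployment_name, template_path):
    """Assemble the gcloud update command as an argv list (no shell quoting)."""
    return ["gcloud", "deployment-manager", "deployments", "update",
            deployment_name, "--config", template_path]


def current_git_tag(repo_dir):
    """Tag at HEAD of the forseti-security checkout, or None if not on a tag."""
    result = subprocess.run(["git", "-C", repo_dir, "describe", "--tags", "--exact-match"],
                            capture_output=True, text=True)
    return result.stdout.strip() or None


if __name__ == "__main__":
    # Usage: preflight.py DEPLOYED_VERSION DEPLOYMENT_NAME path/to/template.yaml [repo_dir]
    deployed_version, deployment_name, template_path = sys.argv[1:4]
    repo_dir = sys.argv[4] if len(sys.argv) > 4 else "."
    with open(template_path) as fh:
        problems = template_problems(fh.read())
    tag = current_git_tag(repo_dir)
    if tag is None or not tag_matches_version(tag, deployed_version):
        problems.append(f"git tag {tag!r} does not match deployed version {deployed_version}")
    if problems:
        sys.exit("\n".join(problems))
    print("preflight ok; run:", " ".join(build_update_command(deployment_name, template_path)))
```

The script prints the command rather than executing it, so the operator can review the deployment name and template path before the update runs.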

Thanks to our contributors!

All changes

a4df217 (HEAD -> release-2-3-0, tag: v2.3.0, origin/release-2-3-0) added contributors and modified version
5c928f2 (dev) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
a8322ea (origin/dev, origin/HEAD) kubernetes rule updated to address the latest vulnerabilities (#1990)
70d45ea Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
df48b43 Stop matching unset member fields in BigQuery ACLs (#1989)
6c6de3f Support multiple dataset ids in BigQuery rules (#1986)
092c460 (firewallrule) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
bf9b667 Fixed IAM Scanner so it audits allAuthenticatedUsers correctly (#1983)
b105396 Support bindings in BigQuery rules (#1977)
42b767f Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
af66fd5 Add support for billing_account to IAM scanner (#1975)
6b05607 adding Michael Capicotto as a contributor (#1970)
9221815 Handle SSH failure gracefully during the installation process (#1969)
d3d0bfc more APIs require enabling (#1967)
1e3a337 (fixiamscanner) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
87477eb Removed upgrade option (#1965)
02323bd (authusers) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
e47b2aa Added a new rule to scan for bucket with allUsers in IAM policy (#1964)
d80d53e (allauthusers) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
9a66da6 Default non-existent fields in bigquery acl to glob (#1958)
a742de4 (1909authusers) Merge branch 'dev' of github.com:GoogleCloudPlatform/forseti-security into dev
1c99b00 Use the file_loader util method for safe yaml loading. (#1959)
df01f4e Remove the AE for now while it's reworked. (#1961)
99c7105 [Issue 1848] Fixing parameterized test to mock out logger to fix log pollution (#1929)
3fda0e0 Merge stable to dev (#1956)
035d553 [Fixes #783] Support whitelist mode in Bigquery scanner (#1925)
037039c Add billing accounts to log sink scanner (#1922)
94c2171 Removed unused constant MESSAGE_GSUITE_DATA_COLLECTION (#1953)
