Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gcp_k8s_rules: require k8s-specific resource type #882

Merged
merged 5 commits into from
Oct 17, 2023
Merged

gcp_k8s_rules: require k8s-specific resource type #882

merged 5 commits into from
Oct 17, 2023

Conversation

skottler
Copy link
Contributor

Background

The GCP audit log contains entries for Bigquery (and likely other services) which have protoPayload fields. This makes the check run against events which aren't relevant. Here is one such event:

...
  "protoPayload": {
	"at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
	"authenticationInfo": {
		"principalEmail": "[redacted]@[redacted].iam.gserviceaccount.com",
		"serviceAccountKeyName": "//iam.googleapis.com/projects/[redacted]/serviceAccounts/[redacted]/keys/[redacted]"
	},
	"authorizationInfo": [
		{
			"granted": true,
			"permission": "bigquery.jobs.create",
			"resource": "projects/[redacted]",
			"resourceAttributes": {}
		}
	],
	"methodName": "tabledataservice.list",
	"requestMetadata": {
		"callerIP": "[redacted]",
		"callerSuppliedUserAgent": "[redacted]"
		"destinationAttributes": {},
		"requestAttributes": {}
	},
	"resourceName": "projects/[redacted]/datasets/[redacted]/tables/[redacted]/data",
	"serviceData": {
		"@type": "type.googleapis.com/google.cloud.bigquery.logging.v1.AuditData",
		"tableDataListRequest": {
			"maxResults": 100
		}
	},
	"serviceName": "bigquery.googleapis.com",
	"status": {}
  }
...

Changes

Bypass check logic (always return false) when the resource type in the audit log is not k8s_cluster. This ensures the check behaves as expected and only picks up events related to Kubernetes.

@skottler skottler requested a review from a team September 26, 2023 16:50
@CLAassistant
Copy link

CLAassistant commented Sep 26, 2023
edited

CLA assistant check
All committers have signed the CLA.

@arielkr256 arielkr256 enabled auto-merge (squash) October 16, 2023 19:04
@grantjoy grantjoy mentioned this pull request Oct 17, 2023
Closed
@arielkr256 arielkr256 merged commit 3f3caed into panther-labs:master Oct 17, 2023
4 checks passed
@skottler skottler deleted the k8s_cluster-resource-type branch October 17, 2023 17:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@skottler @CLAassistant @arielkr256