GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0

Outputs: createsnapshot with Turbinia #149

Closed ghost closed 3 years ago

ghost commented 4 years ago

Current representation of cloudfunctions/output/config.yaml:

apiVersion: security-response-automation.cloud.google.com/v1alpha1
kind: Notification
metadata:
  name: output
spec:
  outputs:
    turbinia:
      project_id: "turbina-tests-03012020"
      topic: "turbinia-ea4f80ef66a38477"
      zone: "us-central1-f"

googlebot commented 4 years ago

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

amandakarina commented 4 years ago

@googlebot I consent.

googlebot commented 4 years ago

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

amandakarina commented 4 years ago

Current representation of cloudfunctions/output/config.yaml:

apiVersion: security-response-automation.cloud.google.com/v1alpha1
kind: Notification
metadata:
  name: output
spec:
  outputs:
    turbinia:
      project_id: "turbina-tests-03012020"
      topic: "turbinia-ea4f80ef66a38477"
      zone: "us-central1-f"

The config YAML for outputs was discarded. The output configuration will live in the remediation config file, represented by:

apiVersion: security-response-automation.cloud.google.com/v1alpha1
kind: Remediation
metadata:
  name: router
spec:
  parameters:
    etd:
      bad_ip:
        - action: gce_create_disk_snapshot
          target:
            - organizations/__ORGANIZATION_ID__/*
          properties:
            dry_run: false
            target_snapshot_project_id: test-audit-log-260414
            target_snapshot_zone: "__TURBINIA_SNAPSHOOT_ZONE__"
            outputs: ['turbinia']
            turbinia:
              project_id: "__TURBINIA_PROJECT_ID__"
              topic: "__TURBINIA_TOPIC_NAME__"
              zone: "__TURBINIA_SNAPSHOOT_ZONE__"
      anomalous_iam:
        - action: iam_revoke
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
            allow_domains:
              - google.com
      ssh_brute_force:
        - action: remediate_firewall
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
    sha:
      audit_logging_disabled:
        - action: enable_audit_logs
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          exclude:
            - projects/345
          properties:
            dry_run: false
      non_org_members:
        - action: remove_non_org_members
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__
          exclude:
            - projects/345
          properties:
            dry_run: false
            allow_domains: ["__DOMAIN_ALLOWED__"]
      sql_no_root_password:
        - action: cloud_sql_update_password
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
      ssl_not_enforced:
        - action: cloud_sql_require_ssl
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
      public_sql_instance:
        - action: close_cloud_sql
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
      open_firewall:
        - action: remediate_firewall
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
            open_firewall:
              # values for remediation_action: disable, delete, update_source_range
              remediation_action: disable
              source_ranges:
                - "10.128.0.0/9"
      open_rdp_port:
        - action: remediate_firewall
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
            open_firewall:
              # values for remediation_action: disable, delete, update_source_range
              remediation_action: disable
      open_ssh_port:
        - action: remediate_firewall
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
            open_firewall:
              # values for remediation_action: disable, delete, update_source_range
              remediation_action: disable
      public_ip_address:
        - action: remove_public_ip
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
      public_bucket_acl:
        - action: close_bucket
          target:
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
            - organizations/__ORGANIZATION_ID__/folders/__FOLDER_ID__/*
          properties:
            dry_run: false
  outputs:
    turbinia:
      project_id: "__TURBINIA_PROJECT_ID__"
      topic: "__TURBINIA_TOPIC_NAME__"
      zone: "__TURBINIA_SNAPSHOOT_ZONE__"

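The config above routes a finding (source such as etd or sha, then finding type) to an action, restricts it with target/exclude ancestry patterns, and attaches per-action outputs such as the Turbinia block. The Go program below is an added illustration of that resolution step and is not code from this PR or from the project; the struct names, the SampleConfig values (made-up organization, folder and project numbers, a made-up Turbinia project and topic) and the exact matching semantics (a trailing "/*" covers everything beneath the prefix, a bare "projects/345" matches only that project) are assumptions made for the example. It also shows the failure mode a practitioner would want caught at load time: a rule that lists turbinia in outputs but has no turbinia block.

```go
package main

import (
	"fmt"
	"strings"
)

// TurbiniaOutput holds the per-rule Turbinia settings (project_id / topic / zone).
type TurbiniaOutput struct {
	ProjectID string
	Topic     string
	Zone      string
}

// Rule is one entry under a finding type: the action, where it applies, and its properties.
// (Assumed shape; the project's own Go types may differ.)
type Rule struct {
	Action   string
	Target   []string
	Exclude  []string
	DryRun   bool
	Outputs  []string
	Turbinia *TurbiniaOutput // only meaningful when Outputs contains "turbinia"
}

// Config maps source ("etd", "sha") -> finding type ("bad_ip", ...) -> rules.
type Config map[string]map[string][]Rule

// Decision is what the router would hand to an action function.
type Decision struct {
	Action   string
	DryRun   bool
	Turbinia *TurbiniaOutput
}

// matchPattern reports whether ancestry (e.g. "organizations/123/folders/456/projects/789")
// is covered by pattern. Assumed semantics: a trailing "/*" covers the prefix and everything
// beneath it; without the wildcard the pattern must match whole path segments, so
// "projects/345" matches project 345 but not project 3450.
func matchPattern(pattern, ancestry string) bool {
	if strings.HasSuffix(pattern, "/*") {
		prefix := strings.TrimSuffix(pattern, "/*")
		return ancestry == prefix || strings.HasPrefix(ancestry, prefix+"/")
	}
	return ancestry == pattern || strings.HasSuffix(ancestry, "/"+pattern)
}

func matches(patterns []string, ancestry string) bool {
	for _, p := range patterns {
		if matchPattern(p, ancestry) {
			return true
		}
	}
	return false
}

// Route returns the decisions for a finding of the given source/category on a resource.
// A rule fires when at least one target matches and no exclude matches. A rule that names
// "turbinia" in outputs but carries no turbinia block is rejected instead of silently
// dropping the forensic hand-off.
func Route(cfg Config, source, category, ancestry string) ([]Decision, error) {
	var out []Decision
	for _, r := range cfg[source][category] {
		if !matches(r.Target, ancestry) || matches(r.Exclude, ancestry) {
			continue
		}
		d := Decision{Action: r.Action, DryRun: r.DryRun}
		for _, o := range r.Outputs {
			switch o {
			case "turbinia":
				if r.Turbinia == nil || r.Turbinia.Topic == "" {
					return nil, fmt.Errorf("%s/%s: output turbinia requested but no turbinia block configured", source, category)
				}
				d.Turbinia = r.Turbinia
			default:
				return nil, fmt.Errorf("%s/%s: unknown output %q", source, category, o)
			}
		}
		out = append(out, d)
	}
	return out, nil
}

// SampleConfig is a constructed, trimmed-down version of the config in the comment with
// the placeholders replaced by made-up identifiers.
func SampleConfig() Config {
	return Config{
		"etd": {
			"bad_ip": {{
				Action:   "gce_create_disk_snapshot",
				Target:   []string{"organizations/111/*"},
				DryRun:   false,
				Outputs:  []string{"turbinia"},
				Turbinia: &TurbiniaOutput{ProjectID: "forensics-proj", Topic: "turbinia-topic", Zone: "us-central1-f"},
			}},
		},
		"sha": {
			"audit_logging_disabled": {{
				Action:  "enable_audit_logs",
				Target:  []string{"organizations/111/folders/222/*"},
				Exclude: []string{"projects/345"},
				DryRun:  false,
			}},
		},
	}
}

func main() {
	cfg := SampleConfig()
	for _, f := range []struct{ src, cat, anc string }{
		{"etd", "bad_ip", "organizations/111/folders/222/projects/789"},
		{"sha", "audit_logging_disabled", "organizations/111/folders/222/projects/345"},
		{"sha", "audit_logging_disabled", "organizations/111/folders/999/projects/789"},
	} {
		ds, err := Route(cfg, f.src, f.cat, f.anc)
		fmt.Printf("%s/%s on %s -> %+v err=%v\n", f.src, f.cat, f.anc, ds, err)
	}
}
```

Because the Turbinia settings are resolved per rule, two finding types can hand snapshots to different Turbinia projects or zones, which is the flexibility the move from the separate Notification file to the Remediation file gives; the load-time error is the cost of that flexibility, since the router can no longer fall back to one global outputs block.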
googlebot commented 4 years ago

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

atos-cit commented 4 years ago

@googlebot I consent.

googlebot commented 4 years ago

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

atos-cit commented 4 years ago

The corrections that you suggested are done; just waiting for your review, @tomscript.

tomscript commented 4 years ago

Unfortunately I'll need to pause on this review for the time being.