GoogleCloudPlatform / security-response-automation

Take automated actions against threats and vulnerabilities.
Apache License 2.0

Function error: rule "" not found #193

Closed chiokejjones closed 3 years ago

chiokejjones commented 4 years ago

Hello. I've deployed the SRA cloud functions but am running into errors with the Router function. There are hundreds of errors logged with a similar message:

Function error: rule "" not found
at runtime/debug.Stack (stack.go:24)
at main.executeFunction (worker.go:193)
at net/http.HandlerFunc.ServeHTTP (server.go:1964)
at net/http.(*ServeMux).ServeHTTP (server.go:2361)
at net/http.serverHandler.ServeHTTP (server.go:2741)
at net/http.(*conn).serve (server.go:1847)

tomscript commented 4 years ago

Can I see your config.yaml file? Be sure to redact any sensitive information.

chiokejjones commented 4 years ago

Here you go:

kind: Remediation
metadata:
  name: router
spec:
  parameters:
    etd:
      anomalous_iam:
        - action: iam_revoke
          target:
            - organizations/<redacted>/folders/<redacted>/*
          properties:
            dry_run: true
            anomalous_iam:
              allow_domains:
                - google.com
                - mycompany.com
    sha:
      public_bucket_acl:
        - action: close_bucket
          target:
            - organizations/<redacted>/folders/<redacted>/*
          properties:
            dry_run: true
      public_ip_address:
        - action: remove_public_ip
          target:
            - organizations/<redacted>/folders/<redacted>/*
          properties:
            dry_run: true
      open_firewall:
        - action: remediate_firewall
          target:
            - organizations/<redacted>/folders/<redacted>/*
          properties:
            dry_run: true
            open_firewall:
              remediate_action: disable

tomscript commented 4 years ago

Great, thanks. Can you share a bit on how you have SRA hooked up? Are you exporting ETD findings via Stackdriver, or using CSCC notifications?

chiokejjones commented 4 years ago

I followed the instructions in the readme to hook up the CSCC notifications. Was there anything else I needed to do for the CSCC notifications? I deployed the SCC notification and assigned the policy binding following the directions here: https://github.com/GoogleCloudPlatform/security-response-automation#set-up-security-command-center-notifications.

chiokejjones commented 4 years ago

There are also similar "not found" errors for:

- compute_secure_boot_disabled
- ip_forwarding_enabled
- full_api_access
- compute_project_wide_shh_keys_allowed

tomscript commented 4 years ago

> I followed the instructions in the readme to hook up the CSCC notifications. Was there anything else I needed to do for the CSCC notifications? I deployed the SCC notification and assigned the policy binding following the directions here:

Should be working there. Let me double-check to see if there have been any schema changes; unfortunately that may cause this error :(

> There are also similar "not found" errors for:
>
> compute_secure_boot_disabled ip_forwarding_enabled full_api_access compute_project_wide_shh_keys_allowed

Ah ok, so those look like SHA findings that we don't parse. So those are probably expected to not be found, since we don't deserialize them. Good feedback, we should probably not report that as an error.

tomscript commented 4 years ago

> Should be working there. Let me double-check to see if there have been any schema changes; unfortunately that may cause this error :(

Hm ya, everything seems to be working there. This part is just slightly complicated since there are two paths; I'll explain it here, but it should not have anything to do with this problem that I can tell. First, ETD uses either Stackdriver or CSCC notifications. SHA however only uses CSCC notifications. The default instructions walk you through both, but if you use only CSCC notifications you'll want to disable the auto-generated Stackdriver log sink: `gcloud logging sinks delete sink-threat-findings --project=$PROJECT_ID`

Regardless of what happens above, the SRA router should receive your findings, deserialize them and attempt to run the remediations you specified. Thinking on this a bit more, the `rule "" not found` is likely a finding type that is different and thus not supported, so you're probably good to ignore that. I'll make a note to not return an error there.

So then my question is, are things working otherwise for you? Meaning, if you manually generate an ETD anomalous IAM grant, do you see the finding get created? Then do you see SRA attempt to process that? Look in Stackdriver under "Threat Detector", where the findings are sent, to verify that the finding is being created. It should be there. Then check the "Cloud Function" logs where SRA is installed; you should see the router find it as well. Let's start with that, let me know what you find and if I can help. It's no problem :)
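The routing behaviour discussed above (a finding category the router does not parse should be skipped and logged, not reported as a function error), as an added Go sketch that is not SRA's own code: the `Rule`/`Config` shapes, the category-to-rule map and the `Route` function are assumptions modelled on the posted config.yaml and the SCC notification's `finding.category` field.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule is one list entry under spec.parameters.<source>.<rule_name> in config.yaml (shape assumed).
type Rule struct {
	Action string
	DryRun bool
}

type Config map[string][]Rule // rule name, e.g. "public_bucket_acl", to its rules
// knownRules is an assumed category-to-rule mapping; a category absent here is unsupported, not an error.
var knownRules = map[string]string{
	"PUBLIC_BUCKET_ACL": "public_bucket_acl",
	"PUBLIC_IP_ADDRESS": "public_ip_address",
	"OPEN_FIREWALL":     "open_firewall",
}

type Decision struct {
	Status  string // "unsupported", "unconfigured" or "matched"
	Rule    string
	Actions []Rule // the caller runs these, honouring each rule's dry_run flag
}

// Route selects rules for one SCC notification; only malformed input is an error.
func Route(msg []byte, cfg Config) (Decision, error) {
	var n struct {
		Finding struct{ Category string `json:"category"` } `json:"finding"`
	}
	if err := json.Unmarshal(msg, &n); err != nil {
		return Decision{}, fmt.Errorf("malformed notification: %w", err)
	}
	rule, ok := knownRules[strings.ToUpper(n.Finding.Category)]
	if !ok { // the case behind `rule "" not found`: unparsed category, nothing to run
		return Decision{Status: "unsupported"}, nil
	}
	if actions := cfg[rule]; len(actions) > 0 {
		return Decision{Status: "matched", Rule: rule, Actions: actions}, nil
	}
	return Decision{Status: "unconfigured", Rule: rule}, nil
}

func main() {
	// Constructed notification and config; the remediation itself is out of scope here.
	d, err := Route([]byte(`{"finding":{"category":"OPEN_FIREWALL"}}`), Config{"open_firewall": {{Action: "remediate_firewall", DryRun: true}}})
	fmt.Println(d.Status, d.Rule, err) // matched open_firewall <nil>
}
```

With this shape the categories listed in the thread (compute_secure_boot_disabled and friends) come back as "unsupported" with a nil error, so they can be logged at info level instead of surfacing as hundreds of function errors.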

chiokejjones commented 4 years ago

Thanks for the information @tomscript. It was really helpful.

I do see successful logging of threat findings in Stackdriver, so the functions are working. I'm going to attempt a remediation action, and will let you know if it's working as intended.