Last active: July 19, 2019 15:48
terraform-google-forseti manual verification
-----> Verifying <real-time-enforcer-local>...
$$$$$$ Running command `terraform workspace select kitchen-terraform-real-time-enforcer-local` in directory /cft/workdir/test/fixtures/real_time_enforcer
$$$$$$ Running command `terraform output -json` in directory /cft/workdir/test/fixtures/real_time_enforcer
gcp: Verifying

Profile: real_time_enforcer
Version: (not specified)
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com

✔ real-time-enforcer-gcp: Real time enforcer GCP resources
   ✔ Instance forseti-enforcer-vm-qbx6f5 should exist
   ✔ Instance forseti-enforcer-vm-qbx6f5 machine_size should eq "n1-standard-2"
   ✔ Service Account "Forseti Real Time Enforcer" email should eq "forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Service Account "Forseti Real Time Enforcer" display_name should eq "Forseti Real Time Enforcer"
   ✔ Topic real-time-enforcer-events-topic-2zxr should exist
   ✔ Bucket forseti-enforcer-qbx6f5 should exist
   ✔ Storage Bucket IAM Binding roles/storage.objectViewer should exist
   ✔ Storage Bucket IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ google_storage_bucket_objects object_names should contain exactly "policy/bigquery/common.rego", "policy/bigquery/dataset_no_public_access.rego", "policy/bigquery/dataset_no_public_authenticated_access.rego", "policy/cloudresourcemanager/common_iam.rego", "policy/exclusions.rego", "policy/policies.rego", "policy/config.yaml", "policy/sql/acl.rego", "policy/sql/backups.rego", "policy/sql/common.rego", "policy/sql/require_ssl.rego", "policy/storage/bucket_iam_disallow_allauthenticatedusers.rego", "policy/storage/bucket_iam_disallow_allusers.rego", "policy/storage/common.rego", "policy/storage/common_iam.rego", and "policy/storage/versioning.rego"
   ✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 source_ranges should eq ["0.0.0.0/0"]
   ✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 allowed_ssh? should equal true
   ✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 priority should eq 100
   ✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 denies TCP, UDP, and ICMP
   ✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 source_ranges should eq ["0.0.0.0/0"]
   ✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 priority should eq 200
   ✔ Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ real-time-enforcer-target-gcp: Storage Bucket ACL forseti-enforcer-target-i2tk
   ✔ Storage Bucket ACL forseti-enforcer-target-i2tk should not exist
   ✔ Storage Bucket ACL forseti-enforcer-target-i2tk should not exist

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.11.0
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com

No tests executed.

Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 20 successful, 0 failures, 0 skipped
real-time-enforcer-host: Verifying host 10.128.15.200
Skipping profile: 'inspec-gcp' on unsupported platform: 'linux/unknown'.

Profile: real_time_enforcer
Version: (not specified)
Target: ssh://ubuntu@10.128.15.200:22

✔ real-time-enforcer-host: Real time enforcer host resources
   ✔ Command: `systemctl is-active opa-policy` exit_status should equal 0 or equal 3
   ✔ Command: `systemctl is-active opa-policy` stdout.chomp should cmp == "active" or cmp == "activating" or cmp nil
   ✔ Command: `systemctl is-active opa-policy` stderr should eq ""
   ✔ Command: `systemctl is-active opa-server` exit_status should equal 0 or equal 3
   ✔ Command: `systemctl is-active opa-server` stdout.chomp should cmp == "active" or cmp == "activating" or cmp == "inactive"
   ✔ Command: `systemctl is-active opa-server` stderr should eq ""
   ✔ Command: `systemctl is-active enforcer` exit_status should equal 0 or equal 3
   ✔ Command: `systemctl is-active enforcer` stdout.chomp should cmp == "active" or cmp == "activating" or cmp == "inactive"
   ✔ Command: `systemctl is-active enforcer` stderr should eq ""
   ✔ Command: `systemctl is-enabled enforcer` exit_status should be zero
   ✔ Command: `systemctl is-enabled enforcer` stdout.chomp should eq "enabled"
   ✔ Command: `systemctl is-enabled enforcer` stderr should eq ""

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 12 successful, 0 failures, 0 skipped
gcloud: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.9.4'.

Profile: real_time_enforcer
Version: (not specified)
Target: local://

✔ real-time-enforcer-gcloud: Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'`
   ✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` permits the enforcer to view and enforcer policy
   ✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` exit_status should eq 0
   ✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` stderr should eq ""

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 3 successful, 0 failures, 0 skipped
Finished verifying <real-time-enforcer-local> (0m14.51s).
-----> Kitchen is finished. (0m31.59s)
bash-4.4# kitchen verify simple-example-local
-----> Starting Kitchen (v1.24.0)
The state file either has no outputs defined, or all the defined
outputs are empty. Please define an output in your configuration
with the `output` keyword and run `terraform refresh` for it to
become available. If you are using interpolation, please verify
the interpolated value is not empty. You can use the
`terraform console` command to assist.
-----> Verifying <simple-example-local>...
$$$$$$ Running command `terraform workspace select kitchen-terraform-simple-example-local` in directory /cft/workdir/test/fixtures/simple_example
$$$$$$ Running command `terraform output -json` in directory /cft/workdir/test/fixtures/simple_example
gcp: Verifying

Profile: simple-example
Version: (not specified)
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com

✔ forseti: Forseti GCP resources
   ✔ Instance forseti-client-vm-99166e60 should exist
   ✔ Instance forseti-client-vm-99166e60 machine_size should eq "n1-standard-2"
   ✔ Instance forseti-server-vm-99166e60 should exist
   ✔ Instance forseti-server-vm-99166e60 machine_size should eq "n1-standard-2"
   ✔ google_sql_database_instances instance_names should include /forseti-server-db-*/
   ✔ Project IAM Binding roles/storage.objectViewer should exist
   ✔ Project IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Project IAM Binding roles/storage.objectCreator should exist
   ✔ Project IAM Binding roles/storage.objectCreator members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Project IAM Binding roles/cloudsql.client should exist
   ✔ Project IAM Binding roles/cloudsql.client members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Project IAM Binding roles/cloudtrace.agent should exist
   ✔ Project IAM Binding roles/cloudtrace.agent members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Project IAM Binding roles/logging.logWriter should exist
   ✔ Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Project IAM Binding roles/iam.serviceAccountTokenCreator should exist
   ✔ Project IAM Binding roles/iam.serviceAccountTokenCreator members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ google_storage_buckets bucket_names should include "forseti-server-99166e60"
   ✔ google_storage_buckets bucket_names should include "forseti-client-99166e60"
   ✔ google_storage_buckets bucket_names should include /forseti-cai-export/
   ✔ google_storage_bucket_objects object_names should include "rules/audit_logging_rules.yaml", "rules/bigquery_rules.yaml", "rules/blacklist_rules.yaml", "rules/bucket_rules.yaml", "rules/cloudsql_rules.yaml", "rules/enabled_apis_rules.yaml", "rules/external_project_access_rules.yaml", "rules/firewall_rules.yaml", "rules/forwarding_rules.yaml", "rules/group_rules.yaml", "rules/groups_settings_rules.yaml", "rules/iam_rules.yaml", "rules/iap_rules.yaml", "rules/instance_network_interface_rules.yaml", "rules/ke_rules.yaml", "rules/ke_scanner_rules.yaml", "rules/lien_rules.yaml", "rules/location_rules.yaml", "rules/log_sink_rules.yaml", "rules/resource_rules.yaml", "rules/retention_rules.yaml", "rules/role_rules.yaml", "rules/service_account_key_rules.yaml", and "rules/kms_rules.yaml"
   ✔ Service Account "Forseti Client Service Account" email should eq "forseti-client-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Service Account "Forseti Client Service Account" display_name should eq "Forseti Client Service Account"
   ✔ Service Account "Forseti Server Service Account" email should eq "forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
   ✔ Service Account "Forseti Server Service Account" display_name should eq "Forseti Server Service Account"
   ✔ Firewall Rule forseti-server-ssh-external-99166e60 source_ranges should eq ["0.0.0.0/0"]
   ✔ Firewall Rule forseti-server-ssh-external-99166e60 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-server-ssh-external-99166e60 allowed_ssh? should equal true
   ✔ Firewall Rule forseti-server-ssh-external-99166e60 priority should eq 100
   ✔ Firewall Rule forseti-server-allow-grpc-99166e60 allows gRPC traffic
   ✔ Firewall Rule forseti-server-allow-grpc-99166e60 source_ranges should eq ["10.128.0.0/9"]
   ✔ Firewall Rule forseti-server-allow-grpc-99166e60 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-server-allow-grpc-99166e60 priority should eq 100
   ✔ Firewall Rule forseti-server-deny-all-99166e60 denies TCP, UDP, and ICMP
   ✔ Firewall Rule forseti-server-deny-all-99166e60 source_ranges should eq ["0.0.0.0/0"]
   ✔ Firewall Rule forseti-server-deny-all-99166e60 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-server-deny-all-99166e60 priority should eq 200
   ✔ Firewall Rule forseti-client-ssh-external-99166e60 source_ranges should eq ["0.0.0.0/0"]
   ✔ Firewall Rule forseti-client-ssh-external-99166e60 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-client-ssh-external-99166e60 allowed_ssh? should equal true
   ✔ Firewall Rule forseti-client-ssh-external-99166e60 priority should eq 100
   ✔ Firewall Rule forseti-client-deny-all-99166e60 denies TCP, UDP, and ICMP
   ✔ Firewall Rule forseti-client-deny-all-99166e60 source_ranges should eq ["0.0.0.0/0"]
   ✔ Firewall Rule forseti-client-deny-all-99166e60 direction should eq "INGRESS"
   ✔ Firewall Rule forseti-client-deny-all-99166e60 priority should eq 200

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.11.0
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com

No tests executed.

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 45 successful, 0 failures, 0 skipped
server: Verifying host 10.128.0.62
Skipping profile: 'inspec-gcp' on unsupported platform: 'ubuntu/18.04'.

Profile: simple-example
Version: (not specified)
Target: ssh://ubuntu@10.128.0.62:22

✔ server: Forseti server instance resources
   ✔ Command: `forseti` should exist
   ✔ Command: `forseti server configuration get` exit_status should eq 0
   ✔ Command: `forseti inventory list` exit_status should eq 0
   ✔ Command: `forseti_server` should exist
   ✔ Command: `forseti_enforcer` should exist
   ✔ Command: `python3 -m pip show forseti-security|grep Version` exit_status should eq 0
   ✔ Command: `python3 -m pip show forseti-security|grep Version` stdout should match "Version: 2.18.0"
   ✔ Command: `python3 -m pip show forseti-security|grep Version` stderr should cmp == ""
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml should exist
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory configures cai_api_timeout
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory configures inventory_retention_days
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_max_calls
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_period
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures storage_disable_polling
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures audit_logging_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures bigquery_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures blacklist_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures bucket_acl_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures cloudsql_acl_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures enabled_apis_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures firewall_rule_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures forwarding_rule_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures group_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures iam_policy_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures iap_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures instance_network_interface_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures ke_scanner_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures ke_version_scanner_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures kms_scanner_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures lien_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures location_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures log_sink_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures resource_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures service_account_key_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures cscc_violations_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures cscc_source_id
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures inventory_gcs_summary_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures inventory_email_summary_enabled
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures iam_policy_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures audit_logging_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures blacklist_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures bigquery_acl_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures buckets_acl_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures cloudsql_acl_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures enabled_apis_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures firewall_rule_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures forwarding_rule_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures ke_version_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures ke_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures kms_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures groups_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures instance_network_interface_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures iap_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures lien_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures location_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures log_sink_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures resource_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures service_account_key_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures external_project_access_violations_should_notify
   ✔ File /home/ubuntu/forseti-security/rules/audit_logging_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/audit_logging_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/bigquery_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/bigquery_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/blacklist_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/blacklist_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/bucket_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/bucket_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/cloudsql_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/cloudsql_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/enabled_apis_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/enabled_apis_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/external_project_access_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/external_project_access_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/firewall_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/firewall_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/forwarding_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/forwarding_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/group_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/group_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/iam_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/iam_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/iap_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/iap_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/instance_network_interface_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/instance_network_interface_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/ke_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/ke_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/ke_scanner_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/ke_scanner_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/lien_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/lien_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/location_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/location_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/log_sink_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/log_sink_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/resource_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/resource_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/retention_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/retention_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/role_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/role_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/service_account_key_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/service_account_key_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/groups_settings_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/groups_settings_rules.yaml is valid YAML
   ✔ File /home/ubuntu/forseti-security/rules/kms_rules.yaml should exist
   ✔ File /home/ubuntu/forseti-security/rules/kms_rules.yaml is valid YAML

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 148 successful, 0 failures, 0 skipped
forseti-client: Verifying host 10.128.0.63
Skipping profile: 'inspec-gcp' on unsupported platform: 'ubuntu/18.04'.

Profile: simple-example
Version: (not specified)
Target: ssh://ubuntu@10.128.0.63:22

✔ client: Forseti client instance resources
   ✔ Command: `forseti` should exist
   ✔ Command: `forseti config show` exit_status should eq 0
   ✔ Command: `forseti config show` stdout should match /10.128.0.62:50051/
   ✔ Command: `forseti inventory list` exit_status should eq 0
   ✔ Command: `python3 -m pip show forseti-security|grep Version` exit_status should eq 0
   ✔ Command: `python3 -m pip show forseti-security|grep Version` stdout should match "Version: 2.18.0"
   ✔ Command: `python3 -m pip show forseti-security|grep Version` stderr should cmp == ""
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_client.yaml should exist
   ✔ File /home/ubuntu/forseti-security/configs/forseti_conf_client.yaml sets the hostname to the Forseti server IP

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 9 successful, 0 failures, 0 skipped
org-iam: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.9.4'.

Profile: simple-example
Version: (not specified)
Target: local://

✔ forseti-org-iam: Validate organization roles of SA
   ✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` has all expected org roles
   ✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` exit_status should eq 0
   ✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` stderr should eq ""

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 3 successful, 0 failures, 0 skipped
Finished verifying <simple-example-local> (0m29.03s).
-----> Kitchen is finished. (0m31.07s)