@aaron-lane
Last active July 19, 2019 15:48
terraform-google-forseti manual verification
-----> Verifying <real-time-enforcer-local>...
$$$$$$ Running command `terraform workspace select kitchen-terraform-real-time-enforcer-local` in directory /cft/workdir/test/fixtures/real_time_enforcer
$$$$$$ Running command `terraform output -json` in directory /cft/workdir/test/fixtures/real_time_enforcer
gcp: Verifying
Profile: real_time_enforcer
Version: (not specified)
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com
✔ real-time-enforcer-gcp: Real time enforcer GCP resources
✔ Instance forseti-enforcer-vm-qbx6f5 should exist
✔ Instance forseti-enforcer-vm-qbx6f5 machine_size should eq "n1-standard-2"
✔ Service Account "Forseti Real Time Enforcer" email should eq "forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Service Account "Forseti Real Time Enforcer" display_name should eq "Forseti Real Time Enforcer"
✔ Topic real-time-enforcer-events-topic-2zxr should exist
✔ Bucket forseti-enforcer-qbx6f5 should exist
✔ Storage Bucket IAM Binding roles/storage.objectViewer should exist
✔ Storage Bucket IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ google_storage_bucket_objects object_names should contain exactly "policy/bigquery/common.rego", "policy/bigquery/dataset_no_public_access.rego", "policy/bigquery/dataset_no_public_authenticated_access.rego", "policy/cloudresourcemanager/common_iam.rego", "policy/exclusions.rego", "policy/policies.rego", "policy/config.yaml", "policy/sql/acl.rego", "policy/sql/backups.rego", "policy/sql/common.rego", "policy/sql/require_ssl.rego", "policy/storage/bucket_iam_disallow_allauthenticatedusers.rego", "policy/storage/bucket_iam_disallow_allusers.rego", "policy/storage/common.rego", "policy/storage/common_iam.rego", and "policy/storage/versioning.rego"
✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 direction should eq "INGRESS"
✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 allowed_ssh? should equal true
✔ Firewall Rule forseti-rt-enforcer-ssh-external-qbx6f5 priority should eq 100
✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 denies TCP, UDP, and ICMP
✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 direction should eq "INGRESS"
✔ Firewall Rule forseti-rt-enforcer-deny-all-qbx6f5 priority should eq 200
✔ Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ real-time-enforcer-target-gcp: Storage Bucket ACL forseti-enforcer-target-i2tk
✔ Storage Bucket ACL forseti-enforcer-target-i2tk should not exist
✔ Storage Bucket ACL forseti-enforcer-target-i2tk should not exist
Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.11.0
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com
No tests executed.
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 20 successful, 0 failures, 0 skipped
real-time-enforcer-host: Verifying host 10.128.15.200
Skipping profile: 'inspec-gcp' on unsupported platform: 'linux/unknown'.
Profile: real_time_enforcer
Version: (not specified)
Target: ssh://ubuntu@10.128.15.200:22
✔ real-time-enforcer-host: Real time enforcer host resources
✔ Command: `systemctl is-active opa-policy` exit_status should equal 0 or equal 3
✔ Command: `systemctl is-active opa-policy` stdout.chomp should cmp == "active" or cmp == "activating" or cmp nil
✔ Command: `systemctl is-active opa-policy` stderr should eq ""
✔ Command: `systemctl is-active opa-server` exit_status should equal 0 or equal 3
✔ Command: `systemctl is-active opa-server` stdout.chomp should cmp == "active" or cmp == "activating" or cmp == "inactive"
✔ Command: `systemctl is-active opa-server` stderr should eq ""
✔ Command: `systemctl is-active enforcer` exit_status should equal 0 or equal 3
✔ Command: `systemctl is-active enforcer` stdout.chomp should cmp == "active" or cmp == "activating" or cmp == "inactive"
✔ Command: `systemctl is-active enforcer` stderr should eq ""
✔ Command: `systemctl is-enabled enforcer` exit_status should be zero
✔ Command: `systemctl is-enabled enforcer` stdout.chomp should eq "enabled"
✔ Command: `systemctl is-enabled enforcer` stderr should eq ""
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 12 successful, 0 failures, 0 skipped
gcloud: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.9.4'.
Profile: real_time_enforcer
Version: (not specified)
Target: local://
✔ real-time-enforcer-gcloud: Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'`
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` permits the enforcer to view and enforcer policy
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` exit_status should eq 0
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-enforcer-gcp-qbx6f5@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` stderr should eq ""
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 3 successful, 0 failures, 0 skipped
Finished verifying <real-time-enforcer-local> (0m14.51s).
-----> Kitchen is finished. (0m31.59s)
-----> Starting Kitchen (v1.24.0)
-----> Verifying <shared-vpc-local>...
$$$$$$ Running command `terraform workspace select kitchen-terraform-shared-vpc-local` in directory /cft/workdir/test/fixtures/shared_vpc
$$$$$$ Running command `terraform output -json` in directory /cft/workdir/test/fixtures/shared_vpc
shared_vpc: Verifying
Profile: GCP Forseti InSpec Profile (shared-vpc-profile)
Version: 0.1.0
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com
✔ forseti-service-project: Forseti service project
✔ Compute Project Info aaronlane-forseti-test-3968 xpn_project_status should eq "UNSPECIFIED_XPN_PROJECT_STATUS"
✔ Compute Project Info aaronlane-forseti-test-3968 name should eq "aaronlane-forseti-test-3968"
✔ forseti-shared-project: Forseti host project
✔ Compute Project Info aaronlane-f5i-test-host-dc83 xpn_project_status should eq "HOST"
✔ Compute Project Info aaronlane-f5i-test-host-dc83 name should eq "aaronlane-f5i-test-host-dc83"
✔ forseti: Forseti GCP resources
✔ Instance forseti-client-vm-b2b749bd should exist
✔ Instance forseti-client-vm-b2b749bd machine_size should eq "n1-standard-2"
✔ Instance forseti-server-vm-b2b749bd should exist
✔ Instance forseti-server-vm-b2b749bd machine_size should eq "n1-standard-2"
✔ google_sql_database_instances instance_names should include /forseti-server-db-*/
✔ Project IAM Binding roles/storage.objectViewer should exist
✔ Project IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/storage.objectCreator should exist
✔ Project IAM Binding roles/storage.objectCreator members should include "serviceAccount:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/cloudsql.client should exist
✔ Project IAM Binding roles/cloudsql.client members should include "serviceAccount:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/cloudtrace.agent should exist
✔ Project IAM Binding roles/cloudtrace.agent members should include "serviceAccount:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/logging.logWriter should exist
✔ Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/iam.serviceAccountTokenCreator should exist
✔ Project IAM Binding roles/iam.serviceAccountTokenCreator members should include "serviceAccount:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ google_storage_buckets bucket_names should include "forseti-server-b2b749bd"
✔ google_storage_buckets bucket_names should include "forseti-client-b2b749bd"
✔ google_storage_buckets bucket_names should include /forseti-cai-export/
✔ google_storage_bucket_objects object_names should include "rules/audit_logging_rules.yaml", "rules/bigquery_rules.yaml", "rules/blacklist_rules.yaml", "rules/bucket_rules.yaml", "rules/cloudsql_rules.yaml", "rules/enabled_apis_rules.yaml", "rules/external_project_access_rules.yaml", "rules/firewall_rules.yaml", "rules/forwarding_rules.yaml", "rules/group_rules.yaml", "rules/groups_settings_rules.yaml", "rules/iam_rules.yaml", "rules/iap_rules.yaml", "rules/instance_network_interface_rules.yaml", "rules/ke_rules.yaml", "rules/ke_scanner_rules.yaml", "rules/lien_rules.yaml", "rules/location_rules.yaml", "rules/log_sink_rules.yaml", "rules/resource_rules.yaml", "rules/retention_rules.yaml", "rules/role_rules.yaml", "rules/service_account_key_rules.yaml", and "rules/kms_rules.yaml"
✔ Service Account "Forseti Client Service Account" email should eq "forseti-client-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Service Account "Forseti Client Service Account" display_name should eq "Forseti Client Service Account"
✔ Service Account "Forseti Server Service Account" email should eq "forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Service Account "Forseti Server Service Account" display_name should eq "Forseti Server Service Account"
✔ Firewall Rule forseti-server-ssh-external-b2b749bd source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-server-ssh-external-b2b749bd direction should eq "INGRESS"
✔ Firewall Rule forseti-server-ssh-external-b2b749bd allowed_ssh? should equal true
✔ Firewall Rule forseti-server-ssh-external-b2b749bd priority should eq 100
✔ Firewall Rule forseti-server-allow-grpc-b2b749bd allows gRPC traffic
✔ Firewall Rule forseti-server-allow-grpc-b2b749bd source_ranges should eq ["10.128.0.0/9"]
✔ Firewall Rule forseti-server-allow-grpc-b2b749bd direction should eq "INGRESS"
✔ Firewall Rule forseti-server-allow-grpc-b2b749bd priority should eq 100
✔ Firewall Rule forseti-server-deny-all-b2b749bd denies TCP, UDP, and ICMP
✔ Firewall Rule forseti-server-deny-all-b2b749bd source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-server-deny-all-b2b749bd direction should eq "INGRESS"
✔ Firewall Rule forseti-server-deny-all-b2b749bd priority should eq 200
✔ Firewall Rule forseti-client-ssh-external-b2b749bd source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-client-ssh-external-b2b749bd direction should eq "INGRESS"
✔ Firewall Rule forseti-client-ssh-external-b2b749bd allowed_ssh? should equal true
✔ Firewall Rule forseti-client-ssh-external-b2b749bd priority should eq 100
✔ Firewall Rule forseti-client-deny-all-b2b749bd denies TCP, UDP, and ICMP
✔ Firewall Rule forseti-client-deny-all-b2b749bd source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-client-deny-all-b2b749bd direction should eq "INGRESS"
✔ Firewall Rule forseti-client-deny-all-b2b749bd priority should eq 200
Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.11.0
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com
No tests executed.
Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
Test Summary: 49 successful, 0 failures, 0 skipped
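The firewall checks above (and the matching ones in the real-time-enforcer run) verify each rule in isolation: an SSH allow from 0.0.0.0/0 at priority 100, a gRPC allow from 10.128.0.0/9 at priority 100, and a deny-all for TCP, UDP and ICMP at priority 200. They do not show how GCP resolves those rules against a given packet, which is what makes the priority assertions matter. The Ruby below is an added example, not code from the module or its InSpec profiles. The rule set is constructed to mirror what the log verified; the gRPC port tcp/50051 is an assumption taken from the client endpoint shown later in this log, not from the firewall rule's own output. It applies GCP's documented precedence: the lowest priority number wins, a deny overrides an allow when priorities tie, unmatched ingress falls to the implied deny and unmatched egress to the implied allow. Egress rules (destination ranges) are not modelled.

```ruby
require 'ipaddr'

# Constructed rule set modelled on the rules the InSpec run verified.
# tcp/50051 for gRPC is an assumption, not taken from the rule's output.
RULES = [
  { name: 'ssh-external', direction: 'INGRESS', priority: 100,
    source_ranges: ['0.0.0.0/0'],
    allowed: [{ protocol: 'tcp', ports: ['22'] }], denied: [] },
  { name: 'allow-grpc', direction: 'INGRESS', priority: 100,
    source_ranges: ['10.128.0.0/9'],
    allowed: [{ protocol: 'tcp', ports: ['50051'] }], denied: [] },
  { name: 'deny-all', direction: 'INGRESS', priority: 200,
    source_ranges: ['0.0.0.0/0'],
    allowed: [], denied: [{ protocol: 'tcp' }, { protocol: 'udp' }, { protocol: 'icmp' }] }
].freeze

# A spec with no ports ("tcp" alone) matches every port; "1000-2000" is a range.
def port_in_spec?(port, ports)
  return true if ports.nil? || ports.empty?
  ports.any? do |spec|
    lo, hi = spec.split('-').map(&:to_i)
    (lo..(hi || lo)).cover?(port)
  end
end

# Does any protocol/port spec in the rule cover this packet?
def traffic_matches?(specs, packet)
  specs.any? do |spec|
    next true if spec[:protocol] == 'all'
    next false unless spec[:protocol] == packet[:protocol]
    packet[:protocol] == 'icmp' || port_in_spec?(packet[:port], spec[:ports])
  end
end

def source_matches?(rule, packet)
  src = IPAddr.new(packet[:src])
  rule[:source_ranges].any? { |cidr| IPAddr.new(cidr).include?(src) }
end

# A GCP rule is either an allow or a deny rule; nil means it does not match.
def rule_action(rule, packet)
  return :deny  if traffic_matches?(rule[:denied], packet)
  return :allow if traffic_matches?(rule[:allowed], packet)
  nil
end

# GCP precedence: lowest priority number wins; on a tie deny beats allow;
# no match => implied deny for ingress, implied allow for egress.
def decide(rules, packet)
  candidates = rules.map do |rule|
    next unless rule[:direction] == packet[:direction] && source_matches?(rule, packet)
    action = rule_action(rule, packet)
    [rule, action] if action
  end.compact
  if candidates.empty?
    return { action: packet[:direction] == 'INGRESS' ? :deny : :allow, rule: 'implied' }
  end
  rule, action = candidates.min_by { |r, a| [r[:priority], a == :deny ? 0 : 1] }
  { action: action, rule: rule[:name] }
end

# Return a copy of the rule set with one rule's priority changed.
def reprioritize(rules, name, priority)
  rules.map { |r| r[:name] == name ? r.merge(priority: priority) : r }
end

if $PROGRAM_NAME == __FILE__
  ssh = { direction: 'INGRESS', src: '198.51.100.7', protocol: 'tcp', port: 22 }
  p decide(RULES, ssh)                                      # ssh-external allows
  p decide(reprioritize(RULES, 'ssh-external', 300), ssh)   # deny-all now wins
end
```

Moving the SSH rule to priority 300 flips the same packet from allow to deny because deny-all at 200 is now evaluated first; this is why the profile asserts the priority of every rule rather than only its existence and source ranges.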
gcloud: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.9.4'.
Profile: GCP Forseti InSpec Profile (shared-vpc-profile)
Version: 0.1.0
Target: local://
✔ forseti-subnetwork: Check that forseti server and client are on a proper subnet
✔ Command: `gcloud compute instances describe forseti-server-vm-b2b749bd --project aaronlane-forseti-test-3968 --zone us-central1-c --format=json` forseti server should be on shared vpc subnetwork
✔ Command: `gcloud compute instances describe forseti-server-vm-b2b749bd --project aaronlane-forseti-test-3968 --zone us-central1-c --format=json` exit_status should eq 0
✔ Command: `gcloud compute instances describe forseti-server-vm-b2b749bd --project aaronlane-forseti-test-3968 --zone us-central1-c --format=json` stderr should eq ""
✔ Command: `gcloud compute instances describe forseti-client-vm-b2b749bd --project aaronlane-forseti-test-3968 --zone us-central1-c --format=json` forseti server should be on shared vpc subnetwork
✔ Command: `gcloud compute instances describe forseti-client-vm-b2b749bd --project aaronlane-forseti-test-3968 --zone us-central1-c --format=json` exit_status should eq 0
✔ Command: `gcloud compute instances describe forseti-client-vm-b2b749bd --project aaronlane-forseti-test-3968 --zone us-central1-c --format=json` stderr should eq ""
✔ forseti-org-iam: Validate organization roles of SA
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` has all expected org roles
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` exit_status should eq 0
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-b2b749bd@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` stderr should eq ""
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 9 successful, 0 failures, 0 skipped
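Both gcloud controls in this log (the real-time-enforcer one above and forseti-org-iam here) run `gcloud organizations get-iam-policy` flattened on `bindings[].members` and projected to `json(bindings.role)`, then check that the roles found for the service account cover an expected list. The Ruby below is an added example of that matcher logic, not the profile's code. The JSON is a constructed stand-in for gcloud's output in that format (one element per role held by the filtered member), and EXPECTED_ORG_ROLES is a placeholder, not the module's actual role list. It also reports roles beyond the expected set, which a presence-only check such as "has all expected org roles" passes over.

```ruby
require 'json'
require 'set'

# Constructed stand-in for the output of
#   gcloud organizations get-iam-policy ORG_ID \
#     --filter='bindings.members:SA_EMAIL' \
#     --flatten='bindings[].members' --format='json(bindings.role)'
# The extra roles/editor is deliberate, to show what a presence check misses.
SAMPLE_IAM_OUTPUT = <<~JSON
  [
    {"bindings": {"role": "roles/browser"}},
    {"bindings": {"role": "roles/compute.networkViewer"}},
    {"bindings": {"role": "roles/iam.securityReviewer"}},
    {"bindings": {"role": "roles/editor"}}
  ]
JSON

# Placeholder for the roles the module grants (an assumption for this
# example, not the module's real list).
EXPECTED_ORG_ROLES = %w[
  roles/browser
  roles/compute.networkViewer
  roles/iam.securityReviewer
].freeze

# Roles the filtered member actually holds at the organization.
def granted_roles(gcloud_json)
  JSON.parse(gcloud_json).map { |e| e.dig('bindings', 'role') }.compact.to_set
end

def missing_roles(gcloud_json, expected = EXPECTED_ORG_ROLES)
  expected.to_set - granted_roles(gcloud_json)
end

def unexpected_roles(gcloud_json, expected = EXPECTED_ORG_ROLES)
  granted_roles(gcloud_json) - expected.to_set
end

# The question the InSpec matcher asks: are all expected roles present?
def has_all_expected_roles?(gcloud_json, expected = EXPECTED_ORG_ROLES)
  missing_roles(gcloud_json, expected).empty?
end

# Stricter, least-privilege form: exactly the expected roles and nothing more.
def exactly_expected_roles?(gcloud_json, expected = EXPECTED_ORG_ROLES)
  has_all_expected_roles?(gcloud_json, expected) &&
    unexpected_roles(gcloud_json, expected).empty?
end

if $PROGRAM_NAME == __FILE__
  puts "all expected present: #{has_all_expected_roles?(SAMPLE_IAM_OUTPUT)}"
  puts "unexpected: #{unexpected_roles(SAMPLE_IAM_OUTPUT).to_a.inspect}"
end
```

An empty array from gcloud (no bindings for that member) parses to an empty set, so every expected role is reported missing rather than the check silently passing.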
server: Verifying host 10.129.0.9
Skipping profile: 'inspec-gcp' on unsupported platform: 'ubuntu/18.04'.
Profile: GCP Forseti InSpec Profile (shared-vpc-profile)
Version: 0.1.0
Target: ssh://ubuntu@10.129.0.9:22
✔ forseti-command-server: Check that forseti server is running
✔ Command: `sudo systemctl status forseti --no-page` exit_status should eq 0
✔ Command: `sudo systemctl status forseti --no-page` stderr should eq ""
✔ Command: `forseti config show` exit_status should eq 0
✔ Command: `forseti config show` stderr should eq ""
✔ Command: `forseti server configuration get` exit_status should eq 0
✔ Command: `forseti_server` should exist
✔ Command: `forseti_enforcer` should exist
✔ Command: `forseti` should exist
✔ server: Forseti server instance resources
✔ Command: `forseti` should exist
✔ Command: `forseti server configuration get` exit_status should eq 0
✔ Command: `forseti inventory list` exit_status should eq 0
✔ Command: `forseti_server` should exist
✔ Command: `forseti_enforcer` should exist
✔ Command: `python3 -m pip show forseti-security|grep Version` exit_status should eq 0
✔ Command: `python3 -m pip show forseti-security|grep Version` stdout should match "Version: 2.18.0"
✔ Command: `python3 -m pip show forseti-security|grep Version` stderr should cmp == ""
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml should exist
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory configures cai_api_timeout
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory configures inventory_retention_days
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures storage_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures audit_logging_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures bigquery_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures blacklist_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures bucket_acl_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures cloudsql_acl_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures enabled_apis_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures firewall_rule_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures forwarding_rule_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures group_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures iam_policy_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures iap_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures instance_network_interface_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures ke_scanner_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures ke_version_scanner_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures kms_scanner_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures lien_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures location_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures log_sink_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures resource_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures service_account_key_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures cscc_violations_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures cscc_source_id
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures inventory_gcs_summary_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures inventory_email_summary_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures iam_policy_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures audit_logging_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures blacklist_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures bigquery_acl_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures buckets_acl_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures cloudsql_acl_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures enabled_apis_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures firewall_rule_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures forwarding_rule_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures ke_version_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures ke_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures kms_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures groups_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures instance_network_interface_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures iap_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures lien_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures location_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures log_sink_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures resource_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures service_account_key_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures external_project_access_violations_should_notify
✔ File /home/ubuntu/forseti-security/rules/audit_logging_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/audit_logging_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/bigquery_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/bigquery_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/blacklist_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/blacklist_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/bucket_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/bucket_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/cloudsql_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/cloudsql_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/enabled_apis_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/enabled_apis_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/external_project_access_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/external_project_access_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/firewall_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/firewall_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/forwarding_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/forwarding_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/group_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/group_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/iam_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/iam_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/iap_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/iap_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/instance_network_interface_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/instance_network_interface_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/ke_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/ke_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/ke_scanner_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/ke_scanner_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/lien_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/lien_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/location_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/location_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/log_sink_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/log_sink_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/resource_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/resource_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/retention_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/retention_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/role_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/role_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/service_account_key_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/service_account_key_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/groups_settings_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/groups_settings_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/kms_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/kms_rules.yaml is valid YAML
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 156 successful, 0 failures, 0 skipped
forseti-client: Verifying host 10.129.0.10
Skipping profile: 'inspec-gcp' on unsupported platform: 'ubuntu/18.04'.
Profile: GCP Forseti InSpec Profile (shared-vpc-profile)
Version: 0.1.0
Target: ssh://ubuntu@10.129.0.10:22
✔ forseti-command-client: Check that forseti client is running
✔ Command: `forseti config show` exit_status should eq 0
✔ Command: `forseti config show` stderr should eq ""
✔ Command: `forseti config show` stdout should match /'endpoint': '10.129.0.9:50051'/
✔ client: Forseti client instance resources
✔ Command: `forseti` should exist
✔ Command: `forseti config show` exit_status should eq 0
✔ Command: `forseti config show` stdout should match /10.129.0.9:50051/
✔ Command: `forseti inventory list` exit_status should eq 0
✔ Command: `python3 -m pip show forseti-security|grep Version` exit_status should eq 0
✔ Command: `python3 -m pip show forseti-security|grep Version` stdout should match "Version: 2.18.0"
✔ Command: `python3 -m pip show forseti-security|grep Version` stderr should cmp == ""
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_client.yaml should exist
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_client.yaml sets the hostname to the Forseti server IP
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 12 successful, 0 failures, 0 skipped
Finished verifying <shared-vpc-local> (0m34.18s).
-----> Kitchen is finished. (0m36.19s)
bash-4.4# kitchen verify simple-example-local
-----> Starting Kitchen (v1.24.0)
The state file either has no outputs defined, or all the defined
outputs are empty. Please define an output in your configuration
with the `output` keyword and run `terraform refresh` for it to
become available. If you are using interpolation, please verify
the interpolated value is not empty. You can use the
`terraform console` command to assist.
-----> Verifying <simple-example-local>...
$$$$$$ Running command `terraform workspace select kitchen-terraform-simple-example-local` in directory /cft/workdir/test/fixtures/simple_example
$$$$$$ Running command `terraform output -json` in directory /cft/workdir/test/fixtures/simple_example
gcp: Verifying
Profile: simple-example
Version: (not specified)
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com
✔ forseti: Forseti GCP resources
✔ Instance forseti-client-vm-99166e60 should exist
✔ Instance forseti-client-vm-99166e60 machine_size should eq "n1-standard-2"
✔ Instance forseti-server-vm-99166e60 should exist
✔ Instance forseti-server-vm-99166e60 machine_size should eq "n1-standard-2"
✔ google_sql_database_instances instance_names should include /forseti-server-db-*/
✔ Project IAM Binding roles/storage.objectViewer should exist
✔ Project IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/storage.objectCreator should exist
✔ Project IAM Binding roles/storage.objectCreator members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/cloudsql.client should exist
✔ Project IAM Binding roles/cloudsql.client members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/cloudtrace.agent should exist
✔ Project IAM Binding roles/cloudtrace.agent members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/logging.logWriter should exist
✔ Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Project IAM Binding roles/iam.serviceAccountTokenCreator should exist
✔ Project IAM Binding roles/iam.serviceAccountTokenCreator members should include "serviceAccount:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ google_storage_buckets bucket_names should include "forseti-server-99166e60"
✔ google_storage_buckets bucket_names should include "forseti-client-99166e60"
✔ google_storage_buckets bucket_names should include /forseti-cai-export/
✔ google_storage_bucket_objects object_names should include "rules/audit_logging_rules.yaml", "rules/bigquery_rules.yaml", "rules/blacklist_rules.yaml", "rules/bucket_rules.yaml", "rules/cloudsql_rules.yaml", "rules/enabled_apis_rules.yaml", "rules/external_project_access_rules.yaml", "rules/firewall_rules.yaml", "rules/forwarding_rules.yaml", "rules/group_rules.yaml", "rules/groups_settings_rules.yaml", "rules/iam_rules.yaml", "rules/iap_rules.yaml", "rules/instance_network_interface_rules.yaml", "rules/ke_rules.yaml", "rules/ke_scanner_rules.yaml", "rules/lien_rules.yaml", "rules/location_rules.yaml", "rules/log_sink_rules.yaml", "rules/resource_rules.yaml", "rules/retention_rules.yaml", "rules/role_rules.yaml", "rules/service_account_key_rules.yaml", and "rules/kms_rules.yaml"
✔ Service Account "Forseti Client Service Account" email should eq "forseti-client-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Service Account "Forseti Client Service Account" display_name should eq "Forseti Client Service Account"
✔ Service Account "Forseti Server Service Account" email should eq "forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com"
✔ Service Account "Forseti Server Service Account" display_name should eq "Forseti Server Service Account"
✔ Firewall Rule forseti-server-ssh-external-99166e60 source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-server-ssh-external-99166e60 direction should eq "INGRESS"
✔ Firewall Rule forseti-server-ssh-external-99166e60 allowed_ssh? should equal true
✔ Firewall Rule forseti-server-ssh-external-99166e60 priority should eq 100
✔ Firewall Rule forseti-server-allow-grpc-99166e60 allows gRPC traffic
✔ Firewall Rule forseti-server-allow-grpc-99166e60 source_ranges should eq ["10.128.0.0/9"]
✔ Firewall Rule forseti-server-allow-grpc-99166e60 direction should eq "INGRESS"
✔ Firewall Rule forseti-server-allow-grpc-99166e60 priority should eq 100
✔ Firewall Rule forseti-server-deny-all-99166e60 denies TCP, UDP, and ICMP
✔ Firewall Rule forseti-server-deny-all-99166e60 source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-server-deny-all-99166e60 direction should eq "INGRESS"
✔ Firewall Rule forseti-server-deny-all-99166e60 priority should eq 200
✔ Firewall Rule forseti-client-ssh-external-99166e60 source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-client-ssh-external-99166e60 direction should eq "INGRESS"
✔ Firewall Rule forseti-client-ssh-external-99166e60 allowed_ssh? should equal true
✔ Firewall Rule forseti-client-ssh-external-99166e60 priority should eq 100
✔ Firewall Rule forseti-client-deny-all-99166e60 denies TCP, UDP, and ICMP
✔ Firewall Rule forseti-client-deny-all-99166e60 source_ranges should eq ["0.0.0.0/0"]
✔ Firewall Rule forseti-client-deny-all-99166e60 direction should eq "INGRESS"
✔ Firewall Rule forseti-client-deny-all-99166e60 priority should eq 200
Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.11.0
Target: gcp://project-service-account@aaronlane-forseti-test-3968.iam.gserviceaccount.com
No tests executed.
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 45 successful, 0 failures, 0 skipped
server: Verifying host 10.128.0.62
Skipping profile: 'inspec-gcp' on unsupported platform: 'ubuntu/18.04'.
Profile: simple-example
Version: (not specified)
Target: ssh://ubuntu@10.128.0.62:22
✔ server: Forseti server instance resources
✔ Command: `forseti` should exist
✔ Command: `forseti server configuration get` exit_status should eq 0
✔ Command: `forseti inventory list` exit_status should eq 0
✔ Command: `forseti_server` should exist
✔ Command: `forseti_enforcer` should exist
✔ Command: `python3 -m pip show forseti-security|grep Version` exit_status should eq 0
✔ Command: `python3 -m pip show forseti-security|grep Version` stdout should match "Version: 2.18.0"
✔ Command: `python3 -m pip show forseti-security|grep Version` stderr should cmp == ""
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml should exist
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory configures cai_api_timeout
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory configures inventory_retention_days
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures admin_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures appengine_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures bigquery_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudasset_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures cloudbilling_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures compute_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures container_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures crm_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures groups_settings_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures iam_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures logging_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures securitycenter_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures servicemanagement_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_max_calls
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_period
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures sqladmin_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml inventory api_quota configures storage_disable_polling
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures audit_logging_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures bigquery_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures blacklist_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures bucket_acl_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures cloudsql_acl_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures enabled_apis_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures firewall_rule_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures forwarding_rule_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures group_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures iam_policy_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures iap_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures instance_network_interface_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures ke_scanner_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures ke_version_scanner_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures kms_scanner_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures lien_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures location_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures log_sink_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures resource_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml scanner configures service_account_key_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures cscc_violations_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures cscc_source_id
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures inventory_gcs_summary_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier configures inventory_email_summary_enabled
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures iam_policy_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures audit_logging_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures blacklist_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures bigquery_acl_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures buckets_acl_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures cloudsql_acl_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures enabled_apis_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures firewall_rule_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures forwarding_rule_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures ke_version_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures ke_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures kms_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures groups_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures instance_network_interface_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures iap_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures lien_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures location_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures log_sink_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures resource_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures service_account_key_violations_should_notify
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_server.yaml notifier resources configures external_project_access_violations_should_notify
✔ File /home/ubuntu/forseti-security/rules/audit_logging_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/audit_logging_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/bigquery_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/bigquery_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/blacklist_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/blacklist_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/bucket_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/bucket_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/cloudsql_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/cloudsql_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/enabled_apis_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/enabled_apis_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/external_project_access_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/external_project_access_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/firewall_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/firewall_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/forwarding_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/forwarding_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/group_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/group_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/iam_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/iam_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/iap_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/iap_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/instance_network_interface_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/instance_network_interface_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/ke_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/ke_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/ke_scanner_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/ke_scanner_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/lien_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/lien_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/location_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/location_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/log_sink_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/log_sink_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/resource_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/resource_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/retention_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/retention_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/role_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/role_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/service_account_key_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/service_account_key_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/groups_settings_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/groups_settings_rules.yaml is valid YAML
✔ File /home/ubuntu/forseti-security/rules/kms_rules.yaml should exist
✔ File /home/ubuntu/forseti-security/rules/kms_rules.yaml is valid YAML
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 148 successful, 0 failures, 0 skipped
forseti-client: Verifying host 10.128.0.63
Skipping profile: 'inspec-gcp' on unsupported platform: 'ubuntu/18.04'.
Profile: simple-example
Version: (not specified)
Target: ssh://ubuntu@10.128.0.63:22
✔ client: Forseti client instance resources
✔ Command: `forseti` should exist
✔ Command: `forseti config show` exit_status should eq 0
✔ Command: `forseti config show` stdout should match /10.128.0.62:50051/
✔ Command: `forseti inventory list` exit_status should eq 0
✔ Command: `python3 -m pip show forseti-security|grep Version` exit_status should eq 0
✔ Command: `python3 -m pip show forseti-security|grep Version` stdout should match "Version: 2.18.0"
✔ Command: `python3 -m pip show forseti-security|grep Version` stderr should cmp == ""
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_client.yaml should exist
✔ File /home/ubuntu/forseti-security/configs/forseti_conf_client.yaml sets the hostname to the Forseti server IP
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 9 successful, 0 failures, 0 skipped
org-iam: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.9.4'.
Profile: simple-example
Version: (not specified)
Target: local://
✔ forseti-org-iam: Validate organization roles of SA
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` has all expected org roles
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` exit_status should eq 0
✔ Command: `gcloud organizations get-iam-policy 826592752744 --filter='bindings.members:forseti-server-gcp-99166e60@aaronlane-forseti-test-3968.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'` stderr should eq ""
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 3 successful, 0 failures, 0 skipped
Finished verifying <simple-example-local> (0m29.03s).
-----> Kitchen is finished. (0m31.07s)