Forseti Security installation

Please read the article before you start this guide: https://medium.com/forseti-security-how-to-install-it-in-secure-way/forseti-security-prerequisites-55f3fe5e2b3b

We are ready to install Forseti Security. You can find the guide on the Forseti Security project page: https://forsetisecurity.org/docs/latest/setup/index.html.

You will see that there is a set of options: you can install this tool on Compute Engine (GCE) or on a GKE cluster. There are also additional guides, such as how to upgrade or migrate Forseti Security, and another guide on how to install the Real-Time Enforcer option. I will focus on the GCE setup.

The documentation provided by the Forseti Security community is not well prepared. There are gaps, and it doesn’t cover the security rules which I applied to my project during project configuration.

OK. Let’s do it. Let’s install Forseti Security.

What you need before you start:

  1. An account with proper rights: to start the installation you need the Organization Admin role or a service account with these rights: https://forsetisecurity.org/docs/latest/setup/install/roles-and-required-apis.html
  2. The downloaded installation package: use git clone --branch modulerelease521 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git to download version 5.21 (latest); please check the proper link (it might be newer) at https://forsetisecurity.org/docs/latest/setup/install/index.html
  3. The project :) — my project id is forsetisecurityprod

The instruction:

1. Open Cloud Shell

2. Check that you are in the proper context. If the context is wrong (wrong project id), use the command: gcloud config set project [PROJECT_ID]

3. Clone the installation package using:

git clone --branch modulerelease521 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git

4. Go to the folder: cd terraform-google-forseti/

5. Use the helpers/setup.sh script to create a service account with proper rights (Terraform will use this service account, which will have rights to install/update Forseti Security):

. ./helpers/setup.sh -p $DEVSHELL_PROJECT_ID -o [ORGANIZATION_ID] -e

where:

ORGANIZATION_ID = id of your organization (in my example *********)

Tip: If you don’t know your Organization Id, you can find it using gcloud organizations list or in the web console under IAM & Admin -> Manage Resources.

This script runs for a couple of minutes. During this time, it enables the necessary Google APIs and creates a service account for Terraform.

6. Enable the Google Security Command Center API using: gcloud services enable securitycenter.googleapis.com

7. Enable the Forseti Cloud SCC Connector in Google SCC and note the source ID (example: organizations/111111111111/sources/16292510545053912301). You must provide a service account ID; use any service account at this stage.

8. Create the main.tf file. First create a folder (mkdir forsetisecurityprod) and go inside it (cd forsetisecurityprod). Now you can create the main.tf file; you can use vim, nano, or the graphical editor built into Cloud Shell:

You find all config options in the GitHub repository: https://github.com/forseti-security/terraform-google-forseti#inputs

Here is an example with my description:

module "forseti" {
  source  = "terraform-google-modules/forseti/google"
  version = "~> 5.2.1"

  gsuite_admin_email = "emil@xxxxxx.xxx" #GSuite admin account
  domain = "xxxxxxx.xxx" #GSuite domain
  project_id = "forsetisecurityprod" #[PROJECT_ID] where Forseti will be installed
  org_id = "1111111111111" #[ORGANIZATION_ID]
  server_type = "n1-standard-1" #type of server machine — n1-standard-1 is enough for tests
  client_type = "n1-standard-1" #type of client machine — n1-standard-1 is enough for tests
  cloudsql_type = "db-n1-standard-1" #type of CloudSQL machine — db-n1-standard-1 is enough for tests
  inventory_email_summary_enabled = "true"
  inventory_gcs_summary_enabled = "true"
  server_region = "europe-west1" #use region where you created subnet
  client_region = "europe-west1" #use region where you created subnet
  cloudsql_region = "europe-west1" #use region where you created subnet
  storage_bucket_location = "europe-west1" #use region where you created subnet
  bucket_cai_location = "europe-west1" #use region where you created subnet
  forseti_run_frequency = "0 0 */1 * *" #cron job config — the scanner will run every day at 00:00
  network = "forseti-security"
  subnetwork = "forseti-subnet"
  server_private = "true" #it is important to set
  client_private = "true" #it is important to set
  cscc_violations_enabled = "true" #it is important to set
  cscc_source_id = "organizations/111111111111/sources/16292510545053912301" #here is the source ID number which you got in step 7
}
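Most of the mistakes this file invites (a VM left public, a location that does not match the subnet's region, a source ID pasted from the wrong organization) only show up after terraform apply, so it is worth checking before you run terraform init. Here is an added example, my own Python script and not part of the Forseti project or of the original guide: it reads the flat key = "value" assignments of a module block like the one above with a regular expression (not a full HCL parser) and reports settings that violate what the guide marks as important: server_private, client_private and cscc_violations_enabled must be "true", the five location settings must all be the subnet's region, cscc_source_id must have the organizations/<id>/sources/<id> shape and belong to the same organization as org_id, and forseti_run_frequency must be a five-field cron expression. The two embedded configurations are constructed samples with placeholder ids, one correct and one with three mistakes.

```python
"""Lint a Forseti main.tf for the settings this guide marks as important.

Added example (not part of the Forseti project or of the original guide).
It reads the flat key = "value" assignments used in the module block with
a regular expression; it is not a full HCL parser, so nested blocks or
unquoted values would be ignored.
"""
import re
import sys
from typing import Dict, List

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')
SOURCE_ID_RE = re.compile(r"^organizations/(\d+)/sources/\d+$")
CRON_RE = re.compile(r"^(\S+\s+){4}\S+$")  # five whitespace-separated fields

# The guide says these must be set; a public server or client, or CSCC
# export left disabled, is the weak configuration.
MUST_BE_TRUE = ("server_private", "client_private", "cscc_violations_enabled")
# All of these must be the region where the subnet was created.
LOCATION_KEYS = ("server_region", "client_region", "cloudsql_region",
                 "storage_bucket_location", "bucket_cai_location")
REQUIRED = ("project_id", "org_id", "domain", "gsuite_admin_email",
            "network", "subnetwork", "cscc_source_id")


def parse_assignments(hcl: str) -> Dict[str, str]:
    """Collect key = "value" pairs; trailing # comments are ignored by the regex."""
    found: Dict[str, str] = {}
    for line in hcl.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check_forseti_config(hcl: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cfg = parse_assignments(hcl)
    findings: List[str] = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"{key} is missing")
    for key in MUST_BE_TRUE:
        if cfg.get(key, "").lower() != "true":
            findings.append(f'{key} must be "true" (got {cfg.get(key)!r})')
    locations = {key: cfg.get(key) for key in LOCATION_KEYS}
    if len(set(locations.values())) != 1:
        findings.append(f"locations are not all the subnet's region: {locations}")
    src = cfg.get("cscc_source_id", "")
    m = SOURCE_ID_RE.match(src)
    if not m:
        findings.append(f"cscc_source_id is not organizations/<id>/sources/<id>: {src!r}")
    elif cfg.get("org_id") and m.group(1) != cfg["org_id"]:
        findings.append(f"cscc_source_id organization {m.group(1)} != org_id {cfg['org_id']}")
    if not CRON_RE.match(cfg.get("forseti_run_frequency", "")):
        findings.append("forseti_run_frequency is not a five-field cron expression")
    return findings


# Constructed sample: the guide's layout with placeholder ids, everything set.
GOOD_CONFIG = """\
module "forseti" {
  source  = "terraform-google-modules/forseti/google"
  version = "~> 5.2.1"
  gsuite_admin_email = "admin@example.com"
  domain = "example.com"
  project_id = "forsetisecurityprod"
  org_id = "123456789012"
  server_region = "europe-west1"
  client_region = "europe-west1"
  cloudsql_region = "europe-west1"
  storage_bucket_location = "europe-west1"
  bucket_cai_location = "europe-west1"
  forseti_run_frequency = "0 0 */1 * *"
  network = "forseti-security"
  subnetwork = "forseti-subnet"
  server_private = "true" #it is important to set
  client_private = "true"
  cscc_violations_enabled = "true"
  cscc_source_id = "organizations/123456789012/sources/1234567890123456789"
}
"""

# Constructed sample with three mistakes: a public server, a client in another
# region, and a source id copied from a different organization.
WEAK_CONFIG = (GOOD_CONFIG
               .replace('server_private = "true"', 'server_private = "false"')
               .replace('client_region = "europe-west1"', 'client_region = "us-central1"')
               .replace("organizations/123456789012/", "organizations/999999999999/"))

if __name__ == "__main__":
    # Usage: python check_forseti_config.py main.tf (defaults to the weak sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else WEAK_CONFIG
    for finding in check_forseti_config(text) or ["OK: no findings"]:
        print(finding)
```

Run it against your own main.tf before terraform init; an empty result means every setting the guide calls important is in place, and each finding names the key to fix.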

9. Check that you are in the folder with the main.tf file and run terraform init. You should see:

Adjust the main.tf file if you get an error.

10. Now run terraform plan. You should see:

Adjust the main.tf file if you get an error.

11. You are ready to install Forseti Security. Just run terraform apply and type yes when prompted.

12. Wait until done. It takes a few minutes.

13. Now you have to grant access to the G Suite domain. The first step is the service account adjustment. Go to the Cloud Web Console (context: the project where the Forseti server is installed, in my example forsetisecurityprod). Open IAM & Admin -> Service Accounts and find the account named forseti-server-gcp-xxxxxxx@[PROJECT_ID].iam.gserviceaccount.com. Click the three dots in that account’s row and choose Edit:

14. Click Show Domain Delegation and tick the Enable G Suite Domain-wide Delegation box.

15. Type a name (in my example forseti security) in the Product name for the consent screen field.

16. Save changes.

17. Click the name of the service account, then SHOW DOMAIN-WIDE DELEGATION, and copy the Client ID:

18. Open the G Suite admin panel https://admin.google.com and click the Security icon.

19. Click Advanced Settings

20. Click Manage API client access

21. In the Client Name field paste the Client ID; in One or More API Scopes paste the following: https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/apps.groups.settings

22. Click Authorize.

23. Let’s configure Google SCC. Copy the name of the service account and open Security -> Security Command Center.

24. Select the organization name and click SELECT.

25. In the right-upper corner, click the SETTINGS icon.

26. Find Forseti SCC Connector in the list and edit it using the pencil icon.

27. Paste the proper name of the Forseti server service account and SUBMIT the changes.

28. Enable the service connector if needed.

29. You are almost ready to use Forseti Security in your organization. Just two steps remain to finish the configuration. First, secure CloudSQL: you need to change the CloudSQL IP from public to private. Why did we use a public IP instead of a private one? Because Forseti breaks if you install it with a CloudSQL private IP from the start.

30. Open the Google Cloud Web Console and choose SQL. Next, click the Instance ID whose name is forseti-server-db-*

31. Click Connections. You will see a screen similar to this:

32. Unmark Public IP and mark Private IP. Follow the instructions.

33. Go to Compute Engine in Google Cloud Web Console.

34. Click the triangle next to the SSH button in the forseti-server-vm-* row and click View gcloud command

35. Click RUN IN CLOUD SHELL. You will be logged in to the Linux machine. Reboot it using sudo reboot.

36. Repeat these steps with forseti-client-vm-*

37. Get coffee and wait for 5–10 minutes.

38. Go to Compute Engine in Google Cloud Web Console.

39. Click the triangle next to the SSH button in the forseti-server-vm-* row and click View gcloud command

40. Click RUN IN CLOUD SHELL. You will be logged in to the Linux machine.

41. Now you can create the inventory. Type forseti inventory create and, when the first command finishes, forseti inventory list. You will see:

42. Next, create a model using the command: forseti model create [MODEL_NAME] --inventory_index_id [INDEX_ID]

where:

MODEL_NAME is your model name

INDEX_ID is the id you found in step 41

43. Type forseti model use [MODEL_NAME]

44. Type forseti scanner run

45. Wait approximately one day, and you will see findings in Google Security Command Center.

Well done. You have installed Forseti Security. The next articles will show you how to customize Forseti Security, how to enable mail alerts, and how to run Forseti Visualiser.
