The install is pretty simple since it’s contained within a Deployment Manager template. Deployment Manager automates infrastructure deployments of Google Cloud Platform resources. I’m going to highlight some of the notes from the official Forseti documentation in this post for completeness.
You’ll need a GCP project dedicated to Forseti Security and an account with the Organization Administrator role. Open up Google Cloud Shell and clone the repo:
$ git clone -b master --single-branch \
    https://github.com/GoogleCloudPlatform/forseti-security
Navigate to the setup directory:
$ cd forseti-security/scripts/gcp_setup
Execute the script:
$ python setup_forseti.py
One thing to note: if the Organization Administrator role is granted to a G Suite group rather than directly to your user, the setup script will fail. The role needs to be bound at the user level. [Setup fails to detect Org Admin role when Org Admin is a Google Group #780]
firstname.lastname@example.org is Org Admin? False
You do not have the necessary roles to grant roles that Forseti needs. Please have someone who is an Org Admin and either Project Editor or Project Owner for this project to run this setup. Exiting.
When the script runs you’ll be prompted for a SendGrid API key. Google is working to support standard SMTP relay instead. [Enable email alerts via G Suite domain as alternative to SendGrid #749] & [Enable email alerts through arbitrary relaying mail servers (via hostname/port) #770]
After this, the setup script will create all the resources needed to get up and running. You can check out all of them in Deployment Manager. At a high level it creates a couple of service accounts, a Google Cloud SQL instance, a Cloud SQL database, a Storage bucket and a Google Compute Engine VM instance.
Forseti can collect data on your G Suite groups. To do this you’ll need to enable G Suite Google Groups Collection. The documentation to do this is here.
NOTE: Make sure you enable G Suite Domain-wide Delegation for the forseti-gsuite-reader service account; the Python setup script does not appear to do this for you.
If you don’t have this set up correctly you’ll see a partial success on your inventory snapshot notifications.
You’ll know you’re good to go if you see a count for groups and groups_members:
Since we did this from Cloud Shell, config changes are made locally there and pushed to your Google Cloud Storage bucket. First copy the config the setup created for you:
$ cd configs
$ cp forseti_conf_dm.yaml forseti_conf.yaml
From then on, edit this file and copy it to your bucket:
$ vi forseti_conf.yaml
$ gsutil cp forseti_conf.yaml gs://forseti-prod-data-155241/configs/forseti_conf.yaml
SSH into the VM instance the deployment created and you’ll see that Forseti simply runs from the ubuntu user’s crontab, which calls a script in /home/ubuntu named run_forseti.sh; that script copies the config and rules down from the bucket on every run:
# Put the config files in place.
gsutil cp gs://forseti-prod-data-155241/configs/forseti_conf.yaml \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml
gsutil cp -r gs://forseti-prod-data-155241/rules \
    /home/ubuntu/forseti-security/

# Bail out if the config never arrived (the copy above may have failed).
if [ ! -f /home/ubuntu/forseti-security/configs/forseti_conf.yaml ]; then
    echo Forseti conf not found, exiting.
    exit 1
fi

# inventory command
/usr/local/bin/forseti_inventory --forseti_config \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml

# scanner command
/usr/local/bin/forseti_scanner --forseti_config \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml

# notifier command
/usr/local/bin/forseti_notifier --forseti_config \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml
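The cron wrapper above runs the three stages unconditionally: if the bucket copy fails, or the inventory step dies halfway, the scanner and notifier still run and may report against stale data, and a slow inventory can overlap the next cron slot. The following is an added example of a hardened variant, written for this post and not the script shipped by the Forseti deployment. It keeps the bucket name and paths from the post, resolves gsutil and the forseti_* binaries from PATH rather than /usr/local/bin so they can be stubbed, and assumes a cron entry that invokes it as `run_forseti.sh run`; the fail-closed config check, the stop-on-first-failure pipeline and the mkdir lock are the additions.

```shell
#!/bin/sh
# Hardened run_forseti.sh (added example, not the deployment's own script).
# Assumptions: bucket name and paths as in the post; gsutil and the
# forseti_* binaries are found on PATH (the deployed script uses
# /usr/local/bin/forseti_*); cron calls this file with the argument "run".

FORSETI_HOME="${FORSETI_HOME:-/home/ubuntu/forseti-security}"
FORSETI_BUCKET="${FORSETI_BUCKET:-gs://forseti-prod-data-155241}"
FORSETI_CONF="$FORSETI_HOME/configs/forseti_conf.yaml"
LOCK_DIR="${LOCK_DIR:-/tmp/run_forseti.lock}"

log() { printf '%s run_forseti: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >&2; }

# Copy config and rules from the bucket. Fails closed: a failed copy or a
# missing/empty config after the copy is an error instead of a silent continue.
fetch_config() {
    mkdir -p "$FORSETI_HOME/configs" || return 1
    gsutil cp "$FORSETI_BUCKET/configs/forseti_conf.yaml" "$FORSETI_CONF" || {
        log "could not fetch forseti_conf.yaml from $FORSETI_BUCKET"; return 1; }
    gsutil cp -r "$FORSETI_BUCKET/rules" "$FORSETI_HOME/" || {
        log "could not fetch rules from $FORSETI_BUCKET"; return 1; }
    if [ ! -s "$FORSETI_CONF" ]; then
        log "Forseti conf not found or empty after copy, exiting."
        return 1
    fi
    return 0
}

# Run inventory -> scanner -> notifier and stop at the first failure, so the
# scanner never runs on a half-built inventory and the notifier never reports
# on a scan that did not complete.
run_pipeline() {
    for step in forseti_inventory forseti_scanner forseti_notifier; do
        log "starting $step"
        "$step" --forseti_config "$FORSETI_CONF" || {
            log "$step failed; aborting remaining steps"; return 1; }
    done
    return 0
}

# mkdir is atomic, so it serves as a lock that keeps two cron invocations
# (e.g. a slow inventory overlapping the next schedule) from running at once.
# Returns 0 on success, 1 on a fetch/pipeline failure, 2 when a run is active.
run_forseti_cycle() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log "another run is still in progress ($LOCK_DIR exists); skipping"
        return 2
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT HUP INT TERM
    if fetch_config && run_pipeline; then rc=0; else rc=$?; fi
    rmdir "$LOCK_DIR"
    trap - EXIT HUP INT TERM
    return $rc
}

# Only run the cycle when invoked as `run_forseti.sh run` (the cron entry).
if [ "${1:-}" = "run" ]; then
    run_forseti_cycle
fi
```

The non-zero exit codes matter for cron: a failed fetch or stage produces mail (or a log line, if cron output is redirected) instead of the silent partial run the original wrapper allows, and the distinct code 2 for "skipped, still running" makes overlapping schedules visible rather than a mystery of duplicated inventory snapshots.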
Updates to Forseti should be pretty easy as well. Simply run a git pull in the repo back on your Cloud Shell and update the deployment. The deployment file will be in the deployment-templates directory and is named after the deployment. Check the newly pulled deploy-forseti.yaml.sample and update yours if it has anything new in it, then deploy:
$ gcloud deployment-manager deployments update forseti-security-20171022155241 \
    --config deploy-forseti-20171022155241.yaml
The bulk of the cost is here:
Next post will be around the data it’s generating and digging into the rules more to really understand what can be learned from a tool like this.