Quick Install of Forseti Security on Google Cloud Platform

Brett Curtis
Dec 9, 2017 · 4 min read

Forseti Security is a security tool built for Google Cloud Platform. It can keep track of your environment, monitor your policies and, in the future, even enforce them.

The install is pretty simple since it’s contained within a Deployment Manager template; Deployment Manager automates infrastructure deployments of Google Cloud Platform resources. I’m going to highlight some of the notes from the official Forseti documentation in this post for completeness.

You’ll need a GCP project dedicated to Forseti Security and an account with the Organizational Administrator role. Open up Google Cloud Shell and clone the repo:

$ git clone -b master --single-branch \
    https://github.com/GoogleCloudPlatform/forseti-security

Navigate to the setup directory:

$ cd forseti-security/scripts/gcp_setup

Execute the script:

$ python setup_forseti.py

One thing to note: if the IAM roles in your organization are granted to G Suite groups rather than to individual users, the setup script will fail. The Organizational Administrator role needs to be granted at the user level; otherwise you will see this:

user@domain.com is Org Admin? False
You do not have the necessary roles to grant roles that Forseti needs. Please have someone who is an Org Admin and either Project Editor or Project Owner for this project to run this setup. Exiting.
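The check above only recognizes a direct user binding. As an added example (not part of the post or of Forseti), the helper below reads an organization IAM policy in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns and reports whether a user is bound to Org Admin directly or whether the role is only held by groups, which is the case the setup script rejects; the policy document and e-mail addresses are constructed sample data, and the function names are hypothetical.

```python
import json

ORG_ADMIN_ROLE = "roles/resourcemanager.organizationAdmin"

# Constructed sample policy: alice is bound directly to Org Admin,
# while the role is otherwise granted only through a G Suite group.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:gcp-admins@example.com", "user:alice@example.com"]},
    {"role": "roles/owner",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def org_admin_status(policy, email):
    """Return (direct, groups): True if `email` is bound directly to Org Admin,
    plus the list of groups that hold the role (group membership is not visible
    in the policy, so a group binding alone does not satisfy the setup check)."""
    direct = False
    groups = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != ORG_ADMIN_ROLE:
            continue
        for member in binding.get("members", []):
            if member == "user:" + email:
                direct = True
            elif member.startswith("group:"):
                groups.append(member.split(":", 1)[1])
    return direct, sorted(groups)


def explain(policy, email):
    """Render the result in the same style as the setup script's message."""
    direct, groups = org_admin_status(policy, email)
    if direct:
        return "%s is Org Admin? True" % email
    if groups:
        return ("%s is Org Admin? False (role is bound only to groups: %s; "
                "grant it to the user directly before running setup_forseti.py)"
                % (email, ", ".join(groups)))
    return "%s is Org Admin? False" % email


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com"):
        print(explain(SAMPLE_POLICY, user))
```

To check a real organization, replace SAMPLE_POLICY with the parsed output of the gcloud command named in the lead-in.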

Once the script runs you’ll be prompted for an API key for sending notifications. Google is working to support a standard SMTP relay.

After this, the setup script will create all the resources needed to get up and running. You can check out all of them in Deployment Manager. At a high level it creates a couple of service accounts, a Google Cloud SQL instance, a Google Cloud SQL database, a Storage Bucket and a Google Compute Engine VM instance.

Forseti can collect data on your G Suite groups. To do this you’ll need to enable G Suite Google Groups Collection; the steps are in the official Forseti documentation.

NOTE: Make sure you enable G Suite Domain-wide Delegation for the forseti-gsuite-reader service account; I did not see that step in the Python setup script.

If you don’t have this set up correctly you’ll see a partial success in your inventory snapshot notifications.

You’ll know you’re good to go if you see a count for groups and groups_members:

Since we did this from Cloud Shell, if you want to modify your config you will edit it locally there and push it to your Google Cloud Storage bucket. First copy the config the setup created for you:

$ cd configs
$ cp forseti_conf_dm.yaml forseti_conf.yaml

Moving forward edit this file and copy it to your bucket:

$ vi forseti_conf.yaml
$ gsutil cp forseti_conf.yaml gs://forseti-prod-data-155241/configs/forseti_conf.yaml

SSH into the VM instance the deployment created for you and you’ll see that Forseti simply runs from the ubuntu user’s cron, which calls a script in /home/ubuntu called run_forseti.sh; that script copies the config and rules down from the bucket on each run.

#!/bin/bash

# Put the config files in place.
gsutil cp gs://forseti-prod-data-155241/configs/forseti_conf.yaml \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml
gsutil cp -r gs://forseti-prod-data-155241/rules \
    /home/ubuntu/forseti-security/

if [ ! -f /home/ubuntu/forseti-security/configs/forseti_conf.yaml ]; then
    echo "Forseti conf not found, exiting."
    exit 1
fi

# inventory command
/usr/local/bin/forseti_inventory --forseti_config \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml
# scanner command
/usr/local/bin/forseti_scanner --forseti_config \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml
# notifier command
/usr/local/bin/forseti_notifier --forseti_config \
    /home/ubuntu/forseti-security/configs/forseti_conf.yaml

Updates to Forseti should be pretty easy as well. Simply run a git pull in the repo back in your Cloud Shell and update the deployment. The deployment file will be in the deployment-templates directory and is named after the deployment. Check the newly pulled deploy-forseti.yaml.sample, update yours if it has anything new in it, and deploy:

gcloud deployment-manager deployments update forseti-security-20171022155241 --config deploy-forseti-20171022155241.yaml

The bulk of the cost is here:

Next post will be around the data it’s generating and digging into the rules more to really understand what can be learned from a tool like this.

Google Cloud Platform - Community

A collection of technical articles published or curated by Google Cloud Platform Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.
