
Allow inspec to query cloud armor security policies

Open pburnet-lbg opened this issue 5 years ago • 3 comments

General summary

I would like to query the Cloud Armor security policy so that I can evaluate whether the correct rules are being enforced.

Detailed Description

We want to check the configuration of a Cloud Armor security policy.

In gcloud I would use the following commands:

To get a list of policies:

command: gcloud beta compute security-policies list

response:

NAME
my-policy

then:

command: gcloud compute security-policies describe my-policy

response:

    creationTimestamp: '2020-02-27T05:19:22.589-08:00'
    description: block bad traffic
    fingerprint: WDKha0Ove8k=
    id: '3235253576087011125'
    kind: compute#securityPolicy
    name: my-policy
    rules:
    - action: deny(403)
      description: ''
      kind: compute#securityPolicyRule
      match:
        expr:
          expression: evaluatePreconfiguredExpr('xss-stable')
      preview: false
      priority: 1000
    - action: deny(403)
      description: ''
      kind: compute#securityPolicyRule
      match:
        expr:
          expression: evaluatePreconfiguredExpr('sqli-stable')
      preview: false
      priority: 1001
    - action: deny(404)
      description: default rule
      kind: compute#securityPolicyRule
      match:
        config:
          srcIpRanges:
          - '*'
        versionedExpr: SRC_IPS_V1
      preview: false
      priority: 2147483647
    selfLink: https://www.googleapis.com/compute/v1/projects/compliance1-infraprov-9cc2/global/securityPolicies/my-policy

I would then be able to test the rules that are in place to see if they have the correct expression, priority, scope, allowed IP ranges, etc.

Context

We require this to be able to confirm that the load balancers we have provisioned have the correct settings so we are not exposed to SQL injection or XSS attacks. We would also like to confirm that a load balancer only allows connections from a defined IP whitelist.

Possible Implementation

Adding a module for gcloud compute security-policies should fix it.

pburnet-lbg avatar Feb 27 '20 16:02 pburnet-lbg
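The checks the issue asks for (the preconfigured XSS and SQLi rules are present, deny, and are not in preview; the default rule denies; any allow rule only admits a defined IP list) can be expressed over the `describe` output quoted above. The following is an added example in plain Ruby, not code from the inspec-gcp project or from the issue author; it parses the YAML that gcloud prints and returns a list of findings. The sample policy is the one quoted in the issue, the required rule-set names and the allowed range `203.0.113.0/24` are constructed for the example, and the fixed default-rule priority is taken from the quoted output.

```ruby
require 'yaml'

# Constructed sample input: the `gcloud compute security-policies describe my-policy`
# output quoted in the issue, laid out as the YAML gcloud prints.
SAMPLE_POLICY = <<~YAML
  creationTimestamp: '2020-02-27T05:19:22.589-08:00'
  description: block bad traffic
  fingerprint: WDKha0Ove8k=
  id: '3235253576087011125'
  kind: compute#securityPolicy
  name: my-policy
  rules:
  - action: deny(403)
    description: ''
    kind: compute#securityPolicyRule
    match:
      expr:
        expression: evaluatePreconfiguredExpr('xss-stable')
    preview: false
    priority: 1000
  - action: deny(403)
    description: ''
    kind: compute#securityPolicyRule
    match:
      expr:
        expression: evaluatePreconfiguredExpr('sqli-stable')
    preview: false
    priority: 1001
  - action: deny(404)
    description: default rule
    kind: compute#securityPolicyRule
    match:
      config:
        srcIpRanges:
        - '*'
      versionedExpr: SRC_IPS_V1
    preview: false
    priority: 2147483647
  selfLink: https://www.googleapis.com/compute/v1/projects/compliance1-infraprov-9cc2/global/securityPolicies/my-policy
YAML

# Priority of the default rule, as shown in the quoted describe output.
DEFAULT_RULE_PRIORITY = 2_147_483_647

def load_policy(yaml_text)
  YAML.safe_load(yaml_text)
end

# Map each preconfigured WAF rule-set name (e.g. 'xss-stable') to the rule
# that evaluates it via evaluatePreconfiguredExpr(...).
def preconfigured_rules(policy)
  policy.fetch('rules', []).each_with_object({}) do |rule, acc|
    expr = rule.dig('match', 'expr', 'expression').to_s
    m = expr.match(/\AevaluatePreconfiguredExpr\('([^']+)'\)\z/)
    acc[m[1]] = rule if m
  end
end

def denies?(rule)
  rule['action'].to_s.start_with?('deny(')
end

# Returns human-readable findings; an empty list means the policy meets the
# expectations described in the issue. Rule-set names and allowed ranges are
# hypothetical inputs chosen by the caller.
def check_policy(policy, required_rulesets: %w[xss-stable sqli-stable], allowed_ranges: [])
  findings = []
  rules = policy.fetch('rules', [])
  pre = preconfigured_rules(policy)

  # 1. Each required WAF rule set must be present, deny, and actually enforced.
  required_rulesets.each do |name|
    rule = pre[name]
    if rule.nil?
      findings << "missing preconfigured rule #{name}"
    elsif !denies?(rule)
      findings << "#{name} rule action is #{rule['action']}, expected deny"
    elsif rule['preview']
      findings << "#{name} rule is in preview mode and is not enforced"
    end
  end

  # 2. The default rule must deny, otherwise anything not matched above is let in.
  default = rules.find { |r| r['priority'] == DEFAULT_RULE_PRIORITY }
  if default.nil?
    findings << 'no default rule found'
  elsif !denies?(default)
    findings << "default rule action is #{default['action']}, so unlisted sources are allowed"
  end

  # 3. Any non-deny rule may only admit source ranges from the allowed list.
  rules.reject { |r| denies?(r) }.each do |rule|
    extra = Array(rule.dig('match', 'config', 'srcIpRanges')) - allowed_ranges
    next if extra.empty?
    findings << "allow rule at priority #{rule['priority']} admits #{extra.join(', ')} outside the allowed list"
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  findings = check_policy(load_policy(SAMPLE_POLICY), allowed_ranges: ['203.0.113.0/24'])
  puts(findings.empty? ? 'policy OK' : findings)
end
```

The same three checks map directly onto InSpec `describe` blocks once a resource exposes a policy's `rules` with their `action`, `priority`, `preview` and `match` fields, which is what the requested module would provide.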

@slevenick any estimate from your side as to when this could be added? Cheers Adrian

lhasadreams avatar Mar 02 '20 10:03 lhasadreams

Looks like a relatively normal API: https://cloud.google.com/compute/docs/reference/rest/v1/securityPolicies/get

It shouldn't be too hard for me to add support for this once https://github.com/inspec/inspec-gcp/pull/226 goes in.

I'd guess 1-2 weeks after that gets merged, given there are a decent number of requests currently waiting on that.

slevenick avatar Mar 02 '20 17:03 slevenick

https://github.com/GoogleCloudPlatform/magic-modules/pull/3372 addresses this. Expected soon.

slevenick avatar Apr 13 '20 21:04 slevenick