Forseti Visualizer — must-have.

Emil Dabrowski
8 min read · Jun 19, 2020


This story describes how to install Forseti Visualizer, the application that provides a graphical interface to Forseti findings. More information about it is available at:

Here is a guide to installing Forseti Visualizer securely. Before you start, complete the prerequisite steps and the Forseti installation:

OK, let's start. What we need:

  • A service account that the virtual machine runs as and that is used for the connection to Google Cloud SQL.
  • A Debian server for the application (Node.js 10).
  • A certificate with associated DNS records.
  • A Google HTTPS Load Balancer.
  • Google Identity-Aware Proxy (IAP).

1. First step: create a service account. You can use the Google Cloud Console or the Google Cloud SDK; here is the SDK way:

gcloud iam service-accounts create forseti-visualiser --project [PROJECT_ID]

In my example:

2. Grant the forseti-visualiser account the Cloud SQL Client role and generate key.json for Cloud SQL Proxy authentication:

gcloud projects add-iam-policy-binding [PROJECT_ID] \
--member serviceAccount:forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com \
--role roles/cloudsql.client
gcloud iam service-accounts keys create key.json \
--iam-account=forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com

key.json is a long-lived credential, so treat it like a password: keep it out of source control, delete the Cloud Shell copy once it is on the server (step 8), and rotate it. Because the VM in step 3 runs as this same service account, Cloud SQL Proxy can instead authenticate through the instance metadata server with no key file at all, provided the VM is created with the https://www.googleapis.com/auth/sqlservice.admin scope (or cloud-platform); in that case skip the key and drop the -credential_file flag in step 10.

In my example:

3. Create the Linux server that will host the application. --no-address gives it no public IP; you will reach it through IAP TCP forwarding in step 6:

gcloud beta compute --project=[PROJECT_ID] \
instances create forseti-visualiser \
--zone=[ZONE] --machine-type=n1-standard-1 \
--service-account=forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com \
--image-project=debian-cloud \
--no-address \
--image=debian-9-stretch-v20200618 \
--subnet=[SUBNET]

Where:

[ZONE] — a zone where the Forseti Server is installed (in my example: europe-west1-c)

[SUBNET] — subnet where Forseti Security is installed (in my example: forseti-subnet)

4. Before logging in to the new machine, you need the Cloud SQL connection name. First, list the Cloud SQL instances:

gcloud sql instances list

In my example:

5. Find the instance named forseti-server-db-xxx (referred to as [DB_SERVER] below) and run:

gcloud sql instances describe [DB_SERVER] |grep connectionName

In my example:

Remember this value (used as [DB_CONNECTION])

6. Log in to the new machine from Cloud Shell; --tunnel-through-iap is what makes this work for a VM with no public address:

gcloud beta compute ssh --zone [ZONE] forseti-visualiser --tunnel-through-iap --project [PROJECT_ID]

In my example:

7. Become root and create the /cloudsqlproxy directory:

sudo su
mkdir /cloudsqlproxy
cd /cloudsqlproxy

8. Copy the key.json file created in step 2 to the machine. Any tool will do; here is the Cloud Shell way:

gcloud beta compute scp key.json \
[YOUR_LOGIN]@forseti-visualiser:key.json \
--tunnel-through-iap --project [PROJECT_ID] \
--zone [ZONE]

in my example:

Next, on the forseti-visualiser machine, move key.json into /cloudsqlproxy. Make sure only root can read it (mode 0600; the proxy service below runs as root), and delete the copy left in your home directory and in Cloud Shell:

mv /home/[YOUR_LOGIN]/key.json /cloudsqlproxy/

9. Download the Cloud SQL Proxy binary (source: https://cloud.google.com/sql/docs/mysql/connect-external-app#proxy):

wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy

10. Create the cloud-sql-proxy service. tcp:3306 makes the proxy listen on 127.0.0.1 only, so the database is reachable just from processes on this host. It runs as root here, as in the original setup; nothing in it needs root (3306 is an unprivileged port), so a dedicated system user that owns /cloudsqlproxy is the tighter choice if you want to go further:

cat > /lib/systemd/system/cloud-sql-proxy.service << EOF
[Unit]
Description=Google Cloud Compute Engine SQL Proxy
Requires=networking.service
After=networking.service
[Service]
Type=simple
WorkingDirectory=/cloudsqlproxy
ExecStart=/cloudsqlproxy/cloud_sql_proxy -dir=/cloudsqlproxy/cloud-sql-proxy -instances=[DB_CONNECTION]=tcp:3306 -credential_file=/cloudsqlproxy/key.json
Restart=always
StandardOutput=journal
User=root
[Install]
WantedBy=multi-user.target
EOF

11. Register and start the service:

systemctl daemon-reload
systemctl enable cloud-sql-proxy.service
systemctl start cloud-sql-proxy

12. Install Node.js and the libraries. The NodeSource setup script below is piped straight from the network into a root shell, which is the common pattern but worth pausing on for a security host: download it, read it, and then run it. Node.js 10 was current when this was written and reached end of life in April 2021, so on a fresh install check which release the visualizer currently supports:

curl -sL https://deb.nodesource.com/setup_10.x | bash -
apt-get install -y nodejs
npm install -g @vue/cli
npm install d3
cd /

13. Fetch the Forseti Visualizer sources:

apt install git
git clone https://github.com/forseti-security/forseti-visualizer.git
cd forseti-visualizer/forseti-visualizer-ui/

14. Now install the Forseti Visualizer dependencies:

npm install
npm audit fix
npm update yargs-parser
npm audit

You should see the following:

15. Run build:

npm run build

You should see:

16. Now configure the backend. You need a MySQL user and password. You can create a new user and grant it access to the database, or reuse the existing Forseti MySQL user forseti_security_user. A dedicated user limited to SELECT on the forseti_security schema is the least-privilege option, since forseti_security_user is the server's own read-write account; the rest of this guide reuses it for simplicity. To get its password, log in to the Forseti Security server: open a new Cloud Shell window, use SSH -> View gcloud command in the Console, and copy and paste that command into the new Cloud Shell window.

In my example:

17. Use the following command after login:

sudo more /lib/systemd/system/forseti.service |grep forseti_security_user

in my example:

18. Copy the string that follows forseti_security_user: in that line; that is [DB_PASSWORD].

19. Go back to forseti-visualiser and continue the installation, replacing [DB_PASSWORD] and [PROJECT_ID]:

cd ../forseti-api/
cat > source.env << EOF
export API_HOST="0.0.0.0"
export API_PORT="80"
export CLOUDSQL_HOSTNAME="127.0.0.1"
export CLOUDSQL_USERNAME="forseti_security_user"
export CLOUDSQL_PASSWORD="[DB_PASSWORD]"
export CLOUDSQL_SCHEMA="forseti_security"
export PROJECT_ID="[PROJECT_ID]"
EOF
sudo npm install
sudo npm audit fix
source source.env
npm start

source.env now holds the database password in clear text, so restrict it to mode 0600. npm start runs the API in the foreground, as root, on port 80; that is fine for checking the install, but for anything longer-lived wrap it in a systemd unit the way the proxy is.

20. Now create an unmanaged instance group and add the forseti-visualiser server to it:

gcloud compute --project=[PROJECT_ID] instance-groups unmanaged create forseti-visualiser-ig --zone=[ZONE]
gcloud compute --project=[PROJECT_ID] instance-groups unmanaged add-instances forseti-visualiser-ig --zone=[ZONE] --instances=forseti-visualiser

in my example:

21. The Forseti Visualizer is running now, but nothing can reach it yet. The next steps build a secured path to it through a Google HTTPS Load Balancer and IAP. Open Cloud Shell and reserve a global static IP:

gcloud compute addresses create forseti-visualiser --global --project [PROJECT_ID]
gcloud compute addresses list

In my example:

Then register that address in your DNS provider as an A record for [FQDN].

22. Now create a Google-managed certificate for that name:

gcloud beta compute ssl-certificates create forseti-visualiser --domains=[FQDN] --global --project=[PROJECT_ID]

Where [FQDN] is the fully qualified domain name registered in step 21.

in my example:

23. You need a firewall rule that allows the load balancer to reach the server on port 80. The source ranges are the ones Google's load balancers and health checkers use, and the rule is scoped to the VM's service account rather than a network tag; since the VM has no public address, port 80 is not reachable from anywhere else:

gcloud compute --project=[PROJECT_ID] \
firewall-rules create lb-to-forseti-visualiser \
--direction=INGRESS --priority=100 --network=[NETWORK] \
--action=ALLOW --rules=tcp:80 \
--source-ranges=130.211.0.0/22,35.191.0.0/16 \
--target-service-accounts=forseti-visualiser@[PROJECT_ID].iam.gserviceaccount.com

in my example:

24. It is time to create the load balancer. Run:

gcloud compute health-checks create http forseti-visualiser-hc --port 80 --project [PROJECT_ID]
gcloud compute backend-services create forseti-visualiser-backend \
--protocol HTTP \
--health-checks forseti-visualiser-hc \
--global \
--project [PROJECT_ID]

in my example:

gcloud compute backend-services add-backend forseti-visualiser-backend \
--instance-group=forseti-visualiser-ig \
--instance-group-zone=[ZONE] \
--global \
--project [PROJECT_ID]
gcloud compute url-maps create forseti-https \
--default-service forseti-visualiser-backend \
--project [PROJECT_ID]
gcloud compute target-https-proxies create \
forseti-visualiser-proxy --url-map forseti-https \
--ssl-certificates forseti-visualiser \
--project [PROJECT_ID]

in my example:

gcloud compute forwarding-rules create forseti-frontend \
--global \
--target-https-proxy=forseti-visualiser-proxy \
--ports=443 \
--address=[IP_ADDRESS] \
--project=[PROJECT_ID]

Where [IP_ADDRESS] is the address reserved in step 21 (gcloud compute addresses list shows it; the reserved name forseti-visualiser is also accepted by --address).

in my example:

25. Now open a web browser and connect to https://[FQDN]. Do not be confused if you see a TLS error such as CIPHER_ERROR at first; check the state of your certificate using:

gcloud compute ssl-certificates list

A managed certificate is only issued once the DNS record resolves to the load balancer address, and it can take a while after that; wait until its status shows ACTIVE (roughly 10 minutes in my case) and then retry.

26. Now secure access to Forseti Visualizer with Google Identity-Aware Proxy. First, enable the IAP API:

gcloud services enable iap.googleapis.com --project [PROJECT_ID]

27. Open the Cloud Console and go to Security -> Identity-Aware Proxy.

28. Select the row for forseti-visualiser-backend.

29. Tick the checkbox and click CONFIGURE.

30. Review the summary; if everything is correct, tick the checkbox.

31. Click TURN ON.

32. Select forseti-visualiser-backend and click ADD MEMBER.

33. Enter the Google group of people who should have access to Forseti Visualizer and grant it the role IAP-secured Web App User. Note that IAP only guards traffic that arrives through the load balancer; the backend itself still answers plain HTTP on port 80 to whatever the firewall lets in.

34. Well done! You have installed and secured Forseti Visualizer.

