-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
286 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| metadata: | ||
| id: fe083488-fa0f-5408-9624-ac27607ac2ff | ||
| name: Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | ||
| profile_applicability: '* Level 2' | ||
| description: |- | ||
| Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. | ||
| Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. | ||
| It is recommended that Flow Logs be enabled for every business-critical VPC subnet. | ||
| rationale: |- | ||
| VPC networks and subnetworks not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions where GCP resources can be launched. | ||
| When Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. | ||
| Each VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet. | ||
| If two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows. | ||
| Flow Logs supports the following use cases: | ||
| - Network monitoring | ||
| - Understanding network usage and optimizing network traffic expenses | ||
| - Network forensics | ||
| - Real-time security analysis | ||
| Flow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect anomalous traffic or provide insight during security workflows. | ||
| The Flow Logs must be configured such that all network traffic is logged, the interval of logging is granular to provide detailed information on the connections, no logs are filtered, and metadata to facilitate investigations are included. | ||
| **Note**: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC flow logs. | ||
| audit: |- | ||
| **From Google Cloud Console** | ||
| 1. Go to the VPC network GCP Console visiting `https://console.cloud.google.com/networking/networks/list` | ||
| 2. From the list of network subnets, make sure for each subnet: | ||
| - `Flow Logs` is set to `On` | ||
| - `Aggregation Interval` is set to `5 sec` | ||
| - `Include metadata` checkbox is checked | ||
| - `Sample rate` is set to `100%` | ||
| **Note**: It is not possible to determine if a Log filter has been defined from the console. | ||
| **From Google Cloud CLI** | ||
| ``` | ||
| gcloud compute networks subnets list --format json | \ | ||
| jq -r '(["Subnet","Purpose","Flow_Logs","Aggregation_Interval","Flow_Sampling","Metadata","Logs_Filtered"] | (., map(length*"-"))), | ||
| (.[] | | ||
| [ | ||
| .name, | ||
| .purpose, | ||
| (if has("enableFlowLogs") and .enableFlowLogs == true then "Enabled" else "Disabled" end), | ||
| (if has("logConfig") then .logConfig.aggregationInterval else "N/A" end), | ||
| (if has("logConfig") then .logConfig.flowSampling else "N/A" end), | ||
| (if has("logConfig") then .logConfig.metadata else "N/A" end), | ||
| (if has("logConfig") then (.logConfig | has("filterExpr")) else "N/A" end) | ||
| ] | ||
| ) | | ||
| @tsv' | \ | ||
| column -t | ||
| ``` | ||
| The output of the above command will list: | ||
| - each subnet | ||
| - the subnet's purpose | ||
| - a `Enabled` or `Disabled` value if `Flow Logs` are enabled | ||
| - the value for `Aggregation Interval` or `N/A` if disabled, the value for `Flow Sampling` or `N/A` if disabled | ||
| - the value for `Metadata` or `N/A` if disabled | ||
| - 'true' or 'false' if a Logging Filter is configured or 'N/A' if disabled. | ||
| If the subnet's purpose is `PRIVATE` then `Flow Logs` should be `Enabled`. | ||
| If `Flow Logs` is enabled then: | ||
| - `Aggregation_Interval` should be `INTERVAL_5_SEC` | ||
| - `Flow_Sampling` should be 1 | ||
| - `Metadata` should be `INCLUDE_ALL_METADATA` | ||
| - `Logs_Filtered` should be `false`. | ||
| remediation: |- | ||
| **From Google Cloud Console** | ||
| 1. Go to the VPC network GCP Console visiting `https://console.cloud.google.com/networking/networks/list` | ||
| 2. Click the name of a subnet, The `Subnet details` page displays. | ||
| 3. Click the `EDIT` button. | ||
| 4. Set `Flow Logs` to `On`. | ||
| 5. Expand the `Configure Logs` section. | ||
| 6. Set `Aggregation Interval` to `5 SEC`. | ||
| 7. Check the box beside `Include metadata`. | ||
| 8. Set `Sample rate` to `100`. | ||
| 9. Click Save. | ||
| **Note**: It is not possible to configure a Log filter from the console. | ||
| **From Google Cloud CLI** | ||
| To enable VPC Flow Logs for a network subnet, run the following command: | ||
| ``` | ||
| gcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all | ||
| ``` | ||
| impact: |- | ||
| Standard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow Logs generation will be charged starting in GA as described in reference: https://cloud.google.com/vpc/ | ||
| default_value: '' | ||
| references: |- | ||
| 1. https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging | ||
| 2. https://cloud.google.com/vpc/ | ||
| section: Networking | ||
| version: '1.0' | ||
| tags: | ||
| - CIS | ||
| - GCP | ||
| - CIS 3.8 | ||
| - Networking | ||
| benchmark: | ||
| name: CIS Google Cloud Platform Foundation | ||
| version: v2.0.0 | ||
| id: cis_gcp | ||
| rule_number: '3.8' | ||
| posture_type: cspm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| package compliance.cis_gcp.rules.cis_3_8 | ||
|
|
||
| import data.compliance.lib.common | ||
| import data.compliance.policy.gcp.data_adapter | ||
| import future.keywords.if | ||
|
|
||
| finding = result if { | ||
| data_adapter.is_subnetwork | ||
| not_internal_https_load_balancer | ||
|
|
||
| result := common.generate_result_without_expected( | ||
| common.calculate_result(is_flow_log_configured), | ||
| data_adapter.resource, | ||
| ) | ||
| } | ||
|
|
||
| is_flow_log_configured if { | ||
| data_adapter.resource.data.enableFlowLogs == true | ||
| data_adapter.resource.data.logConfig.metadata == "INCLUDE_ALL_METADATA" | ||
| data_adapter.resource.data.logConfig.aggregationInterval == "INTERVAL_5_SEC" | ||
| data_adapter.resource.data.logConfig.flowSampling == 1 | ||
| data_adapter.resource.data.logConfig.enable == true | ||
| } else = false | ||
|
|
||
| not_internal_https_load_balancer if { | ||
| not data_adapter.resource.data.purpose == "INTERNAL_HTTPS_LOAD_BALANCER" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| package compliance.cis_gcp.rules.cis_3_8 | ||
|
|
||
| import data.cis_gcp.test_data | ||
|
|
||
| import data.compliance.policy.gcp.data_adapter | ||
| import data.lib.test | ||
|
|
||
| type := "cloud-compute" | ||
|
|
||
| subtype := "gcp-compute-subnetwork" | ||
|
|
||
| test_violation { | ||
| # fail when enableFlowLogs is missing | ||
| eval_fail with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": {}}, | ||
| null, | ||
| ) | ||
|
|
||
| # fail when enableFlowLogs is set to false | ||
| eval_fail with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": {"enableFlowLogs": false}}, | ||
| null, | ||
| ) | ||
|
|
||
| # fail when aggregationInterval is not set to INTERVAL_5_SEC | ||
| eval_fail with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": { | ||
| "purpose": "PRIVATE", | ||
| "enableFlowLogs": true, | ||
| "logConfig": {"aggregationInterval": "INTERVAL_15_SEC"}, | ||
| }}, | ||
| null, | ||
| ) | ||
|
|
||
| # fail when metadata is not set to INCLUDE_ALL_METADATA | ||
| eval_fail with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": { | ||
| "purpose": "PRIVATE", | ||
| "enableFlowLogs": true, | ||
| "logConfig": { | ||
| "aggregationInterval": "INTERVAL_5_SEC", | ||
| "metadata": "foo", | ||
| }, | ||
| }}, | ||
| null, | ||
| ) | ||
|
|
||
| # fail when flowSampling is not set to 1 | ||
| eval_fail with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": { | ||
| "purpose": "PRIVATE", | ||
| "enableFlowLogs": true, | ||
| "logConfig": { | ||
| "aggregationInterval": "INTERVAL_5_SEC", | ||
| "metadata": "INCLUDE_ALL_METADATA", | ||
| "flowSampling": 0.5, | ||
| }, | ||
| }}, | ||
| null, | ||
| ) | ||
|
|
||
| # fail when logConfig.enable is not set to true | ||
| eval_fail with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": { | ||
| "purpose": "PRIVATE", | ||
| "enableFlowLogs": true, | ||
| "logConfig": { | ||
| "aggregationInterval": "INTERVAL_5_SEC", | ||
| "metadata": "INCLUDE_ALL_METADATA", | ||
| "flowSampling": 1, | ||
| "enable": false, | ||
| }, | ||
| }}, | ||
| null, | ||
| ) | ||
| } | ||
|
|
||
| test_pass { | ||
| eval_pass with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": { | ||
| "purpose": "PRIVATE", | ||
| "enableFlowLogs": true, | ||
| "logConfig": { | ||
| "aggregationInterval": "INTERVAL_5_SEC", | ||
| "metadata": "INCLUDE_ALL_METADATA", | ||
| "flowSampling": 1, | ||
| "enable": true, | ||
| }, | ||
| }}, | ||
| null, | ||
| ) | ||
| } | ||
|
|
||
| test_not_evaluated { | ||
| not_eval with input as test_data.not_eval_resource | ||
| not_eval with input as test_data.generate_gcp_asset( | ||
| type, | ||
| subtype, | ||
| {"data": {"purpose": "INTERNAL_HTTPS_LOAD_BALANCER"}}, | ||
| null, | ||
| ) | ||
| } | ||
|
|
||
| eval_fail { | ||
| test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter | ||
| } | ||
|
|
||
| eval_pass { | ||
| test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter | ||
| } | ||
|
|
||
| not_eval { | ||
| not finding with data.benchmark_data_adapter as data_adapter | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters