diff --git a/README.md b/README.md index 7ccd3c0d..5ef6a54b 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ [![CIS K8S](https://img.shields.io/badge/CIS-Kubernetes%20(74%25)-326CE5?logo=Kubernetes)](RULES.md#k8s-cis-benchmark) [![CIS EKS](https://img.shields.io/badge/CIS-Amazon%20EKS%20(60%25)-FF9900?logo=Amazon+EKS)](RULES.md#eks-cis-benchmark) [![CIS AWS](https://img.shields.io/badge/CIS-AWS%20(87%25)-232F3E?logo=Amazon+AWS)](RULES.md#aws-cis-benchmark) -[![CIS GCP](https://img.shields.io/badge/CIS-GCP%20(77%25)-4285F4?logo=Google+Cloud)](RULES.md#gcp-cis-benchmark) +[![CIS GCP](https://img.shields.io/badge/CIS-GCP%20(79%25)-4285F4?logo=Google+Cloud)](RULES.md#gcp-cis-benchmark) [![CIS AZURE](https://img.shields.io/badge/CIS-AZURE%20(1%25)-F00EE8?logo=Microsoft+Azure)](RULES.md#azure-cis-benchmark) ![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/oren-zohar/a7160df46e48dff45b24096de9302d38/raw/csp-security-policies_coverage.json) diff --git a/RULES.md b/RULES.md index 67b46ddf..a95b8ea5 100644 --- a/RULES.md +++ b/RULES.md @@ -275,9 +275,9 @@ ## GCP CIS Benchmark -### 65/84 implemented rules (77%) +### 66/84 implemented rules (79%) -#### Automated rules: 65/73 (89%) +#### Automated rules: 66/73 (90%) #### Manual rules: 0/11 (0%) @@ -310,7 +310,7 @@ | 2.15 | Logging and Monitoring | Ensure 'Access Approval' is 'Enabled' | :x: | Automated | | [2.16](bundle/compliance/cis_gcp/rules/cis_2_16) | Logging and Monitoring | Ensure Logging is enabled for HTTP(S) Load Balancer | :white_check_mark: | Automated | | 2.2 | Logging and Monitoring | Ensure That Sinks Are Configured for All Log Entries | :x: | Automated | -| 2.3 | Logging and Monitoring | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | :x: | Automated | +| [2.3](bundle/compliance/cis_gcp/rules/cis_2_3) | Logging and Monitoring | Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock | :white_check_mark: | Automated | | [2.4](bundle/compliance/cis_gcp/rules/cis_2_4) | Logging and Monitoring | Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | :white_check_mark: | Automated | | [2.5](bundle/compliance/cis_gcp/rules/cis_2_5) | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes | :white_check_mark: | Automated | | [2.6](bundle/compliance/cis_gcp/rules/cis_2_6) | Logging and Monitoring | Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes | :white_check_mark: | Automated | diff --git a/bundle/compliance/cis_gcp/rules/cis_2_3/data.yaml b/bundle/compliance/cis_gcp/rules/cis_2_3/data.yaml new file mode 100644 index 00000000..2a8186df --- /dev/null +++ b/bundle/compliance/cis_gcp/rules/cis_2_3/data.yaml @@ -0,0 +1,85 @@ +metadata: + id: 1e4f8b50-90e4-5e99-8a40-a21b142eb6b4 + name: |- + Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock + profile_applicability: '* Level 2' + description: |- + Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. + It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks. + rationale: |- + Logs can be exported by creating one or more sinks that include a log filter and a destination. + As Cloud Logging receives new log entries, they are compared against each sink. + If a log entry matches a sink's filter, then a copy of the log entry is written to the destination. + + Sinks can be configured to export logs in storage buckets. + It is recommended to configure a data retention policy for these cloud storage buckets and to lock the data retention policy; thus permanently preventing the policy from being reduced or removed. + This way, if the system is ever compromised by an attacker or a malicious insider who wants to cover their tracks, the activity logs are definitely preserved for forensics and security investigations. + audit: |- + **From Google Cloud Console** + + 1. Open the Cloud Storage browser in the Google Cloud Console by visiting [https://console.cloud.google.com/storage/browser](https://console.cloud.google.com/storage/browser). + + 2. In the Column display options menu, make sure `Retention policy` is checked. + + 3. In the list of buckets, the retention period of each bucket is found in the `Retention policy` column. If the retention policy is locked, an image of a lock appears directly to the left of the retention period. + + **From Google Cloud CLI** + + 4. To list all sinks destined to storage buckets: + ``` + gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID + ``` + 5. For every storage bucket listed above, verify that retention policies and Bucket Lock are enabled: + ``` + gsutil retention get gs://BUCKET_NAME + ``` + + For more information, see [https://cloud.google.com/storage/docs/using-bucket-lock#view-policy](https://cloud.google.com/storage/docs/using-bucket-lock#view-policy). + remediation: |- + **From Google Cloud Console** + + 1. If sinks are **not** configured, first follow the instructions in the recommendation: `Ensure that sinks are configured for all Log entries`. + + 2. For each storage bucket configured as a sink, go to the Cloud Storage browser at `https://console.cloud.google.com/storage/browser/`. + + 3. Select the Bucket Lock tab near the top of the page. + + 4. In the Retention policy entry, click the Add Duration link. The `Set a retention policy` dialog box appears. + + 5. Enter the desired length of time for the retention period and click `Save policy`. + + 6. Set the `Lock status` for this retention policy to `Locked`. + + **From Google Cloud CLI** + + 7. To list all sinks destined to storage buckets: + ``` + gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID | --project=PROJECT_ID + ``` + 8. For each storage bucket listed above, set a retention policy and lock it: + ``` + gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME] + gsutil retention lock gs://[BUCKET_NAME] + ``` + + For more information, visit [https://cloud.google.com/storage/docs/using-bucket-lock#set-policy](https://cloud.google.com/storage/docs/using-bucket-lock#set-policy). + impact: |- + Locking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the retention policy from the bucket or decrease the retention period for the policy. You will then have to wait for the retention period for all items within the bucket before you can delete them, and then the bucket. + default_value: '' + references: |- + 1. https://cloud.google.com/storage/docs/bucket-lock + 2. https://cloud.google.com/storage/docs/using-bucket-lock + 3. https://cloud.google.com/storage/docs/bucket-lock + section: Logging and Monitoring + version: '1.0' + tags: + - CIS + - GCP + - CIS 2.3 + - Logging and Monitoring + benchmark: + name: CIS Google Cloud Platform Foundation + version: v2.0.0 + id: cis_gcp + rule_number: '2.3' + posture_type: cspm diff --git a/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego b/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego new file mode 100644 index 00000000..f2b8c722 --- /dev/null +++ b/bundle/compliance/cis_gcp/rules/cis_2_3/rule.rego @@ -0,0 +1,22 @@ +package compliance.cis_gcp.rules.cis_2_3 + +import data.compliance.lib.common +import data.compliance.policy.gcp.data_adapter +import future.keywords.if + +default is_retention_policy_valid = false + +# Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock. +finding = result if { + data_adapter.is_log_bucket + + result := common.generate_result_without_expected( + common.calculate_result(is_retention_policy_valid), + data_adapter.resource, + ) +} + +is_retention_policy_valid if { + data_adapter.resource.data.retentionDays > 0 + data_adapter.resource.data.locked == true +} diff --git a/bundle/compliance/cis_gcp/rules/cis_2_3/test.rego b/bundle/compliance/cis_gcp/rules/cis_2_3/test.rego new file mode 100644 index 00000000..0836ecba --- /dev/null +++ b/bundle/compliance/cis_gcp/rules/cis_2_3/test.rego @@ -0,0 +1,37 @@ +package compliance.cis_gcp.rules.cis_2_3 + +import data.cis_gcp.test_data +import data.compliance.policy.gcp.data_adapter +import data.lib.test + +type := "cloud-storage" + +subtype := "gcp-logging-log-bucket" + +test_violation { + # no retention policy + eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {}}, {}) + + # retention policy is not locked + eval_fail with input as test_data.generate_gcp_asset(type, subtype, {"data": {"retentionDays": 400}}, {}) +} + +test_pass { + eval_pass with input as test_data.generate_gcp_asset(type, subtype, {"data": {"retentionDays": 400, "locked": true}}, {}) +} + +test_not_evaluated { + not_eval with input as test_data.not_eval_resource +} + +eval_fail { + test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter +} + +eval_pass { + test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter +} + +not_eval { + not finding with data.benchmark_data_adapter as data_adapter +} diff --git a/bundle/compliance/policy/gcp/data_adapter.rego b/bundle/compliance/policy/gcp/data_adapter.rego index 41e3576b..7244b2b4 100644 --- a/bundle/compliance/policy/gcp/data_adapter.rego +++ b/bundle/compliance/policy/gcp/data_adapter.rego @@ -107,3 +107,7 @@ is_sql_instance { is_subnetwork { input.subType == "gcp-compute-subnetwork" } + +is_log_bucket { + input.subType == "gcp-logging-log-bucket" +}