From 6e68032e432d9c6b10c775d31b05c1535f2f34d9 Mon Sep 17 00:00:00 2001 
From: Or Ouziel Date: Tue, 15 Aug 2023 13:51:14 +0300 Subject: [PATCH 1/2] add templates --- .../0e318770-7077-5996-afd8-27ca34fc5446.json | 38 +++++++++++++++++++ .../1316108c-33a8-5198-9529-45716c5a87b1.json | 38 +++++++++++++++++++ .../15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json | 2 +- .../23e5f81e-ca05-53bf-8109-7e676feecee3.json | 38 +++++++++++++++++++ .../2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json | 38 +++++++++++++++++++ .../33299b3d-68da-5604-8c62-62690fd40c49.json | 38 +++++++++++++++++++ .../3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json | 38 +++++++++++++++++++ .../3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json | 2 +- .../40ab36e3-7438-5c36-afcd-bf5f5401366e.json | 38 +++++++++++++++++++ .../421191d6-a13c-5c78-8c5b-102e1229655f.json | 38 +++++++++++++++++++ .../4931d684-a386-5545-b2c4-47b836e0149b.json | 38 +++++++++++++++++++ .../4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json | 38 +++++++++++++++++++ .../4b11956d-7985-524e-900e-20405e2baaca.json | 38 +++++++++++++++++++ .../4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json | 2 +- .../4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json | 38 +++++++++++++++++++ .../5d7e7fce-64fb-5b7b-beeb-920496c2e333.json | 38 +++++++++++++++++++ .../5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json | 38 +++++++++++++++++++ .../5ee69b99-8f70-5daf-b784-866131aca3ba.json | 2 +- .../64d37675-473f-5edc-882e-5b8b85b789c3.json | 38 +++++++++++++++++++ .../67909c46-649c-52c1-a464-b3e81615d938.json | 38 +++++++++++++++++++ .../68cfd04b-fc79-5877-8638-af3aa82d92db.json | 38 +++++++++++++++++++ .../68f9d23f-882f-55d1-86c6-711413c31129.json | 38 +++++++++++++++++++ .../756e1a54-b2ce-56b9-a13f-17f652d7767c.json | 38 +++++++++++++++++++ .../7e584486-4d0f-5edb-8a64-7ee0b59333b8.json | 38 +++++++++++++++++++ .../84862c2c-4aba-5458-9c5f-12855091617b.json | 38 +++++++++++++++++++ .../873e6387-218d-587a-8fa1-3d65f4a77802.json | 38 +++++++++++++++++++ .../89cc8ff0-be81-55f2-b1cf-d7db1e214741.json | 38 +++++++++++++++++++ .../8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json | 38 
+++++++++++++++++++ .../8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json | 38 +++++++++++++++++++ .../8f2644ed-70b5-576f-b9b9-aabea6821749.json | 38 +++++++++++++++++++ .../9126cd85-611c-5b06-b2f2-a18338e26ae1.json | 38 +++++++++++++++++++ .../91d52d43-da61-5ba2-a4d4-1018fee84559.json | 4 +- .../92077c86-0322-5497-b94e-38ef356eadd6.json | 38 +++++++++++++++++++ .../9259a915-0294-54d6-b379-162ceb36e875.json | 38 +++++++++++++++++++ .../92ab0102-d825-52ce-87a8-1d0b4e06166c.json | 38 +++++++++++++++++++ .../936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json | 38 +++++++++++++++++++ .../a1f327c0-3e4b-5b55-891a-b91e720cd535.json | 38 +++++++++++++++++++ .../a7c6b368-29db-53e6-8b86-dfaddf719f59.json | 38 +++++++++++++++++++ .../b0ed2847-4db1-57c3-b2b6-49b0576a2506.json | 38 +++++++++++++++++++ .../b190337a-56a7-5906-8960-76fd05283599.json | 38 +++++++++++++++++++ .../b64386ab-20fa-57d2-9b5b-631d64181531.json | 38 +++++++++++++++++++ .../b8c40039-034b-5299-8660-a7c8d34efe36.json | 38 +++++++++++++++++++ .../bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json | 38 +++++++++++++++++++ .../be1197db-90d0-58db-b780-f0a939264bd0.json | 38 +++++++++++++++++++ .../c2d65e60-221b-5748-a545-579a69ad4a93.json | 38 +++++++++++++++++++ .../d63a2fd8-7ba2-5589-9899-23f99fd8c846.json | 38 +++++++++++++++++++ .../dbd6a799-b6c3-5768-ab68-9bd6f63bbd48.json | 38 +++++++++++++++++++ .../e2306922-4f95-5660-bf2e-9610f556de69.json | 38 +++++++++++++++++++ .../e833e6a8-673d-56b2-a979-f9aa4e52cb71.json | 38 +++++++++++++++++++ .../e83a8e8a-e34b-5a01-8142-82d5aef60cab.json | 38 +++++++++++++++++++ .../ec7949d4-9e55-5f44-8c4a-a0e674a2a46f.json | 38 +++++++++++++++++++ .../f44d0940-2e62-5993-9028-d3e63ae23960.json | 38 +++++++++++++++++++ .../f62488d2-4b52-57d4-8ecd-d8f47dcb3dda.json | 38 +++++++++++++++++++ .../fdff0b83-dc73-5d60-9ad3-b98ed139a1b4.json | 38 +++++++++++++++++++ .../fe083488-fa0f-5408-9624-ac27607ac2ff.json | 38 +++++++++++++++++++ .../ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077.json | 38 +++++++++++++++++++ 
.../ffc9fb91-dc44-512b-a558-036e8ce11282.json | 38 +++++++++++++++++++ 57 files changed, 1982 insertions(+), 6 deletions(-) create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json create mode 100644 
packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json create mode 
100644 packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/dbd6a799-b6c3-5768-ab68-9bd6f63bbd48.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/e2306922-4f95-5660-bf2e-9610f556de69.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/e833e6a8-673d-56b2-a979-f9aa4e52cb71.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/e83a8e8a-e34b-5a01-8142-82d5aef60cab.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/ec7949d4-9e55-5f44-8c4a-a0e674a2a46f.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/f44d0940-2e62-5993-9028-d3e63ae23960.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/f62488d2-4b52-57d4-8ecd-d8f47dcb3dda.json create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/fdff0b83-dc73-5d60-9ad3-b98ed139a1b4.json 
create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/fe083488-fa0f-5408-9624-ac27607ac2ff.json
create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077.json
create mode 100644 packages/cloud_security_posture/kibana/csp_rule_template/ffc9fb91-dc44-512b-a558-036e8ce11282.json
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json b/packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json
new file mode 100644
index 00000000000..bec1996b82e
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/0e318770-7077-5996-afd8-27ca34fc5446.json
@@ -0,0 +1,38 @@ +{ + "id": "0e318770-7077-5996-afd8-27ca34fc5446", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/vpc/docs/firewalls", + "id": "0e318770-7077-5996-afd8-27ca34fc5446", + "name": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes", + "profile_applicability": "* Level 2", + "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.", + "rationale": "Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.", + "audit": "**From Google Cloud Console**\n\n**Ensure that the prescribed log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure at least one metric `` is present with this filter text:\n\n```\nresource.type=\"gce_firewall_rule\" \nAND (protoPayload.methodName:\"compute.firewalls.patch\" \nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. 
Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of zero(0) for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that appropriate notification channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n\n```\nresource.type=\"gce_firewall_rule\" \nAND (protoPayload.methodName:\"compute.firewalls.patch\" \nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. 
Clear any text and add: \n\n```\nresource.type=\"gce_firewall_rule\" \nAND (protoPayload.methodName:\"compute.firewalls.patch\" \nOR protoPayload.methodName:\"compute.firewalls.insert\"\nOR protoPayload.methodName:\"compute.firewalls.delete\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed Alert Policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page displays.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.7", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json b/packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json new file mode 100644 index 00000000000..aefaf53fc81 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/1316108c-33a8-5198-9529-45716c5a87b1.json 
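Review bot: The audit and remediation text of this template still carries wording copied from the project-ownership rule: audit step 4 says the alert `will trigger for any new owner change` and remediation step 9 says `a notification is triggered for every owner change in the project`, although this rule (CIS 2.7, `rego_rule_id` `cis_2_7`) is about VPC firewall rule changes; both should say `firewall rule change`. The metric-name placeholders also look lost — audit step 2 reads "ensure at least one metric `` is present" with empty backticks, step 8 ends at `logging.googleapis.com/user/`, and the CLI remediation ends at `gcloud logging metrics create ` with nothing after it — which may be a rendering artefact of this page, so check the committed file before editing. If these templates are generated from the benchmark source, the fix belongs upstream rather than in this JSON.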
@@ -0,0 +1,38 @@ +{ + "id": "1316108c-33a8-5198-9529-45716c5a87b1", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", + "id": "1316108c-33a8-5198-9529-45716c5a87b1", + "name": "Ensure That the \u2018Log_min_duration_statement\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018-1\u2032 (Disabled)", + "profile_applicability": "* Level 1", + "description": "The `log_min_duration_statement` flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged.\nEnsure that `log_min_duration_statement` is disabled, i.e., a value of `-1` is set.", + "rationale": "Logging SQL statements may include sensitive information that should not be recorded in logs.\nThis recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page.\n3. Go to the `Configuration` card.\n4. Under `Database flags`, check that the value of `log_min_duration_statement` flag is set to `-1`.\n\n**From Google Cloud CLI**\n\n5. 
Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_min_duration_statement` is set to `-1`.\n```\ngcloud sql instances list --format=json| jq '.settings.databaseFlags[] | select(.name==\"log_min_duration_statement\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n9. 
Configure the `log_min_duration_statement` flag for every Cloud SQL PosgreSQL database instance using the below command:\n```\ngcloud sql instances patch --database-flags log_min_duration_statement=-1\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.7", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json b/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json index 76b8ef4c47b..ac3aefc25b6 100644 --- a/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json +++ b/packages/cloud_security_posture/kibana/csp_rule_template/15c6f217-2ae2-5bb4-8ebe-f40adf02910d.json 
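Review bot: The audit command in this template pipes `gcloud sql instances list --format=json` into `jq '.settings.databaseFlags[] ...'`, but `list` emits a JSON array, so `.settings` is applied to an array and jq fails; the filter should iterate first, e.g. `jq '.[].settings.databaseFlags[]? | select(.name=="log_min_duration_statement") | .value'` (or use `gcloud sql instances describe` per instance). Remediation step 9's `gcloud sql instances patch --database-flags log_min_duration_statement=-1` has no instance name between `patch` and `--database-flags`, possibly the same placeholder loss seen elsewhere in this patch, and the step text spells it `PosgreSQL`. The rule `name` opens the quoted `-1` with `\u2018` but closes it with `\u2032` (a prime); the matching close quote is `\u2019`. If these files are generated from the benchmark source, the fixes belong upstream.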
@@ -12,7 +12,7 @@ "description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events.\nBy default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.", "rationale": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.", "audit": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. If the current status for `Object-level` logging is set to `Disabled`, then object-level logging of read events for the selected s3 bucket is not set.\n5. If the current status for `Object-level` logging is set to `Enabled`, but the Read event check-box is unchecked, then object-level logging of read events for the selected s3 bucket is not set.\n6. Repeat steps 2 to 5 to verify `object-level` logging for `read` events of your other S3 buckets.\n\n**From Command Line:**\n7. Run `describe-trails` command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region:\n```\naws cloudtrail describe-trails --region --output table --query trailList[*].Name\n```\n8. The command output will be table of the requested trail names.\n9. 
Run `get-event-selectors` command using the name of the trail returned at the previous step and custom query filters to determine if Data events logging feature is enabled within the selected CloudTrail trail configuration for s3 bucket resources:\n```\naws cloudtrail get-event-selectors --region --trail-name --query EventSelectors[*].DataResources[]\n```\n10. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n11. If the `get-event-selectors` command returns an empty array, the Data events are not included into the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n12. Repeat steps 1 to 5 for auditing each s3 bucket to identify other trails that are missing the capability to log Data events.\n13. Change the AWS region by updating the `--region` command parameter and perform the audit process for other regions.", - "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n7. 
To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{ \"ReadWriteType\": \"ReadOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.", + "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the Read event checkbox, so that `object-level` logging for `Read` events is enabled.\n6. Repeat steps 2 to 5 to enable `object-level` logging of read events for other S3 buckets.\n\n**From Command Line:**\n7. 
To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{\n \"ReadWriteType\": \"ReadOnly\",\n \"IncludeManagementEvents\": true,\n \"DataResources\": [\n {\n \"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3:::/\"\n ]\n }\n ]\n}]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at ones then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of read events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.", "section": "Logging", "version": "1.0", "tags": [ diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json b/packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json new file mode 100644 index 00000000000..93ff774cb3a --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/23e5f81e-ca05-53bf-8109-7e676feecee3.json 
@@ -0,0 +1,38 @@ +{ + "id": "23e5f81e-ca05-53bf-8109-7e676feecee3", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "All Secure Shell (SSH) connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where SSH access is required from outside of the network to access resources associated with the VPC. In that case, specific source IP(s) should be mentioned in firewall rules to white-list access to SSH port for the concerned VPC(s).", + "default_value": "", + "references": "1. https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n2. https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts", + "id": "23e5f81e-ca05-53bf-8109-7e676feecee3", + "name": "Ensure That SSH Access Is Restricted From the Internet", + "profile_applicability": "* Level 2", + "description": "GCP `Firewall Rules` are specific to a `VPC Network`.\nEach rule either `allows` or `denies` traffic when its conditions are met.\nIts conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.\n\nFirewall rules are defined at the VPC network level and are specific to the network in which they are defined.\nThe rules themselves cannot be shared among networks.\nFirewall rules only support IPv4 traffic.\nWhen specifying a source for an ingress rule or a destination for an egress rule by address, only an `IPv4` address or `IPv4 block in CIDR` notation can be used.\nGeneric `(0.0.0.0/0)` incoming traffic from the internet to VPC or VM instance using `SSH` on `Port 22` can be avoided.", + "rationale": "GCP `Firewall Rules` within a `VPC Network` apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.\nEgress and ingress traffic flows are controlled even if the traffic stays 
within the network (for example, instance-to-instance communication).\nFor an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.\nThis route simply defines the path to the Internet, to avoid the most general `(0.0.0.0/0)` destination `IP Range` specified from the Internet through `SSH` with the default `Port 22`.\nGeneric access from the Internet to a specific IP Range needs to be restricted.", + "audit": "**From Google Cloud Console**\n\n1. Go to `VPC network`.\n2. Go to the `Firewall Rules`.\n3. Ensure that `Port` is not equal to `22` and `Action` is not set to `Allow`.\n4. Ensure `IP Ranges` is not equal to `0.0.0.0/0` under `Source filters`.\n\n**From Google Cloud CLI**\n\n gcloud compute firewall-rules list --format=table'(name,direction,sourceRanges,allowed)'\n\nEnsure that there is no rule matching the below criteria:\n- `SOURCE_RANGES` is `0.0.0.0/0`\n- AND `DIRECTION` is `INGRESS`\n- AND IPProtocol is `tcp` or `ALL`\n- AND `PORTS` is set to `22` or `range containing 22` or `Null (not set)`\n\nNote: \n- When ALL TCP ports are allowed in a rule, PORT does not have any value set (`NULL`)\n- When ALL Protocols are allowed in a rule, PORT does not have any value set (`NULL`)", + "remediation": "**From Google Cloud Console**\n\n1. Go to `VPC Network`.\n2. Go to the `Firewall Rules`.\n3. Click the `Firewall Rule` you want to modify.\n4. Click `Edit`.\n5. Modify `Source IP ranges` to specific `IP`.\n6. Click `Save`.\n\n**From Google Cloud CLI**\n\n7. 1.Update the Firewall rule with the new `SOURCE_RANGE` from the below command:\n\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] 
--source-ranges=[CIDR_RANGE,...]", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.6", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json b/packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json new file mode 100644 index 00000000000..8e77d7b5ad4 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc.json 
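Review bot: Remediation step 7 reads `7. 1.Update the Firewall rule ...` — a stray `1.` left over from renumbering that will be shown verbatim in the findings UI; it should read `7. Update the Firewall rule ...`. On substance, the audit criteria treat only `SOURCE_RANGES` of `0.0.0.0/0` as internet-exposed, and the description's statement that `Firewall rules only support IPv4 traffic` is, as far as I know, no longer accurate for GCP VPC firewall rules, so an ingress rule allowing port 22 from `::/0` would satisfy the text as written; worth confirming that the corresponding rego rule (`cis_3_6`) treats `::/0` the same way, or adding it to the listed criteria. If these templates are generated from the benchmark source, the fixes belong upstream.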
@@ -0,0 +1,38 @@ +{ + "id": "2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "`Regenerating Key` may break existing client connectivity as the client will try to connect with older API keys they have stored on devices.", + "default_value": "", + "references": "1. https://developers.google.com/maps/api-security-best-practices#regenerate-apikey\n2. https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys", + "id": "2b7b51e2-7e54-5b24-bc9c-6d09416fd5dc", + "name": "Ensure API Keys Are Rotated Every 90 Days", + "profile_applicability": "* Level 2", + "description": "API Keys should only be used for services in cases where other authentication methods are unavailable.\nIf they are in use it is recommended to rotate API keys every 90 days.", + "rationale": "Security risks involved in using API-Keys are listed below:\n\n- API keys are simple encrypted strings\n\n- API keys do not identify the user or the application making the API request\n\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nBecause of these potential risks, Google recommends using the standard authentication flow instead of API Keys.\nHowever, there are limited cases where API keys are more appropriate.\nFor example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nOnce a key is stolen, it has no expiration, meaning it may be used indefinitely unless the project owner revokes or regenerates the key.\n\nRotating API keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\n\n\nAPI keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.", + "audit": "**From Google Cloud Console**\n\n1. 
Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, for every key ensure the `creation date` is less than 90 days.\n\n**From Google Cloud CLI**\n\nTo list keys, use the command\n\n```\ngcloud services api-keys list\n```\nEnsure the date in `createTime` is within 90 days.", + "remediation": "**From Google Cloud Console**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n\n3. Click `REGENERATE KEY` to rotate API key.\n\n4. Click `Save`.\n\n5. Repeat steps 2,3,4 for every API key that has not been rotated in the last 90 days.\n\n**Note:** Do not set `HTTP referrers` to wild-cards (* or *.[TLD] or *.[TLD]/*) allowing access to any/wide HTTP referrer(s)\nDo not set `IP addresses` and referrer to `any host (0.0.0.0 or 0.0.0.0/0 or ::0)`\n\n**From Google Cloud CLI**\n\nThere is not currently a way to regenerate and API key using gcloud commands.\nTo 'regenerate' a key you will need to create a new one, duplicate the restrictions from the key being rotated, and delete the old key.\n\n6. List existing keys.\n```\ngcloud services api-keys list\n```\n7. Note the `UID` and restrictions of the key to regenerate.\n\n8. Run this command to create a new API key. is the display name of the new key.\n````\ngcloud alpha services api-keys create --display-name=\"\"\n````\nNote the `UID` of the newly created key\n\n9. Run the update command to add required restrictions. \n\nNote - the restriction may vary for each key.\nRefer to this documentation for the appropriate flags.\nhttps://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update\n```\ngcloud alpha services api-keys update \n```\n10. 
Delete the old key.\n```\ngcloud alpha services api-keys delete \n```", + "section": "Identity and Access Management", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 1.15", + "Identity and Access Management" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "1.15", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_1_15" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json b/packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json new file mode 100644 index 00000000000..12e8454c81a --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/33299b3d-68da-5604-8c62-62690fd40c49.json 
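Review bot: The CLI placeholders in `audit`/`remediation` have been stripped, so the commands in this template are not runnable as written: step 8 reads `is the display name of the new key.` with no subject, the create command has an empty `--display-name=\"\"`, and `gcloud alpha services api-keys update ` and `gcloud alpha services api-keys delete ` carry no key identifier. Restoring them as `--display-name=\"<DISPLAY_NAME>\"`, `api-keys update <KEY_UID>` and `api-keys delete <KEY_UID>` (placeholder names, to be taken from the benchmark source) makes the procedure usable. The same loss affects 33299b3d, 3bfcca47 and 40ab36e3 (`gcloud sql instances patch` with no instance name and `log_statement=` / `log_min_error_statement=` with no value), 3ed0b9d8 (`--name --region`, `--trail-name`, `arn:aws:s3:::/`), 4931d684 (`describe`/`patch` with no instance name) and 4a6a8b7a (`describe --zone=`), which suggests the import dropped angle-bracket tokens wholesale. Two smaller points in this file: the create command is fenced with four backticks where every other fence uses three, and `regenerate and API key` should read `an API key`.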
@@ -0,0 +1,38 @@ +{ + "id": "33299b3d-68da-5604-8c62-62690fd40c49", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n2. https://cloud.google.com/sql/docs/sqlserver/flags\n3. https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n4. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347", + "id": "33299b3d-68da-5604-8c62-62690fd40c49", + "name": "Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'", + "profile_applicability": "* Level 1", + "description": "It is recommended to set `external scripts enabled` database flag for Cloud SQL SQL Server instance to `off`", + "rationale": "`external scripts enabled` enable the execution of scripts with certain remote language extensions.\nThis property is OFF by default.\nWhen Advanced Analytics Services is installed, setup can optionally set this property to true.\nAs the External Scripts Enabled feature allows scripts external to SQL such as files located in an R library to be executed, which could adversely affect the security of the system, hence this should be disabled.\nThis recommendation is applicable to SQL Server database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. 
Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `external scripts enabled` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"external scripts enabled\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `external scripts enabled` database flag for every Cloud SQL SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.1", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.1", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_1" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json b/packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json new file mode 100644 index 00000000000..21ad4d87fe1 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/3bfcca47-de6a-57d4-961f-3c7f5b5f699c.json 
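Review bot: The CLI audit's jq filter `.settings.databaseFlags[]` is applied to the output of `gcloud sql instances list --format=json`, which is a JSON array, so the command errors instead of reporting flag values; the sibling templates in this change use `.[].settings.databaseFlags[]`, and this one should too. The Console audit in step 3 only checks that the flag is listed under `Database flags`, not that its value is `off`, so it does not verify what the rule requires; `3. Ensure that the value of the external scripts enabled flag listed under Database flags is off.` would close the gap. Instances where the flag is absent produce no output from the jq `select` and therefore pass silently, which is acceptable only because the rationale states the property is OFF by default and is worth saying next to the command. Remediation step 2 also reads `enable to database flag`.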
@@ -0,0 +1,38 @@ +{ + "id": "3bfcca47-de6a-57d4-961f-3c7f5b5f699c", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", + "id": "3bfcca47-de6a-57d4-961f-3c7f5b5f699c", + "name": "Ensure \u2018Log_statement\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately", + "profile_applicability": "* Level 2", + "description": "The value of `log_statement` flag determined the SQL statements that are logged.\nValid values are:\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements.\nThe value `mod` logs all ddl statements, plus data-modifying statements.\n\nThe statements are logged after a basic parsing is done and statement type is determined, thus this does not logs statements with errors.\nWhen using extended query protocol, logging occurs after an Execute message is received and values of the Bind parameters are included.\n\nA value of 'ddl' is recommended unless otherwise directed by your organization's logging policy.", + "rationale": "Auditing helps in forensic analysis.\nIf `log_statement` is not set to the correct value, too many statements may be logged leading to issues in finding the relevant information from the logs, or too few statements may be logged with relevant information missing from the logs.\nSetting log_statement to align with your organization's 
security and logging policies facilitates later auditing and review of database activities.\nThis recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to `Configuration` card\n4. Under `Database flags`, check the value of `log_statement` flag is set to appropriately.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_statement`\n```\ngcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name==\"log_statement\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_statement` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `log_statement` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_statement=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.4", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json b/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json index 87554772a07..eeb6c76bcda 100644 --- a/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json +++ b/packages/cloud_security_posture/kibana/csp_rule_template/3ed0b9d8-c5f2-55e2-92a5-2531868e79ca.json 
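Review bot: The template never states which `log_statement` values the automated check (`cis_6_2_4`) treats as compliant: the name says "Set Appropriately", the description recommends `ddl`, and audit step 4 reads `check the value of log_statement flag is set to appropriately`, so a user reading the finding cannot tell what to set. Stating the accepted set in `description` (presumably any value other than `none`, to be confirmed against the rego rule) and rewording step 4 to `check that the value of the log_statement flag is one your logging policy allows` would align the text with the check. Two typos in the new text: `does not logs statements` and `PosgreSQL` (the latter also in 40ab36e3).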
@@ -12,7 +12,7 @@ "description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events.\nBy default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.", "rationale": "Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.", "audit": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to CloudTrail dashboard at `https://console.aws.amazon.com/cloudtrail/`\n2. In the left panel, click `Trails` and then click on the CloudTrail Name that you want to examine.\n3. Review `General details`\n4. Confirm that `Multi-region trail` is set to `Yes`\n5. Scroll down to `Data events`\n6. Confirm that it reads:\nData events: S3\nBucket Name: All current and future S3 buckets\nRead: Enabled\nWrite: Enabled\n7. Repeat steps 2 to 6 to verify that Multi-region trail and Data events logging of S3 buckets in CloudTrail.\nIf the CloudTrails do not have multi-region and data events configured for S3 refer to the remediation below.\n\n**From Command Line:**\n\n8. Run `list-trails` command to list the names of all Amazon CloudTrail trails currently available in all AWS regions:\n```\naws cloudtrail list-trails\n```\n9. The command output will be a list of all the trail names to include.\n\"TrailARN\": \"arn:aws:cloudtrail:::trail/\",\n\"Name\": \"\",\n\"HomeRegion\": \"\"\n10. Next run 'get-trail- command to determine Multi-region.\n```\naws cloudtrail get-trail --name --region \n```\n11. The command output should include:\n\"IsMultiRegionTrail\": true,\n12. 
Next run `get-event-selectors` command using the `Name` of the trail and the `region` returned in step 2 to determine if Data events logging feature is enabled within the selected CloudTrail trail for all S3 buckets:\n```\naws cloudtrail get-event-selectors --region --trail-name --query EventSelectors[*].DataResources[]\n```\n13. The command output should be an array that contains the configuration of the AWS resource(S3 bucket) defined for the Data events selector.\n\"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3\"\n14. If the `get-event-selectors` command returns an empty array '[]', the Data events are not included in the selected AWS Cloudtrail trail logging configuration, therefore the S3 object-level API operations performed within your AWS account are not recorded.\n15. Repeat steps 1 to 5 for auditing each CloudTrail to determine if Data events for S3 are covered.\nIf Multi-region is not set to true and the Data events does not show S3 defined as shown refer to the remediation procedure below.", - "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n7. 
To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{ \"ReadWriteType\": \"WriteOnly\", \"IncludeManagementEvents\":true, \"DataResources\": [{ \"Type\": \"AWS::S3::Object\", \"Values\": [\"arn:aws:s3:::/\"] }] }]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.", + "remediation": "**From Console:**\n\n1. Login to the AWS Management Console and navigate to S3 dashboard at `https://console.aws.amazon.com/s3/`\n2. In the left navigation panel, click `buckets` and then click on the S3 Bucket Name that you want to examine.\n3. Click `Properties` tab to see in detail bucket configuration.\n4. Click on the `Object-level` logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link `https://console.aws.amazon.com/cloudtrail/`\n5. Once the Cloudtrail is selected, check the `Write` event checkbox, so that `object-level` logging for Write events is enabled.\n6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.\n\n**From Command Line:**\n\n7. 
To enable `object-level` data events logging for S3 buckets within your AWS account, run `put-event-selectors` command using the name of the trail that you want to reconfigure as identifier:\n```\naws cloudtrail put-event-selectors --region --trail-name --event-selectors '[{\n \"ReadWriteType\": \"WriteOnly\",\n \"IncludeManagementEvents\": true,\n \"DataResources\": [\n {\n \"Type\": \"AWS::S3::Object\",\n \"Values\": [\n \"arn:aws:s3:::/\"\n ]\n }\n ]\n}]'\n```\n8. The command output will be `object-level` event trail configuration.\n9. If you want to enable it for all buckets at once then change Values parameter to `[\"arn:aws:s3\"]` in command given above.\n10. Repeat step 1 for each s3 bucket to update `object-level` logging of write events.\n11. Change the AWS region by updating the `--region` command parameter and perform the process for other regions.", "section": "Logging", "version": "1.0", "tags": [ diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json b/packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json new file mode 100644 index 00000000000..f0099606fd7 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/40ab36e3-7438-5c36-afcd-bf5f5401366e.json 
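Review bot: The reformatted remediation command still sets `\"ReadWriteType\": \"WriteOnly\"` while audit step 6 requires `Read: Enabled` and `Write: Enabled`, so a trail configured exactly as remediated fails the audit as written; either the audit should accept write-only data events, which remediation steps 5 and 6 and the rule's `write events` wording suggest is the intent, or the command should use `\"ReadWriteType\": \"All\"`. The command also lacks its argument placeholders (`--region`, `--trail-name` and the bucket in `arn:aws:s3:::/`), which the reformat kept verbatim; `<REGION>`, `<TRAIL_NAME>` and `arn:aws:s3:::<BUCKET_NAME>/` restore them. The JSON object this line belongs to starts and ends outside the hunk.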
@@ -0,0 +1,38 @@ +{ + "id": "40ab36e3-7438-5c36-afcd-bf5f5401366e", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN", + "id": "40ab36e3-7438-5c36-afcd-bf5f5401366e", + "name": "Ensure \u2018Log_min_error_statement\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018Error\u2019 or Stricter", + "profile_applicability": "* Level 1", + "description": "The `log_min_error_statement` flag defines the minimum message severity level that are considered as an error statement.\nMessages for error statements are logged with the SQL statement.\nValid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`.\nEach severity level includes the subsequent levels mentioned above.\nEnsure a value of `ERROR` or stricter is set.", + "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified as error messages appropriately.\nConsidering general log messages as error messages would make is difficult to find actual errors and considering only stricter severity levels as error messages may skip actual errors to log their SQL statements.\nThe `log_min_error_statement` flag should be set to `ERROR` or stricter.\nThis 
recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to `Configuration` card\n4. Under `Database flags`, check the value of `log_min_error_statement` flag is configured as to `ERROR` or stricter.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_min_error_statement` is set to `ERROR` or stricter.\n```\ngcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name==\"log_min_error_statement\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_error_statement` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `log_min_error_statement` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_min_error_statement=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.6", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json b/packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json new file mode 100644 index 00000000000..217c5d42f3d --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/421191d6-a13c-5c78-8c5b-102e1229655f.json 
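Review bot: Reference 2 is pinned to the PostgreSQL 9.6 manual (`https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN`) while the sibling template 3bfcca47 links the `/docs/current/` form; Cloud SQL runs newer majors, so the `current` URL keeps the severity list and semantics in sync with what users actually have. The description's first sentence has an agreement slip, `defines the minimum message severity level that are considered as an error statement`, which reads better as `defines the minimum severity level at which a statement that caused an error is logged`. The rationale also reads `would make is difficult` and the remediation `PosgreSQL`.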
@@ -0,0 +1,38 @@ +{ + "id": "421191d6-a13c-5c78-8c5b-102e1229655f", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "The removed role should be assigned to a different user based on business needs.", + "default_value": "", + "references": "1. https://cloud.google.com/iam/docs/service-accounts\n2. https://cloud.google.com/iam/docs/understanding-roles\n3. https://cloud.google.com/iam/docs/granting-roles-to-service-accounts", + "id": "421191d6-a13c-5c78-8c5b-102e1229655f", + "name": "Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users", + "profile_applicability": "* Level 2", + "description": "It is recommended that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users.", + "rationale": "The built-in/predefined IAM role `Service Account admin` allows the user/identity to create, delete, and manage service account(s).\nThe built-in/predefined IAM role `Service Account User` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute Instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action.\nIn Cloud IAM - service accounts, this could be an action such as using a service account to access resources that user should not normally have access to.\n\nSeparation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors.\nIt is considered best practice.\n\nNo user should have `Service Account Admin` and `Service Account User` roles assigned at the same time.", + "audit": "**From Google Cloud Console**\n\n1. Go to `IAM & Admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`.\n\n2. 
Ensure no member has the roles `Service Account Admin` and `Service account User` assigned together.\n\n**From Google Cloud CLI**\n\n3. List all users and role assignments:\n\n```\ngcloud projects get-iam-policy [Project_ID] --format json | \\\n jq -r '[\n ([\"Service_Account_Admin_and_User\"] | (., map(length*\"-\"))), \n (\n [\n .bindings[] | \n select(.role == \"roles/iam.serviceAccountAdmin\" or .role == \"roles/iam.serviceAccountUser\").members[]\n ] | \n group_by(.) | \n map({User: ., Count: length}) | \n .[] | \n select(.Count == 2).User | \n unique\n )\n ] | \n .[] | \n @tsv'\n```\n\n4. All common users listed under `Service_Account_Admin_and_User` are assigned both the `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountUser` roles.", + "remediation": "**From Google Cloud Console**\n\n1. Go to `IAM & Admin/IAM` using `https://console.cloud.google.com/iam-admin/iam`.\n\n2. For any member having both `Service Account Admin` and `Service account User` roles granted/assigned, click the `Delete Bin` icon to remove either role from the member.\nRemoval of a role should be done based on the business requirements.", + "section": "Identity and Access Management", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 1.8", + "Identity and Access Management" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "1.8", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_1_8" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json b/packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json new file mode 100644 index 00000000000..e04565b3c28 --- /dev/null 
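Review bot: The remediation covers only the Console while the audit has a CLI section; a CLI counterpart such as `gcloud projects remove-iam-policy-binding <PROJECT_ID> --member=<MEMBER> --role=roles/iam.serviceAccountUser` (or the Admin role, whichever the business decision removes) would keep the two sections parallel like the other templates in this change. The audit jq relies on `select(.Count == 2)`, which assumes each role appears in exactly one binding; if the policy uses conditional bindings the same role can occur in several bindings, so a member holding both roles may be counted three or more times and silently skipped, and a member holding one role through two bindings would be counted twice — grouping by member and checking for both distinct roles is the robust form, `.Count >= 2` only fixes the first case. Role names are also capitalized three different ways (`Service Account admin`, `Service Account Admin`, `Service account User`).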
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/4931d684-a386-5545-b2c4-47b836e0149b.json 
@@ -0,0 +1,38 @@ +{ + "id": "4931d684-a386-5545-b2c4-47b836e0149b", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Automated Backups will increase required size of storage and costs associated with it.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n2. https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up", + "id": "4931d684-a386-5545-b2c4-47b836e0149b", + "name": "Ensure That Cloud SQL Database Instances Are Configured With Automated Backups", + "profile_applicability": "* Level 1", + "description": "It is recommended to have all SQL database instances set to enable automated backups.", + "rationale": "Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with that instance.\nAutomated backups need to be set for any instance that contains data that should be protected from loss or damage.\nThis recommendation is applicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2 instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Click the instance name to open its instance details page.\n3. Go to the `Backups` menu.\n4. Ensure that `Automated backups` is set to `Enabled` and `Backup time` is mentioned.\n\n**From Google Cloud CLI**\n\n5. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n\n6. Ensure that the below command returns `True` for every Cloud SQL database instance.\n```\ngcloud sql instances describe --format=\"value('Enabled':settings.backupConfiguration.enabled)\"\n```", + "remediation": "**From Google Cloud Console**\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check `Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n**From Google Cloud CLI**\n\n6. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n\n7. Enable `Automated backups` for every Cloud SQL database instance using the below command:\n```\ngcloud sql instances patch --backup-start-time <[HH:MM]>\n```\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone, and specifies the start of a 4-hour backup window.\nBackups can start any time during the backup window.", + "section": "Cloud SQL Database Services", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.7", + "Cloud SQL Database Services" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json b/packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json new file mode 100644 index 00000000000..b71fa320890 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/4a6a8b7a-d7a2-5a52-af5c-70009500bbc5.json 
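Review bot: Remediation step 4 wraps the control name in an opening backtick and a closing apostrophe (`Enable automated backups'`), so the inline code span swallows the rest of the line when the markdown renders; close it with a backtick. The rationale's applicability line still lists `MySql generation 1`; first-generation Cloud SQL instances were retired some time ago, so that sentence looks carried over from an older benchmark edition and is worth checking against v2.0.0. Audit step 6 only checks that the command returns `True`, whereas Console step 4 also requires a `Backup time` to be set, so the two paths verify slightly different things.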
@@ -0,0 +1,38 @@ +{ + "id": "4a6a8b7a-d7a2-5a52-af5c-70009500bbc5", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Removing the external IP address from your Compute instance may cause some applications to stop working.", + "default_value": "", + "references": "1. https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n2. https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n3. https://cloud.google.com/compute/docs/instances/connecting-to-instance\n4. https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n5. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints", + "id": "4a6a8b7a-d7a2-5a52-af5c-70009500bbc5", + "name": "Ensure That Compute Instances Do Not Have Public IP Addresses", + "profile_applicability": "* Level 2", + "description": "Compute instances should not be configured to have external IP addresses.", + "rationale": "To reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.", + "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. For every VM, ensure that there is no `External IP` configured.\n\n**From Google Cloud CLI**\n\n```\ngcloud compute instances list --format=json\n```\n\n3. The output should not contain an `accessConfigs` section under `networkInterfaces`. Note that the `natIP` value is present only for instances that are running or for instances that are stopped but have a static IP address. For instances that are stopped and are configured to have an ephemeral public IP address, the `natIP` field will not be present. 
Example output:\n\n```\nnetworkInterfaces:\n- accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n networkTier: STANDARD\n type: ONE_TO_ONE_NAT\n```\n\n**Exception:**\nInstances created by GKE should be excluded because some of them have external IP addresses and cannot be changed by editing the instance settings.\nInstances created by GKE should be excluded.\nThese instances have names that start with \"gke-\" and are labeled \"goog-gke-node\".", + "remediation": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to go the the `Instance detail page`.\n\n3. Click `Edit`.\n\n4. For each Network interface, ensure that `External IP` is set to `None`.\n\n5. Click `Done` and then click `Save`.\n\n**From Google Cloud CLI**\n\n6. Describe the instance properties:\n```\ngcloud compute instances describe --zone=\n```\n\n7. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n```\nnetworkInterfaces:\n- accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n```\n\n8. Delete the access config. 
\n```\ngcloud compute instances delete-access-config --zone= --access-config-name \n```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`.\nThe name of your access config might be different.\n\n**Prevention:**\nYou can configure the `Define allowed external IPs for VM instances` Organization Policy to prevent VMs from being configured with public IP addresses.\nLearn more at: [https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess](https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess)", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.9", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.9", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_9" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json b/packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json new file mode 100644 index 00000000000..0a405c84bee --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/4b11956d-7985-524e-900e-20405e2baaca.json 
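Review bot: The audit's exception paragraph does not say whether the automated `cis_4_9` evaluation applies the GKE exclusion it describes, so an operator seeing `gke-` nodes flagged cannot tell if that is expected; one sentence stating whether instances labelled `goog-gke-node` are skipped by the rule or must be triaged manually would settle it. The paragraph also states the exclusion twice (`Instances created by GKE should be excluded because ...` followed by `Instances created by GKE should be excluded.`), and the second sentence can go. Remediation step 2 reads `go the the`.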
@@ -0,0 +1,38 @@ +{ + "id": "4b11956d-7985-524e-900e-20405e2baaca", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Deleting an API key will break dependent applications (if any).", + "default_value": "", + "references": "1. https://cloud.google.com/docs/authentication/api-keys\n2. https://cloud.google.com/sdk/gcloud/reference/services/api-keys/list\n3. https://cloud.google.com/docs/authentication\n4. https://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/delete", + "id": "4b11956d-7985-524e-900e-20405e2baaca", + "name": "Ensure API Keys Only Exist for Active Services", + "profile_applicability": "* Level 2", + "description": "API Keys should only be used for services in cases where other authentication methods are unavailable.\nUnused keys with their permissions in tact may still exist within a project.\nKeys are insecure because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides.\nIt is recommended to use standard authentication flow instead.", + "rationale": "To avoid the security risk in using API keys, it is recommended to use standard authentication flow instead.\nSecurity risks involved in using API-Keys appear below:\n\n- API keys are simple encrypted strings\n\n- API keys do not identify the user or the application making the API request\n\n- API keys are typically accessible to clients, making it easy to discover and steal an API key", + "audit": "**From Console:**\n\n1. From within the Project you wish to audit Go to `APIs & Services\\Credentials`. \n\n2. In the section `API Keys`, no API key should be listed.\n\n**From Google Cloud Command Line**\n\n3. Run the following from within the project you wish to audit **`gcloud services api-keys list --filter`**.\n\n4. There should be no keys listed at the project level.", + "remediation": "**From Console:**\n\n1. Go to `APIs & Services\\Credentials` using\n\n2. 
In the section `API Keys`, to delete API Keys: Click the `Delete Bin Icon` in front of every `API Key Name`.\n\n**From Google Cloud Command Line**\n\n3. Run the following from within the project you wish to audit **`gcloud services api-keys list --filter`**\n\n4. **Pipe the results into ** \n``gcloud alpha services api-keys delete``", + "section": "Identity and Access Management", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 1.12", + "Identity and Access Management" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "1.12", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_1_12" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json b/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json index 94b1f219ff2..fa324783c1c 100644 --- a/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json +++ b/packages/cloud_security_posture/kibana/csp_rule_template/4da6e870-fed1-5822-bb2d-f6a1714bc4a8.json 
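Review bot: Remediation step 4 is incomplete: `**Pipe the results into ** ` followed by ``` ``gcloud alpha services api-keys delete`` ``` has an empty bold span, doubled backticks and a delete command with no key identifier, so the reader cannot tell what is piped into what. A concrete form such as `gcloud alpha services api-keys delete <KEY_NAME>` (placeholder constructed) run for each key returned by the list command in step 3 would close the gap. The description's `in tact` should be `intact`.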
@@ -11,7 +11,7 @@ "profile_applicability": "* Level 2", "description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you.\nThe recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources.\nIt is recommended AWS Config be enabled in all regions.", "rationale": "The AWS configuration item history captured by AWS Config enables security analysis, resource change tracking, and compliance auditing.", - "audit": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n9. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n10. 
Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object.\nWe don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam:::role/service-role/\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n11. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n12. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`", + "audit": "Process to evaluate AWS Config configuration per region\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/](https://console.aws.amazon.com/config/).\n2. On the top right of the console select target Region.\n3. If presented with Setup AWS Config - follow remediation procedure:\n4. On the Resource inventory page, Click on edit (the gear icon). The Set Up AWS Config page appears.\n5. Ensure 1 or both check-boxes under \"All Resources\" is checked.\n - Include global resources related to IAM resources - which needs to be enabled in 1 region only\n6. Ensure the correct S3 bucket has been defined.\n7. Ensure the correct SNS topic has been defined.\n8. Repeat steps 2 to 7 for each region.\n\n**From Command Line:**\n\n9. Run this command to show all AWS Config recorders and their properties:\n```\naws configservice describe-configuration-recorders\n```\n10. 
Evaluate the output to ensure that there's at least one recorder for which `recordingGroup` object includes `\"allSupported\": true` AND `\"includeGlobalResourceTypes\": true`\n\nNote: There is one more parameter \"ResourceTypes\" in recordingGroup object.\nWe don't need to check the same as whenever we set \"allSupported\": true, AWS enforces resource types to be empty (\"ResourceTypes\":[])\n\nSample Output:\n\n```\n{\n \"ConfigurationRecorders\": [\n {\n \"recordingGroup\": {\n \"allSupported\": true,\n \"resourceTypes\": [],\n \"includeGlobalResourceTypes\": true\n },\n \"roleARN\": \"arn:aws:iam:::role/service-role/\",\n \"name\": \"default\"\n }\n ]\n}\n```\n\n11. Run this command to show the status for all AWS Config recorders:\n```\naws configservice describe-configuration-recorder-status\n```\n12. In the output, find recorders with `name` key matching the recorders that met criteria in step 2. Ensure that at least one of them includes `\"recording\": true` and `\"lastStatus\": \"SUCCESS\"`", "remediation": "To implement AWS Config configuration:\n\n**From Console:**\n\n1. Select the region you want to focus on in the top right of the console\n2. Click `Services` \n3. Click `Config` \n4. Define which resources you want to record in the selected region\n5. Choose to include global resources (IAM resources)\n6. Specify an S3 bucket in the same account or in another managed AWS account\n7. Create an SNS Topic from the same AWS account or another managed AWS account\n\n**From Command Line:**\n\n8. Ensure there is an appropriate S3 bucket, SNS topic, and IAM role per the [AWS Config Service prerequisites](http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html).\n9. Run this command to set up the configuration recorder\n```\naws configservice subscribe --s3-bucket my-config-bucket --sns-topic arn:aws:sns:us-east-1:012345678912:my-config-notice --iam-role arn:aws:iam::012345678912:role/myConfigRole\n```\n10. 
Run this command to start the configuration recorder:\n```\nstart-configuration-recorder --configuration-recorder-name \n```", "section": "Logging", "version": "1.0", diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json b/packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json new file mode 100644 index 00000000000..00396183c3e --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/4eb0d962-c123-575e-8c0c-9d10a2fbe5d1.json 
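Review bot: Step 12 of the new audit text tells the reader to match recorders `that met criteria in step 2`, but the criteria (`allSupported` and `includeGlobalResourceTypes` both `true`) are stated in step 10; step 2 only selects a region. Suggest `matching the recorders that met criteria in step 10`. From the collapsed view the change in this hunk appears to be whitespace inside the sample output, which I cannot confirm.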
@@ -0,0 +1,38 @@ +{ + "id": "4eb0d962-c123-575e-8c0c-9d10a2fbe5d1", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Setting the threshold too low will might result in increased log storage size and length, making it difficult to find actual errors. Setting the threshold to 'Warning' will log messages for the most needed error messages. Higher severity levels may cause errors needed to troubleshoot to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to PANIC.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN", + "id": "4eb0d962-c123-575e-8c0c-9d10a2fbe5d1", + "name": "Ensure that the \u2018Log_min_messages\u2019 Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'", + "profile_applicability": "* Level 1", + "description": "The `log_min_messages` flag defines the minimum message severity level that is considered as an error statement.\nMessages for error statements are logged with the SQL statement.\nValid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`, `WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`.\nEach severity level includes the subsequent levels mentioned above.\nERROR is considered the best practice setting.\nChanges should only be made in accordance with the organization's logging policy.", + "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_messages` is not set to the correct value, messages may not be classified as error messages appropriately.\nAn organization will need to decide their own threshold for logging `log_min_messages` flag.\n\nThis recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page.\n3. Go to the `Configuration` card.\n4. Under `Database flags`, check the value of `log_min_messages` flag is in accordance with the organization's logging policy.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify that the value of `log_min_messages` is in accordance with the organization's logging policy.\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"log_min_messages\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click `Save` to save the changes.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_min_messages=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.5", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json b/packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json new file mode 100644 index 00000000000..13cad00cbf0 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/5d7e7fce-64fb-5b7b-beeb-920496c2e333.json 
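Review bot: The template contradicts itself on the target value: the `name` asks for at least `Warning`, the `impact` text calls `Warning` sufficient, but the `description` states `ERROR is considered the best practice setting.`, so a reader cannot tell which value satisfies the rule. One threshold should be chosen and stated consistently in all three fields. The `impact` field also omits the flag-overwrite warning that the remediation's own note and the 5d7e7fce template's `impact` carry for `gcloud sql instances patch --database-flags`; adding `Setting flags via the CLI resets any omitted flags to their defaults.` there keeps the two templates consistent. `will might result` and `PosgreSQL` are typos.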
@@ -0,0 +1,38 @@ +{ + "id": "5d7e7fce-64fb-5b7b-beeb-920496c2e333", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n3. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119", + "id": "5d7e7fce-64fb-5b7b-beeb-920496c2e333", + "name": "Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value", + "profile_applicability": "* Level 1", + "description": "It is recommended to check the `user connections` for a Cloud SQL SQL Server instance to ensure that it is not artificially limiting connections.", + "rationale": "The `user connections` option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server.\nThe actual number of user connections allowed also depends on the version of SQL Server that you are using, and also the limits of your application or applications and hardware.\nSQL Server allows a maximum of 32,767 user connections.\nBecause user connections is by default a self-configuring value, with SQL Server adjusting the maximum number of user connections automatically as needed, up to the maximum value allowable.\nFor example, if only 10 users are logged in, 10 user connection objects are allocated.\nIn most cases, you do not have to change the value for this option.\nThe default is 0, which means that the maximum (32,767) user connections are 
allowed.\nHowever if there is a number defined here that limits connections, SQL Server will not allow anymore above this limit.\nIf the connections are at the limit, any new requests will be dropped, potentially causing lost data or outages for those using the database.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `user connections` listed under the `Database flags` section is 0.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns a value of 0, for every Cloud SQL SQL Server database instance.\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"user connections\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `user connections` from the drop-down menu, and set its value to your organization recommended value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `user connections` database flag for every Cloud SQL SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"user connections=[0-32,767]\"\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.3", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json b/packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json new file mode 100644 index 00000000000..5cccd8751d2 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f.json 
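Review bot: The remediation command `gcloud sql instances patch --database-flags "user connections=[0-32,767]"` is not safe to paste: `--database-flags` takes a comma-separated list of KEY=VALUE pairs, so the literal `32,767` would be split into a second malformed entry, and the range notation is not a value at all. Since the audit requires the value `0`, the example should show that value, e.g. `--database-flags "user connections=0"`, with the allowed range described in prose. Console step 2's `enable to database flag` should read `enable the database flag`.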
@@ -0,0 +1,38 @@ +{ + "id": "5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Changing flags on a database may cause it to be restarted. The best time to do this is at a time where there is low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n3. https://github.com/ktaranov/sqlserver-kit/blob/master/SQL%20Server%20Trace%20Flag.md", + "id": "5de29f7b-ba03-5c77-81d9-7ea65ebd6a0f", + "name": "Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'", + "profile_applicability": "* Level 1", + "description": "It is recommended to set `3625 (trace flag)` database flag for Cloud SQL SQL Server instance to `on`.", + "rationale": "Microsoft SQL Trace Flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload.\nAll documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed.\n`3625(trace log)` Limits the amount of information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'.\nSetting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information, hence this is recommended to set this flag globally to on to prevent the flag having been left off, or changed by bad actors.\nThis recommendation is applicable to SQL Server database instances.", + "audit": "**From Google Cloud Console**\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `3625` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `on` for every Cloud SQL SQL Server database instance\n\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"3625\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `3625` from the drop-down menu, and set its value to `on`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `3625` database flag for every Cloud SQL SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=on\"\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.6", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json b/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json index 5c3f94bdcdd..c37e4bdb544 100644 --- a/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json +++ b/packages/cloud_security_posture/kibana/csp_rule_template/5ee69b99-8f70-5daf-b784-866131aca3ba.json 
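Review bot: Console audit step 3 only checks that flag `3625` is listed under `Database flags`, not that its value is `on`, while the CLI step requires `on`; a flag explicitly set to `off` would pass the console check. Suggest `Ensure the database flag 3625 listed under the Database flags section is set to on.` The rationale refers to the flag as `3625(trace log)` while the name uses `3625 (trace flag)`, and the trailing `Note :` block is fenced in the 5d7e7fce template but not here.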
@@ -12,7 +12,7 @@ "description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services.\nCreate an IAM Role to allow authorized users to manage incidents with AWS Support.", "rationale": "By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.", "audit": "**From Command Line:**\n\n1. List IAM policies, filter for the 'AWSSupportAccess' managed policy, and note the \"Arn\" element value:\n```\naws iam list-policies --query \"Policies[?PolicyName == 'AWSSupportAccess']\"\n```\n2. Check if the 'AWSSupportAccess' policy is attached to any role:\n\n```\naws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess\n```\n\n3. In Output, Ensure `PolicyRoles` does not return empty. 'Example: Example: PolicyRoles: [ ]'\n\nIf it returns empty refer to the remediation below.", - "remediation": "**From Command Line:**\n\n1. Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name \n```", + "remediation": "**From Command Line:**\n\n1. 
Create an IAM role for managing incidents with AWS:\n - Create a trust relationship policy document that allows to manage AWS incidents, and save it locally as /tmp/TrustPolicy.json:\n```\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}\n```\n2. Create the IAM role using the above trust policy:\n```\naws iam create-role --role-name --assume-role-policy-document file:///tmp/TrustPolicy.json\n```\n3. Attach 'AWSSupportAccess' managed policy to the created IAM role:\n```\naws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSupportAccess --role-name \n```", "section": "Identity and Access Management", "version": "1.0", "tags": [ diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json b/packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json new file mode 100644 index 00000000000..c64c8c7f3dd --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/64d37675-473f-5edc-882e-5b8b85b789c3.json 
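Review bot: The re-added remediation still shows the trust policy with an empty principal, `"AWS": ""`, which IAM will most likely reject as malformed and which gives no hint of what belongs there, so a reader may widen the principal rather than scope it. A labelled placeholder such as `"AWS": "<IAM_USER_OR_ROLE_ARN>"` (placeholder constructed) restores the intent that only a specific identity can assume the support role. `--role-name ` in steps 2 and 3 is likewise missing its placeholder.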
@@ -0,0 +1,38 @@ +{ + "id": "64d37675-473f-5edc-882e-5b8b85b789c3", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "After enforcing SSL connection, existing client will not be able to communicate with SQL server unless configured with appropriate client-certificates to communicate to SQL database instance.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/configure-ssl-instance/", + "id": "64d37675-473f-5edc-882e-5b8b85b789c3", + "name": "Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL", + "profile_applicability": "* Level 1", + "description": "It is recommended to enforce all incoming connections to SQL database instance to use SSL.", + "rationale": "SQL database connections if successfully trapped (MITM); can reveal sensitive data like credentials, database queries, query outputs etc.\nFor security, it is recommended to always use SSL encryption when connecting to your instance.\nThis recommendation is applicable for Postgresql, MySql generation 1, MySql generation 2 and SQL Server 2017 instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n\n2. Click on an instance name to see its configuration overview.\n\n3. In the left-side panel, select `Connections`.\n\n4. In the `SSL connections` section, ensure that `Only secured connections are allowed to connect to this instance.`.\n\n**From Google Cloud CLI**\n\n5. Get the detailed configuration for every SQL database instance using the following command:\n\n```\ngcloud sql instances list --format=json\n```\n\nEnsure that section `settings: ipConfiguration` has the parameter `requireSsl` set to `true`.", + "remediation": "**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n\n2. 
Click on an instance name to see its configuration overview.\n\n3. In the left-side panel, select `Connections`.\n\n4. In the `SSL connections` section, click `Allow only SSL connections`.\n\n5. Under `Configure SSL server certificates` click `Create new certificate`.\n\n6. Under `Configure SSL client certificates` click `Create a client certificate`. \n\n7. Follow the instructions shown to learn how to connect to your instance. \n\n**From Google Cloud CLI**\n\nTo enforce SSL encryption for an instance run the command:\n\n```\ngcloud sql instances patch --require-ssl\n```\n\nNote:\n`RESTART` is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) to get this configuration in effect.", + "section": "Cloud SQL Database Services", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.4", + "Cloud SQL Database Services" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json b/packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json new file mode 100644 index 00000000000..dddb156f11c --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/67909c46-649c-52c1-a464-b3e81615d938.json 
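Review bot: The CLI remediation `gcloud sql instances patch --require-ssl` has no instance argument, which looks like a stripped `<INSTANCE_NAME>`-style placeholder rather than an intentional omission; it should read `gcloud sql instances patch <INSTANCE_NAME> --require-ssl`. The same gap shows up across this patch: 67909c46 (`gcloud dataproc clusters describe --region=us-central1` with no cluster name, `gcloud config set project "` left dangling, `serviceAccount:service-@compute-system…` missing the project number), 68cfd04b (`--project= \`, `--network=projects//global/networks/`, and two "this will be" sentences that end in nothing), and 756e1a54/7e584486/84862c2c (an empty metric name between backticks and in `logging.googleapis.com/user/`). It also affects the modified AWS template earlier in the patch, where the trust policy's `"AWS": ""` principal and the bare `--role-name` have lost their values; that one most needs restoring as a specific account or role ARN placeholder, since an empty principal is invalid and the least-privilege intent in that rule's rationale is carried only by what goes there. If the pipeline that produced these bodies treats `<…>` as markup, escaping the placeholders is presumably the fix; either way a pass over every template here is warranted before release.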
@@ -0,0 +1,38 @@ +{ + "id": "67909c46-649c-52c1-a464-b3e81615d938", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Using Customer Managed Keys involves additional overhead in maintenance by administrators.", + "default_value": "", + "references": "1. https://cloud.google.com/docs/security/encryption/default-encryption", + "id": "67909c46-649c-52c1-a464-b3e81615d938", + "name": "Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key", + "profile_applicability": "* Level 2", + "description": "When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket.\nThis PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK).\nThe CMEK feature allows you to create, use, and revoke the key encryption key (KEK).\nGoogle still controls the data encryption key (DEK).", + "rationale": "\"Cloud services offer the ability to protect data related to those services using encryption keys managed by the customer within Cloud KMS.\nThese encryption keys are called customer-managed encryption keys (CMEK).\nWhen you protect data in Google Cloud services with CMEK, the CMEK key is within your control.", + "audit": "**From Google Cloud Console**\n\n1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.\n2. Select the project from the project dropdown list.\n3. On the `Dataproc Clusters` page, select the cluster and click on the Name attribute value that you want to examine.\n4. On the `details` page, select the `Configurations` tab.\n5. On the `Configurations` tab, check the `Encryption type` configuration attribute value. 
If the value is set to `Google-managed key`, then Dataproc Cluster is not encrypted with Customer managed encryption keys.\n\nRepeat step no.\n3 - 5 for other Dataproc Clusters available in the selected project.\n\n6. Change the project from the project dropdown list and repeat the audit procedure for other projects.\n\n**From Google Cloud CLI**\n\n7. Run clusters list command to list all the Dataproc Clusters available in the region:\n```\ngcloud dataproc clusters list --region='us-central1'\n```\n8. Run clusters describe command to get the key details of the selected cluster:\n```\ngcloud dataproc clusters describe --region=us-central1 --flatten=config.encryptionConfig.gcePdKmsKeyName\n```\n9. If the above command output return \"null\", then the selected cluster is not encrypted with Customer managed encryption keys.\n10. Repeat step no. 2 and 3 for other Dataproc Clusters available in the selected region. Change the region by updating --region and repeat step no. 2 for other clusters available in the project. Change the project by running the below command and repeat the audit procedure for other Dataproc clusters available in other projects:\n```\ngcloud config set project \"\n```", + "remediation": "**From Google Cloud Console**\n\n1. Login to the GCP Console and navigate to the Dataproc Cluster page by visiting https://console.cloud.google.com/dataproc/clusters.\n2. Select the project from the projects dropdown list.\n3. On the `Dataproc Cluster` page, click on the `Create Cluster` to create a new cluster with Customer managed encryption keys.\n4. 
On `Create a cluster` page, perform below steps:\n - Inside `Set up cluster` section perform below steps:\n -In the `Name` textbox, provide a name for your cluster.\n - From `Location` select the location in which you want to deploy a cluster.\n - Configure other configurations as per your requirements.\n - Inside `Configure Nodes` and `Customize cluster` section configure the settings as per your requirements.\n - Inside `Manage security` section, perform below steps:\n - From `Encryption`, select `Customer-managed key`.\n - Select a customer-managed key from dropdown list.\n - Ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account (\"serviceAccount:service-@compute-system.iam.gserviceaccount.com\").\n - Click on `Create` to create a cluster.\n - Once the cluster is created migrate all your workloads from the older cluster to the new cluster and delete the old cluster by performing the below steps:\n - On the `Clusters` page, select the old cluster and click on `Delete cluster`.\n - On the `Confirm deletion` window, click on `Confirm` to delete the cluster.\n - Repeat step above for other Dataproc clusters available in the selected project.\n - Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n**From Google Cloud CLI**\n\nBefore creating cluster ensure that the selected KMS Key have Cloud KMS CryptoKey Encrypter/Decrypter role assign to Dataproc Cluster service account (\"serviceAccount:service-@compute-system.iam.gserviceaccount.com\").\nRun clusters create command to create new cluster with customer-managed key:\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\nThe above command will create a new cluster in the selected region.\n\nOnce the cluster is created migrate all your workloads from the older cluster to the new cluster and Run clusters delete command to 
delete cluster:\n```\ngcloud dataproc clusters delete --region=us-central1\n```\nRepeat step no.\n1 to create a new Dataproc cluster.\nChange the project by running the below command and repeat the remediation procedure for other projects:\n```\ngcloud config set project \"\n```", + "section": "Identity and Access Management", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 1.17", + "Identity and Access Management" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "1.17", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_1_17" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json b/packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json new file mode 100644 index 00000000000..55e1baec0f1 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/68cfd04b-fc79-5877-8638-af3aa82d92db.json 
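Review bot: The `rationale` value begins with a stray escaped quote (`"rationale": "\"Cloud services offer…`) that has no closing counterpart, so the rendered text opens with a literal `"`; drop the `\"` so it reads `"rationale": "Cloud services offer the ability…`. Separately, audit step 10 says `Repeat step no. 2 and 3` and the CLI remediation ends with `Repeat step no.\n1 to create a new Dataproc cluster`, but the CLI audit steps are numbered 7–10 here and the CLI remediation has no numbered steps at all, so both cross-references point at the console procedure; pointing them at the `clusters describe` step (8) and the `clusters create` command respectively would make the CLI path self-contained. The `Repeat step no.\n3 - 5` break in the audit puts a newline in the middle of a sentence for the same reason.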
@@ -0,0 +1,38 @@ +{ + "id": "68cfd04b-fc79-5877-8638-af3aa82d92db", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "If you set a database IP to private, only host from the same network will have the ability to connect your database.\n\nConfiguring an existing Cloud SQL instance to use private IP causes the instance to restart.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/configure-private-ip\n2. https://cloud.google.com/vpc/docs/configure-private-services-access#procedure\n3. https://cloud.google.com/vpc/docs/configure-private-services-access#creating-connection", + "id": "68cfd04b-fc79-5877-8638-af3aa82d92db", + "name": "Ensure Instance IP assignment is set to private", + "profile_applicability": "* Level 1", + "description": "Instance addresses can be public IP or private IP.\nPublic IP means that the instance is accessible through the public internet.\nIn contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).\n\nLimiting network access to your database will limit potential attacks.", + "rationale": "Setting databases access only to private will reduce attack surface.", + "audit": "**From Google Cloud Console**\n\n1. In the Google Cloud console, go to the `Cloud SQL Instances` page.\n2. Open the `Overview page` of an instance by clicking the instance name.\n3. Look for a field labeled `Private IP address` This field will only show if the Private IP option is checked. The IP listed should be in the private IP space.\n\n**From Google Cloud CLI**\n4. List cloud SQL instances\n```\ngcloud sql instances list --format=\"json\" | jq '.[] | .connectionName,.ipAddresses'\n```\nEach instance listed should have a `type` of `PRIVATE`.\n\n5. 
If you want to view a specific instance, note the (s) listed and run the following.\n```\ngcloud sql instances describe --format=\"json\" | jq '.ipAddresses'\n```\n`Type` should be `\"PRIVATE\"`\n```\n {\n \"ipAddress\": \"10.21.0.2\",\n \"type\": \"PRIVATE\"\n}\n```", + "remediation": "**From Google Cloud Console**\n\n1. In the Google Cloud console, go to the `Cloud SQL Instances` page.\n2. Open the `Overview page` of an instance by clicking the instance name.\n3. Select `Connections` from the SQL navigation menu.\n4. Check the `Private IP` checkbox. A drop-down list shows the available networks in your project.\n5. Select the VPC network you want to use:\n If you see `Private service connection required`:\n 1.\nClick `Set up connection`.\n 1.\nIn the `Allocate an IP range` section, choose one of the following options:\n - Select one or more existing IP ranges or create a new one from the dropdown.\nThe dropdown includes previously allocated ranges, if there are any, or you can select Allocate a new IP range and enter a new range and name.\n - Use an automatically allocated IP range in your network.\n Note: You can specify an address range only for a primary instance, not for a read replica or clone.\n 3.\nClick Continue.\n 1.\nClick Create connection.\n 1.\nVerify that you see the Private service connection for network VPC_NETWORK_NAME has been successfully created status.\n6. [Optional step for Private Services Access - review reference links to VPC documents for additional detail] If you want to allow other Google Cloud services such as BigQuery to access data in Cloud SQL and make queries against this data over a private IP connection, then select the Private path for Google Cloud services check box.\n7. Click Save\n\n**From Google Cloud CLI**\n\n8. 
List cloud SQL instances\n```\ngcloud sql instances list --format=\"json\" | jq '.[] | .connectionName,.ipAddresses'\n```\nNote the `project name` of the instance you want to set to a private IP, this will be \n\nNote the `instance name` of the instance you want to set to a private IP, this will be \n\nExample public instance output:\n\n```\n\"my-project-123456:us-central1:my-instance\"\n[\n {\n \"ipAddress\": \"0.0.0.0\",\n \"type\": \"PRIMARY\"\n },\n {\n \"ipAddress\": \"0.0.0.0\",\n \"type\": \"OUTGOING\"\n }\n```\n\n9. run the following command to list the available VPCs \n```\ngcloud compute networks list --format=\"json\" | jq '.[].name'\n```\nNote the name of the VPC to use for the instance private IP, this will be \n\n10. run the following to set instance to a private IP\n```\ngcloud beta sql instances patch \\\n--project= \\\n--network=projects//global/networks/ \\\n--no-assign-ip\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.9", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.9", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_9" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json b/packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json new file mode 100644 index 00000000000..6f179b36b50 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/68f9d23f-882f-55d1-86c6-711413c31129.json 
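Review bot: The sub-steps under remediation step 5 are numbered `1.`, `1.`, `3.`, `1.`, `1.`, each followed by `\n` before its text (`1.\nClick \`Set up connection\`.`), so the rendered procedure reads as five restarted lists with a lone step 3; numbering them consecutively, for instance `5a. Click Set up connection` through `5e. Verify that you see the Private service connection…`, and keeping each number on the same line as its text would fix it. In the CLI section, the two `Note the … of the instance you want to set to a private IP, this will be` sentences end in nothing because the value they named is gone, which leaves step 10's `--project=` and `--network=projects//global/networks/` with no stated source for their arguments. The `0.0.0.0` addresses in the example output are fine as obviously dummy values.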
@@ -0,0 +1,38 @@ +{ + "id": "68f9d23f-882f-55d1-86c6-711413c31129", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n3. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337", + "id": "68f9d23f-882f-55d1-86c6-711413c31129", + "name": "Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'", + "profile_applicability": "* Level 1", + "description": "It is recommended to set `remote access` database flag for Cloud SQL SQL Server instance to `off`.", + "rationale": "The `remote access` option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running.\nThis default value for this option is 1.\nThis grants permission to run local stored procedures from remote servers or remote stored procedures from the local server.\nTo prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled.\nThe Remote Access option controls the execution of local stored procedures on remote servers or remote stored procedures on local server.\n'Remote access' functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, hence this should be disabled.\nThis recommendation is applicable to SQL Server database instances.", + 
"audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `remote access` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"remote access\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `remote access` database flag for every Cloud SQL SQL Server database instance using the below command\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.5", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json b/packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json new file mode 100644 index 00000000000..cefc00d3e53 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/756e1a54-b2ce-56b9-a13f-17f652d7767c.json 
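Review bot: The CLI audit command `gcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name=="remote access")|.value'` does not work as written: `list` returns a JSON array, so jq's `.settings` on it errors out instead of yielding a value. Per instance it should be `jq '.[] | {name, remote_access: [.settings.databaseFlags[]? | select(.name=="remote access") | .value]}'`, which also surfaces the second problem: an instance with the flag unset produces no output from the current filter, yet the rationale states the default value is 1 (on), so silence must be read as non-compliant rather than as a pass. The console audit step 3 only checks that the flag `is listed`; it should also state that its value must be `off`, as step 4 does for the CLI.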
@@ -0,0 +1,38 @@ +{ + "id": "756e1a54-b2ce-56b9-a13f-17f652d7767c", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy", + "id": "756e1a54-b2ce-56b9-a13f-17f652d7767c", + "name": "Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes", + "profile_applicability": "* Level 1", + "description": "Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the questions of, \"who did what, where, and when?\" within GCP projects.\n\nCloud audit logging records information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services.\nCloud audit logging provides a history of GCP API calls for an account, including API calls made via the console, SDKs, command-line tools, and other GCP services.", + "rationale": "Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing.\n\nConfiguring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time.", + "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. 
Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure that at least one metric `` is present with the filter text:\n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than zero(0) seconds`, means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud beta logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. 
Ensure that the output contains at least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n```\nprotoPayload.methodName=\"SetIamPolicy\" AND\nprotoPayload.serviceData.policyDelta.auditConfigDeltas:*\n```\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This will ensure that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create a prescribed Alert Policy:** \n\n7. Identify the new metric the user just created, under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page opens.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate a prescribed Log Metric:\n- Use the command: gcloud beta logging metrics create \n- Reference for command usage: [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create)\nCreate prescribed Alert Policy \n- Use the command: gcloud alpha monitoring policies create\n- Reference for command usage: [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.5", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json b/packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json new file mode 100644 index 00000000000..84a61616e70 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/7e584486-4d0f-5edb-8a64-7ee0b59333b8.json 
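Review bot: In the CLI remediation the first reference link has a `\n` inside the link text (`[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n](…)`), which breaks the markdown link in anything that renders these strings; move the newline after the closing `)`. Audit step 4 and remediation step 9 describe the alert as firing `for any new owner change` / `for every owner change in the project`, wording that reads as carried over from the project-ownership rule; this template covers audit configuration changes, so those phrases should say `for any audit configuration change`. The same copied wording appears in 7e584486 (`any new owner change` for VPC network changes) and 84862c2c (for SQL instance configuration changes). These strings are what an analyst reads when triaging the finding, so a mis-described trigger is worth fixing before release.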
@@ -0,0 +1,38 @@ +{ + "id": "7e584486-4d0f-5edb-8a64-7ee0b59333b8", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/vpc/docs/overview", + "id": "7e584486-4d0f-5edb-8a64-7ee0b59333b8", + "name": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes", + "profile_applicability": "* Level 2", + "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.", + "rationale": "It is possible to have more than one VPC within a project.\nIn addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.\n\n\nMonitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.", + "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. 
In the `User-defined Metrics` section, ensure at least one metric `` is present with filter text:\n\n```\nresource.type=\"gce_network\" \nAND (protoPayload.methodName:\"compute.networks.insert\" \nOR protoPayload.methodName:\"compute.networks.patch\" \nOR protoPayload.methodName:\"compute.networks.delete\" \nOR protoPayload.methodName:\"compute.networks.removePeering\" \nOR protoPayload.methodName:\"compute.networks.addPeering\")\n```\n\n**Ensure the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than 0 seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that appropriate notification channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure the log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with filter set to: \n```\nresource.type=\"gce_network\" \nAND protoPayload.methodName=\"beta.compute.networks.insert\" \nOR protoPayload.methodName=\"beta.compute.networks.patch\" \nOR protoPayload.methodName=\"v1.compute.networks.delete\" \nOR protoPayload.methodName=\"v1.compute.networks.removePeering\" \nOR protoPayload.methodName=\"v1.compute.networks.addPeering\"\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure the prescribed alerting policy is present:**\n\n9. 
List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains at least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\nresource.type=\"gce_network\" \nAND (protoPayload.methodName:\"compute.networks.insert\" \nOR protoPayload.methodName:\"compute.networks.patch\" \nOR protoPayload.methodName:\"compute.networks.delete\" \nOR protoPayload.methodName:\"compute.networks.removePeering\" \nOR protoPayload.methodName:\"compute.networks.addPeering\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed alert policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. 
For example, a threshold of 0 for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notification channels in the section `Notifications`.\n\n11. Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.9", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.9", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_9" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json b/packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json new file mode 100644 index 00000000000..f34d1b59030 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/84862c2c-4aba-5458-9c5f-12855091617b.json 
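Review bot: The log filter in CLI audit step 7 (`protoPayload.methodName="beta.compute.networks.insert"` with exact `=` matches, `beta.`/`v1.` version prefixes, and no parentheses around the `OR` chain) differs from the filter that console audit step 2 and remediation step 3 use, namely `protoPayload.methodName:"compute.networks.insert"` substring matches inside parentheses. A metric created as the remediation describes will therefore not match step 7's text, and without the parentheses the grouping of `AND` and `OR` depends on the query language's precedence rules, so the parenthesized `:` form is the safer one to carry in both places; replacing step 7's filter with the one from step 2 would make the audit consistent with its own remediation.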
@@ -0,0 +1,38 @@ +{ + "id": "84862c2c-4aba-5458-9c5f-12855091617b", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/storage/docs/overview\n6. https://cloud.google.com/sql/docs/\n7. https://cloud.google.com/sql/docs/mysql/\n8. https://cloud.google.com/sql/docs/postgres/", + "id": "84862c2c-4aba-5458-9c5f-12855091617b", + "name": "Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes", + "profile_applicability": "* Level 2", + "description": "It is recommended that a metric filter and alarm be established for SQL instance configuration changes.", + "rationale": "Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.\n\n\nBelow are a few of the configurable options which may the impact security posture of an SQL instance:\n\n- Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability \n\n- Authorize networks: Misconfiguration may increase exposure to untrusted networks", + "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. For each project that contains Cloud SQL instances, go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. 
In the `User-defined Metrics` section, ensure that at least one metric `` is present with the filter text:\n\n```\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of zero(0) for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to \n```\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains at least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed Log Metric:**\n\n1. 
Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\nprotoPayload.methodName=\"cloudsql.instances.update\"\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed alert policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notification channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed log metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create\n- Reference for command usage: [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.11", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.11", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_11" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json b/packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json new file mode 100644 index 00000000000..e117a121b70 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/873e6387-218d-587a-8fa1-3d65f4a77802.json 
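Review bot: The angle-bracketed placeholders from the CIS source text have been stripped out of this template, leaving empty backticks in audit step 2 (`at least one metric `` is present`), an unfinished metric type in step 8 and step 10 (`logging.googleapis.com/user/`), and a CLI remediation with no arguments (`gcloud logging metrics create `). The same loss shows up in 873e6387 (L90), 89cc8ff0 (L93), 8c36c21b (L98), 8f2644ed (L101) and 9126cd85 (L103), and apparently in the 2.9 template above, whose hunk starts before this chunk. Restoring plain placeholders makes the steps usable as written, e.g. `gcloud logging metrics create METRIC_NAME --description="SQL instance configuration changes" --log-filter='protoPayload.methodName="cloudsql.instances.update"'` for the CLI step and `logging.googleapis.com/user/METRIC_NAME` for the metric type. Separately, audit step 4 and remediation step 9 still say the alert fires for `any new owner change` / `every owner change`, wording carried over from the IAM ownership rule; for this rule it should read `any SQL instance configuration change`, and the same carried-over wording appears in 873e6387.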
@@ -0,0 +1,38 @@ +{ + "id": "873e6387-218d-587a-8fa1-3d65f4a77802", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/storage/docs/access-control/iam\n6. https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n7. https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create", + "id": "873e6387-218d-587a-8fa1-3d65f4a77802", + "name": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes", + "profile_applicability": "* Level 2", + "description": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.", + "rationale": "Google Cloud Platform (GCP) routes define the paths network traffic takes from a VM instance to another destination.\nThe other destination can be inside the organization VPC network (such as another VM) or outside of it.\nEvery route consists of a destination and a next hop.\nTraffic whose destination IP is within the destination range is sent to the next hop for delivery.\n\n\nMonitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.", + "audit": "**From Google Cloud Console**\n\n**Ensure that the prescribed Log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. 
In the `User-defined Metrics` section, ensure that at least one metric `` is present with the filter text:\n\n```\nresource.type=\"gce_route\" \nAND (protoPayload.methodName:\"compute.routes.delete\" \nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n**Ensure the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting: [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alert thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notification channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n\n```\nresource.type=\"gce_route\" \nAND (protoPayload.methodName:\"compute.routes.delete\" \nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed Log Metric:**\n\n1. 
Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`\n\n3. Clear any text and add: \n\n```\nresource.type=\"gce_route\" \nAND (protoPayload.methodName:\"compute.routes.delete\" \nOR protoPayload.methodName:\"compute.routes.insert\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed alert policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page displays.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notification channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed the alert policy: \n- Use the command: gcloud alpha monitoring policies create", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.8", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.8", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_8" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json b/packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json new file mode 100644 index 00000000000..4bf3f179901 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/89cc8ff0-be81-55f2-b1cf-d7db1e214741.json 
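Review bot: Two typos in the new text: audit step 10 reads `Ensure that the output contains an least one alert policy where:` (should be `at least one`), and the CLI remediation heading reads `Create the prescribed the alert policy:` (drop the second `the`). Reference 5, `https://cloud.google.com/storage/docs/access-control/iam`, does not appear related to VPC route changes and looks copied from another rule; worth confirming against the benchmark before it ships. Unlike the 2.11 template, the CLI remediation here gives no reference link for `gcloud alpha monitoring policies create`; adding the same `Reference for command usage:` line would keep the sibling templates consistent.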
@@ -0,0 +1,38 @@ +{ + "id": "89cc8ff0-be81-55f2-b1cf-d7db1e214741", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Setting `API restrictions` may break existing application functioning, if not done carefully.", + "default_value": "", + "references": "1. https://cloud.google.com/docs/authentication/api-keys\n2. https://cloud.google.com/apis/docs/overview", + "id": "89cc8ff0-be81-55f2-b1cf-d7db1e214741", + "name": "Ensure API Keys Are Restricted to Only APIs That Application Needs Access", + "profile_applicability": "* Level 2", + "description": "API Keys should only be used for services in cases where other authentication methods are unavailable.\nAPI keys are always at risk because they can be viewed publicly, such as from within a browser, or they can be accessed on a device where the key resides.\nIt is recommended to restrict API keys to use (call) only APIs required by an application.", + "rationale": "Security risks involved in using API-Keys are below:\n\n- API keys are simple encrypted strings\n\n- API keys do not identify the user or the application making the API request\n\n- API keys are typically accessible to clients, making it easy to discover and steal an API key\n\nIn light of these potential risks, Google recommends using the standard authentication flow instead of API-Keys.\nHowever, there are limited cases where API keys are more appropriate.\nFor example, if there is a mobile application that needs to use the Google Cloud Translation API, but doesn't otherwise need a backend server, API keys are the simplest way to authenticate to that API.\n\nIn order to reduce attack surfaces by providing `least privileges`, API-Keys can be restricted to use (call) only APIs required by an application.", + "audit": "**From Console:**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, Click the `API Key Name`. 
The API Key properties display on a new page.\n\n3. For every API Key, ensure the section `Key restrictions` parameter `API restrictions` is not set to `None`.\n\nOr, \n\nEnsure `API restrictions` is not set to `Google Cloud APIs`\n\n**Note:** `Google Cloud APIs` represents the API collection of all cloud services/APIs offered by Google cloud.\n\n**From Google Cloud CLI**\n\n4. List all API Keys.\n```\ngcloud services api-keys list\n```\nEach key should have a line that says `restrictions:` followed by varying parameters and NOT have a line saying `- service: cloudapis.googleapis.com` as shown here\n```\n restrictions:\n apiTargets:\n - service: cloudapis.googleapis.com\n\n```", + "remediation": "**From Console:**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `API Keys`, Click the `API Key Name`. The API Key properties display on a new page.\n\n3. In the `Key restrictions` section go to `API restrictions`.\n\n4. Click the `Select API` drop-down to choose an API.\n\n5. Click `Save`.\n\n6. Repeat steps 2,3,4,5 for every unrestricted API key\n\n**Note:** Do not set `API restrictions` to `Google Cloud APIs`, as this option allows access to all services offered by Google cloud.\n\n**From Google Cloud CLI**\n\n7. List all API keys.\n```\ngcloud services api-keys list\n```\n8. Note the `UID` of the key to add restrictions to.\n9. 
Run the update command with the appropriate flags to add the required restrictions.\n```\ngcloud alpha services api-keys update \n```\nNote- Flags can be found by running\n```\ngcloud alpha services api-keys update --help\n```\nor in this documentation\nhttps://cloud.google.com/sdk/gcloud/reference/alpha/services/api-keys/update", + "section": "Identity and Access Management", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 1.14", + "Identity and Access Management" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "1.14", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_1_14" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json b/packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json new file mode 100644 index 00000000000..fcfbf84d09a --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/8a985fda-fc4c-5435-b7f0-c4d40bb1307a.json 
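Review bot: The CLI audit check in step 4 passes keys that have no API restriction at all: a key carrying only, say, browser or IP restrictions still prints a `restrictions:` line and has no `service: cloudapis.googleapis.com` entry, yet console step 3 would flag it because `API restrictions` is `None`. The text should require an `apiTargets:` entry under `restrictions:` in addition to the absence of `cloudapis.googleapis.com`, so the two audit paths agree. In the remediation, `gcloud alpha services api-keys update ` has lost its key argument and restriction flag; `gcloud alpha services api-keys update KEY_UID --api-target=service=SERVICE_NAME` (the flag is described at the linked reference) would match the `Note the UID` instruction in step 8.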
@@ -0,0 +1,38 @@ +{ + "id": "8a985fda-fc4c-5435-b7f0-c4d40bb1307a", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "When an organization deletes the default network, it may need to migrate or service onto a new network.", + "default_value": "", + "references": "1. https://cloud.google.com/compute/docs/networking#firewall_rules\n2. https://cloud.google.com/compute/docs/reference/latest/networks/insert\n3. https://cloud.google.com/compute/docs/reference/latest/networks/delete\n4. https://cloud.google.com/vpc/docs/firewall-rules-logging\n5. https://cloud.google.com/vpc/docs/vpc#default-network\n6. https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete", + "id": "8a985fda-fc4c-5435-b7f0-c4d40bb1307a", + "name": "Ensure That the Default Network Does Not Exist in a Project", + "profile_applicability": "* Level 2", + "description": "To prevent use of `default` network, a project should not have a `default` network.", + "rationale": "The `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules: \n\n- default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n- default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n- default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n- default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.\n\n\nFurthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.\n\n\nBased on organization security and networking 
requirements, the organization should create a new network and delete the `default` network.", + "audit": "**From Google Cloud Console**\n\n1. Go to the `VPC networks` page by visiting: [https://console.cloud.google.com/networking/networks/list](https://console.cloud.google.com/networking/networks/list).\n\n2. Ensure that a network with the name `default` is not present.\n\n**From Google Cloud CLI**\n\n3. Set the project name in the Google Cloud Shell:\n```\n\ngcloud config set project PROJECT_ID \n```\n4. List the networks configured in that project:\n```\ngcloud compute networks list \n```\nIt should not list `default` as one of the available networks in that project.", + "remediation": "**From Google Cloud Console**\n\n1. Go to the `VPC networks` page by visiting: [https://console.cloud.google.com/networking/networks/list](https://console.cloud.google.com/networking/networks/list).\n\n2. Click the network named `default`.\n\n3. On the network detail page, click `EDIT`.\n\n4. Click `DELETE VPC NETWORK`.\n\n5. If needed, create a new network to replace the default network.\n\n**From Google Cloud CLI**\n\nFor each Google Cloud Platform project,\n\n6. Delete the default network:\n```\ngcloud compute networks delete default\n```\n\n7. 
If needed, create a new network to replace it:\n```\ngcloud compute networks create NETWORK_NAME\n```\n\n**Prevention:**\n\nThe user can prevent the default network and its insecure default firewall rules from being created by setting up an Organization Policy to `Skip default network creation` at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation](https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation).", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.1", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.1", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_1" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json b/packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json new file mode 100644 index 00000000000..096c50fe45b --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/8c36c21b-3c8f-5a92-bc7e-62871428f4d2.json 
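Review bot: The `impact` sentence `it may need to migrate or service onto a new network` is garbled (inherited from the CIS source); `it may need to migrate a service onto a new network` reads as intended. In the audit CLI block the fenced command carries a stray blank line and trailing space (`\n\n\ngcloud config set project PROJECT_ID \n`), which renders as an empty first line in the UI. Remediation step 6 deletes the network unconditionally; as far as I recall `gcloud compute networks delete` refuses while instances or firewall rules still reference the network, so a sentence telling the reader to remove or move dependent resources first would save a confusing failure.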
@@ -0,0 +1,38 @@ +{ + "id": "8c36c21b-3c8f-5a92-bc7e-62871428f4d2", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Users already having Project-wide ssh key pairs and using third party SSH clients will lose access to the impacted Instances. For Project users using gcloud or GCP Console based SSH option, no manual key creation and distribution is required and will be handled by GCE (Google Compute Engine) itself. To access Instance using third party SSH clients Instance specific SSH key pairs need to be created and distributed to the required users.", + "default_value": "", + "references": "1. https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys\n2. https://cloud.google.com/sdk/gcloud/reference/topic/formats", + "id": "8c36c21b-3c8f-5a92-bc7e-62871428f4d2", + "name": "Ensure \u201cBlock Project-Wide SSH Keys\u201d Is Enabled for VM Instances", + "profile_applicability": "* Level 1", + "description": "It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.", + "rationale": "Project-wide SSH keys are stored in Compute/Project-meta-data.\nProject wide SSH keys can be used to login into all the instances within project.\nUsing project-wide SSH keys eases the SSH key management but if compromised, poses the security risk which can impact all the instances within project.\nIt is recommended to use Instance specific SSH keys which can limit the attack surface if the SSH keys are compromised.", + "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). It will list all the instances in your project.\n\n2. For every instance, click on the name of the instance.\n\n3. Under `SSH Keys`, ensure `Block project-wide SSH keys` is selected.\n\n**From Google Cloud CLI**\n\n4. 
List the instances in your project and get details on each instance:\n```\ngcloud compute instances list --format=json\n```\n5. Ensure `key: block-project-ssh-keys` is set to `value: 'true'`.", + "remediation": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). It will list all the instances in your project.\n\n2. Click on the name of the Impacted instance\n\n3. Click `Edit` in the toolbar\n\n4. Under SSH Keys, go to the `Block project-wide SSH keys` checkbox\n\n5. To block users with project-wide SSH keys from connecting to this instance, select `Block project-wide SSH keys`\n\n6. Click `Save` at the bottom of the page\n\n7. Repeat steps for every impacted Instance\n\n**From Google Cloud CLI**\n\nTo block project-wide public SSH keys, set the metadata value to `TRUE`:\n\n```\ngcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE\n```", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.3", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json b/packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json new file mode 100644 index 00000000000..df56a41b822 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/8f2644ed-70b5-576f-b9b9-aabea6821749.json 
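Review bot: The remediation command `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE` is missing the instance name, so it fails as written; `gcloud compute instances add-metadata INSTANCE_NAME --zone ZONE --metadata block-project-ssh-keys=TRUE` restores the stripped placeholder. In the audit, step 5 quotes the setting as `key: block-project-ssh-keys` / `value: 'true'`, which is YAML notation, while step 4 asks for `--format=json`; either show the JSON form (`"key": "block-project-ssh-keys"`, `"value": "true"`) or drop `--format=json`. Narrowing the listing with a projection such as `--format="json(name,metadata.items)"` (the same `json(...)` form the 3.5 template uses) would make the check readable on projects with many instances.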
@@ -0,0 +1,38 @@ +{ + "id": "8f2644ed-70b5-576f-b9b9-aabea6821749", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Updating flags may cause the database to restart. This may cause it to unavailable for a short amount of time, so this is best done at a time of low usage. You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15", + "id": "8f2644ed-70b5-576f-b9b9-aabea6821749", + "name": "Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'", + "profile_applicability": "* Level 1", + "description": "It is recommended to set `cross db ownership chaining` database flag for Cloud SQL SQL Server instance to `off`.", + "rationale": "Use the `cross db ownership` for chaining option to configure cross-database ownership chaining for an instance of Microsoft SQL Server.\nThis server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases.\nEnabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining and you are aware of the security implications of this setting.\nThis recommendation is applicable to SQL Server database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console.\n2. Select the instance to open its `Instance Overview` page\n3. 
Ensure the database flag `cross db ownership chaining` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance:\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"cross db ownership chaining\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `cross db ownership chaining` database flag for every Cloud SQL SQL Server database instance using the below command:\n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\nNote: \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.2", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.2", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_2" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json b/packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json new file mode 100644 index 00000000000..63aa2286410 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/9126cd85-611c-5b06-b2f2-a18338e26ae1.json 
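Review bot: The audit's jq filter `.settings.databaseFlags[]` is applied to the output of `gcloud sql instances list --format=json`, which is a JSON array, so it errors instead of returning a value; `jq '.[].settings.databaseFlags[]? | select(.name=="cross db ownership chaining") | .value'` iterates the instances and tolerates ones with no flags set. The text also says the command must return `off`, but an instance with the flag unset prints nothing, while console step 3 only checks a flag `that has been set`; state explicitly whether an absent flag is compliant (it appears to be the default) so the two audit paths agree. The remediation command has lost its instance argument: `gcloud sql instances patch INSTANCE_NAME --database-flags "cross db ownership chaining=off"`. Minor: the `impact` text reads `This may cause it to unavailable` (should be `to be unavailable`).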
@@ -0,0 +1,38 @@ +{ + "id": "9126cd85-611c-5b06-b2f2-a18338e26ae1", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options", + "id": "9126cd85-611c-5b06-b2f2-a18338e26ae1", + "name": "Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC", + "profile_applicability": "* Level 1", + "description": "NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.\n\nDNSSEC algorithm numbers in this registry may be used in CERT RRs.\nZone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\nThe algorithm used for key signing should be a recommended one and it should be strong.", + "rationale": "DNSSEC algorithm numbers in this registry may be used in CERT RRs.\nZone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\n\nThe algorithm used for key signing should be a recommended one and it should be strong.\nWhen enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the DNSSEC signing algorithms and the denial-of-existence type can be selected.\nChanging the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.\nIf the need exists to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.", + "audit": "**From Google Cloud CLI**\n\nEnsure the property algorithm for keyType zone signing is not using RSASHA1.\n\n```\ngcloud dns managed-zones describe --format=\"json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)\"\n```", + "remediation": "**From Google Cloud CLI**\n\n1. 
If the need exists to change the settings for a managed zone where it has been enabled, DNSSEC must be turned off and then re-enabled with different settings. To turn off DNSSEC, run following command:\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state off\n```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following command:\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n```\n\nSupported algorithm options and key lengths are as follows.\n\n Algorithm KSK Length ZSK Length\n --------- ---------- ----------\n RSASHA1 1024,2048 1024,2048\n RSASHA256 1024,2048 1024,2048\n RSASHA512 1024,2048 1024,2048\n ECDSAP256SHA256 256 384\n ECDSAP384SHA384 384 384", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.5", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json b/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json index 3a780a683ab..a67233f6b6c 100644 --- a/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json +++ b/packages/cloud_security_posture/kibana/csp_rule_template/91d52d43-da61-5ba2-a4d4-1018fee84559.json 
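Review bot: The audit command in this template, `gcloud dns managed-zones describe --format="json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)"`, has no zone argument, so it fails as written; the key-signing sibling in this patch (a1f327c0, CIS 3.4) passes `ZONENAME`, and the same form is needed here. The same loss of what look like angle-bracket placeholders affects the other new templates in this patch — `gcloud sql instances describe ` and `--network=` in 92077c86, `gcloud sql instances patch --database-flags ...` with no instance name in 9259a915, 92ab0102 and 936ea3f4, and `projects//logs/` in 92ab0102 — presumably a `<...>` token was dropped when the benchmark text was imported, so each command needs its INSTANCE_NAME/PROJECT_ID/VPC_NETWORK placeholder restored before a user copies it. Separately, the key-length table lists `ECDSAP256SHA256 256 384` for the ZSK while the CIS 3.4 template lists `256 256`; P-256 keys are 256 bits, so the `384` here looks like a typo.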
@@ -11,8 +11,8 @@ "profile_applicability": "* Level 1", "description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket.\nAn access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.\nIt is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.", "rationale": "By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets.\nConfiguring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.", - "audit": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n9. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n10. 
Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket \n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"\",\n \"TargetBucket\": \"\"\n }\n}\n```", - "remediation": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n7. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region --query trailList[*].S3BucketName\n```\n8. Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"\",\n \"TargetPrefix\": \"\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n } \n}\n```\n9. Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket --bucket-logging-status file://\n```", + "audit": "Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:\n\n**From Console:**\n\n1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home)\n2. 
In the API activity history pane on the left, click Trails\n3. In the Trails pane, note the bucket names in the S3 bucket column\n4. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n5. Under `All Buckets` click on a target S3 bucket\n6. Click on `Properties` in the top right of the console\n7. Under `Bucket:` _ `` _ click on `Logging` \n8. Ensure `Enabled` is checked.\n\n**From Command Line:**\n\n9. Get the name of the S3 bucket that CloudTrail is logging to:\n``` \naws cloudtrail describe-trails --query 'trailList[*].S3BucketName' \n```\n10. Ensure Bucket Logging is enabled:\n```\naws s3api get-bucket-logging --bucket \n```\nEnsure command does not returns empty output.\n\nSample Output for a bucket with logging enabled:\n\n```\n{\n \"LoggingEnabled\": {\n \"TargetPrefix\": \"\",\n \"TargetBucket\": \"\"\n }\n}\n```", + "remediation": "Perform the following to enable S3 bucket logging:\n\n**From Console:**\n\n1. Sign in to the AWS Management Console and open the S3 console at [https://console.aws.amazon.com/s3](https://console.aws.amazon.com/s3).\n2. Under `All Buckets` click on the target S3 bucket\n3. Click on `Properties` in the top right of the console\n4. Under `Bucket:` click on `Logging` \n5. Configure bucket logging\n - Click on the `Enabled` checkbox\n - Select Target Bucket from list\n - Enter a Target Prefix\n6. Click `Save`.\n\n**From Command Line:**\n\n7. Get the name of the S3 bucket that CloudTrail is logging to:\n```\naws cloudtrail describe-trails --region --query trailList[*].S3BucketName\n```\n8. 
Copy and add target bucket name at ``, Prefix for logfile at `` and optionally add an email address in the following template and save it as ``:\n```\n{\n \"LoggingEnabled\": {\n \"TargetBucket\": \"\",\n \"TargetPrefix\": \"\",\n \"TargetGrants\": [\n {\n \"Grantee\": {\n \"Type\": \"AmazonCustomerByEmail\",\n \"EmailAddress\": \"\"\n },\n \"Permission\": \"FULL_CONTROL\"\n }\n ]\n }\n}\n```\n9. Run the `put-bucket-logging` command with bucket name and `` as input, for more information refer at [put-bucket-logging](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-logging.html):\n```\naws s3api put-bucket-logging --bucket --bucket-logging-status file://\n```", "section": "Logging", "version": "1.0", "tags": [ diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json b/packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json new file mode 100644 index 00000000000..27dedc28495 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/92077c86-0322-5497-b94e-38ef356eadd6.json 
@@ -0,0 +1,38 @@ +{ + "id": "92077c86-0322-5497-b94e-38ef356eadd6", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Removing the public IP address on SQL instances may break some applications that relied on it for database connectivity.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/mysql/configure-private-ip\n2. https://cloud.google.com/sql/docs/mysql/private-ip\n3. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n4. https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp", + "id": "92077c86-0322-5497-b94e-38ef356eadd6", + "name": "Ensure That Cloud SQL Database Instances Do Not Have Public IPs", + "profile_applicability": "* Level 2", + "description": "It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.", + "rationale": "To lower the organization's attack surface, Cloud SQL databases should not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console: [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n\n2. Ensure that every instance has a private IP address and no public IP address configured.\n\n**From Google Cloud CLI**\n\n3. List all Cloud SQL database instances using the following command:\n\n```\ngcloud sql instances list\n```\n\n4. For every instance of type `instanceType: CLOUD_SQL_INSTANCE` with `backendType: SECOND_GEN`, get detailed configuration. Ignore instances of type `READ_REPLICA_INSTANCE` because these instances inherit their settings from the primary instance. Also, note that first generation instances cannot be configured to have a private IP address.\n\n```\ngcloud sql instances describe \n```\n\n5. 
Ensure that the setting `ipAddresses` has an IP address configured of `type: PRIVATE` and has no IP address of `type: PRIMARY`. `PRIMARY` IP addresses are public addresses. An instance can have both a private and public address at the same time. Note also that you cannot use private IP with First Generation instances.", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console: [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances)\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n**From Google Cloud CLI**\n\n6. For every instance remove its public IP and assign a private IP instead:\n```\ngcloud sql instances patch --network= --no-assign-ip\n```\n\n7. Confirm the changes using the following command::\n```\ngcloud sql instances describe \n```\n\n**Prevention:**\n\nTo prevent new SQL instances from getting configured with public IP addresses, set up a `Restrict Public IP access on Cloud SQL instances` Organization policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp](https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp).", + "section": "Cloud SQL Database Services", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.6", + "Cloud SQL Database Services" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
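Review bot: Remediation step 7 reads `Confirm the changes using the following command::` with a doubled colon; this is user-facing text rendered in the rule template and should be `command:`. Audit step 5 already states that an instance can hold a private and a public address at the same time, so it would be clearer to say explicitly that any `type: PRIMARY` entry is a finding even when a `type: PRIVATE` entry is also present, which is what the current wording implies but does not say.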
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json b/packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json
new file mode 100644
index 00000000000..3e1c6fa8be5
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/9259a915-0294-54d6-b379-162ceb36e875.json
@@ -0,0 +1,38 @@ +{ + "id": "9259a915-0294-54d6-b379-162ceb36e875", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", + "id": "9259a915-0294-54d6-b379-162ceb36e875", + "name": "Ensure That the \u2018Log_disconnections\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018On\u2019", + "profile_applicability": "* Level 1", + "description": "Enabling the `log_disconnections` setting logs the end of each session, including the session duration.", + "rationale": "PostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session which can be useful in troubleshooting issues and determine any unusual activity across a time period.\nThe `log_disconnections` and `log_connections` work hand in hand and generally, the pair would be enabled/disabled together.\nThis recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to the `Configuration` card.\n4. 
Under `Database flags`, check the value of `log_disconnections` flag is configured as expected.\n\n**From Google Cloud CLI**\n\n5. Ensure the below command returns `on` for every Cloud SQL PostgreSQL database instance:\n```\ngcloud sql instances list --format=json | jq '.[].settings.databaseFlags[] | select(.name==\"log_disconnections\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_disconnections` from the drop-down menu and set the value as `on`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL database instance using the below command:\n```\ngcloud sql instances patch --database-flags log_disconnections=on\n```\n```\nNote: This command will overwrite all previously set database flags.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.3", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
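Review bot: The audit's jq filter `.[].settings.databaseFlags[]` aborts with `Cannot iterate over null` as soon as it reaches an instance that has no flags set, so instances later in the list are never inspected, and an instance where the flag is simply absent produces no output rather than a visible failure. A null-safe form such as `jq '.[] | (.settings.databaseFlags // [])[] | select(.name=="log_disconnections") | .value'` evaluates every instance. In the remediation, the `Note:` paragraph after the patch command is wrapped in a second code fence so it renders as code rather than prose, and `PosgreSQL` in step 8 should be `PostgreSQL`.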
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json b/packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json
new file mode 100644
index 00000000000..cc155ad42c3
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/92ab0102-d825-52ce-87a8-1d0b4e06166c.json
@@ -0,0 +1,38 @@ +{ + "id": "92ab0102-d825-52ce-87a8-1d0b4e06166c", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling the pgAudit extension can lead to increased data storage requirements and to ensure durability of pgAudit log records in the event of unexpected storage issues, it is recommended to enable the `Enable automatic storage increases` setting on the instance. Enabling flags via the command line will also overwrite all existing flags, so you should apply all needed flags in the CLI command. Also flags may require a restart of the server to be implemented or will break existing functionality so update your servers at a time of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n2. https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n3. https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n4. https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable", + "id": "92ab0102-d825-52ce-87a8-1d0b4e06166c", + "name": "Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging", + "profile_applicability": "* Level 1", + "description": "Ensure `cloudsql.enable_pgaudit` database flag for Cloud SQL PostgreSQL instance is set to `on` to allow for centralized logging.", + "rationale": "As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs.\nYou may have a solution already in place.\nIf you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of `cloudsql.enable_pgaudit`.\nThis flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension.\nThis extension provides detailed session and 
object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance.\nEnabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location.\nto This recommendation is applicable only to PostgreSQL database instances.", + "audit": "**Determining if the pgAudit Flag is set to 'on'**\n\n**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Overview` page.\n3. Click `Edit`.\n4. Scroll down and expand `Flags`.\n5. Ensure that `cloudsql.enable_pgaudit` flag is set to `on`.\n\n**From Google Cloud CLI**\n\nRun the command by providing ``.\nEnsure the value of the flag is `on`.\n\n``` \ngcloud sql instances describe --format=\"json\" | jq '.settings|.|.databaseFlags[]|select(.name==\"cloudsql.enable_pgaudit\")|.value' \n```\n\n**Determine if the pgAudit extension is installed**\n\n6. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n7. Via command line open the PostgreSQL shell by typing `psql`\n8. Run the following command\n\n```\nSELECT * \nFROM pg_extension;\n```\n\n9. If pgAudit is in this list. If so, it is installed.\n\n**Determine if Data Access Audit logs are enabled for your project and have sufficient privileges**\n\n10. From the homepage open the hamburger menu in the top left.\n11. Scroll down to `IAM & Admin`and hover over it.\n12. In the menu that opens up, select `Audit Logs`\n13. In the middle of the page, in the search box next to `filter` search for `Cloud Composer API`\n14. Select it, and ensure that both 'Admin Read' and 'Data Read' are checked.\n\n**Determine if logs are being sent to Logs Explorer**\n\n15. From the Google Console home page, open the hamburger menu in the top left.\n16. 
In the menu that pops open, scroll down to Logs Explorer under Operations.\n17. In the query box, paste the following and search\n```\nresource.type=\"cloudsql_database\"\nlogName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\nprotoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\"\n```\n18. If it returns any log sources, they are correctly setup.", + "remediation": "**Initialize the pgAudit flag**\n\n**From Google Cloud Console**\n\n1. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Overview` page.\n3. Click `Edit`.\n4. Scroll down and expand `Flags`.\n5. To set a flag that has not been set on the instance before, click `Add item`.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to `on`.\n7. Click `Done`.\n8. Click `Save` to update the configuration.\n9. Confirm your changes under `Flags` on the `Overview` page.\n\n**From Google Cloud CLI**\n\nRun the below command by providing `` to enable `cloudsql.enable_pgaudit` flag.\n\n```\ngcloud sql instances patch --database-flags cloudsql.enable_pgaudit=on\n```\n\nNote: `RESTART` is required to get this configuration in effect.\n\n**Creating the extension**\n\n10. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n11. If SSHing to the server in the command line open the PostgreSQL shell by typing `psql`\n12. Run the following command as a superuser.\n\n```\nCREATE EXTENSION pgaudit;\n```\n\n**Updating the previously created pgaudit.log flag for your Logging Needs**\n\n**From Console:**\n\nNote: there are multiple options here.\nThis command will enable logging for all databases on a server.\nPlease see the customizing database audit logging reference for more flag options.\n\n\n13. Go to [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n14. 
Select the instance to open its `Overview` page.\n15. Click `Edit`.\n16. Scroll down and expand `Flags`.\n17. To set a flag that has not been set on the instance before, click `Add item`.\n18. Enter `pgaudit.log=all` for the flag name and set the flag to `on`.\n19. Click `Done`.\n20. Click `Save` to update the configuration.\n21. Confirm your changes under `Flags` on the `Overview` page.\n\n**From Command Line:**\n\nRun the command\n\n```\ngcloud sql instances patch --database-flags \\\n cloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n**Determine if logs are being sent to Logs Explorer**\n\n22. From the Google Console home page, open the hamburger menu in the top left.\n23. In the menu that pops open, scroll down to Logs Explorer under Operations.\n24. In the query box, paste the following and search\n\nresource.type=\"cloudsql_database\"\nlogName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\nprotoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\"\n\n If it returns any log sources, they are correctly setup.", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.8", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.8", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_8" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json b/packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json new file mode 100644 index 00000000000..99e139636f4 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c.json 
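Review bot: Remediation step 18 tells the reader to enter `pgaudit.log=all` as the flag name and set it to `on`, which contradicts the CLI command a few lines later (`cloudsql.enable_pgaudit=on,pgaudit.log=all`): the flag name is `pgaudit.log` and its value is `all`, so the step should read `Enter pgaudit.log for the flag name and set the flag to all`. Audit steps 13–14 direct the reader to enable Data Access logs for `Cloud Composer API`, but everything else in this rule (the `cloudsql_database` resource type, the `PgAuditEntry` payload type) concerns Cloud SQL, so this looks like a copy-paste error and presumably the Cloud SQL entry on the Audit Logs page is meant — worth confirming against the benchmark text. Smaller issues: the rationale ends with the fragment `to This recommendation is applicable only to PostgreSQL database instances.`, and the Logs Explorer query in remediation step 24 has lost the code fence that its copy in audit step 17 has.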
@@ -0,0 +1,38 @@ +{ + "id": "936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "When `contained database authentication` is off (0) for the instance, contained databases cannot be created, or attached to the Database Engine. Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase.Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n3. https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15", + "id": "936ea3f4-b4bc-5f3a-a7a0-dec9bda0a48c", + "name": "Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'", + "profile_applicability": "* Level 1", + "description": "It is recommended to set `contained database authentication` database flag for Cloud SQL on the SQL Server instance to `off`.", + "rationale": "A contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed.\nUsers can connect to the database without authenticating a login at the Database Engine level.\nIsolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server.\nContained databases have some unique threats that 
should be understood and mitigated by SQL Server Database Engine administrators.\nMost of the threats are related to the USER WITH PASSWORD authentication process, which moves the authentication boundary from the Database Engine level to the database level, hence this is recommended to disable this flag.\nThis recommendation is applicable to SQL Server database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `contained database authentication` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns `off` for every Cloud SQL SQL Server database instance.\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"contained database authentication\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the `contained database authentication` database flag for every Cloud SQL SQL Server database instance using the below command:\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n```\nNote: \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.7", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json b/packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json new file mode 100644 index 00000000000..45659bb076a --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/a1f327c0-3e4b-5b55-891a-b91e720cd535.json 
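Review bot: The audit command pipes `gcloud sql instances list --format=json`, which emits a JSON array, into `jq '.settings.databaseFlags[] ...'`; jq cannot index an array with `settings`, so the check errors out instead of returning `off` for each instance. The PostgreSQL templates in this patch use `.[].settings.databaseFlags[]`, and that shape — ideally null-safe, `jq '.[] | (.settings.databaseFlags // [])[] | select(.name=="contained database authentication") | .value'` — is needed here; the `cross db ownership chaining` template earlier in this patch carries the identical defect. Audit step 3 only asks that the flag is listed under `Database flags` without stating that its value must be `off`, which the CLI step does state. As in the PostgreSQL template, the `Note:` paragraph in the remediation is wrapped in a code fence and renders as code.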
@@ -0,0 +1,38 @@ +{ + "id": "a1f327c0-3e4b-5b55-891a-b91e720cd535", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options", + "id": "a1f327c0-3e4b-5b55-891a-b91e720cd535", + "name": "Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC", + "profile_applicability": "* Level 1", + "description": "NOTE: Currently, the SHA1 algorithm has been removed from general use by Google, and, if being used, needs to be whitelisted on a project basis by Google and will also, therefore, require a Google Cloud support contract.\n\nDNSSEC algorithm numbers in this registry may be used in CERT RRs.\nZone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\nThe algorithm used for key signing should be a recommended one and it should be strong.", + "rationale": "Domain Name System Security Extensions (DNSSEC) algorithm numbers in this registry may be used in CERT RRs.\nZonesigning (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms.\n\nThe algorithm used for key signing should be a recommended one and it should be strong.\nWhen enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, the user can select the DNSSEC signing algorithms and the denial-of-existence type.\nChanging the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled.\nIf there is a need to change the settings for a managed zone where it has been enabled, turn DNSSEC off and then re-enable it with different settings.", + "audit": "**From Google Cloud CLI**\n\nEnsure the property algorithm for keyType keySigning is not using `RSASHA1`.\n\n gcloud dns managed-zones describe ZONENAME --format=\"json(dnsName,dnssecConfig.state,dnssecConfig.defaultKeySpecs)\"", + "remediation": 
"**From Google Cloud CLI**\n\n1. If it is necessary to change the settings for a managed zone where it has been enabled, NSSEC must be turned off and re-enabled with different settings. To turn off DNSSEC, run the following command:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state off\n```\n\n2. To update key-signing for a reported managed DNS Zone, run the following command:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n```\n\nSupported algorithm options and key lengths are as follows.\n\n Algorithm KSK Length ZSK Length\n --------- ---------- ----------\n RSASHA1 1024,2048 1024,2048\n RSASHA256 1024,2048 1024,2048\n RSASHA512 1024,2048 1024,2048\n ECDSAP256SHA256 256 256\n ECDSAP384SHA384 384 384", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.4", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json b/packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json new file mode 100644 index 00000000000..aa92f7cfd24 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/a7c6b368-29db-53e6-8b86-dfaddf719f59.json 
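Review bot: The remediation's supported-algorithm table in this hunk still lists `RSASHA1 1024,2048 1024,2048` as a selectable option, which contradicts the rule's own requirement that RSASHA1 not be used for the key-signing key; drop that row or mark it as the non-compliant value so an operator following the remediation does not re-select it. The same remediation text reads `NSSEC must be turned off` where `DNSSEC` is meant. The audit uses the placeholder `ZONENAME` while the remediation uses `ZONE_NAME`; pick one so the two sections can be followed together. If these templates are generated from upstream rule metadata, the fix belongs there rather than in this file.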
@@ -0,0 +1,38 @@ +{ + "id": "a7c6b368-29db-53e6-8b86-dfaddf719f59", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/storage/docs/overview\n6. https://cloud.google.com/storage/docs/access-control/iam-roles", + "id": "a7c6b368-29db-53e6-8b86-dfaddf719f59", + "name": "Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes", + "profile_applicability": "* Level 2", + "description": "It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.", + "rationale": "Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.", + "audit": "**From Google Cloud Console**\n\n**Ensure the prescribed log metric is present:**\n\n1. For each project that contains cloud storage buckets, go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure at least one metric `` is present with the filter text:\n\n```\nresource.type=\"gcs_bucket\"\nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. 
Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of 0 for greater than 0 seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to: \n```\nresource.type=gcs_bucket \nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n```\nresource.type=\"gcs_bucket\" \nAND protoPayload.methodName=\"storage.setIamPermissions\"\n```\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. 
In the `Metric Editor` menu on right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the prescribed Alert Policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the new metric and select `Create alert from Metric`. A new page appears.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud beta logging metrics create \n\nCreate the prescribed alert policy: \n- Use the command: gcloud alpha monitoring policies create", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.10", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.10", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_10" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
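Review bot: The audit text in this hunk has an empty metric-name placeholder in step 2 (`at least one metric `` is present`) and a truncated metric type in steps 8 and 10 (`logging.googleapis.com/user/`), so the alert-policy condition `metric.type="logging.googleapis.com/user/"` can never match a real metric as written; restore the placeholder, e.g. `logging.googleapis.com/user/<Log Metric Name>`. Step 4's explanation `means that the alert will trigger for any new owner change` appears to be carried over from the project-ownership rule, whereas this metric counts `storage.setIamPermissions` calls, so the described alert semantics are wrong for this rule. The CLI remediation gives `gcloud beta logging metrics create` and `gcloud alpha monitoring policies create` with no arguments, so it cannot be followed as written; step 7's filter also drops the quotes around `gcs_bucket` that step 2 uses.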
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json b/packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json new file mode 100644 index 00000000000..ea7f5e09e27 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/b0ed2847-4db1-57c3-b2b6-49b0576a2506.json 
@@ -0,0 +1,38 @@ +{ + "id": "b0ed2847-4db1-57c3-b2b6-49b0576a2506", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/mysql/flags\n2. https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database", + "id": "b0ed2847-4db1-57c3-b2b6-49b0576a2506", + "name": "Ensure \u2018Skip_show_database\u2019 Database Flag for Cloud SQL MySQL Instance Is Set to \u2018On\u2019", + "profile_applicability": "* Level 1", + "description": "It is recommended to set `skip_show_database` database flag for Cloud SQL Mysql instance to `on`", + "rationale": "'skip_show_database' database flag prevents people from using the SHOW DATABASES statement if they do not have the SHOW DATABASES privilege.\nThis can improve security if you have concerns about users being able to see databases belonging to other users.\nIts effect depends on the SHOW DATABASES privilege: If the variable value is ON, the SHOW DATABASES statement is permitted only to users who have the SHOW DATABASES privilege, and the statement displays all database names.\nIf the value is OFF, SHOW DATABASES is permitted to all users, but displays the names of only those databases for which the user has the SHOW DATABASES or other privilege.\nThis recommendation is applicable to Mysql database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `skip_show_database` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. List all Cloud SQL database Instances\n```\ngcloud sql instances list\n```\n5. 
Ensure the below command returns `on` for every Cloud SQL Mysql database instance\n```\ngcloud sql instances describe INSTANCE_NAME --format=json | jq '.settings.databaseFlags[] | select(.name==\"skip_show_database\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the Mysql instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `skip_show_database` from the drop-down menu, and set its value to `on`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. List all Cloud SQL database Instances\n```\ngcloud sql instances list\n```\n9. Configure the `skip_show_database` database flag for every Cloud SQL Mysql database instance using the below command.\n```\ngcloud sql instances patch INSTANCE_NAME --database-flags skip_show_database=on\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "MySQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.1.2", + "MySQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.1.2", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_1_2" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json b/packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json new file mode 100644 index 00000000000..ce8e8a9cbb2 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/b190337a-56a7-5906-8960-76fd05283599.json 
@@ -0,0 +1,38 @@ +{ + "id": "b190337a-56a7-5906-8960-76fd05283599", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Deleting instance(s) acting as routers/packet forwarders may break the network connectivity.", + "default_value": "", + "references": "1. https://cloud.google.com/vpc/docs/using-routes#canipforward", + "id": "b190337a-56a7-5906-8960-76fd05283599", + "name": "Ensure That IP Forwarding Is Not Enabled on Instances", + "profile_applicability": "* Level 1", + "description": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance.\nSimilarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nForwarding of data packets should be disabled to prevent data loss or information disclosure.", + "rationale": "Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance.\nSimilarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\nTo enable this source and destination IP check, disable the `canIpForward` field, which allows an instance to send and receive packets with non-matching destination or source IPs.", + "audit": "**From Google Cloud Console**\n\n1. Go to the `VM Instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). \n2. For every instance, click on its name to go to the `VM instance details` page.\n3. Under the `Network interfaces` section, ensure that `IP forwarding` is set to `Off` for every network interface.\n\n**From Google Cloud CLI**\n\n4. 
List all instances:\n```\ngcloud compute instances list --format='table(name,canIpForward)'\n```\n5. Ensure that `CAN_IP_FORWARD` column in the output of above command does not contain `True` for any VM instance.\n\n**Exception:**\nInstances created by GKE should be excluded because they need to have IP forwarding enabled and cannot be changed.\nInstances created by GKE have names that start with \"gke-\".", + "remediation": "You only edit the `canIpForward` setting at instance creation time.\nTherefore, you need to delete the instance and create a new one where `canIpForward` is set to `false`.\n\n**From Google Cloud Console**\n\n1. Go to the `VM Instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances). \n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the 'VM Instances' page, click `CREATE INSTANCE'.\n5. Create a new instance with the desired configuration. By default, the instance is configured to not allow IP forwarding.\n\n**From Google Cloud CLI**\n\n6. Delete the instance:\n```\ngcloud compute instances delete INSTANCE_NAME\n```\n\n7. Create a new instance to replace it, with `IP forwarding` set to `Off`\n```\ngcloud compute instances create\n```", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.6", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
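Review bot: The audit's exception in this hunk excludes instances purely on a `gke-` name prefix, which any instance can carry; if the rego rule applies the same exclusion, a non-GKE instance with forwarding enabled and such a name would be reported compliant, so the note should say the prefix is a heuristic and point to a GKE-managed signal (instance group or node labels) as the authoritative check. The CLI remediation's final command is the bare `gcloud compute instances create`, with no instance name and no statement of which setting governs forwarding; suggest `gcloud compute instances create INSTANCE_NAME` plus a sentence that IP forwarding stays off unless `--can-ip-forward` is passed. The opening line `You only edit the canIpForward setting at instance creation time` reads as `You can only edit ...`, and console step 4 mixes a backtick with a closing single quote around `CREATE INSTANCE`.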
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json b/packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json new file mode 100644 index 00000000000..02158c0b535 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/b64386ab-20fa-57d2-9b5b-631d64181531.json 
@@ -0,0 +1,38 @@ +{ + "id": "b64386ab-20fa-57d2-9b5b-631d64181531", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", + "id": "b64386ab-20fa-57d2-9b5b-631d64181531", + "name": "Ensure \u2018Log_error_verbosity\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018DEFAULT\u2019 or Stricter", + "profile_applicability": "* Level 2", + "description": "The `log_error_verbosity` flag controls the verbosity/details of messages logged.\nValid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to 'DEFAULT' or stricter.", + "rationale": "Auditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details may be logged.\nThis flag should be configured with a value of 'DEFAULT' or stricter.\nThis recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. 
Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Go to `Configuration` card\n4. Under `Database flags`, check the value of `log_error_verbosity` flag is set to 'DEFAULT' or stricter.\n\n**From Google Cloud CLI**\n\n5. Use the below command for every Cloud SQL PostgreSQL database instance to verify the value of `log_error_verbosity`\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"log_error_verbosity\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_error_verbosity` from the drop-down menu and set appropriate value.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. 
Configure the log_error_verbosity database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_error_verbosity=\n```\n```\nNote: This command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.1", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.1", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_1" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json b/packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json new file mode 100644 index 00000000000..c4bbf9c8932 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/b8c40039-034b-5299-8660-a7c8d34efe36.json 
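Review bot: The CLI remediation command in this hunk, `gcloud sql instances patch --database-flags log_error_verbosity=`, is missing both the instance name and the value, so it fails as written; the b0ed2847 template in this same commit shows the intended shape, `gcloud sql instances patch INSTANCE_NAME --database-flags log_error_verbosity=DEFAULT`. The instance-name omission recurs in the b8c40039 (compute stop/update/start), bac65dd0 (`patch --authorized-networks`) and be1197db (`patch --database-flags log_connections=on`) hunks below, and `PosgreSQL` is misspelt here and in be1197db. "DEFAULT or stricter" is never defined relative to the three listed values; state which of `TERSE`/`DEFAULT`/`VERBOSE` the check accepts so readers and the rego rule agree. Console step 1 gives the URL bare while the audit section links it, a minor inconsistency.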
@@ -0,0 +1,38 @@ +{ + "id": "b8c40039-034b-5299-8660-a7c8d34efe36", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n2. https://cloud.google.com/shielded-vm\n3. https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint", + "id": "b8c40039-034b-5299-8660-a7c8d34efe36", + "name": "Ensure Compute Instances Are Launched With Shielded VM Enabled", + "profile_applicability": "* Level 2", + "description": "To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.", + "rationale": "Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits.\n\n\nShielded VM offers verifiable integrity of your Compute Engine VM instances, so you can be confident your instances haven't been compromised by boot- or kernel-level malware or rootkits.\nShielded VM's verifiable integrity is achieved through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled Measured Boot, and integrity monitoring.\n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.\nThe integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by 
verifying the digital signature of all boot components, and halting the boot process if signature verification fails.", + "audit": "**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to see its `VM instance details` page.\n\n3. Under the section `Shielded VM`, ensure that `vTPM` and `Integrity Monitoring` are `on`.\n\n**From Google Cloud CLI**\n\n4. For each instance in your project, get its metadata:\n```\ngcloud compute instances list --format=json | jq -r '.\n| \"vTPM: \\(.[].shieldedInstanceConfig.enableVtpm) IntegrityMonitoring: \\(.[].shieldedInstanceConfig.enableIntegrityMonitoring) Name: \\(.[].name)\"'\n```\n\n5. Ensure that there is a `shieldedInstanceConfig` configuration and that configuration has the `enableIntegrityMonitoring` and `enableVtpm` set to `true`. If the VM is not a Shield VM image, you will not see a shieldedInstanceConfig` in the output.", + "remediation": "To be able turn on `Shielded VM` on an instance, your instance must use an image with Shielded VM support.\n\n\n**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to see its `VM instance details` page.\n\n3. Click `STOP` to stop the instance.\n\n4. When the instance has stopped, click `EDIT`.\n\n5. In the Shielded VM section, select `Turn on vTPM` and `Turn on Integrity Monitoring`.\n\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select `Turn on Secure Boot`.\n\n7. 
Click the `Save` button to modify the instance and then click `START` to restart it.\n\n**From Google Cloud CLI**\n\nYou can only enable Shielded VM options on instances that have Shielded VM support.\nFor a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n8. Stop the instance:\n```\ngcloud compute instances stop \n```\n9. Update the instance:\n\n```\ngcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring\n```\n10. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on secure boot.\n\n```\ngcloud compute instances update --shielded-vm-secure-boot\n```\n\n11. Restart the instance:\n\n```\ngcloud compute instances start \n```\n\n**Prevention:**\n\nYou can ensure that all new VMs will be created with Shielded VM enabled by setting up an Organization Policy to for `Shielded VM` at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm](https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm).\nLearn more at: \n[https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint](https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint).", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.8", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.8", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_8" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
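Review bot: The audit's jq expression in this hunk uses `.[]` three times inside one string interpolation (`"vTPM: \(.[].shieldedInstanceConfig.enableVtpm) ... Name: \(.[].name)"`), which in jq yields the cartesian product of the three generators: with N instances it prints N³ lines, pairing one instance's name with another's flags, so a reader can mis-attribute a disabled vTPM to the wrong VM. Iterate once and interpolate fields of the current element: `jq -r '.[] | "vTPM: \(.shieldedInstanceConfig.enableVtpm) IntegrityMonitoring: \(.shieldedInstanceConfig.enableIntegrityMonitoring) Name: \(.name)"'`. Step 5 also has a stray backtick in `a shieldedInstanceConfig` in the output`, and the remediation's stop/update/start commands carry no instance name.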
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json b/packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json new file mode 100644 index 00000000000..55231991664 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/bac65dd0-771b-5bfb-8e5f-3b1dc8962684.json 
@@ -0,0 +1,38 @@ +{ + "id": "bac65dd0-771b-5bfb-8e5f-3b1dc8962684", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "The Cloud SQL database instance would not be available to public IP addresses.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/mysql/configure-ip\n2. https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n3. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n4. https://cloud.google.com/sql/docs/mysql/connection-org-policy", + "id": "bac65dd0-771b-5bfb-8e5f-3b1dc8962684", + "name": "Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses", + "profile_applicability": "* Level 1", + "description": "Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses.", + "rationale": "To minimize attack surface on a Database server instance, only trusted/known and required IP(s) should be white-listed to connect to it.\n\nAn authorized network should not have IPs/networks configured to `0.0.0.0/0` which will allow access to the instance from anywhere in the world.\nNote that authorized networks apply only to instances with public IPs.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Ensure that no authorized network is configured to allow `0.0.0.0/0`.\n\n**From Google Cloud CLI**\n\n6. 
Get detailed configuration for every Cloud SQL database instance.\n\n```\ngcloud sql instances list --format=json\n```\n\nEnsure that the section `settings: ipConfiguration : authorizedNetworks` does not have any parameter `value` containing `0.0.0.0/0`.", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n**From Google Cloud CLI**\n\nUpdate the authorized network list by dropping off any addresses.\n\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n\n**Prevention:**\n\nTo prevent new SQL instances from being configured to accept incoming connections from any IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks](https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks).", + "section": "Cloud SQL Database Services", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.5", + "Cloud SQL Database Services" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
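Review bot: The CLI remediation in this hunk, `gcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...`, sets the whole authorized-network list rather than removing one entry, but the surrounding sentence `Update the authorized network list by dropping off any addresses` neither says which entry to drop nor that every CIDR that should remain must be re-supplied; suggest `Re-specify the full list of trusted CIDRs, omitting 0.0.0.0/0:`. The audit checks only the literal `0.0.0.0/0`, so the text should state whether other very broad ranges are in scope for this rule, given the title speaks of all public IP addresses. The instance name is also absent from the patch command.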
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json b/packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json new file mode 100644 index 00000000000..699a62a3e25 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/be1197db-90d0-58db-b780-f0a939264bd0.json 
@@ -0,0 +1,38 @@ +{ + "id": "be1197db-90d0-58db-b780-f0a939264bd0", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/postgres/flags\n2. https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT", + "id": "be1197db-90d0-58db-b780-f0a939264bd0", + "name": "Ensure That the \u2018Log_connections\u2019 Database Flag for Cloud SQL PostgreSQL Instance Is Set to \u2018On\u2019", + "profile_applicability": "* Level 1", + "description": "Enabling the `log_connections` setting causes each attempted connection to the server to be logged, along with successful completion of client authentication.\nThis parameter cannot be changed after the session starts.", + "rationale": "PostgreSQL does not log attempted connections by default.\nEnabling the `log_connections` setting will create log entries for each attempted connection as well as successful completion of client authentication which can be useful in troubleshooting issues and to determine any unusual connection attempts to the server.\nThis recommendation is applicable to PostgreSQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page.\n3. Go to the `Configuration` card.\n4. 
Under `Database flags`, check the value of `log_connections` flag to determine if it is configured as expected.\n\n**From Google Cloud CLI**\n\n5. Ensure the below command returns `on` for every Cloud SQL PostgreSQL database instance:\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"log_connections\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `log_connections` from the drop-down menu and set the value as `on`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. Configure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n```\ngcloud sql instances patch --database-flags log_connections=on\n```\n```\nNote: \nThis command will overwrite all previously set database flags.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "PostgreSQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.2.2", + "PostgreSQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.2.2", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_2_2" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
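Review bot: The remediation command `gcloud sql instances patch --database-flags log_connections=on` has no instance argument and fails as written; the instance-name placeholder appears to have been stripped during import (angle-bracketed tokens from the source text seem to be missing across this commit), so it should read `gcloud sql instances patch INSTANCE_NAME --database-flags log_connections=on`. The same stripping shows in c2d65e60 (`remove-metadata --keys=enable-oslogin` with no instance), d63a2fd8 (`--zone=` with no value and no instance), dbd6a799 (`patch --clear-database-flags`), e833e6a8 (`instances create --zone --confidential-compute`) and e83a8e8a (the empty code span after `at least one metric` and the bare `logging.googleapis.com/user/`). Separately, the audit pipeline `gcloud sql instances list --format=json | jq '.settings.databaseFlags[] ...'` indexes `.settings` on the JSON array that `list` returns, which jq rejects; `jq '.[].settings.databaseFlags[] | select(.name=="log_connections") | .value'` iterates the instances instead, and dbd6a799 carries the same pipeline. Remediation step 8 also has the typo `PosgreSQL`.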
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json b/packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json
new file mode 100644
index 00000000000..cef624726b5
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/c2d65e60-221b-5748-a545-579a69ad4a93.json
@@ -0,0 +1,38 @@ +{ + "id": "c2d65e60-221b-5748-a545-579a69ad4a93", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling OS Login on project disables metadata-based SSH key configurations on all instances from a project. Disabling OS Login restores SSH keys that you have configured in project or instance meta-data.", + "default_value": "", + "references": "1. https://cloud.google.com/compute/docs/instances/managing-instance-access\n2. https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n3. https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n4. https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication", + "id": "c2d65e60-221b-5748-a545-579a69ad4a93", + "name": "Ensure Oslogin Is Enabled for a Project", + "profile_applicability": "* Level 1", + "description": "Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.", + "rationale": "Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users.\nRevoking access to IAM user will revoke all the SSH keys associated with that particular user.\nIt facilitates centralized and automated SSH key pair management which is useful in handling cases like response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.", + "audit": "**From Google Cloud Console**\n\n1. Go to the VM compute metadata page by visiting [https://console.cloud.google.com/compute/metadata](https://console.cloud.google.com/compute/metadata).\n\n2. Ensure that key `enable-oslogin` is present with value set to `TRUE`. \n\n3. Because instances can override project settings, ensure that no instance has custom metadata with key `enable-oslogin` and value `FALSE`.\n\n**From Google Cloud CLI**\n\n4. List the instances in your project and get details on each instance:\n```\ngcloud compute instances list --format=json\n```\n5. 
Verify that the section `commonInstanceMetadata` has a key `enable-oslogin` set to value `TRUE`.\n**Exception:**\nVMs created by GKE should be excluded.\nThese VMs have names that start with `gke-` and are labeled `goog-gke-node`", + "remediation": "**From Google Cloud Console**\n\n1. Go to the VM compute metadata page by visiting: [https://console.cloud.google.com/compute/metadata](https://console.cloud.google.com/compute/metadata).\n\n2. Click `Edit`.\n\n3. Add a metadata entry where the key is `enable-oslogin` and the value is `TRUE`.\n\n4. Click `Save` to apply the changes.\n\n5. For every instance that overrides the project setting, go to the `VM Instances` page at [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n6. Click the name of the instance on which you want to remove the metadata value.\n7. At the top of the instance details page, click `Edit` to edit the instance settings.\n8. Under `Custom metadata`, remove any entry with key `enable-oslogin` and the value is `FALSE`\n9. At the bottom of the instance details page, click `Save` to apply your changes to the instance.\n\n**From Google Cloud CLI**\n\n10. Configure oslogin on the project:\n```\ngcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n```\n11. 
Remove instance metadata that overrides the project setting.\n```\ngcloud compute instances remove-metadata --keys=enable-oslogin\n```\n\nOptionally, you can enable two factor authentication for OS login.\nFor more information, see: [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication](https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication).", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.4", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json b/packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json new file mode 100644 index 00000000000..5acfeeacc85 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/d63a2fd8-7ba2-5589-9899-23f99fd8c846.json 
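Review bot: Audit steps 4 and 5 do not agree: step 4 lists instances with `gcloud compute instances list --format=json`, but step 5 then asks for `commonInstanceMetadata`, which is a project-level field (returned by `gcloud compute project-info describe`), not part of an instance's `metadata` block. Either step 4 should become `gcloud compute project-info describe --format=json` for the project-level check, with a separate instance-level check that no instance's `metadata.items` sets `enable-oslogin` to `FALSE`, or step 5 should point at the instance `metadata` block. The audit also documents an exception for GKE nodes (`gke-` prefix, `goog-gke-node` label), but nothing in the template says whether `cis_4_4` honours it, so a reader cannot tell whether findings on those VMs are expected; stating that in the description, or confirming it against the rule, would close the gap.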
@@ -0,0 +1,38 @@ +{ + "id": "d63a2fd8-7ba2-5589-9899-23f99fd8c846", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://cloud.google.com/compute/docs/instances/interacting-with-serial-console", + "id": "d63a2fd8-7ba2-5589-9899-23f99fd8c846", + "name": "Ensure \u2018Enable Connecting to Serial Ports\u2019 Is Not Enabled for VM Instance", + "profile_applicability": "* Level 1", + "description": "Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.\n\nIf you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.\nTherefore interactive serial console support should be disabled.", + "rationale": "A virtual machine instance has four virtual serial ports.\nInteracting with a serial port is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.\nThe instance's operating system, BIOS, and other system-level entities often write output to the serial ports, and can accept input such as commands or answers to prompts.\nTypically, these system-level entities use the first serial port (port 1) and serial port 1 is often referred to as the serial console.\n\nThe interactive serial console does not support IP-based access restrictions such as IP whitelists.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to that instance from any IP address.\nThis allows anybody to connect to that instance if they know the correct SSH key, username, project ID, zone, and instance name.\n\nTherefore interactive serial console support should be disabled.", + "audit": "**From Google Cloud CLI**\n\n1. Login to Google Cloud console\n2. Go to Computer Engine\n3. 
Go to VM instances\n4. Click on the Specific VM\n5. Ensure `Enable connecting to serial ports` below `Remote access` block is unselected.\n\n**From Google Cloud Console**\n\nEnsure the below command's output shows `null`:\n\n```\ngcloud compute instances describe --zone= --format=\"json(metadata.items[].key,metadata.items[].value)\"\n``` \n\nor `key` and `value` properties from below command's json response are equal to `serial-port-enable` and `0` or `false` respectively.\n\n```\n {\n \"metadata\": {\n \"items\": [\n {\n \"key\": \"serial-port-enable\",\n \"value\": \"0\"\n }\n ]\n }\n}\n```", + "remediation": "**From Google Cloud CLI**\n\n1. Login to Google Cloud console\n2. Go to Computer Engine\n3. Go to VM instances\n4. Click on the Specific VM\n5. Click `EDIT`\n6. Unselect `Enable connecting to serial ports` below `Remote access` block.\n7. Click `Save`\n\n**From Google Cloud Console**\n\nUse the below command to disable \n```\ngcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n```\n\nor\n\n```\ngcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n```\n\n**Prevention:**\n\nYou can prevent VMs from having serial port access enable by `Disable VM serial port access` organization policy: \n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess](https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess).", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.5", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.5", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_5" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file 
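Review bot: The `**From Google Cloud CLI**` and `**From Google Cloud Console**` headings are swapped in both the audit and remediation fields: the console-click steps (`Login to Google Cloud console` through `Click on the Specific VM`) sit under the CLI heading, while the `gcloud compute instances describe` and `add-metadata` commands sit under the Console heading; exchanging the two labels in each field fixes it. `Computer Engine` in step 2 of both fields should be `Compute Engine`. The describe and add-metadata commands also carry an empty `--zone=` and no instance argument, which looks like stripped placeholders rather than intent; `gcloud compute instances describe INSTANCE_NAME --zone=ZONE --format="json(metadata.items[].key,metadata.items[].value)"` is the runnable form.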
diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/dbd6a799-b6c3-5768-ab68-9bd6f63bbd48.json b/packages/cloud_security_posture/kibana/csp_rule_template/dbd6a799-b6c3-5768-ab68-9bd6f63bbd48.json
new file mode 100644
index 00000000000..2c020aa532e
--- /dev/null
+++ b/packages/cloud_security_posture/kibana/csp_rule_template/dbd6a799-b6c3-5768-ab68-9bd6f63bbd48.json
@@ -0,0 +1,38 @@ +{ + "id": "dbd6a799-b6c3-5768-ab68-9bd6f63bbd48", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Setting custom flags via command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flags changes during a period of low usage.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/sqlserver/flags\n2. https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n3. https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335", + "id": "dbd6a799-b6c3-5768-ab68-9bd6f63bbd48", + "name": "Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured", + "profile_applicability": "* Level 1", + "description": "It is recommended that, `user options` database flag for Cloud SQL SQL Server instance should not be configured.", + "rationale": "The `user options` option specifies global defaults for all users.\nA list of default query processing options is established for the duration of a user's work session.\nThe user options option allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement.\nYou can configure user options dynamically for new logins.\nAfter you change the setting of user options, new login sessions use the new setting; current login sessions are not affected.\nThis recommendation is applicable to SQL Server database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. 
Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `user options` that has been set is not listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. Ensure the below command returns empty result for every Cloud SQL SQL Server database instance\n```\ngcloud sql instances list --format=json | jq '.settings.databaseFlags[] | select(.name==\"user options\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. Click the X next `user options` flag shown\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. List all Cloud SQL database Instances\n```\ngcloud sql instances list\n```\n9. Clear the `user options` database flag for every Cloud SQL SQL Server database instance using either of the below commands.\n\n```\n10. 1.Clearing all flags to their default value\n\ngcloud sql instances patch --clear-database-flags\n\nOR\n11. To clear only `user options` database flag, configure the database flag by overriding the `user options`. 
Exclude `user options` flag and its value, and keep all other flags you want to configure.\n\ngcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n```\n\n```\nNote : \n\nThis command will overwrite all database flags previously set.\nTo keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "SQL Server", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.3.4", + "SQL Server" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.3.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_3_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/e2306922-4f95-5660-bf2e-9610f556de69.json b/packages/cloud_security_posture/kibana/csp_rule_template/e2306922-4f95-5660-bf2e-9610f556de69.json new file mode 100644 index 00000000000..d9e95e0dd03 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/e2306922-4f95-5660-bf2e-9610f556de69.json 
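Review bot: In the remediation field the fenced block opened at step 9 swallows the numbered items 10 and 11, the word `OR` and the explanatory prose, so a renderer shows the whole guidance as one preformatted blob and the two commands are hard to pick out. Keep only the commands fenced, `gcloud sql instances patch INSTANCE_NAME --clear-database-flags` and `gcloud sql instances patch INSTANCE_NAME --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]`, with items 10 and 11 as ordinary list entries; as written both commands also lack the instance argument. Step 2, `Select the SQL Server instance for which you want to enable to database flag`, describes enabling a flag in a rule whose remediation removes one; `for which you want to remove the database flag` matches the intent.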
@@ -0,0 +1,38 @@ +{ + "id": "e2306922-4f95-5660-bf2e-9610f556de69", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "All Remote Desktop Protocol (RDP) connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where secure shell access is required from outside of the network to access resources associated with the VPC. In that case, specific source IP(s) should be mentioned in firewall rules to white-list access to RDP port for the concerned VPC(s).", + "default_value": "", + "references": "1. https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n2. https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts", + "id": "e2306922-4f95-5660-bf2e-9610f556de69", + "name": "Ensure That RDP Access Is Restricted From the Internet", + "profile_applicability": "* Level 2", + "description": "GCP `Firewall Rules` are specific to a `VPC Network`.\nEach rule either `allows` or `denies` traffic when its conditions are met.\nIts conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.\n\nFirewall rules are defined at the VPC network level and are specific to the network in which they are defined.\nThe rules themselves cannot be shared among networks.\nFirewall rules only support IPv4 traffic.\nWhen specifying a source for an ingress rule or a destination for an egress rule by address, an `IPv4` address or `IPv4 block in CIDR` notation can be used.\nGeneric `(0.0.0.0/0)` incoming traffic from the Internet to a VPC or VM instance using `RDP` on `Port 3389` can be avoided.", + "rationale": "GCP `Firewall Rules` within a `VPC Network`.\nThese rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network.\nEgress and ingress traffic flows are 
controlled even if the traffic stays within the network (for example, instance-to-instance communication).\nFor an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified.\nThis route simply defines the path to the Internet, to avoid the most general `(0.0.0.0/0)` destination `IP Range` specified from the Internet through `RDP` with the default `Port 3389`.\nGeneric access from the Internet to a specific IP Range should be restricted.", + "audit": "**From Google Cloud Console**\n\n1. Go to `VPC network`.\n2. Go to the `Firewall Rules`.\n3. Ensure `Port` is not equal to `3389` and `Action` is not `Allow`.\n4. Ensure `IP Ranges` is not equal to `0.0.0.0/0` under `Source filters`.\n\n**From Google Cloud CLI**\n\n gcloud compute firewall-rules list --format=table'(name,direction,sourceRanges,allowed.ports)'\n\nEnsure that there is no rule matching the below criteria:\n- `SOURCE_RANGES` is `0.0.0.0/0`\n- AND `DIRECTION` is `INGRESS`\n- AND IPProtocol is `TCP` or `ALL`\n- AND `PORTS` is set to `3389` or `range containing 3389` or `Null (not set)`\n\nNote: \n- When ALL TCP ports are allowed in a rule, PORT does not have any value set (`NULL`)\n- When ALL Protocols are allowed in a rule, PORT does not have any value set (`NULL`)", + "remediation": "**From Google Cloud Console**\n\n1. Go to `VPC Network`.\n2. Go to the `Firewall Rules`.\n3. Click the `Firewall Rule` to be modified.\n4. Click `Edit`.\n5. Modify `Source IP ranges` to specific `IP`.\n6. Click `Save`.\n\n**From Google Cloud CLI**\n\n7. 1.Update RDP Firewall rule with new `SOURCE_RANGE` from the below command:\n\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] 
--source-ranges=[CIDR_RANGE,...]", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.7", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/e833e6a8-673d-56b2-a979-f9aa4e52cb71.json b/packages/cloud_security_posture/kibana/csp_rule_template/e833e6a8-673d-56b2-a979-f9aa4e52cb71.json new file mode 100644 index 00000000000..30d126e76bb --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/e833e6a8-673d-56b2-a979-f9aa4e52cb71.json 
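Review bot: The `impact` text says `There could be a business need where secure shell access is required from outside of the network`, wording carried over from the sibling SSH rule; for this RDP rule it should read `where RDP access is required from outside of the network`. Less urgent: the two gcloud lines in the audit and remediation fields (`gcloud compute firewall-rules list --format=table'(name,direction,sourceRanges,allowed.ports)'` and the `firewall-rules update` line) are indented by a single space instead of being fenced like every other command in this commit, so they render as plain prose rather than code.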
@@ -0,0 +1,38 @@ +{ + "id": "e833e6a8-673d-56b2-a979-f9aa4e52cb71", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "'- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing](https://cloud.google.com/compute/confidential-vm/pricing) for more info.", + "default_value": "", + "references": "1. https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n2. https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n3. https://cloud.google.com/confidential-computing\n4. https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms", + "id": "e833e6a8-673d-56b2-a979-f9aa4e52cb71", + "name": "Ensure That Compute Instances Have Confidential Computing Enabled", + "profile_applicability": "* Level 2", + "description": "Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing.\nConfidential Computing is a breakthrough technology which encrypts data in-use\u2014while it is being processed.\nConfidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD EPYC\u2122 CPUs.\nCustomer data will stay encrypted while it is used, indexed, queried, or trained on.\nEncryption keys are generated in hardware, per VM, and not exportable.\nThanks to built-in hardware optimizations of both performance and security, there is no significant performance penalty to Confidential Computing workloads.", + "rationale": "Confidential Computing enables customers' sensitive code and other data encrypted in 
memory during processing.\nGoogle does not have access to the encryption keys.\nConfidential VM can help alleviate concerns about risk related to either dependency on Google infrastructure or Google insiders' access to customer data in the clear.", + "audit": "Note: Confidential Computing is currently only supported on N2D machines.\nTo learn more about types of N2D machines, visit [https://cloud.google.com/compute/docs/machine-types#n2d_machine_types](https://cloud.google.com/compute/docs/machine-types#n2d_machine_types)\n\n**From Google Cloud Console**\n\n1. Go to the `VM instances` page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click on the instance name to see its VM instance details page.\n\n3. Ensure that `Confidential VM service` is `Enabled`.\n\n**From Google Cloud CLI**\n\n4. List the instances in your project and get details on each instance:\n\n```\ngcloud compute instances list --format=json\n```\n5. Ensure that `enableConfidentialCompute` is set to `true` for all instances with machine type starting with \"n2d-\".\n\n```\nconfidentialInstanceConfig:\n enableConfidentialCompute: true\n```", + "remediation": "Confidential Computing can only be enabled when an instance is created.\nYou must delete the current instance and create a new one.\n\n**From Google Cloud Console**\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances](https://console.cloud.google.com/compute/instances).\n\n2. Click `CREATE INSTANCE`.\n\n3. Fill out the desired configuration for your instance.\n\n4. Under the `Confidential VM service` section, check the option `Enable the Confidential Computing service on this VM instance`.\n\n5. 
Click `Create`.\n\n**From Google Cloud CLI**\n\nCreate a new instance with Confidential Compute enabled.\n\n\n```\ngcloud compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE \n```", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.11", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.11", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_11" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/e83a8e8a-e34b-5a01-8142-82d5aef60cab.json b/packages/cloud_security_posture/kibana/csp_rule_template/e83a8e8a-e34b-5a01-8142-82d5aef60cab.json new file mode 100644 index 00000000000..a1d1432645c --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/e83a8e8a-e34b-5a01-8142-82d5aef60cab.json 
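Review bot: The `impact` value begins with a stray apostrophe, `'- Confidential Computing for Compute instances ...`, which renders as a literal quote in front of the first bullet; it should start with `- Confidential Computing`. The remediation command `gcloud compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE` has neither an instance name nor a zone value (and a trailing space), so placeholders appear to have been stripped; `gcloud compute instances create INSTANCE_NAME --zone ZONE --confidential-compute --maintenance-policy=TERMINATE` is the runnable form. The audit's statement that Confidential Computing is `only supported on N2D machines` is a point-in-time claim, and because step 5 only considers machine types starting with `n2d-`, instances on any other confidential-capable family would be silently skipped; worth confirming against what `cis_4_11` actually filters on.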
@@ -0,0 +1,38 @@ +{ + "id": "e83a8e8a-e34b-5a01-8142-82d5aef60cab", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging", + "id": "e83a8e8a-e34b-5a01-8142-82d5aef60cab", + "name": "Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes", + "profile_applicability": "* Level 1", + "description": "In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all `roles/Owner` assignments should be monitored.\n\nMembers (users/Service-Accounts) with a role assignment to primitive role `roles/Owner` are project owners.\n\nThe project owner has all the privileges on the project the role belongs to.\nThese are summarized below:\n- All viewer permissions on all GCP Services within the project\n- Permissions for actions that modify the state of all GCP services within the project\n- Manage roles and permissions for a project and all resources within the project\n- Set up billing for a project\n\nGranting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy.\nTherefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy.\nThis is because the project IAM policy contains sensitive access control data.\nHaving a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.", + "rationale": "Project ownership has the highest level of privileges on a project.\nTo avoid misuse of project resources, the project ownership assignment/change 
actions mentioned above should be monitored and alerted to concerned recipients.\n- Sending project ownership invites\n- Acceptance/Rejection of project ownership invite by user\n- Adding `role\\Owner` to a user/service-account\n- Removing a user/Service account from `role\\Owner`", + "audit": "**From Google Cloud Console**\n\n**Ensure that the prescribed log metric is present:**\n\n1. Go to `Logging/Log-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. In the `User-defined Metrics` section, ensure that at least one metric `` is present with filter text:\n\n```\n(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") \nAND (ProjectOwnership OR projectOwnerInvitee) \nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" \nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") \nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" \nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")\n```\n\n**Ensure that the prescribed Alerting Policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of zero(0) for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for your organization.\n\n5. Ensure that the appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\n**Ensure that the prescribed log metric is present:**\n\n6. List the log metrics:\n```\ngcloud logging metrics list --format json\n```\n7. 
Ensure that the output contains at least one metric with filter set to: \n```\n(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") \nAND (ProjectOwnership OR projectOwnerInvitee) \nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" \nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") \nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" \nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`", + "remediation": "**From Google Cloud Console**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\n(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") \nAND (ProjectOwnership OR projectOwnerInvitee) \nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" \nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") \nOR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" \nAND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")\n```\n\n4. Click `Submit Filter`. The logs display based on the filter text entered by the user.\n\n5. 
In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and the `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create the display prescribed Alert Policy:** \n\n7. Identify the newly created metric under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the desired metric and select `Create alert from Metric`. A new page opens.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. Configure the desired notifications channels in the section `Notifications`.\n\n11. 
Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate a prescribed Log Metric:\n- Use the command: gcloud beta logging metrics create \n- Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n\nCreate prescribed Alert Policy \n- Use the command: gcloud alpha monitoring policies create\n- Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.4", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.4", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_4" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/ec7949d4-9e55-5f44-8c4a-a0e674a2a46f.json b/packages/cloud_security_posture/kibana/csp_rule_template/ec7949d4-9e55-5f44-8c4a-a0e674a2a46f.json new file mode 100644 index 00000000000..d87d91ecc2c --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/ec7949d4-9e55-5f44-8c4a-a0e674a2a46f.json 
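Review bot: The rationale bullets write the role as `role\\Owner` (rendered `role\Owner`) while the description and the log filter use `roles/Owner` and `roles/owner`; the backslash form looks like a transcription error and should be `roles/Owner`. In the audit field the inline code span after `at least one metric` is empty and `logging.googleapis.com/user/` (steps 4, 8 and 10) has nothing after the slash, so the metric-name placeholder appears to have been stripped; `at least one metric LOG_METRIC_NAME is present` and `logging.googleapis.com/user/LOG_METRIC_NAME` make the text usable. `an least one alert policy` in step 10 should be `at least one alert policy`. The CLI remediation pins `gcloud beta logging metrics create` and `gcloud alpha monitoring policies create` (the audit likewise uses `gcloud alpha monitoring policies list`); `gcloud logging metrics create` is available without the `beta` prefix, and whether the `monitoring policies` surface still needs `alpha` should be checked before hard-coding it in a benchmark template.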
@@ -0,0 +1,38 @@ +{ + "id": "ec7949d4-9e55-5f44-8c4a-a0e674a2a46f", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "", + "default_value": "", + "references": "1. https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n2. https://cloud.google.com/dns/dnssec-config#enabling\n3. https://cloud.google.com/dns/dnssec", + "id": "ec7949d4-9e55-5f44-8c4a-a0e674a2a46f", + "name": "Ensure That DNSSEC Is Enabled for Cloud DNS", + "profile_applicability": "* Level 1", + "description": "Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet.\nDomain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.", + "rationale": "Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling DNS responses to be validated.\nHaving a trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block of today\u2019s web-based applications.\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks.\nDNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records.\nAs a result, it prevents attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.", + "audit": "**From Google Cloud Console**\n\n1. Go to `Cloud DNS` by visiting [https://console.cloud.google.com/net-services/dns/zones](https://console.cloud.google.com/net-services/dns/zones).\n2. For each zone of `Type` `Public`, ensure that `DNSSEC` is set to `On`.\n\n**From Google Cloud CLI**\n\n3. List all the Managed Zones in a project:\n```\ngcloud dns managed-zones list\n```\n\n4. 
For each zone of `VISIBILITY` `public`, get its metadata: \n\n```\ngcloud dns managed-zones describe ZONE_NAME\n```\n\n5. Ensure that `dnssecConfig.state` property is `on`.", + "remediation": "**From Google Cloud Console**\n\n1. Go to `Cloud DNS` by visiting [https://console.cloud.google.com/net-services/dns/zones](https://console.cloud.google.com/net-services/dns/zones).\n2. For each zone of `Type` `Public`, set `DNSSEC` to `On`.\n\n**From Google Cloud CLI**\n\nUse the below command to enable `DNSSEC` for Cloud DNS Zone Name.\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.3", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/f44d0940-2e62-5993-9028-d3e63ae23960.json b/packages/cloud_security_posture/kibana/csp_rule_template/f44d0940-2e62-5993-9028-d3e63ae23960.json new file mode 100644 index 00000000000..381a94bb82a --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/f44d0940-2e62-5993-9028-d3e63ae23960.json 
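Review bot: `impact` is an empty string in this template while the sibling templates in the patch carry an impact statement, and the `remediation` stops at `--dnssec-state on` without noting that validating resolvers only trust the zone once the matching DS record is published at the parent/registrar, which is where enabling DNSSEC tends to break resolution in practice. If the benchmark text really has no impact paragraph, consider at least `"impact": "Enabling DNSSEC on a zone has no effect on validation until the DS record is published at the registrar; a missing, stale or mismatched DS record causes validating resolvers to fail the zone."` (wording to be checked against reference 2, the dnssec-config#enabling page). The `audit` as written checks only that `dnssecConfig.state` is `on`, which is presumably what `cis_3_3` evaluates, so the DS caveat is documentation rather than a logic change.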
@@ -0,0 +1,38 @@ +{ + "id": "f44d0940-2e62-5993-9028-d3e63ae23960", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "On high use systems with a high percentage sample rate, the logging file may grow to high capacity in a short amount of time. Ensure that the sample rate is set appropriately so that storage costs are not exorbitant.", + "default_value": "", + "references": "1. https://cloud.google.com/load-balancing/\n2. https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring#gcloud:-global-mode\n3. https://cloud.google.com/sdk/gcloud/reference/compute/backend-services/", + "id": "f44d0940-2e62-5993-9028-d3e63ae23960", + "name": "Ensure Logging is enabled for HTTP(S) Load Balancer", + "profile_applicability": "* Level 2", + "description": "Logging enabled on a HTTPS Load Balancer will show all network traffic and its destination.", + "rationale": "Logging will allow you to view HTTPS network traffic to your web applications.", + "audit": "**From Google Cloud Console**\n\n1. From Google Cloud home open the Navigation Menu in the top left.\n\n2. Under the `Networking` heading select `Network services`.\n\n3. Select the HTTPS load-balancer you wish to audit.\n\n4. Select `Edit` then `Backend Configuration`. \n\n5. Select `Edit` on the corresponding backend service.\n\n6. Ensure that `Enable Logging` is selected. Also ensure that `Sample Rate` is set to an appropriate level for your needs.\n\n**From Google Cloud CLI**\n\n7. Run the following command\n\n```\ngcloud compute backend-services describe \n```\n\n8. Ensure that ```enable-logging``` is enabled and ```sample rate``` is set to your desired level.", + "remediation": "**From Google Cloud Console**\n\n1. From Google Cloud home open the Navigation Menu in the top left.\n\n2. Under the `Networking` heading select `Network services`.\n\n3. Select the HTTPS load-balancer you wish to audit.\n\n4. Select `Edit` then `Backend Configuration`. \n\n5. 
Select `Edit` on the corresponding backend service.\n\n6. Click `Enable Logging`.\n\n7. Set `Sample Rate` to a desired value. This is a percentage as a decimal point. 1.0 is 100%.\n\n**From Google Cloud CLI**\n\n8. Run the following command\n\n```\ngcloud compute backend-services update --region=REGION --enable-logging --logging-sample-rate=\n```", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.16", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.16", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_16" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/f62488d2-4b52-57d4-8ecd-d8f47dcb3dda.json b/packages/cloud_security_posture/kibana/csp_rule_template/f62488d2-4b52-57d4-8ecd-d8f47dcb3dda.json new file mode 100644 index 00000000000..f6dc8318d80 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/f62488d2-4b52-57d4-8ecd-d8f47dcb3dda.json 
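Review bot: The CLI commands in `audit` step 7 and `remediation` step 8 have lost their placeholders: `gcloud compute backend-services describe ` names no backend service, and `gcloud compute backend-services update --region=REGION --enable-logging --logging-sample-rate=` ends with an empty value and no service name, so neither can be run as written. This looks like angle-bracket placeholders being stripped on import; the same stripping shows in ff3a8287 (`disks describe --zone --format=...`, `instances create --csek-key-file `, `disks create --csek-key-file `) and in ffc9fb91 (`at least one metric `` is present`, `logging.googleapis.com/user/` with no metric name). Restoring uppercase placeholders in the style the other templates already use, e.g. `gcloud compute backend-services describe BACKEND_SERVICE_NAME` and `--logging-sample-rate=SAMPLE_RATE`, would fix it. Since the `impact` text warns that a high sample rate inflates log volume, the placeholder is also the natural place to point at remediation step 7's `1.0 is 100%` note.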
@@ -0,0 +1,38 @@ +{ + "id": "f62488d2-4b52-57d4-8ecd-d8f47dcb3dda", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Disabling `local_infile` makes the server refuse local data loading by clients that have LOCAL enabled on the client side.", + "default_value": "", + "references": "1. https://cloud.google.com/sql/docs/mysql/flags\n2. https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n3. https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html", + "id": "f62488d2-4b52-57d4-8ecd-d8f47dcb3dda", + "name": "Ensure That the \u2018Local_infile\u2019 Database Flag for a Cloud SQL MySQL Instance Is Set to \u2018Off\u2019", + "profile_applicability": "* Level 1", + "description": "It is recommended to set the `local_infile` database flag for a Cloud SQL MySQL instance to `off`.", + "rationale": "The `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements.\nDepending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with local_infile disabled.\nlocal_infile can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, it is recommended to disable it.\nThis recommendation is applicable to MySQL database instances.", + "audit": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the instance to open its `Instance Overview` page\n3. Ensure the database flag `local_infile` that has been set is listed under the `Database flags` section.\n\n**From Google Cloud CLI**\n\n4. 
List all Cloud SQL database instances:\n```\ngcloud sql instances list\n```\n5. Ensure the below command returns `off` for every Cloud SQL MySQL database instance.\n```\ngcloud sql instances describe INSTANCE_NAME --format=json | jq '.settings.databaseFlags[] | select(.name==\"local_infile\")|.value'\n```", + "remediation": "**From Google Cloud Console**\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances](https://console.cloud.google.com/sql/instances).\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `local_infile` from the drop-down menu, and set its value to `off`.\n6. Click `Save`.\n7. Confirm the changes under `Flags` on the Overview page.\n\n**From Google Cloud CLI**\n\n8. List all Cloud SQL database instances using the following command:\n```\ngcloud sql instances list\n```\n9. 
Configure the `local_infile` database flag for every Cloud SQL Mysql database instance using the below command:\n```\ngcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off\n```\n\n```\nNote : \n\nThis command will overwrite all database flags that were previously set.\nTo keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value.\nFor flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n```", + "section": "MySQL Database", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 6.1.3", + "MySQL Database" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "6.1.3", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_6_1_3" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/fdff0b83-dc73-5d60-9ad3-b98ed139a1b4.json b/packages/cloud_security_posture/kibana/csp_rule_template/fdff0b83-dc73-5d60-9ad3-b98ed139a1b4.json new file mode 100644 index 00000000000..c9315c54778 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/fdff0b83-dc73-5d60-9ad3-b98ed139a1b4.json 
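Review bot: `audit` CLI step 5 only describes the case where the `jq` filter prints `off`; when `local_infile` has never been set, `.settings.databaseFlags[]` prints nothing (or fails if `databaseFlags` is absent), and the text does not say whether an unset flag counts as compliant. Console step 3 likewise only checks that a set flag is listed, so a sentence such as `If the command returns no value, the flag is unset and the engine default applies; treat the instance as non-compliant unless the flag is explicitly set to off.` would remove the ambiguity. Remediation step 2 says `where the database flag needs to be enabled`, but the rule sets the flag to `off`; `needs to be set` reads correctly.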
@@ -0,0 +1,38 @@ +{ + "id": "fdff0b83-dc73-5d60-9ad3-b98ed139a1b4", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Rotating service account keys will break communication for dependent applications. Dependent applications need to be configured manually with the new key `ID` displayed in the `Service account keys` section and the `private key` downloaded by the user.", + "default_value": "", + "references": "1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts", + "id": "fdff0b83-dc73-5d60-9ad3-b98ed139a1b4", + "name": "Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer", + "profile_applicability": "* Level 1", + "description": "Service Account keys consist of a key ID (Private_key_Id) and Private key, which are used to sign programmatic requests users make to Google cloud services accessible to that particular service account.\nIt is recommended that all Service Account keys are regularly rotated.", + "rationale": "Rotating Service Account keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.\nService Account keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP).\nIt is used for service-to-service authentication within GCP.\nGoogle rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external key pairs) key pairs for use from outside GCP (for example, for use with Application Default Credentials).\nWhen a new key pair is created, the user is required to download the private key (which is not retained by Google).\nWith external keys, 
users are responsible for keeping the private key secure and other management operations such as key rotation.\nExternal keys can be managed by the IAM API, gcloud command-line tool, or the Service Accounts page in the Google Cloud Platform Console.\nGCP facilitates up to 10 external service account keys per service account to facilitate key rotation.", + "audit": "**From Google Cloud Console**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the section `Service Account Keys`, for every External (user-managed) service account key listed ensure the `creation date` is within the past 90 days.\n\n**From Google Cloud CLI**\n\n3. List all Service accounts from a project.\n\n```\ngcloud iam service-accounts list\n```\n\n4. For every service account list service account keys.\n\n```\ngcloud iam service-accounts keys list --iam-account [Service_Account_Email_Id] --format=json\n```\n\n5. Ensure every service account key for a service account has a `\"validAfterTime\"` value within the past 90 days.", + "remediation": "**From Google Cloud Console**\n\n**Delete any external (user-managed) Service Account Key older than 90 days:**\n\n1. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n2. In the Section `Service Account Keys`, for every external (user-managed) service account key where `creation date` is greater than or equal to the past 90 days, click `Delete Bin Icon` to `Delete Service Account key`\n\n**Create a new external (user-managed) Service Account Key for a Service Account:**\n\n3. Go to `APIs & Services\\Credentials` using `https://console.cloud.google.com/apis/credentials`\n\n4. Click `Create Credentials` and Select `Service Account Key`.\n\n5. Choose the service account in the drop-down list for which an External (user-managed) Service Account key needs to be created.\n\n6. Select the desired key type format among `JSON` or `P12`.\n\n7. Click `Create`. 
It will download the `private key`. Keep it safe. \n\n8. Click `Close` if prompted. \n\n9. The site will redirect to the `APIs & Services\\Credentials` page. Make a note of the new `ID` displayed in the `Service account keys` section.", + "section": "Identity and Access Management", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 1.7", + "Identity and Access Management" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "1.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_1_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/fe083488-fa0f-5408-9624-ac27607ac2ff.json b/packages/cloud_security_posture/kibana/csp_rule_template/fe083488-fa0f-5408-9624-ac27607ac2ff.json new file mode 100644 index 00000000000..ba74705f786 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/fe083488-fa0f-5408-9624-ac27607ac2ff.json 
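Review bot: The `remediation` deletes keys older than 90 days (steps 1-2) before creating the replacement key (steps 3-9), which is the opposite of the order the `impact` field itself implies: dependent applications must be reconfigured with the new key ID and private key, so the new key should be created and rolled out first and the old key deleted afterwards. Swapping the two sub-sections, or adding `Create and distribute the replacement key before deleting the expired one so that dependent workloads are not cut off.` at the top of the remediation, avoids an outage for anyone following the steps literally. Step 2's `creation date is greater than or equal to the past 90 days` is also ambiguous about which keys are meant; `created more than 90 days ago` matches what `audit` step 5 (`validAfterTime` within the past 90 days) checks.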
@@ -0,0 +1,38 @@ +{ + "id": "fe083488-fa0f-5408-9624-ac27607ac2ff", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Standard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow Logs generation will be charged starting in GA as described in reference: https://cloud.google.com/vpc/", + "default_value": "", + "references": "1. https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n2. https://cloud.google.com/vpc/", + "id": "fe083488-fa0f-5408-9624-ac27607ac2ff", + "name": "Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network", + "profile_applicability": "* Level 2", + "description": "Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets.\nOnce a flow log is created, the user can view and retrieve its data in Stackdriver Logging.\nIt is recommended that Flow Logs be enabled for every business-critical VPC subnet.", + "rationale": "VPC networks and subnetworks not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions where GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows.\nEach VM samples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or from another VM, a host in the on-premises datacenter, a Google service, or a host on the Internet.\nIf two GCP VMs are communicating, and both are in subnets that have VPC Flow Logs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provide visibility into network traffic for each VM inside the subnet and can be used to detect 
anomalous traffic or provide insight during security workflows.\n\nThe Flow Logs must be configured such that all network traffic is logged, the interval of logging is granular to provide detailed information on the connections, no logs are filtered, and metadata to facilitate investigations are included.\n\n**Note**: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC flow logs.", + "audit": "**From Google Cloud Console**\n\n1. Go to the VPC network GCP Console visiting `https://console.cloud.google.com/networking/networks/list` \n\n2. From the list of network subnets, make sure for each subnet:\n- `Flow Logs` is set to `On`\n- `Aggregation Interval` is set to `5 sec`\n- `Include metadata` checkbox is checked\n- `Sample rate` is set to `100%`\n\n**Note**: It is not possible to determine if a Log filter has been defined from the console.\n\n**From Google Cloud CLI**\n\n```\ngcloud compute networks subnets list --format json | \\\n jq -r '([\"Subnet\",\"Purpose\",\"Flow_Logs\",\"Aggregation_Interval\",\"Flow_Sampling\",\"Metadata\",\"Logs_Filtered\"] | (., map(length*\"-\"))), \n (.[] | \n [\n .name, \n .purpose,\n (if has(\"enableFlowLogs\") and .enableFlowLogs == true then \"Enabled\" else \"Disabled\" end),\n (if has(\"logConfig\") then .logConfig.aggregationInterval else \"N/A\" end),\n (if has(\"logConfig\") then .logConfig.flowSampling else \"N/A\" end),\n (if has(\"logConfig\") then .logConfig.metadata else \"N/A\" end),\n (if has(\"logConfig\") then (.logConfig | has(\"filterExpr\")) else \"N/A\" end)\n ]\n ) | \n @tsv' | \\\n column -t\n\n```\n\nThe output of the above command will list:\n- each subnet\n- the subnet's purpose\n- a `Enabled` or `Disabled` value if `Flow Logs` are enabled\n- the value for `Aggregation Interval` or `N/A` if disabled, the value for `Flow Sampling` or `N/A` if disabled\n- the value for `Metadata` or `N/A` if disabled\n- 'true' or 'false' if a Logging Filter is configured or 'N/A' if disabled.\n\nIf the 
subnet's purpose is `PRIVATE` then `Flow Logs` should be `Enabled`.\n\nIf `Flow Logs` is enabled then:\n- `Aggregation_Interval` should be `INTERVAL_5_SEC`\n- `Flow_Sampling` should be 1\n- `Metadata` should be `INCLUDE_ALL_METADATA`\n- `Logs_Filtered` should be `false`.", + "remediation": "**From Google Cloud Console**\n\n1. Go to the VPC network GCP Console visiting `https://console.cloud.google.com/networking/networks/list` \n\n2. Click the name of a subnet, The `Subnet details` page displays.\n\n3. Click the `EDIT` button.\n\n4. Set `Flow Logs` to `On`.\n\n5. Expand the `Configure Logs` section.\n\n6. Set `Aggregation Interval` to `5 SEC`.\n\n7. Check the box beside `Include metadata`.\n\n8. Set `Sample rate` to `100`.\n\n9. Click Save.\n\n**Note**: It is not possible to configure a Log filter from the console.\n\n**From Google Cloud CLI**\n\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --enable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-flow-sampling=1 --logging-metadata=include-all\n```", + "section": "Networking", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 3.8", + "Networking" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "3.8", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_3_8" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077.json b/packages/cloud_security_posture/kibana/csp_rule_template/ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077.json new file mode 100644 index 00000000000..39b1d4e8ac2 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077.json 
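Review bot: The `remediation` CLI command enables flow logs with the prescribed interval, sampling and metadata but does not touch an existing `logConfig.filterExpr`, so a subnet the `audit` reports as `Logs_Filtered` `true` stays non-compliant after running `gcloud compute networks subnets update ... --logging-metadata=include-all`. The console section already states that a filter cannot be managed there, so the CLI is the only place to clear it; `--logging-filter-expr` on the same command is presumably the knob, and a sentence saying that any existing filter expression must be removed would close the gap. The `audit` jq output reports `Flow_Sampling` as a raw number while the console step says `100%`; stating once that `1` in the CLI output corresponds to `100%` in the console would help readers comparing the two.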
@@ -0,0 +1,38 @@ +{ + "id": "ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "If you lose your encryption key, you will not be able to recover the data.", + "default_value": "", + "references": "1. https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n2. https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n3. https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file", + "id": "ff3a8287-e4ac-5a3c-b0d7-4f349e0ab077", + "name": "Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)", + "profile_applicability": "* Level 2", + "description": "Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine.\nIf you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.\nBy default, Google Compute Engine encrypts all data at rest.\nCompute Engine handles and manages this encryption for you without any additional actions on your part.\nHowever, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.", + "rationale": "By default, Google Compute Engine encrypts all data at rest.\nCompute Engine handles and manages this encryption for you without any additional actions on your part.\nHowever, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.\n\nIf you provide your own encryption keys, Compute Engine uses your key to protect the Google-generated keys used to encrypt and decrypt your data.\nOnly users who can provide the correct key can use resources protected by a customer-supplied encryption key.\n\nGoogle does not store your keys on its servers and cannot access your protected data unless you provide the key.\nThis also means that if you forget or 
lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key.\n\nAt least business critical VMs should have VM disks encrypted with CSEK.", + "audit": "**From Google Cloud Console**\n\n1. Go to Compute Engine `Disks` by visiting: [https://console.cloud.google.com/compute/disks](https://console.cloud.google.com/compute/disks).\n2. Click on the disk for your critical VMs to see its configuration details.\n3. Ensure that `Encryption type` is set to `Customer supplied`.\n\n**From Google Cloud CLI**\n\nEnsure `diskEncryptionKey` property in the below command's response is not null, and contains key `sha256` with corresponding value\n\n```\ngcloud compute disks describe --zone --format=\"json(diskEncryptionKey,name)\"\n```", + "remediation": "Currently there is no way to update the encryption of an existing disk.\nTherefore you should create a new disk with `Encryption` set to `Customer supplied`.\n\n**From Google Cloud Console**\n\n1. Go to Compute Engine `Disks` by visiting: [https://console.cloud.google.com/compute/disks](https://console.cloud.google.com/compute/disks).\n2. Click `CREATE DISK`.\n3. Set `Encryption type` to `Customer supplied`,\n4. Provide the `Key` in the box.\n5. Select `Wrapped key`.\n6. 
Click `Create`.\n\n**From Google Cloud CLI**\n\nIn the gcloud compute tool, encrypt a disk using the --csek-key-file flag during instance creation.\nIf you are using an RSA-wrapped key, use the gcloud beta component:\n\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```", + "section": "Virtual Machines", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 4.7", + "Virtual Machines" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "4.7", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_4_7" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file diff --git a/packages/cloud_security_posture/kibana/csp_rule_template/ffc9fb91-dc44-512b-a558-036e8ce11282.json b/packages/cloud_security_posture/kibana/csp_rule_template/ffc9fb91-dc44-512b-a558-036e8ce11282.json new file mode 100644 index 00000000000..3a053ddea09 --- /dev/null +++ b/packages/cloud_security_posture/kibana/csp_rule_template/ffc9fb91-dc44-512b-a558-036e8ce11282.json 
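Review bot: The `remediation` CLI text says RSA-wrapped keys require the `gcloud beta` component, but both example commands that follow use the GA `gcloud compute ...` form, so a reader following the text literally gets a contradictory instruction. Either the sentence should say when the GA command suffices (raw keys) and show the `gcloud beta compute ...` variant for wrapped keys, or the beta remark should be dropped if it is no longer accurate; reference 3 (`customer-supplied-encryption#key_file`) is the place to verify. Separately, the name and `rationale` scope the rule to `business critical VMs`, while the `audit` gives no way to identify which disks those are; a line saying that the organisation must supply the list of critical VMs (or that the rule evaluates all disks) would make the expected scope explicit.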
@@ -0,0 +1,38 @@ +{ + "id": "ffc9fb91-dc44-512b-a558-036e8ce11282", + "type": "csp-rule-template", + "attributes": { + "metadata": { + "impact": "Enabling of logging may result in your project being charged for the additional logs usage.", + "default_value": "", + "references": "1. https://cloud.google.com/logging/docs/logs-based-metrics/\n2. https://cloud.google.com/monitoring/custom-metrics/\n3. https://cloud.google.com/monitoring/alerts/\n4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n5. https://cloud.google.com/iam/docs/understanding-custom-roles", + "id": "ffc9fb91-dc44-512b-a558-036e8ce11282", + "name": "Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes", + "profile_applicability": "* Level 1", + "description": "It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.", + "rationale": "Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.\nHowever, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles.\nProject owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles.\n\nMonitoring role creation, deletion and updating activities will help in identifying any over-privileged role at early stages.", + "audit": "**From Console:**\n\n**Ensure that the prescribed log metric is present:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n2. 
In the `User-defined Metrics` section, ensure that at least one metric `` is present with filter text:\n\n```\nresource.type=\"iam_role\" \nAND (protoPayload.methodName=\"google.iam.admin.v1.CreateRole\" \nOR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" \nOR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\")\n```\n\n**Ensure that the prescribed alerting policy is present:**\n\n3. Go to `Alerting` by visiting [https://console.cloud.google.com/monitoring/alerting](https://console.cloud.google.com/monitoring/alerting).\n\n4. Under the `Policies` section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, `Violates when: Any logging.googleapis.com/user/ stream` `is above a threshold of zero(0) for greater than zero(0) seconds` means that the alert will trigger for any new owner change. Verify that the chosen alerting thresholds make sense for the user's organization.\n\n5. Ensure that the appropriate notifications channels have been set up.\n\n**From Google Cloud CLI**\n\nEnsure that the prescribed log metric is present:\n\n6. List the log metrics:\n\n```\ngcloud logging metrics list --format json\n```\n7. Ensure that the output contains at least one metric with the filter set to:\n\n```\nresource.type=\"iam_role\"\nAND (protoPayload.methodName = \"google.iam.admin.v1.CreateRole\" OR\nprotoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" OR\nprotoPayload.methodName=\"google.iam.admin.v1.UpdateRole\")\n```\n\n8. Note the value of the property `metricDescriptor.type` for the identified metric, in the format `logging.googleapis.com/user/`.\n\n**Ensure that the prescribed alerting policy is present:**\n\n9. List the alerting policies:\n```\ngcloud alpha monitoring policies list --format json\n```\n10. 
Ensure that the output contains an least one alert policy where:\n- `conditions.conditionThreshold.filter` is set to `metric.type=\\\"logging.googleapis.com/user/\\\"`\n- AND `enabled` is set to `true`.", + "remediation": "**From Console:**\n\n**Create the prescribed log metric:**\n\n1. Go to `Logging/Logs-based Metrics` by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and click \"CREATE METRIC\".\n\n2. Click the down arrow symbol on the `Filter Bar` at the rightmost corner and select `Convert to Advanced Filter`.\n\n3. Clear any text and add: \n\n```\nresource.type=\"iam_role\" \nAND (protoPayload.methodName = \"google.iam.admin.v1.CreateRole\" \nOR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" \nOR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\")\n```\n\n4. Click `Submit Filter`. Display logs appear based on the filter text entered by the user.\n\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.\n\n6. Click `Create Metric`. \n\n**Create a prescribed Alert Policy:** \n\n7. Identify the new metric that was just created under the section `User-defined Metrics` at [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics).\n\n8. Click the 3-dot icon in the rightmost column for the metric and select `Create alert from Metric`. A new page displays.\n\n9. Fill out the alert policy configuration and click `Save`. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:\n```\nSet `Aggregator` to `Count`\n\nSet `Configuration`:\n\n- Condition: above\n\n- Threshold: 0\n\n- For: most recent value\n```\n\n10. 
Configure the desired notification channels in the section `Notifications`.\n\n11. Name the policy and click `Save`.\n\n**From Google Cloud CLI**\n\nCreate the prescribed Log Metric:\n- Use the command: gcloud logging metrics create \n\nCreate the prescribed Alert Policy: \n- Use the command: gcloud alpha monitoring policies create ", + "section": "Logging and Monitoring", + "version": "1.0", + "tags": [ + "CIS", + "GCP", + "CIS 2.6", + "Logging and Monitoring" + ], + "benchmark": { + "name": "CIS Google Cloud Platform Foundation", + "version": "v2.0.0", + "id": "cis_gcp", + "rule_number": "2.6", + "posture_type": "cspm" + }, + "rego_rule_id": "cis_2_6" + } + }, + "migrationVersion": { + "csp-rule-template": "8.7.0" + }, + "coreMigrationVersion": "8.7.0" +} \ No newline at end of file From 46b01f780d1e2dc2fe49b21fd2a04a31cc3e66bd Mon Sep 17 00:00:00 2001 From: Or Ouziel Date: Tue, 15 Aug 2023 13:54:53 +0300 Subject: [PATCH 2/2] bump version --- packages/cloud_security_posture/changelog.yml | 5 +++++ packages/cloud_security_posture/manifest.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml index c489251f904..b3601c1a817 100644 --- a/packages/cloud_security_posture/changelog.yml +++ b/packages/cloud_security_posture/changelog.yml @@ -4,6 +4,11 @@ # 1.4.x - 8.9.x # 1.3.x - 8.8.x # 1.2.x - 8.7.x +- version: "1.5.0-preview34" + changes: + - description: Add CIS GCP rule templates + type: enhancement + link: https://github.com/elastic/integrations/pull/7390 - version: "1.5.0-preview33" changes: - description: Remove default value for project id diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml index 162edeaf3e2..25d2f5bcdc4 100644 --- a/packages/cloud_security_posture/manifest.yml +++ b/packages/cloud_security_posture/manifest.yml 
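Review bot: `audit` step 4 and `remediation` step 9 describe the alert as firing for `any new owner change` / `every owner change in the project`, which is the wording of the project-ownership template (CIS 2.4, the hunk preceding these) rather than of this rule about custom role creation, deletion and updates. Both sentences should read `... for every custom role change in the project` (or `... any role creation, deletion or update`), otherwise an operator checking the policy will look for the wrong condition. The `remediation` CLI section also ends at `Use the command: gcloud alpha monitoring policies create ` with no usage link, unlike the 2.4 template which adds a `Reference for Command Usage` line for each command; adding the same lines here keeps the two consistent.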
@@ -1,7 +1,7 @@
 format_version: 2.3.0
 name: cloud_security_posture
 title: "Security Posture Management"
-version: "1.5.0-preview33"
+version: "1.5.0-preview34"
 source:
 license: "Elastic-2.0"
 description: "Identify & remediate configuration risks in your Cloud infrastructure"