2.9 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes

Information

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.

It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.

Monitoring changes to a VPC (creation, patching, deletion, and peering changes) helps ensure that VPC traffic flow is not impacted without the change being noticed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From Google Cloud Console

Create the prescribed log metric:

1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".

2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select "Convert to Advanced Filter".

3. Clear any text and add:

resource.type="gce_network"
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering")

4. Click "Submit Filter". Display logs appear based on the filter text entered by the user.

5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.

6. Click "Create Metric".

Create the prescribed alert policy:

1. Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.

2. Click the 3-dot icon in the rightmost column for the new metric and select "Create alert from Metric". A new page appears.

3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of 0 for the most recent value will ensure that a notification is triggered for every VPC network change in the project:

Set `Aggregator` to `Count`

Set `Configuration`:

- Condition: above
- Threshold: 0
- For: most recent value

4. Configure the desired notification channels in the section Notifications.

5. Name the policy and click Save.

From Google Cloud CLI

Create the prescribed Log Metric:

- Use the command: gcloud logging metrics create

Create the prescribed alert policy:

- Use the command: gcloud alpha monitoring policies create
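The following added example (not part of the benchmark or of any Google tooling) shows what the prescribed filter actually matches by evaluating it locally against constructed audit-log entries, and assembles the equivalent gcloud commands. It assumes the `:` operator behaves as a case-insensitive substring match (which is why the filter matches versioned method names such as `v1.compute.networks.insert`), and that the alert policy is supplied from a file whose thresholds and notification channels the user chooses.

```python
"""Added example: evaluate the CIS 2.9 VPC-change log filter locally and emit
the gcloud commands that create the metric and alert policy.
The sample audit entries below are constructed, not real logs."""
import shlex

# The methodName clauses from the benchmark filter.
VPC_METHODS = (
    "compute.networks.insert",
    "compute.networks.patch",
    "compute.networks.delete",
    "compute.networks.removePeering",
    "compute.networks.addPeering",
)
LOG_FILTER = (
    'resource.type="gce_network" AND ('
    + " OR ".join(f'protoPayload.methodName:"{m}"' for m in VPC_METHODS)
    + ")"
)


def matches_filter(entry: dict) -> bool:
    """Local approximation of the Logging query: '=' is an exact match,
    ':' is a case-insensitive 'has' (substring) match."""
    if entry.get("resource", {}).get("type") != "gce_network":
        return False
    method = entry.get("protoPayload", {}).get("methodName", "").lower()
    return any(m.lower() in method for m in VPC_METHODS)


def gcloud_commands(metric_name: str, policy_file: str) -> list:
    """CLI equivalent of the console steps; policy_file holds the user's
    threshold and notification settings (assumed path, not from the page)."""
    return [
        f"gcloud logging metrics create {shlex.quote(metric_name)} "
        f"--description={shlex.quote('VPC network changes (CIS 2.9)')} "
        f"--log-filter={shlex.quote(LOG_FILTER)}",
        f"gcloud alpha monitoring policies create "
        f"--policy-from-file={shlex.quote(policy_file)}",
    ]


# Constructed sample entries: one peering change, one read, one subnet change.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.addPeering"}},
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.get"}},
    {"resource": {"type": "gce_subnetwork"}, "protoPayload": {"methodName": "v1.compute.subnetworks.patch"}},
]


def count_matches(entries) -> int:
    """What the Counter metric would record for these entries."""
    return sum(matches_filter(e) for e in entries)


if __name__ == "__main__":
    print(count_matches(SAMPLE_ENTRIES))
    print("\n".join(gcloud_commands("vpc_network_changes", "policy.json")))
```

Only the addPeering entry counts: reads are not in the filter, and subnetwork changes are on a different resource type (covered by other benchmark items).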

Impact:

Enabling logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.

See Also

https://workbench.cisecurity.org/benchmarks/17308