feat(CG-1151): support gcp nist IAM default audit log config check

james-zhou-inspire11 · james-zhou-inspire11 · commit b821ecfe243c · 2022-10-08T22:07:32.000-05:00
diff --git a/src/gcp/nist-800-53-rev4/README.md b/src/gcp/nist-800-53-rev4/README.md
@@ -75,6 +75,7 @@ Policy Pack based on the [800-53 Rev. 4](https://csrc.nist.gov/publications/deta
 | GCP NIST 3.8  | PostgreSQL database instance 'log_min_duration_statement' database flag should be set to '-1' (disabled)                           |
 | GCP NIST 3.9  | At least one project-level logging sink should be configured with an empty filter                                                  |
 | GCP NIST 3.10 | Network subnet flow logs should be enabled                                                                                         |
+| GCP NIST 3.11 | IAM default audit log config should include 'DATA_READ' and 'DATA_WRITE' log types                                                 |
 | GCP NIST 4.1  | Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs)                                          |
 | GCP NIST 4.2  | SQL database instances should require incoming connections to use SSL                                                              |
 | GCP NIST 5.1  | Logging metric filter and alert for project ownership assignments/changes should be configured                                     |
diff --git a/src/gcp/nist-800-53-rev4/rules/gcp-nist-800-53-rev4-3.11.ts b/src/gcp/nist-800-53-rev4/rules/gcp-nist-800-53-rev4-3.11.ts
@@ -0,0 +1,80 @@
+export default {
+  id: 'gcp-nist-800-53-rev4-3.11',
+  title:
+    'GCP NIST 3.11  IAM default audit log config should include \'DATA_READ\' and \'DATA_WRITE\' log types',
+  description: 
+    'A best practice is to enable \'DATA_READ\' and \'DATA_WRITE\' data access log types as part of the default IAM audit log config, so that read and write operations on user-provided data are tracked across all relevant services. Please note that the \'ADMIN_WRITE\' log type and BigQuery data access logs are enabled by default.',
+
+  audit: '',
+  rationale: '',
+  remediation: `**From Console:**
+
+  1. Navigate to IAM & Admin, Audit Logs, or using https://console.cloud.google.com/iam-admin/audit
+  2. Click on Set Default Configuration at the top of the page.
+  34. In the Log Type tab, select the Data Write and Data Read boxes.
+  4. Click Save.
+
+  **From Command Line:**
+  1. Run the following command to read the project’s IAM policy:
+
+      gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
+  
+  2. Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.
+
+      gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
+      gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml
+
+  3. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:
+
+      auditConfigs:
+      - auditLogConfigs:
+        - logType: DATA_WRITE
+        - logType: DATA_READ
+        service: allServices
+
+  4. To write new IAM policy run the following command:
+
+      gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
+      gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
+      gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
+  `,
+  references: [
+    'https://cloud.google.com/logging/docs/audit/',
+    'https://cloud.google.com/logging/docs/audit/configure-data-access',
+    'https://cloud.google.com/sdk/gcloud/reference/projects/get-iam-policy',
+  ],
+  gql: `{
+    querygcpIamPolicy{
+      id
+      __typename
+      auditConfigs {
+        auditLogConfigs {
+          logType
+        }
+      }
+    }
+  }`,
+  resource: 'querygcpIamPolicy[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.auditConfigs',
+    array_all: {
+      and: [
+        {
+          path: '[*].auditLogConfigs',
+          array_any: {
+            path: '[*].logType',
+            equal: 'DATA_WRITE',
+          },
+        },
+        {
+          path: '[*].auditLogConfigs',
+          array_any: {
+            path: '[*].logType',
+            equal: 'DATA_READ',
+          },
+        },
+      ],
+    },
+  },
+}
diff --git a/src/gcp/nist-800-53-rev4/rules/index.ts b/src/gcp/nist-800-53-rev4/rules/index.ts
@@ -18,6 +18,7 @@ import Gcp_NIST_800_53_37 from './gcp-nist-800-53-rev4-3.7'
 import Gcp_NIST_800_53_38 from './gcp-nist-800-53-rev4-3.8'
 import Gcp_NIST_800_53_39 from './gcp-nist-800-53-rev4-3.9'
 import Gcp_NIST_800_53_310 from './gcp-nist-800-53-rev4-3.10'
+import Gcp_NIST_800_53_311 from './gcp-nist-800-53-rev4-3.11'
 import Gcp_NIST_800_53_41 from './gcp-nist-800-53-rev4-4.1'
 import Gcp_NIST_800_53_42 from './gcp-nist-800-53-rev4-4.2'
 import Gcp_NIST_800_53_51 from './gcp-nist-800-53-rev4-5.1'
@@ -55,6 +56,7 @@ export default [
   Gcp_NIST_800_53_38,
   Gcp_NIST_800_53_39,
   Gcp_NIST_800_53_310,
+  Gcp_NIST_800_53_311,
   Gcp_NIST_800_53_41,
   Gcp_NIST_800_53_42,
   Gcp_NIST_800_53_51,
diff --git a/src/gcp/nist-800-53-rev4/tests/nist-800-53-rev4-3.x.test.ts b/src/gcp/nist-800-53-rev4/tests/nist-800-53-rev4-3.x.test.ts
@@ -11,6 +11,7 @@ import Gcp_NIST_800_53_37 from '../rules/gcp-nist-800-53-rev4-3.7'
 import Gcp_NIST_800_53_38 from '../rules/gcp-nist-800-53-rev4-3.8'
 import Gcp_NIST_800_53_39 from '../rules/gcp-nist-800-53-rev4-3.9'
 import Gcp_NIST_800_53_310 from '../rules/gcp-nist-800-53-rev4-3.10'
+import Gcp_NIST_800_53_311 from '../rules/gcp-nist-800-53-rev4-3.11'
 import { initRuleEngine } from '../../../utils/test'
 
 export interface DatabaseFlagsItem {
@@ -70,13 +71,13 @@ export interface QuerygcpProject {
 
 export interface AuditLogConfig {
   logType: string
-  exemptedMembers: string[]
+  exemptedMembers?: string[]
 }
 
 export interface AuditConfig {
   auditLogConfigs: AuditLogConfig[]
-  service: string
-  exemptedMembers: string[]
+  service?: string
+  exemptedMembers?: string[]
 }
 
 export interface QuerygcpIamPolicy {
@@ -968,4 +969,74 @@ describe('GCP NIST 800-53: Rev. 4', () => {
       await testRule(subnets, Result.FAIL)
     })
   })
+
+  describe('GCP NIST 3.11 IAM default audit log config should include \'DATA_READ\' and \'DATA_WRITE\' log types', () => {
+    const testRule = async (
+      auditConfigs: AuditConfig[],
+      expectedResult: Result
+      ): Promise<void> => {
+      // Arrange
+      const data: NIST3xQueryResponse = {
+        querygcpIamPolicy: [
+          {
+            id: cuid(),
+            auditConfigs,
+          },
+        ],
+      }
+
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Gcp_NIST_800_53_311 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when there is a auditConfig with logtype set to DATA_WRITE and DATA_READ for all services, and exemptedMembers is empty', async () => {
+      const data: AuditConfig[] = [
+        {
+          auditLogConfigs: [
+            {
+              logType: 'DATA_WRITE',
+            },
+            {
+              logType: 'DATA_READ',
+            },
+          ],
+        },
+      ]
+
+      await testRule(data, Result.PASS)
+    })
+    test('Security Issue when there is a auditConfig without logtype set to DATA_WRITE', async () => {
+      const data: AuditConfig[] = [
+        {
+          auditLogConfigs: [
+
+            {
+              logType: 'DATA_READ',
+            },
+          ],
+        },
+      ]
+
+      await testRule(data, Result.FAIL)
+    })
+    test('Security Issue when there is a auditConfig without logtype set to DATA_READ', async () => {
+      const data: AuditConfig[] = [
+        {
+          auditLogConfigs: [
+            {
+              logType: 'DATA_WRITE',
+            },
+          ],
+        },
+      ]
+
+      await testRule(data, Result.FAIL)
+    })
+  })
 })
