Merge pull request #122 from cloudgraphdev/feature/CG-1306-GCP-CIS-130-629

Feature/cg 1306 gcp cis 130 629

Author: tyler-dunkel

src/gcp/cis-1.3.0/README.md

@@ -120,6 +120,7 @@ Policy Pack based on the GCP Foundations 1.3.0 benchmark provided by the [Center
 | GCP CIS 6.2.6  | Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately                                                             |
 | GCP CIS 6.2.7  | Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter                                                      |
 | GCP CIS 6.2.8  | Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)                                              |
+| GCP CIS 6.2.9  | Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging                                   |
 | GCP CIS 6.3.1  | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'                                                                   |
 | GCP CIS 6.3.2  | Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'                                                       |
 | GCP CIS 6.3.3  | Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate                                                                     |

src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-6.2.9.ts

@@ -0,0 +1,163 @@
+export default {
+  id: 'gcp-cis-1.3.0-6.2.9',
+  title:
+    "GCP CIS 6.2.9 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging",
+  description: `Ensure *cloudsql.enable_pgaudit* database flag for Cloud SQL PostgreSQL instance is set 
+  to *on* to allow for centralized logging.`,
+  audit: `**Determining if the pgAudit Flag is set to 'on'
+  
+  From Console:**
+
+  1. Go to https://console.cloud.google.com/sql/instances.
+  2. Select the instance to open its *Overview* page.
+  3. Click *Edit*.
+  4. Scroll down and expand Flags.
+  5. Ensure that *cloudsql.enable_pgaudit* flag is set to *on*.
+
+  **From Command Line:**
+
+  Run the command by providing *<INSTANCE_NAME>*. Ensure the value of the flag is *on*.
+
+        gcloud sql instances describe <INSTANCE_NAME> --format="json" | jq '.settings|.|.databaseFlags[]|select(.name=="cloudsql.enable_pgaudit")|.value '
+
+  **Determine if the pgAudit extension is installed**
+
+  1. Connect to the the server running PostgreSQL or through a SQL client of your choice.
+  2. Via command line open the PostgreSQL shell by typing psql
+  3. Run the following command
+
+        SELECT * FROM pg_extension;
+
+  4. If pgAudit is in this list. If so, it is installed.
+
+  **Determine if Data Access Audit logs are enabled for your project and have sufficient privileges**
+
+  1. From the homepage open the hamburger menu in the top left.
+  2. Scroll down to IAM & Adminand hover over it.
+  3. In the menu that opens up, select Audit Logs
+  4. In the middle of the page, in the search box next to filter search for Cloud Composer API
+  5. Select it, and ensure that both 'Admin Read' and 'Data Read' are checked.
+
+  **Determine if logs are being sent to Logs Explorer**
+
+  1. From the Google Console home page, open the hamburger menu in the top left.
+  2. In the menu that pops open, scroll down to Logs Explorer under Operations.
+  3. In the query box, paste the following and search
+
+  resource.type="cloudsql_database" 
+  logName="projects/<your-project-name>/logs/cloudaudit.googleapis.com%2Fdata_access"
+  protoPayload.request.@type="type.googleapis.com/google.cloud.sql.audit.v1.PgA uditEntry"
+
+  4. If it returns any log sources, they are correctly setup.
+`,
+  rationale: 'As numerous other recommendations in this section consist of turning on flags for logging purposes, your organization will need a way to manage these logs. You may have a solution already in place. If you do not, consider installing and enabling the open source pgaudit extension within PostgreSQL and enabling its corresponding flag of cloudsql.enable_pgaudit. This flag and installing the extension enables database auditing in PostgreSQL through the open-source pgAudit extension. This extension provides detailed session and object logging to comply with government, financial, & ISO standards and provides auditing capabilities to mitigate threats by monitoring security events on the instance. Enabling the flag and settings later in this recommendation will send these logs to Google Logs Explorer so that you can access them in a central location. to This recommendation is applicable only to PostgreSQL database instances.',
+  remediation: `**Initialize the pgAudit flag
+  
+  From Console:**
+
+  1. Go to https://console.cloud.google.com/sql/instances.
+  2. Select the instance to open its Overview page.
+  3. Click *Edit*.
+  4. Scroll down and expand Flags.
+  5. To set a flag that has not been set on the instance before, click *Add item*.
+  6. Enter *cloudsql.enable_pgaudit* for the flag name and set the flag to *on*.
+  7. Click *Done*.
+  8. Click *Save* to update the configuration.
+  9. Confirm your changes under *Flags* on the *Overview* page.
+
+  **From Command Line:**
+
+  Run the below command by providing *<INSTANCE_NAME>* to enable *cloudsql.enable_pgaudit* flag.
+
+        gcloud sql instances patch <INSTANCE_NAME> --database- flags=cloudsql.enable_pgaudit=on
+
+  Note: *RESTART* is required to get this configuration in effect.
+
+  **Creating the extension**
+
+  1. Connect to the the server running PostgreSQL or through a SQL client of your choice.
+  2. If SSHing to the server in the command line open the PostgreSQL shell by typing *psql*
+  3. Run the following command as a superuser.
+
+        CREATE EXTENSION pgaudit;
+
+  **Updating the previously created pgaudit.log flag for your Logging Needs
+  
+  From Console:**
+
+  Note: there are multiple options here. This command will enable logging for all databases on a server. Please see the customizing database audit logging reference for more flag options.
+
+  1. Go to https://console.cloud.google.com/sql/instances.
+  2. Select the instance to open its *Overview* page.
+  3. Click *Edit*.
+  4. Scroll down and expand *Flags*.
+  5. To set a flag that has not been set on the instance before, click *Add item*.
+  6. Enter *pgaudit.log=all* for the flag name and set the flag to on.
+  7. Click *Done*.
+  8. Click *Save* to update the configuration.
+  9. Confirm your changes under *Flags* on the *Overview* page.
+
+  **From Command Line:**
+  Run the command
+
+        gcloud sql instances patch <INSTANCE_NAME> --database-flags cloudsql.enable_pgaudit=on,pgaudit.log=all
+  
+  **Determine if logs are being sent to Logs Explorer**
+
+  1. From the Google Console home page, open the hamburger menu in the top left.
+  2. In the menu that pops open, scroll down to Logs Explorer under Operations.
+  3. In the query box, paste the following and search
+
+  resource.type="cloudsql_database" logName="projects//logs/cloudaudit.googleapis.com%2Fdata_access" protoPayload.request.@type="type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry "
+
+        If it returns any log sources, they are correctly setup.
+
+  **Default Value:**
+
+  By default *cloudsql.enable_pgaudit* database flag is set to *off* and the extension is not enabled.`,
+  references: [
+    'https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres',
+    'https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag',
+    'https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging',
+    'https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable',
+  ],
+  gql: `{
+    querygcpSqlInstance(filter:{ databaseVersion: {regexp:  "/POSTGRES*/"}}){
+      name
+      id
+      __typename
+      settings{
+        databaseFlags{
+          name
+          value
+        }
+      }
+    }
+  }`,
+  resource: 'querygcpSqlInstance[*]',
+  exclude: { not: { path: '@.databaseVersion', match: /POSTGRES*/ } },
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.settings.databaseFlags',
+        isEmpty: false,
+      },
+      {
+        path: '@.settings.databaseFlags',
+        array_any: {
+          and: [
+            {
+              path: '[*].name',
+              equal: 'cloudsql.enable_pgaudit',
+            },
+            {
+              path: '[*].value',
+              equal: 'on',
+            },
+          ],
+        },
+      },
+    ],
+  },
+}

src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-6.x.test.ts

@@ -13,6 +13,7 @@ import Gcp_CIS_130_625 from '../rules/gcp-cis-1.3.0-6.2.5'
 import Gcp_CIS_130_626 from '../rules/gcp-cis-1.3.0-6.2.6'
 import Gcp_CIS_130_627 from '../rules/gcp-cis-1.3.0-6.2.7'
 import Gcp_CIS_130_628 from '../rules/gcp-cis-1.3.0-6.2.8'
+import Gcp_CIS_130_629 from '../rules/gcp-cis-1.3.0-6.2.9'
 import Gcp_CIS_130_631 from '../rules/gcp-cis-1.3.0-6.3.1'
 import Gcp_CIS_130_632 from '../rules/gcp-cis-1.3.0-6.3.2'
 import Gcp_CIS_130_633 from '../rules/gcp-cis-1.3.0-6.3.3'
@@ -882,6 +883,97 @@ describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
     })
   })
 
+  describe("GCP CIS 6.2.9 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging", () => {
+    const getRuleFixture = (): SqlInstances => {
+      return {
+        id: 'db-id',
+        databaseVersion: 'POSTGRES',
+        name: 'test-postgres-instance',
+        settings: {
+          databaseFlags: [
+            {
+              name: 'cloudsql.enable_pgaudit',
+              value: 'on',
+            },
+          ],
+        },
+      }
+    }
+
+    const testRule = async (
+      data: SqlInstances,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Gcp_CIS_130_629 as Rule,
+        { querygcpSqlInstance: [data] }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test("No Security Issue when all POSTGRES instances have the 'cloudsql.enable_pgaudit' set to 'on'", async () => {
+      const data = {
+        id: 'db-id',
+        databaseVersion: 'POSTGRES',
+        name: 'test-postgres-instance',
+        settings: {
+          databaseFlags: [
+            {
+              name: 'dummy_key',
+              value: 'on',
+            },
+            {
+              name: 'cloudsql.enable_pgaudit',
+              value: 'on',
+            },
+          ],
+        },
+      }
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when the POSTGRES instances have no database flags', async () => {
+      const data = getRuleFixture()
+      data.settings.databaseFlags = []
+      await testRule(data, Result.FAIL)
+    })
+
+    test("Security Issue when the POSTGRES instances do NOT have a 'cloudsql.enable_pgaudit' database flag", async () => {
+      const data = getRuleFixture()
+      data.settings.databaseFlags = [
+        {
+          name: 'dummy_key',
+          value: '-1',
+        },
+      ]
+      await testRule(data, Result.FAIL)
+    })
+
+    test("Security Issue when the POSTGRES instances do have a 'cloudsql.enable_pgaudit' database flag set to 'off'", async () => {
+      const data = {
+        id: 'db-id',
+        databaseVersion: 'POSTGRES',
+        name: 'test-postgres-instance',
+        settings: {
+          databaseFlags: [
+            {
+              name: 'dummy_key',
+              value: 'on',
+            },
+            {
+              name: 'cloudsql.enable_pgaudit',
+              value: 'off',
+            },
+          ],
+        },
+      }
+      await testRule(data, Result.FAIL)
+    })
+  })
+
   describe("GCP CIS 6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'", () => {
     const getRuleFixture = (): SqlInstances => {
       return {