feat(CG-1298): add GCP CIS 1.30 2.13

james-zhou-inspire11 · james-zhou-inspire11 · commit cbe48dff0d0e · 2022-12-11T23:48:21.000-06:00
diff --git a/src/gcp/cis-1.3.0/README.md b/src/gcp/cis-1.3.0/README.md
@@ -82,6 +82,7 @@ Policy Pack based on the GCP Foundations 1.3.0 benchmark provided by the [Center
 | GCP CIS 2.10   | Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes                                                                         |
 | GCP CIS 2.11   | Ensure that the log metric filter and alerts exist for SQL instance configuration changes                                                                           |
 | GCP CIS 2.12   | Ensure that Cloud DNS logging is enabled for all VPC networks                                                                                                       |
+| GCP CIS 2.13   | Ensure Cloud Asset Inventory Is Enabled                                                                                                                             |
 | GCP CIS 3.1    | Ensure that the default network does not exist in a project                                                                                                         |
 | GCP CIS 3.2    | Ensure legacy networks do not exist for a project                                                                                                                   |
 | GCP CIS 3.3    | Ensure that DNSSEC is enabled for Cloud DNS                                                                                                                         |
diff --git a/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-2.13.ts b/src/gcp/cis-1.3.0/rules/gcp-cis-1.3.0-2.13.ts
@@ -0,0 +1,62 @@
+export default {
+  id: 'gcp-cis-1.3.0-2.13',
+  title:
+    'GCP CIS 2.13 Ensure Cloud Asset Inventory Is Enabled',
+  description: `GCP Cloud Asset Inventory is services that provides a historical view of GCP resources and
+IAM policies through a time-series database. The information recorded includes metadata
+on Google Cloud resources, metadata on policies set on Google Cloud projects or resources,
+and runtime information gathered within a Google Cloud resource.`,
+  audit: `**From Console:
+
+  Ensure that the Cloud Asset API is enabled:**
+
+  1. Go to API & Services/Library by visiting
+  https://console.cloud.google.com/apis/library
+  2. Search for Cloud Asset API and select the result for Cloud Asset API
+  3. Ensure that API Enabled is displayed.
+
+  **From Command Line:
+
+  Ensure that the Cloud Asset API is enabled:**
+
+  1. Query enabled services:
+
+        gcloud services list --enabled --filter=name:cloudasset.googleapis.com
+
+  If the API is listed, then it is enabled. If the response is Listed 0 items the API is not enabled.`,
+  rationale: 'The GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables security analysis, resource change tracking, and compliance auditing.',
+  remediation: `**From Console:
+
+  Enable the Cloud Asset API:**
+
+  1. Go to API & Services/Library by visiting
+    https://console.cloud.google.com/apis/library
+  2. Search for Cloud Asset API and select the result for Cloud Asset API
+  3. Click the ENABLE button.
+
+  **From Command Line:
+
+  Enable the Cloud Asset API:**
+
+  1. Enable the Cloud Asset API through the services interface:
+
+        gcloud services enable cloudasset.googleapis.com
+
+  **Default Value:**
+  
+  The Cloud Asset Inventory API is disabled by default in each project
+`,
+  references: ['https://cloud.google.com/asset-inventory/docs'],
+  gql: `{
+    querygcpAsset {
+      id
+      __typename
+    }
+  }`,
+  resource: 'querygcpProject[*]',
+  severity: 'unknown',
+  check: ({ resource }: any) => {
+    const { assets } = resource
+    return !!assets
+  },
+}
diff --git a/src/gcp/cis-1.3.0/rules/index.ts b/src/gcp/cis-1.3.0/rules/index.ts
@@ -25,6 +25,7 @@ import Gcp_CIS_130_29 from './gcp-cis-1.3.0-2.9'
 import Gcp_CIS_130_210 from './gcp-cis-1.3.0-2.10'
 import Gcp_CIS_130_211 from './gcp-cis-1.3.0-2.11'
 import Gcp_CIS_130_212 from './gcp-cis-1.3.0-2.12'
+import Gcp_CIS_130_213 from './gcp-cis-1.3.0-2.13'
 import Gcp_CIS_130_31 from './gcp-cis-1.3.0-3.1'
 import Gcp_CIS_130_32 from './gcp-cis-1.3.0-3.2'
 import Gcp_CIS_130_33 from './gcp-cis-1.3.0-3.3'
@@ -101,6 +102,7 @@ export default [
   Gcp_CIS_130_210,
   Gcp_CIS_130_211,
   Gcp_CIS_130_212,
+  Gcp_CIS_130_213,
   Gcp_CIS_130_31,
   Gcp_CIS_130_32,
   Gcp_CIS_130_33,
diff --git a/src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-2.x.test.ts b/src/gcp/cis-1.3.0/tests/gcp-cis-1.3.0-2.x.test.ts
@@ -15,6 +15,7 @@ import Gcp_CIS_130_29 from '../rules/gcp-cis-1.3.0-2.9'
 import Gcp_CIS_130_210 from '../rules/gcp-cis-1.3.0-2.10'
 import Gcp_CIS_130_211 from '../rules/gcp-cis-1.3.0-2.11'
 import Gcp_CIS_130_212 from '../rules/gcp-cis-1.3.0-2.12'
+import Gcp_CIS_130_213 from '../rules/gcp-cis-1.3.0-2.13'
 import { initRuleEngine } from '../../../utils/test'
 
 const Gcp_CIS_130_24_Filter =
@@ -78,10 +79,15 @@ export interface LogSink {
   destination?: string
 }
 
+export interface Asset {
+  id: string
+}
+
 export interface QuerygcpProject {
   id: string
-  logSinks: LogSink[]
+  logSinks?: LogSink[]
   logBuckets?: LogBucket[]
+  assets?: Asset[]
 }
 
 export interface AuditLogConfig {
@@ -1263,4 +1269,44 @@ describe('CIS Google Cloud Platform Foundations: 1.3.0', () => {
       await test212Rule(false, false, Result.FAIL)
     })
   })
+
+  describe('GCP CIS 2.13 Ensure Cloud Asset Inventory Is Enabled', () => {
+    const test213Rule = async (
+      hasAsset: boolean,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Arrange
+      const data: CIS2xQueryResponse = {
+        querygcpProject: [
+          {
+            id: cuid(),
+            assets: hasAsset? [
+              {
+                id: cuid(),
+              },
+            ]
+            : undefined,
+          },
+        ],
+        
+      }
+
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Gcp_CIS_130_213 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when there is an inbound rule with dns logging enabled for all VPC networks', async () => {
+      await test213Rule(true, Result.PASS)
+    })
+
+    test('Security Issue when there is an inbound rule that does not have dns logging enabled for all VPC networks', async () => {
+      await test213Rule(false, Result.FAIL)
+    })
+  })
 })
