Beta - Logs And Alerts Missing Audit Configuration Changes

  • Query id: 39d83c5a-2df4-4a2c-8ffb-b96b1bc3a813
  • Query name: Beta - Logs And Alerts Missing Audit Configuration Changes
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • Risk score: 3.0
  • URL: Github

Description

Ensure that a 'google_logging_metric' exists whose filter captures audit configuration changes (`protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*`), and that a 'google_monitoring_alert_policy' either references that metric (`metric.type="logging.googleapis.com/user/<metric name>"`) or matches the same log filter directly, with at least one notification channel configured. Changing a project's audit configuration is how an attacker disables or narrows Cloud Audit Logs before acting; without the metric, the alert and a notification channel, such a change goes unnoticed. The check flags a wrong or narrowed filter, an alert that points at a metric that does not exist, an alert without notification channels, and a metric with no alert at all.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Log-based metric meant to count Cloud Audit Log entries that change a
  # project's audit configuration. Such changes arrive as SetIamPolicy calls
  # whose policyDelta carries auditConfigDeltas.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  # Flagged: methodName must be "SetIamPolicy". "wrong_method" never matches,
  # so the metric stays at zero and the alert policy that consumes it looks
  # healthy while audit logging can be switched off unnoticed.
  filter      = "protoPayload.methodName=\"wrong_method\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
  # incorrect filter
}

resource "google_monitoring_alert_policy" "audit_config_alert" {
  # This alert is wired correctly; the sample is flagged because the metric it
  # reads (audit_config_change, defined above) has a filter that never matches.
  display_name = "Audit Config Change Alert"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"
    condition_threshold {
      # metric.type = "logging.googleapis.com/user/<google_logging_metric name>"
      # is what ties the alert to the log-based metric.
      # NOTE(review): project-level SetIamPolicy audit entries are typically
      # reported under resource.type="project", so restricting to gce_instance
      # may discard every sample -- confirm, or drop the resource.type clause.
      # NOTE(review): the google provider also requires comparison and duration
      # inside condition_threshold; the fixture is trimmed to what the check reads.
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    }
  }

  # google_monitoring_notification_channel.email is not defined in this sample
  # and must exist elsewhere in the configuration.
  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 2 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Correct metric: counts SetIamPolicy audit entries that carry auditConfigDeltas,
  # i.e. writes that change which audit logs are collected. ":*" means
  # "field is present with any value".
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
}

resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"
    condition_threshold {
      # Flagged: the metric suffix must equal the google_logging_metric name
      # ("audit_config_change"). "wrong_reference" points at a metric that does
      # not exist, so the alert can never fire even though the metric above is correct.
      # NOTE(review): the google provider also requires comparison and duration
      # inside condition_threshold; the fixture is trimmed to what the check reads.
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/wrong_reference\""
      # incorrect filter reference
    }
  }

  # google_monitoring_notification_channel.email is not defined in this sample
  # and must exist elsewhere in the configuration.
  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 3 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Correct metric for audit-configuration changes (SetIamPolicy entries whose
  # policyDelta contains auditConfigDeltas). Not referenced by the alert below,
  # which matches log entries directly instead.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
}

resource "google_monitoring_alert_policy" "audit_config_alert" {
  # Log-match alert: fires on matching log entries without an intermediate metric.
  display_name = "Audit Config Change Alert (Log Match)"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"
    condition_matched_log {
      # Flagged: "auditConfigDeltas: single_value" only matches deltas containing
      # that literal text. The check expects the presence test ":*", which
      # matches any audit-configuration change regardless of its content.
      # NOTE(review): log-match conditions also require an alert_strategy with
      # notification_rate_limit in the google provider; the fixture is trimmed.
      filter = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas: single_value"
      # incorrect filter
    }
  }

  # google_monitoring_notification_channel.email is not defined in this sample
  # and must exist elsewhere in the configuration.
  notification_channels = [google_monitoring_notification_channel.email.id]
}

Positive test num. 4 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Correct metric: SetIamPolicy audit entries whose policyDelta carries
  # auditConfigDeltas, i.e. changes to which audit logs are collected.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
}

resource "google_monitoring_alert_policy" "audit_config_alert" {
  # Metric and condition are correct; the sample is flagged because nobody is
  # notified when the condition trips.
  display_name = "Audit Config Change Alert"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"
    condition_threshold {
      # References the google_logging_metric named "audit_config_change".
      # NOTE(review): the google provider also requires comparison and duration
      # inside condition_threshold; the fixture is trimmed to what the check reads.
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    }
  }

  # Flagged: without notification_channels the incident is only visible to
  # someone who happens to open the Monitoring console -- an audit-log change
  # made to cover an intrusion would not be noticed in time.
  # missing notification channels
}
Positive test num. 5 - tf file
resource "google_monitoring_alert_policy" "audit_config_alert" {
  # Log-match alert with the correct filter (written as a heredoc with irregular
  # whitespace to exercise the check's parsing). No google_logging_metric is
  # needed for this form, but the policy is still flagged: see the end of the block.
  display_name = "Audit Config Change Alert (Log Match)"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"              # test for unusual spacing
    condition_matched_log {
      # Same predicate as the metric filter in the other samples; spacing around
      # "=" and ":" is not significant in the Logging query language.
      # NOTE(review): log-match conditions also require an alert_strategy with
      # notification_rate_limit in the google provider; the fixture is trimmed.
      filter = <<-FILTER
      protoPayload.methodName =  "SetIamPolicy"
            AND  protoPayload.serviceData.policyDelta.auditConfigDeltas : *
        FILTER
    }
  }

  # Flagged: no notification_channels, so a matching audit-configuration change
  # never reaches a responder.
  # missing notification channels
}
Positive test num. 6 - tf file
resource "google_monitoring_alert_policy" "audit_config_alert" {
  # Flagged: this alert reads the user metric "audit_config_change", but no
  # google_logging_metric with that name (and the audit-config filter) is
  # defined in this file, so there is nothing for the alert to observe.
  display_name = "Audit Config Change Alert"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"
    condition_threshold {
      # The metric.type suffix names a google_logging_metric that does not exist here.
      # NOTE(review): the google provider also requires comparison and duration
      # inside condition_threshold; the fixture is trimmed to what the check reads.
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    } # the google_logging_metric carrying the audit-config filter is missing
  }

  # google_monitoring_notification_channel.email is not defined in this sample
  # and must exist elsewhere in the configuration.
  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 7 - tf file
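resource "google_logging_metric" "audit_config_change" {
  # Log-based metric intended to count audit-configuration changes, which
  # surface in Cloud Audit Logs as SetIamPolicy calls carrying auditConfigDeltas.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  # Flagged: the trailing bindingDeltas.role clause narrows the metric to policy
  # writes that also touch roles/editor, so an audit-config change that does not
  # involve that role is never counted. The filter must end after
  # "auditConfigDeltas:*". (The filter previously also carried an unbalanced
  # closing parenthesis, which is not valid Logging query syntax; it is removed
  # so the fixture exercises only the intended finding.)
  filter      = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:* AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/editor\""
} # specific filter has additional condition at the end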
Positive test num. 8 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Flagged on two counts: the methodName clause is wrong ("wrong_method"
  # instead of "SetIamPolicy", so the metric never increments), and no
  # google_monitoring_alert_policy consumes the metric at all -- a metric with
  # no alert only produces a chart nobody is watching.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = "protoPayload.methodName=\"wrong_method\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
  # incorrect filter
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Compliant metric: counts SetIamPolicy audit entries whose policyDelta
  # carries auditConfigDeltas (a change to which audit logs are collected).
  # ":*" is the presence test -- any change matches, whatever its content.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
}

resource "google_monitoring_alert_policy" "audit_config_alert" {
  # Compliant alert: reads the metric defined above and delivers to a channel.
  # The metric, a condition that references it by name, and a notification
  # channel together satisfy the check.
  display_name = "Audit Config Change Alert"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"
    condition_threshold {
      # metric.type suffix must equal the google_logging_metric name.
      # NOTE(review): project-level SetIamPolicy audit entries are typically
      # reported under resource.type="project", so restricting to gce_instance
      # may discard every sample -- confirm, or drop the resource.type clause.
      # NOTE(review): the google provider also requires comparison and duration
      # inside condition_threshold; the fixture is trimmed to what the check reads.
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    }
  }

  # google_monitoring_notification_channel.email is not defined in this sample
  # and must exist elsewhere in the configuration.
  notification_channels = [google_monitoring_notification_channel.email.id]
}
Negative test num. 2 - tf file
resource "google_logging_metric" "audit_config_change" {
  # Compliant metric for audit-configuration changes. The log-match alert below
  # does not reference it; it is kept so the metric-based and log-based forms
  # can coexist.
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
}

resource "google_monitoring_alert_policy" "audit_config_alert" {
  # Compliant log-match alert: matches the audit-config predicate directly
  # against log entries (no metric needed) and delivers to a channel.
  display_name = "Audit Config Change Alert (Log Match)"

  combiner = "OR"

  conditions {
    display_name = "Audit Config Change Condition"              # test for unusual spacing
    condition_matched_log {
      # Heredoc with irregular whitespace to exercise the check's parsing;
      # spacing around "=" and ":" is not significant in the Logging query language.
      # NOTE(review): log-match conditions also require an alert_strategy with
      # notification_rate_limit in the google provider; the fixture is trimmed.
      filter = <<-FILTER
      protoPayload.methodName =  "SetIamPolicy"
            AND  protoPayload.serviceData.policyDelta.auditConfigDeltas : *
        FILTER
    }
  }

  # google_monitoring_notification_channel.email is not defined in this sample
  # and must exist elsewhere in the configuration.
  notification_channels = [google_monitoring_notification_channel.email.id]
}