Firewall Change Log Alerts Should Be Enabled

More Info:

Ensures that logging and log alerts exist for firewall rule changes.

Risk Level

Low

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Firewall Change Log Alerts Should Be Enabled” for GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to enable firewall log exports:

gcloud logging sinks create firewall_logs_sink storage.googleapis.com/[BUCKET_NAME] --log-filter="resource.type=gce_firewall_rule AND protoPayload.methodName=compute.firewalls.patch AND protoPayload.serviceData.rule.direction=INGRESS" --include-children --organization=[ORGANIZATION_ID] --project=[PROJECT_ID]

Replace [BUCKET_NAME] with the name of the GCS bucket where you want to store the logs, [ORGANIZATION_ID] with the ID of your GCP organization, and [PROJECT_ID] with the ID of the GCP project where you want to enable the firewall log exports.

Run the following command to grant the Logs Writer role to the [email protected] service account:

gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[email protected]" --role="roles/logging.logWriter"

Replace [PROJECT_ID] with the ID of the GCP project where you enabled the firewall log exports.

Run the following command to create a firewall rule to allow traffic from the [email protected] service account:

gcloud compute firewall-rules create allow-cloud-logs --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22 [email protected] --target-tags=allow-cloud-logs

Run the following command to add the allow-cloud-logs tag to the instances where you want to allow traffic from the [email protected] service account:

gcloud compute instances add-tags [INSTANCE_NAME] --tags=allow-cloud-logs --zone=[ZONE]

Replace [INSTANCE_NAME] with the name of the instance where you want to allow traffic from the [email protected] service account, and [ZONE] with the zone where the instance is located.By following these steps, you will enable firewall log exports and allow the [email protected] service account to access the logs.

Using Python

To remediate the misconfiguration “Firewall Change Log Alerts Should Be Enabled” in GCP using Python, you can follow the below steps:Step 1: Install the necessary libraries

pip install google-cloud-logging google-auth

Step 2: Authenticate with GCP

from google.oauth2 import service_account
from google.cloud import logging_v2

credentials = service_account.Credentials.from_service_account_file(
    '/path/to/your/credentials.json')
client = logging_v2.LoggingServiceV2Client(credentials=credentials)

Step 3: Create a log sink

from google.cloud.logging_v2.types import LogSink

sink_name = "firewall-change-log-alerts"
destination_uri = "pubsub://projects/{project_id}/topics/{topic_name}"
filter_ = "logName=projects/{project_id}/logs/compute.googleapis.com%2Ffirewall"
sink = LogSink(
    name=sink_name,
    destination=destination_uri,
    filter=filter_,
    include_children=True
)
parent = f"projects/{project_id}"
client.create_sink(parent=parent, sink=sink)

Step 4: Verify the log sink

sinks = client.list_sinks(parent=f"projects/{project_id}")
for sink in sinks:
    if sink.name == sink_name:
        print("Log sink created successfully")
        break
else:
    print("Log sink creation failed")

After running these steps, the log sink for Firewall Change Log Alerts will be created successfully in GCP using Python.

Additional Reading:

https://cloud.google.com/logging/docs/logs-based-metrics/

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Firewall Change Log Alerts Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: