More Info:

Determines if TCP port 5601 for Kibana is open to the public

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration “Kibana Port Should Not Be Open” for GCP using GCP console:
  1. Log in to the GCP console (https://console.cloud.google.com/).
  2. Go to the Navigation menu and select “Compute Engine”.
  3. Select the VM instance that has Kibana installed and running.
  4. Click on “Edit” at the top of the page.
  5. Scroll down to the “Firewall” section and click on “Management, security, disks, networking, sole tenancy”.
  6. Under “Network interfaces”, click on the network interface that has the external IP address.
  7. Scroll down to the “Firewall rules” section and click on “Allow HTTP traffic” and “Allow HTTPS traffic” rules.
  8. Click on the “X” icon to delete both rules.
  9. Click on “Save” to apply the changes.
This will remediate the misconfiguration by removing the rules that allow HTTP and HTTPS traffic to the Kibana port.

To remediate the Kibana Port Should Not Be Open misconfiguration on GCP using GCP CLI, you can follow these steps:
  1. Open the GCP Console and go to the Cloud Shell.
  2. Run the following command to get the list of firewall rules: 
    gcloud compute firewall-rules list
  3. Identify the firewall rule that allows traffic to port 5601 (Kibana port). Note down the name of the firewall rule.
  4. Run the following command to delete the firewall rule: 
    gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]
    Replace [FIREWALL_RULE_NAME] with the name of the firewall rule identified in step 3.
  5. Confirm the deletion of the firewall rule by typing “y” when prompted.
  6. Verify that the firewall rule has been deleted by running the following command: 
    gcloud compute firewall-rules list
    The output should not include the firewall rule that allowed traffic to port 5601.
  7. Once you have confirmed that the firewall rule has been deleted, the Kibana port will no longer be open and the misconfiguration will be remediated.
Note: Before deleting the firewall rule, make sure that it is not required for any other services or applications running on your GCP project.
To remediate the Kibana port being open on a GCP instance, you can follow these steps using the Python programming language:
  1. Use the google-cloud-compute library to get a list of all instances in the project.
from google.cloud import compute_v1

compute_client = compute_v1.InstancesClient()

project_id = 'your-project-id'
zone = 'us-central1-a'

instances = compute_client.list(project=project_id, zone=zone).items
  1. Iterate over the list of instances and check if Kibana is running on any of them.
for instance in instances:
    # Get the instance's metadata
    metadata = compute_client.get_instance(project=project_id, zone=zone, instance=instance.name).metadata.items
    kibana_port_open = False
    
    # Check if Kibana is running on the instance
    for item in metadata:
        if item.key == 'startup-script' and 'kibana' in item.value:
            kibana_port_open = True
            break
    
    # If Kibana is running, remove the firewall rule
    if kibana_port_open:
        firewall_client = compute_v1.FirewallsClient()
        firewall_client.delete(project=project_id, firewall='kibana')
  1. If Kibana is running on an instance, use the google-cloud-compute library to delete the firewall rule that allows traffic to the Kibana port.
firewall_client = compute_v1.FirewallsClient()

firewall_name = 'kibana'
firewall_rule = firewall_client.get(project=project_id, firewall=firewall_name)

firewall_client.delete(project=project_id, firewall=firewall_name)
Note: This assumes that there is a firewall rule named kibana that allows traffic to the Kibana port. If the firewall rule has a different name, you will need to modify the code accordingly.

Additional Reading: