GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Kibana Port Should Not Be Open
More Info:
Determines if TCP port 5601 for Kibana is open to the public
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration “Kibana Port Should Not Be Open” for GCP using GCP console:
- Log in to the GCP console (https://console.cloud.google.com/).
- Go to the Navigation menu and select “Compute Engine”.
- Select the VM instance that has Kibana installed and running.
- Click on “Edit” at the top of the page.
- Scroll down to the “Firewall” section and click on “Management, security, disks, networking, sole tenancy”.
- Under “Network interfaces”, click on the network interface that has the external IP address.
- Scroll down to the “Firewall rules” section and click on “Allow HTTP traffic” and “Allow HTTPS traffic” rules.
- Click on the “X” icon to delete both rules.
- Click on “Save” to apply the changes.
This will remediate the misconfiguration by removing the rules that allow HTTP and HTTPS traffic to the Kibana port.
To remediate the Kibana Port Should Not Be Open misconfiguration on GCP using GCP CLI, you can follow these steps:
-
Open the GCP Console and go to the Cloud Shell.
-
Run the following command to get the list of firewall rules:
gcloud compute firewall-rules list -
Identify the firewall rule that allows traffic to port 5601 (Kibana port). Note down the name of the firewall rule.
-
Run the following command to delete the firewall rule:
gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]Replace [FIREWALL_RULE_NAME] with the name of the firewall rule identified in step 3.
-
Confirm the deletion of the firewall rule by typing “y” when prompted.
-
Verify that the firewall rule has been deleted by running the following command:
gcloud compute firewall-rules listThe output should not include the firewall rule that allowed traffic to port 5601.
-
Once you have confirmed that the firewall rule has been deleted, the Kibana port will no longer be open and the misconfiguration will be remediated.
Note: Before deleting the firewall rule, make sure that it is not required for any other services or applications running on your GCP project.
To remediate the Kibana port being open on a GCP instance, you can follow these steps using the Python programming language:
- Use the
google-cloud-computelibrary to get a list of all instances in the project.
from google.cloud import compute_v1
compute_client = compute_v1.InstancesClient()
project_id = 'your-project-id'
zone = 'us-central1-a'
instances = compute_client.list(project=project_id, zone=zone).items
- Iterate over the list of instances and check if Kibana is running on any of them.
for instance in instances:
# Get the instance's metadata
metadata = compute_client.get_instance(project=project_id, zone=zone, instance=instance.name).metadata.items
kibana_port_open = False
# Check if Kibana is running on the instance
for item in metadata:
if item.key == 'startup-script' and 'kibana' in item.value:
kibana_port_open = True
break
# If Kibana is running, remove the firewall rule
if kibana_port_open:
firewall_client = compute_v1.FirewallsClient()
firewall_client.delete(project=project_id, firewall='kibana')
- If Kibana is running on an instance, use the
google-cloud-computelibrary to delete the firewall rule that allows traffic to the Kibana port.
firewall_client = compute_v1.FirewallsClient()
firewall_name = 'kibana'
firewall_rule = firewall_client.get(project=project_id, firewall=firewall_name)
firewall_client.delete(project=project_id, firewall=firewall_name)
Note: This assumes that there is a firewall rule named kibana that allows traffic to the Kibana port. If the firewall rule has a different name, you will need to modify the code accordingly.