Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Cis check 4.13 does not recognize vcn flow logs that are applied to at the vcn level #149

Open
hslange opened this issue Sep 4, 2024 · 0 comments
Open

Bug: Cis check 4.13 does not recognize vcn flow logs that are applied to at the vcn level #149

hslange opened this issue Sep 4, 2024 · 0 comments

Comments

@hslange
Copy link

hslange commented Sep 4, 2024

CIS check 4.13 says: Ensure VCN flow logging is enabled for all subnets

In our implementation is build using the modules from terraform-oci-modules-observability

We create VCN flow logs for an entire VCN and not for each individual subnet. We implemented this using the following described construct for logging in the logging module:

Defining Flow Logs

  • flow_logs: A map of flow logs. Use this when defining flow logs in bulk within specified compartments. Logs are created in the same compartment as the enclosing flow log group.
  • name_prefix: (Optional) a prefix to flow log names.
  • log_group_id The flow log group. The value should be one of the reference keys defined in log_groups.
  • target_resource_type The target resource type for flow logs. Valid values: "vcn", "subnet", "vnic".
  • target_compartment_ids The list of compartments containing the resources of type defined in target_resource_type to create flow logs for. The module searches for all resources of target_resource_type in these compartments. For "vnic" target_resource_type, NLB (Network Load Balancer) private IP VNICs are also included.

By using this module, and specifying the target_resource_type as "**vcn", this will result in a log_group per VCN with 1 log for all subnets.

The cis_reports.py reports for all the subnets in the VCN that they don't have logging enabled, however this is not true, because its enabled at the VCN level.
The reason is that the python code only checks if a subnet exists in the list of subnet logs based on the subnet OCID.
But this should be either the subnet OCID or the VCN OCID.

After I made the following modification to the code, it actually passed successfully for all VCN's with logging enabled.
Code starts at line 4097:

original code
# CIS Check 4.13 - VCN FlowLog enable
# Generate list of subnets IDs
for subnet in self.__network_subnets:
if not (subnet['id'] in self.__subnet_logs):
self.cis_foundations_benchmark_2_0['4.13']['Status'] = False
self.cis_foundations_benchmark_2_0['4.13']['Findings'].append(subnet)

changed code
# CIS Check 4.13 - VCN FlowLog enable
# Generate list of subnets IDs
for subnet in self.__network_subnets:
if not (subnet['id'] in self.__subnet_logs) and not (subnet['vcn_id'] in self.__subnet_logs):
self.cis_foundations_benchmark_2_0['4.13']['Status'] = False
self.cis_foundations_benchmark_2_0['4.13']['Findings'].append(subnet)

I did not check the 3rd option to enable logging at the VNIC level, but that should fail this test, as the check is to ensure logging is enabled for the entire subnet (or VCN).

Please check and verify and if you agree, I hope you can add this as a fix.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hslange