More Info:

Ensure that “Google Cloud Platform - Detailed Audit Logging Mode” policy is enforced at the organization level in order to enable Detailed Audit Logging feature for the supported Cloud Storage resources available within your GCP organization.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CISGCP, CBP, GDPR, HIPAA, ISO27001

Remediation

Using Console

To remediate the misconfiguration of not enforcing detailed audit logging mode in GCP, you can follow the steps below using the GCP console:

  1. Log in to your Google Cloud Console.

  2. Navigate to the “Logging” page by clicking on the hamburger menu on the top left corner of the page and selecting “Logging” under the “TOOLS” section.

  3. Click on “Log Router” on the left-hand side of the page.

  4. Click on “Create Sink” at the top of the page.

  5. In the “Create Sink” page, enter a name for the sink in the “Name” field.

  6. In the “Sink Service” field, select the service you want to enable detailed audit logging for. For example, you can select “Cloud Storage”.

  7. In the “Sink Destination” field, select “BigQuery” or “Cloud Pub/Sub” as the destination for the logs.

  8. In the “Sink Filter” field, enter the filter expression to specify the logs you want to collect. For example, you can enter “protoPayload.serviceName=storage.googleapis.com” to collect logs related to Cloud Storage.

  9. Click on “Create Sink” to create the sink.

  10. Repeat steps 4 to 9 for each service you want to enable detailed audit logging for.

By following these steps, you will have enabled detailed audit logging mode for the selected GCP services and can now monitor and analyze the logs for security and compliance purposes.

Using CLI

To remediate the misconfiguration “Enforce Detailed Audit Logging Mode” for GCP using GCP CLI, follow these steps:

  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to enable audit logging for all services in the current project:
gcloud alpha logging configs create --project [PROJECT_ID] --service all --data-access all --log-type audit --exempted-members user:[USER_EMAIL]

Note: Replace [PROJECT_ID] with the ID of your GCP project and [USER_EMAIL] with the email address of the user who should be exempted from audit logging.

  1. Run the following command to verify that audit logging is enabled:
gcloud alpha logging configs describe --project [PROJECT_ID] --config-type data-access --config-name all

This command should return the configuration details for audit logging.

  1. Run the following command to enable enforced audit logging mode:
gcloud alpha logging configs update --project [PROJECT_ID] --config-type data-access --config-name all --enforced true

This command will enable enforced audit logging mode for all services in the current project.

  1. Run the following command to verify that enforced audit logging mode is enabled:
gcloud alpha logging configs describe --project [PROJECT_ID] --config-type data-access --config-name all

This command should return the configuration details for enforced audit logging mode.

  1. Verify that audit logs are being generated for all services in the project by checking the audit logs in the Logging console.

By following these steps, you will remediate the misconfiguration “Enforce Detailed Audit Logging Mode” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Enforce Detailed Audit Logging Mode” in GCP using Python, you can follow the below steps:

Step 1: Install the necessary packages

pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-logging

Step 2: Set the project ID and the log sink name

project_id = "your-project-id"
sink_name = "your-sink-name"

Step 3: Create a client object for the Logging API

from google.cloud import logging_v2
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/service/account/key.json')
client = logging_v2.LoggingServiceV2Client(credentials=credentials)

Step 4: Create a sink filter to include all audit logs

filter = "logName:\"logs/cloudaudit.googleapis.com\""

Step 5: Create a sink object with the filter and destination

from google.cloud.logging_v2.types import LogSink

destination = f"bigquery.googleapis.com/projects/{project_id}/datasets/audit_logs"
sink = LogSink(
    name=sink_name,
    filter=filter,
    destination=destination
)

Step 6: Create or update the sink in the project

from google.api_core.exceptions import AlreadyExists

try:
    response = client.create_sink(
        parent=f"projects/{project_id}",
        sink=sink
    )
    print(f"Sink created: {response.name}")
except AlreadyExists:
    response = client.update_sink(
        sink_name,
        sink,
        update_mask=["filter", "destination"]
    )
    print(f"Sink updated: {response.name}")

Step 7: Verify that the sink is created and that audit logs are being exported

response = client.list_sinks(f"projects/{project_id}")
for sink in response:
    print(sink.name)

This will create or update the sink in the project and start exporting all audit logs to BigQuery. You can verify that the sink is created and that audit logs are being exported by checking the output of the list_sinks method.