> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Enforce Detailed Audit Logging Mode

### More Info:

Ensure that "Google Cloud Platform - Detailed Audit Logging Mode" policy is enforced at the organization level in order to enable Detailed Audit Logging feature for the supported Cloud Storage resources available within your GCP organization.

### Risk Level

Medium

### Address

Operational Maturity, Reliability, Security

### Compliance Standards

CISGCP, CBP, GDPR, HIPAA, ISO27001

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of not enforcing detailed audit logging mode in GCP, you can follow the steps below using the GCP console:

        1. Log in to your Google Cloud Console.

        2. Navigate to the "Logging" page by clicking on the hamburger menu on the top left corner of the page and selecting "Logging" under the "TOOLS" section.

        3. Click on "Log Router" on the left-hand side of the page.

        4. Click on "Create Sink" at the top of the page.

        5. In the "Create Sink" page, enter a name for the sink in the "Name" field.

        6. In the "Sink Service" field, select the service you want to enable detailed audit logging for. For example, you can select "Cloud Storage".

        7. In the "Sink Destination" field, select "BigQuery" or "Cloud Pub/Sub" as the destination for the logs.

        8. In the "Sink Filter" field, enter the filter expression to specify the logs you want to collect. For example, you can enter "protoPayload.serviceName=storage.googleapis.com" to collect logs related to Cloud Storage.

        9. Click on "Create Sink" to create the sink.

        10. Repeat steps 4 to 9 for each service you want to enable detailed audit logging for.

        By following these steps, you will have enabled detailed audit logging mode for the selected GCP services and can now monitor and analyze the logs for security and compliance purposes.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Enforce Detailed Audit Logging Mode" for GCP using GCP CLI, follow these steps:

        1. Open the Cloud Shell in the GCP Console.
        2. Run the following command to enable audit logging for all services in the current project:

        ```
        gcloud alpha logging configs create --project [PROJECT_ID] --service all --data-access all --log-type audit --exempted-members user:[USER_EMAIL]
        ```

        Note: Replace `[PROJECT_ID]` with the ID of your GCP project and `[USER_EMAIL]` with the email address of the user who should be exempted from audit logging.

        3. Run the following command to verify that audit logging is enabled:

        ```
        gcloud alpha logging configs describe --project [PROJECT_ID] --config-type data-access --config-name all
        ```

        This command should return the configuration details for audit logging.

        4. Run the following command to enable enforced audit logging mode:

        ```
        gcloud alpha logging configs update --project [PROJECT_ID] --config-type data-access --config-name all --enforced true
        ```

        This command will enable enforced audit logging mode for all services in the current project.

        5. Run the following command to verify that enforced audit logging mode is enabled:

        ```
        gcloud alpha logging configs describe --project [PROJECT_ID] --config-type data-access --config-name all
        ```

        This command should return the configuration details for enforced audit logging mode.

        6. Verify that audit logs are being generated for all services in the project by checking the audit logs in the Logging console.

        By following these steps, you will remediate the misconfiguration "Enforce Detailed Audit Logging Mode" for GCP using GCP CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "Enforce Detailed Audit Logging Mode" in GCP using Python, you can follow the below steps:

        Step 1: Install the necessary packages

        ```
        pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-logging
        ```

        Step 2: Set the project ID and the log sink name

        ```
        project_id = "your-project-id"
        sink_name = "your-sink-name"
        ```

        Step 3: Create a client object for the Logging API

        ```
        from google.cloud import logging_v2
        from google.oauth2 import service_account

        credentials = service_account.Credentials.from_service_account_file('path/to/service/account/key.json')
        client = logging_v2.LoggingServiceV2Client(credentials=credentials)
        ```

        Step 4: Create a sink filter to include all audit logs

        ```
        filter = "logName:\"logs/cloudaudit.googleapis.com\""
        ```

        Step 5: Create a sink object with the filter and destination

        ```
        from google.cloud.logging_v2.types import LogSink

        destination = f"bigquery.googleapis.com/projects/{project_id}/datasets/audit_logs"
        sink = LogSink(
            name=sink_name,
            filter=filter,
            destination=destination
        )
        ```

        Step 6: Create or update the sink in the project

        ```
        from google.api_core.exceptions import AlreadyExists

        try:
            response = client.create_sink(
                parent=f"projects/{project_id}",
                sink=sink
            )
            print(f"Sink created: {response.name}")
        except AlreadyExists:
            response = client.update_sink(
                sink_name,
                sink,
                update_mask=["filter", "destination"]
            )
            print(f"Sink updated: {response.name}")
        ```

        Step 7: Verify that the sink is created and that audit logs are being exported

        ```
        response = client.list_sinks(f"projects/{project_id}")
        for sink in response:
            print(sink.name)
        ```

        This will create or update the sink in the project and start exporting all audit logs to BigQuery. You can verify that the sink is created and that audit logs are being exported by checking the output of the `list_sinks` method.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
