
Bug: CIS check 4.13 does not recognize VCN flow logs that are applied at the VCN level #149

Open
hslange opened this issue Sep 4, 2024 · 2 comments


hslange commented Sep 4, 2024

CIS check 4.13 says: Ensure VCN flow logging is enabled for all subnets

Our implementation is built using the modules from terraform-oci-modules-observability.

We create VCN flow logs for an entire VCN and not for each individual subnet. We implemented this using the following construct, as described for logging in the logging module:

Defining Flow Logs

  • flow_logs: A map of flow logs. Use this when defining flow logs in bulk within specified compartments. Logs are created in the same compartment as the enclosing flow log group.
  • name_prefix: (Optional) a prefix to flow log names.
  • log_group_id: The flow log group. The value should be one of the reference keys defined in log_groups.
  • target_resource_type: The target resource type for flow logs. Valid values: "vcn", "subnet", "vnic".
  • target_compartment_ids: The list of compartments containing the resources of type defined in target_resource_type to create flow logs for. The module searches for all resources of target_resource_type in these compartments. For "vnic" target_resource_type, NLB (Network Load Balancer) private IP VNICs are also included.

By using this module and specifying the target_resource_type as "vcn", this will result in a log_group per VCN with 1 log for all subnets.

cis_reports.py reports for all the subnets in the VCN that they don't have logging enabled; however, this is not true, because it is enabled at the VCN level.
The reason is that the Python code only checks if a subnet exists in the list of subnet logs based on the subnet OCID.
But this should be either the subnet OCID or the VCN OCID.

After I made the following modification to the code, it actually passed successfully for all VCNs with logging enabled.
Code starts at line 4097:

original code

```python
# CIS Check 4.13 - VCN FlowLog enable
# Generate list of subnets IDs
for subnet in self.__network_subnets:
    if not (subnet['id'] in self.__subnet_logs):
        self.cis_foundations_benchmark_2_0['4.13']['Status'] = False
        self.cis_foundations_benchmark_2_0['4.13']['Findings'].append(subnet)
```

changed code

```python
# CIS Check 4.13 - VCN FlowLog enable
# Generate list of subnets IDs
for subnet in self.__network_subnets:
    if not (subnet['id'] in self.__subnet_logs) and not (subnet['vcn_id'] in self.__subnet_logs):
        self.cis_foundations_benchmark_2_0['4.13']['Status'] = False
        self.cis_foundations_benchmark_2_0['4.13']['Findings'].append(subnet)
```

I did not check the third option to enable logging at the VNIC level, but that should fail this test, as the check is to ensure logging is enabled for the entire subnet (or VCN).

Please check and verify, and if you agree, I hope you can add this as a fix.
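To make the difference between the two checks concrete, here is a stand-alone model of CIS 4.13 as an added example. It is not the cis_reports.py code and not part of this issue; the function names, the record layout of the flow-log entries and all OCIDs are constructed. It goes slightly beyond the snippet in the issue in one respect: it builds the set of covered targets only from "vcn"- and "subnet"-scoped flow logs, so that a VNIC-scoped log does not satisfy the check, which is the behaviour the issue says should fail.

```python
# Added example modelling CIS 4.13 with VCN-level flow logs recognised.
# Not the cis_reports.py implementation; all names and OCIDs are constructed.
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory: two VCNs, two subnets each.
SUBNETS: List[Dict[str, str]] = [
    {"id": "ocid1.subnet.oc1..aaaa1", "vcn_id": "ocid1.vcn.oc1..vcn1", "display_name": "app-subnet"},
    {"id": "ocid1.subnet.oc1..aaaa2", "vcn_id": "ocid1.vcn.oc1..vcn1", "display_name": "db-subnet"},
    {"id": "ocid1.subnet.oc1..bbbb1", "vcn_id": "ocid1.vcn.oc1..vcn2", "display_name": "legacy-subnet"},
    {"id": "ocid1.subnet.oc1..bbbb2", "vcn_id": "ocid1.vcn.oc1..vcn2", "display_name": "mgmt-subnet"},
]

# Constructed flow-log records (field names are this example's, not the OCI SDK's).
# vcn1 is logged at the VCN level; in vcn2 only bbbb1 has a subnet-level log,
# and the remaining log is VNIC-scoped, which covers one attachment only.
FLOW_LOGS: List[Dict[str, str]] = [
    {"resource": "ocid1.vcn.oc1..vcn1", "resource_type": "vcn"},
    {"resource": "ocid1.subnet.oc1..bbbb1", "resource_type": "subnet"},
    {"resource": "ocid1.vnic.oc1..vnic9", "resource_type": "vnic"},
]


def covered_targets(flow_logs: Iterable[Dict[str, str]]) -> Set[str]:
    """OCIDs whose flow logs cover whole subnets: VCN- or subnet-scoped logs only.

    VNIC-scoped logs are deliberately excluded; they do not cover an entire subnet.
    """
    return {log["resource"] for log in flow_logs if log["resource_type"] in ("vcn", "subnet")}


def check_4_13_subnet_only(subnets: List[Dict[str, str]],
                           covered: Set[str]) -> Tuple[bool, List[Dict[str, str]]]:
    """Original logic: a subnet passes only if its own OCID has a flow log."""
    findings = [s for s in subnets if s["id"] not in covered]
    return (len(findings) == 0, findings)


def check_4_13(subnets: List[Dict[str, str]],
               covered: Set[str]) -> Tuple[bool, List[Dict[str, str]]]:
    """Corrected logic: a subnet passes if its own OCID or its VCN's OCID has a flow log."""
    findings = [s for s in subnets if s["id"] not in covered and s["vcn_id"] not in covered]
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    covered = covered_targets(FLOW_LOGS)
    for label, fn in (("subnet-only", check_4_13_subnet_only), ("subnet-or-vcn", check_4_13)):
        status, findings = fn(SUBNETS, covered)
        print(f"{label}: status={status}, findings={[f['display_name'] for f in findings]}")
```

Run as-is, the subnet-only variant flags three of the four subnets (both subnets of vcn1, although the VCN-level log covers them, plus mgmt-subnet), while the corrected variant flags only mgmt-subnet, whose sole log is VNIC-scoped. Keeping the covered-target set separate from the per-subnet loop also makes it easy to see exactly which log scopes the check accepts.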

Halimer (Collaborator) commented Dec 21, 2024

Thank you for the recommendation. We will update the script in the next release.

hslange (Author) commented Dec 21, 2024

Thanks for including this in the next release.
I think the same issue pops up when running with the -obp flag. I did not check how that can be solved as the code construct is different.
Hope this can also be fixed.
