Enable Logging for VPC Firewall Rules
ID: gcloud-firewall-rule-logging-not-enabled
Severity: medium
Author: princechaddha
Tags: cloud,devops,gcp,gcloud,google-cloud-vpc,firewall-logging,security,gcp-cloud-config
Description
Enable Virtual Private Cloud (VPC) firewall rule logging for each firewall rule whose connections you need to log. Firewall rule logging provides valuable insights into the source and destination of traffic, protocols, ports, and actions taken by the rules.
YAML Source
id: gcloud-firewall-rule-logging-not-enabled

info:
  name: Enable Logging for VPC Firewall Rules
  author: princechaddha
  severity: medium
  description: |
    Enable Virtual Private Cloud (VPC) firewall rule logging for each firewall rule whose connections you need to log. Firewall rule logging provides valuable insights into the source and destination of traffic, protocols, ports, and actions taken by the rules.
  impact: |
    Without firewall rule logging, it is difficult to analyze and monitor network traffic, making it challenging to troubleshoot and ensure compliance with security policies.
  remediation: |
    Enable logging for your VPC firewall rules to capture connection details, including traffic source, destination, and actions taken by the rules.
  reference:
    - https://cloud.google.com/vpc/docs/using-firewall-rules-logging
  tags: cloud,devops,gcp,gcloud,google-cloud-vpc,firewall-logging,security,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let network of iterate(template.networks)){
      set("networkName", network)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud compute networks list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: networks
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud compute firewall-rules list --filter="network=$networkName" --sort-by="priority" --format="json(name,disabled,direction,logConfig)"

    matchers:
      - type: word
        words:
          - '"enable": false'
          - '"disabled": false'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"The firewall rule " + name + " in network " + networkName + " in project " + projectId + " does not have logging enabled."'
# digest: 4b0a00483046022100d5031c3dce754710cfcafe6f799a9421188b95c712f5d77b1b35c6783f1e22ad022100f9a2fbc7b3b8384572f1e2885ea08397e6567d15ead3f3208344aa4884d56f45:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template audits GCP VPC firewall rules and reports active rules whose logging is not enabled. It is marked self-contained and runs gcloud commands locally, so the gcloud CLI must be authenticated with read access to the projects being checked, and code-protocol templates must be enabled in Nuclei with the -code flag. Run it with the Nuclei tool as follows:
$ nuclei -u "URL" -t "cloud/gcp/vpc/gcloud-firewall-rule-logging-not-enabled.yaml"
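As an added example (not part of the Nuclei template or the nuclei-templates project), the third step's matching logic carried out in Python over constructed gcloud output. It goes slightly beyond the template's substring matcher: the template looks for the literal `"enable": false`, so this version also flags active rules with no `logConfig` block at all, which gcloud omits when logging was never configured. The sample JSON and the project name are constructed.

```python
import json

# Constructed sample of what `gcloud compute firewall-rules list
# --format="json(name,disabled,direction,logConfig)"` returns for one network.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-ssh", "disabled": False, "direction": "INGRESS",
     "logConfig": {"enable": False}},
    {"name": "allow-https", "disabled": False, "direction": "INGRESS",
     "logConfig": {"enable": True, "metadata": "INCLUDE_ALL_METADATA"}},
    {"name": "legacy-rule", "disabled": False, "direction": "INGRESS"},
    {"name": "old-rdp", "disabled": True, "direction": "INGRESS",
     "logConfig": {"enable": False}},
])


def rules_without_logging(rules_json: str) -> list[str]:
    """Return names of active rules whose logging is off.

    A rule is reported when it is not disabled and either carries
    logConfig.enable == false or has no logConfig block at all (gcloud
    omits the block when logging was never configured, so a substring
    match on '"enable": false' alone would miss that case).
    """
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("disabled", False):
            continue  # the template only flags rules that are not disabled
        log_cfg = rule.get("logConfig") or {}
        if not log_cfg.get("enable", False):
            findings.append(rule["name"])
    return findings


def remediation_commands(project_id: str, names: list[str]) -> list[str]:
    """Build the gcloud update command that turns logging on per finding."""
    return [
        f"gcloud compute firewall-rules update {name} "
        f"--project {project_id} --enable-logging"
        for name in names
    ]


if __name__ == "__main__":
    # "example-project" is a constructed placeholder, not a real project.
    missing = rules_without_logging(SAMPLE_RULES_JSON)
    for name in missing:
        print(f"The firewall rule {name} does not have logging enabled.")
    print("\n".join(remediation_commands("example-project", missing)))
```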