Skip to content

feat(query): implements "Beta - Logs And Alerts Missing Audit Configuration Changes" #7801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

feat(query): implements "Beta - Logs And Alerts Missing Audit Configuration Changes" #7801

wants to merge 11 commits into from

Conversation

@cx-andre-pereira
Copy link
Contributor

@cx-andre-pereira cx-andre-pereira commented Oct 29, 2025
edited
Loading

Reason for Proposed Changes

  • Currently there are no queries addressing the Terraform/gcp "google_logging_metric" and "google_monitoring_alert_policy" resources's "filter" fields. This query is meant to ensure those resources's filters properly check for admin activity and data access logs.

  • Quoting CIS_Google_Cloud_Platform_Foundation_Benchmark_v4.0.0 page 86: "Admin activity and data access logs produced by cloud audit logging enable security analysis, resource change tracking, and compliance auditing. Configuring the metric filter and alerts for audit configuration changes ensures the recommended state of audit configuration is maintained so that all activities in the project are audit-able at any point in time."

  • Additionally page 86 states the specific filter that should be present :

protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.auditConfigDeltas:*

Proposed Changes

  • Developed an initial implementation for a query that ensures "Audit Configuration Changes" are accounted for by a given filter.

  • Based on the audit described by the CIS entry the query will flag if :

    • There is at least one"google_logging_metric" resource in the project and none contain the correct filter
    • There is at least one "google_monitoring_alert_policy" resource in the project and none contain the filter/reference a logging metric that contains the correct filter
    • There is at least one "google_monitoring_alert_policy" resource that contains the filter but none of them declare "notification_channels".

Note: there are currently issues with the search values, i could not get them to point to the "filter" field for either of the target resources in the scan results.

Tenable Reference

I submit this contribution under the Apache-2.0 license.

@github-actions github-actions bot added feature New feature query New query feature labels Oct 29, 2025
@github-actions
Copy link
Contributor

kics-logo

KICS version: v2.1.13

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

@github-actions github-actions bot added terraform Terraform query gcp PR related with GCP Cloud azure PR related with Azure Cloud labels Oct 31, 2025
@cx-andre-pereira cx-andre-pereira marked this pull request as ready for review October 31, 2025 12:37
@cx-andre-pereira cx-andre-pereira requested a review from a team as a code owner October 31, 2025 12:37
@cx-andre-pereira
Merge branch 'master' into AST-116617_4_2-Logging_and_Monitoring_ensu…
6e21076 
…re_that_the_log_metric_filter_and_alerts_exist_for_audit_configuration_changes
@github-actions github-actions bot removed the azure PR related with Azure Cloud label Oct 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature New feature gcp PR related with GCP Cloud query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cx-andre-pereira