v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 3.14 Ensure VCN flow logging is enabled for all subnets

Description

VCN flow logs record details about traffic that has been accepted or rejected based on the security list rule.

Remediation

From Console

First, if a log group for holding these logs has not already been created, create a log group by the following steps:

  1. Go to the Log Groups page.
  2. Click the Create Log Groups button in the middle of the screen.
  3. Select the relevant compartment to place these logs.
  4. Type a name for the log group in the Name box.
  5. Add an optional description in the Description box.
  6. Click the Create button in the lower left hand corner.

Second, enable VCN flow logging for your subnet(s) by the following steps:

  1. Go to the Logs page.
  2. Click the Enable Service Log button in the middle of the screen.
  3. Select the relevant resource compartment.
  4. Select Virtual Cloud Networks (subnets) from the Service drop down menu.
  5. Select the relevant resource from the resource drop down menu.
  6. Select Flow Logs (all records) from the Log Category drop down menu.
  7. Type a name for your flow logs in the Log Name drop down menu.
  8. Click the Enable Log button in the lower left hand corner.

From Command Line

  1. Set the variable C to the OCID of the compartment
export C=<Compartment OCID>
  1. Create a log group:
oci logging log-group create --compartment-id $C \ 
--display-name "<DisplayName>" \
--description "<Description>"

The output of the command gives you a work request id. You can query the work request to see the status of the job by issuing the following command:

oci logging work-request get --work-request-id <output from command above>

Look for the status filed to be SUCCEEDED.

  1. Get the Log group ID, needed for creating the Log:
oci logging log-group list --compartment-id $C \
--query 'data[?contains("display-name", `'"<DisplayName>"'`)].id|join(`\n`, @)' \
--raw-output
  1. Create a JSON file called config.json with the following content:
{
  "compartment-id":"ocid1.compartment.oc1.......",
  "source": {
    "resource": "ocid1.subnet.oc1.iad.......",
    "service": "flowlogs",
    "source-type": "OCISERVICE",
    "category": "all"
  }
}

The compartment-id is the Compartment OCID of where the subnet resource is present. The resource value is the OCID of subnet for which flowlogs is enabled.

  1. Create the Service Log:
oci logging log create --log-group-id <value from step 3.> \
--display-name "<DisplayName>" \
--log-type SERVICE --is-enabled TRUE \
--configuration file://config.json

The output of the command gives you a work request id. You can query the work request to see that status of the job by issuing the following command:

oci logging work-request get --work-request-id <output from command above>

Look for the status filed to be SUCCEEDED.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v110_3_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v110_3_14 --share

SQL

This control uses a named query:

core_subnet_flow_log_enabled

Tags

category = Compliance
cis = true
cis_item_id = 3.14
cis_level = 2
cis_section_id = 3
cis_type = manual
cis_version = v1.1.0
plugin = oci
service = OCI/VCN