Control: 3.17 Ensure write level Object Storage logging is enabled for all buckets
Description
Object Storage write logs record every write request made to objects in a bucket (object creation, overwrite and deletion), so that changes to bucket contents leave an audit trail. Without them, such changes are not logged at the request level.
Remediation
From Console
First, if a log group for holding these logs has not already been created, create a log group by the following steps:
- Go to the Log Groups page.
- Click the Create Log Groups button in the middle of the screen.
- Select the relevant compartment to place these logs.
- Type a name for the log group in the Name box.
- Add an optional description in the Description box.
- Click the Create button in the lower left hand corner.
Second, enable Object Storage write logging for your bucket(s) by the following steps:
- Go to the Logs page.
- Click the Enable Service Log button in the middle of the screen.
- Select the relevant resource compartment.
- Select Object Storage from the Service drop down menu.
- Select the relevant bucket from the Resource drop down menu.
- Select Write Access Events from the Log Category drop down menu.
- Type a name for your Object Storage write log in the Log Name field.
- Click the Enable Log button in the lower left hand corner.
From Command Line
First, if a log group for holding these logs has not already been created, create a log group by the following steps:
- Create a log group:
oci logging log-group create --compartment-id <compartment-id> \
  --display-name "<DisplayName>" \
  --description "<Description>"
The output of the command gives you a work request ID. You can query the work request to see the status of the job by issuing the following command:
oci logging work-request get --work-request-id <work-request-id from the command above>
Look for the status field to be SUCCEEDED.
Second, enable Object Storage write logging for your bucket(s) by the following steps:
- Get the log group ID needed for creating the log:
oci logging log-group list --compartment-id <compartment-id> \
  --query 'data[?contains("display-name", `'"<DisplayName>"'`)].id|join(`\n`, @)' \
  --raw-output
- Create a JSON file called config.json with the following content:
{
  "compartment-id": "<compartment-id>",
  "source": {
    "resource": "<bucket-name>",
    "service": "ObjectStorage",
    "source-type": "OCISERVICE",
    "category": "write"
  }
}
The compartment-id is the OCID of the compartment in which the bucket exists. The resource value is the bucket name. Each bucket needs its own service log, so repeat this step and the next for every bucket in scope.
- Create the service log:
oci logging log create --log-group-id <log-group-id from the list command above> \
  --display-name "<DisplayName>" \
  --log-type SERVICE --is-enabled TRUE \
  --configuration file://config.json
The output of the command gives you a work request ID. You can query the work request to see the status of the job by issuing the following command:
oci logging work-request get --work-request-id <work-request-id from the command above>
Look for the status field to be SUCCEEDED.
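The control is "for all buckets", which the console and CLI steps above handle one bucket at a time. The following audit script is an added example, not part of this page or the oci_compliance mod: it takes the saved JSON output of `oci os bucket list --compartment-id <compartment-id> --all` and `oci logging log list --log-group-id <log-group-id> --all`, reports buckets that have no enabled Object Storage write service log, and prints the config file and `oci logging log create` command from the procedure above for each of them (printed for review, not executed). The sample data is constructed inline; the case-insensitive comparison of the service and category names is an assumption, since the create payload uses "ObjectStorage" while listed logs may report the name lowercased.

```python
import json
import shlex

# Constructed sample of `oci os bucket list --compartment-id <id> --all` output,
# trimmed to the fields this check uses. Not real tenancy data.
SAMPLE_BUCKETS = json.dumps({
    "data": [
        {"name": "app-uploads", "compartment-id": "ocid1.compartment.oc1..example"},
        {"name": "backups", "compartment-id": "ocid1.compartment.oc1..example"},
        {"name": "tf-state", "compartment-id": "ocid1.compartment.oc1..example"},
    ]
})

# Constructed sample of `oci logging log list --log-group-id <id> --all` output:
#   app-uploads: write log enabled            -> compliant
#   backups:     write log exists but disabled -> non-compliant
#   tf-state:    only a read log               -> non-compliant (no write category)
SAMPLE_LOGS = json.dumps({
    "data": [
        {"display-name": "app-uploads-write", "log-type": "SERVICE", "is-enabled": True,
         "configuration": {"source": {"service": "objectstorage", "resource": "app-uploads",
                                      "category": "write", "source-type": "OCISERVICE"}}},
        {"display-name": "backups-write", "log-type": "SERVICE", "is-enabled": False,
         "configuration": {"source": {"service": "objectstorage", "resource": "backups",
                                      "category": "write", "source-type": "OCISERVICE"}}},
        {"display-name": "tf-state-read", "log-type": "SERVICE", "is-enabled": True,
         "configuration": {"source": {"service": "objectstorage", "resource": "tf-state",
                                      "category": "read", "source-type": "OCISERVICE"}}},
    ]
})


def buckets_with_write_logging(logs_json: str) -> set:
    """Names of buckets that have an *enabled* Object Storage write service log."""
    covered = set()
    for log in json.loads(logs_json).get("data", []):
        # A disabled log does not satisfy the control, so skip it.
        if log.get("log-type") != "SERVICE" or not log.get("is-enabled"):
            continue
        src = log.get("configuration", {}).get("source", {})
        # Assumption: compare service/category case-insensitively, since the create
        # payload uses "ObjectStorage" while listed logs may report it lowercased.
        if (src.get("source-type") == "OCISERVICE"
                and src.get("service", "").lower() == "objectstorage"
                and src.get("category", "").lower() == "write"):
            covered.add(src.get("resource"))
    return covered


def buckets_missing_write_logging(buckets_json: str, logs_json: str) -> list:
    """Buckets in the listing with no enabled write log, sorted for stable output."""
    covered = buckets_with_write_logging(logs_json)
    names = [b["name"] for b in json.loads(buckets_json).get("data", [])]
    return sorted(n for n in names if n not in covered)


def write_log_config(compartment_id: str, bucket: str) -> dict:
    """The --configuration payload for `oci logging log create` from the remediation."""
    return {
        "compartment-id": compartment_id,
        "source": {
            "resource": bucket,
            "service": "ObjectStorage",
            "source-type": "OCISERVICE",
            "category": "write",
        },
    }


def remediation_commands(compartment_id: str, log_group_id: str, missing: list) -> list:
    """One config file write plus one `oci logging log create` per non-compliant bucket.

    Commands are returned as strings rather than executed so they can be reviewed
    before anything is changed in the tenancy.
    """
    cmds = []
    for bucket in missing:
        cfg_file = f"config-{bucket}.json"
        cfg = json.dumps(write_log_config(compartment_id, bucket))
        cmds.append(f"printf '%s' {shlex.quote(cfg)} > {shlex.quote(cfg_file)}")
        cmds.append(
            "oci logging log create "
            f"--log-group-id {shlex.quote(log_group_id)} "
            f"--display-name {shlex.quote(bucket + '-write')} "
            "--log-type SERVICE --is-enabled TRUE "
            f"--configuration file://{cfg_file}"
        )
    return cmds


if __name__ == "__main__":
    missing = buckets_missing_write_logging(SAMPLE_BUCKETS, SAMPLE_LOGS)
    print("Buckets without an enabled write log:", missing)
    for cmd in remediation_commands("ocid1.compartment.oc1..example",
                                    "ocid1.loggroup.oc1..example", missing):
        print(cmd)
```

To run it against a real compartment, replace the two SAMPLE_ constants with the contents of the saved CLI output files; the script deliberately treats a log that exists but is disabled as non-compliant, because the control is about logging actually being active, not merely configured.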
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v110_3_17
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v110_3_17 --share
SQL
This control uses a named query:
manual_control
This is a manual control: the query reports the control for manual verification rather than evaluating the logging state of each bucket.