Benchmark: 3 Logging and Monitoring
Overview
This section contains recommendations for configuring logging and monitoring related options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-oci-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3 Logging and Monitoring.
Run this benchmark in your terminal:
powerpipe benchmark run oci_compliance.benchmark.cis_v120_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run oci_compliance.benchmark.cis_v120_3 --share
Controls
- 3.1 Ensure audit log retention period is set to 365 days
- 3.2 Ensure default tags are used on resources
- 3.3 Create at least one notification topic and subscription to receive monitoring alerts
- 3.4 Ensure a notification is configured for Identity Provider changes
- 3.5 Ensure a notification is configured for IdP group mapping changes
- 3.6 Ensure a notification is configured for IAM group changes
- 3.7 Ensure a notification is configured for IAM policy changes
- 3.8 Ensure a notification is configured for user changes
- 3.9 Ensure a notification is configured for VCN changes
- 3.10 Ensure a notification is configured for changes to route tables
- 3.11 Ensure a notification is configured for security list changes
- 3.12 Ensure a notification is configured for network security group changes
- 3.13 Ensure a notification is configured for changes to network gateways
- 3.14 Ensure VCN flow logging is enabled for all subnets
- 3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy
- 3.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually
- 3.17 Ensure write level Object Storage logging is enabled for all buckets