turbot/steampipe-mod-oci-compliance

Control: 4.13 Ensure VCN flow logging is enabled for all subnets

Description

VCN flow logs record details about traffic that has been accepted or rejected based on the security list rules.

Enabling VCN flow logs lets you monitor traffic flowing within your virtual network, and the records can be used to detect anomalous traffic.

Remediation

From Console

First, if a log group for holding these logs has not already been created, create a log group by the following steps:

  1. Go to the Log Groups page.
  2. Click the Create Log Groups button in the middle of the screen.
  3. Select the relevant compartment to place these logs.
  4. Type a name for the log group in the Name box.
  5. Add an optional description in the Description box.
  6. Click the Create button in the lower left hand corner.

Second, enable VCN flow logging for your subnet(s) by the following steps:

  1. Go to the Logs page.
  2. Click the Enable Service Log button in the middle of the screen.
  3. Select the relevant resource compartment.
  4. Select Virtual Cloud Networks (subnets) from the Service drop down menu.
  5. Select the relevant resource from the resource drop down menu.
  6. Select Flow Logs (all records) from the Log Category drop down menu.
  7. Type a name for your flow logs in the Log Name drop down menu.
  8. Click the Enable Log button in the lower left hand corner.

From CLI

  1. Create a log group:
oci logging log-group create --compartment-id $C \
  --display-name "<DisplayName>" \
  --description "<Description>"

The output of the command gives you a work request id. You can query the work request to see the status of the job by issuing the following command:

oci logging work-request get --work-request-id <work-request-id>

Look for the status field to be SUCCEEDED.

  2. Get the Log group ID, needed for creating the Log:
oci logging log-group list --compartment-id $C \
  --query 'data[?contains("display-name", `'"<DisplayName>"'`)].id|join(`\n`, @)' \
  --raw-output
  3. Create a JSON file called config.json with the following content:
{
  "compartment-id": "ocid1.compartment.oc1.......",
  "source": {
    "resource": "ocid1.subnet.oc1.iad.......",
    "service": "flowlogs",
    "source-type": "OCISERVICE",
    "category": "all"
  }
}

The compartment-id is the OCID of the compartment in which the subnet resource is present. The resource value is the OCID of the subnet for which flow logs are being enabled.

  4. Create the Service Log:
oci logging log create --log-group-id <value from step 2.> \
  --display-name "<DisplayName>" \
  --log-type SERVICE --is-enabled TRUE \
  --configuration file://config.json

The output of the command gives you a work request id. You can query the work request to see the status of the job by issuing the following command:

oci logging work-request get --work-request-id <work-request-id>

Look for the status field to be SUCCEEDED.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_4_13

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_4_13 --share

SQL

This control uses a named query:

with subnets_with_flowlog as (
  select
    configuration -> 'source' ->> 'resource' as subnet_id,
    lifecycle_state
  from
    oci_logging_log
  where
    configuration -> 'source' ->> 'service' = 'flowlogs'
    and lifecycle_state = 'ACTIVE'
)
select
  s.id as resource,
  case
    when a.subnet_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.subnet_id is null then s.title || ' flow logging disabled.'
    else s.title || ' flow logging enabled.'
  end as reason,
  s.region as region,
  s.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_subnet as s
  left join subnets_with_flowlog as a on s.id = a.subnet_id
  left join oci_identity_compartment as c on c.id = s.compartment_id;
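The same evaluation the query above performs, written as an added Python example (not code from the steampipe-mod-oci-compliance mod) over constructed in-memory records shaped like the oci_logging_log configuration from the config.json step and the oci_core_subnet rows the SQL reads; the subnet OCIDs and titles are placeholders. It also shows the two cases the query silently handles: a flow log that exists but is not ACTIVE, and a log record with no source block.

```python
def subnets_with_active_flowlog(logs):
    """Subnet OCIDs covered by an ACTIVE log whose source service is
    'flowlogs' (the subnets_with_flowlog CTE in the control's SQL)."""
    covered = set()
    for log in logs:
        # configuration -> 'source' may be absent on some log records
        source = (log.get("configuration") or {}).get("source") or {}
        if source.get("service") == "flowlogs" and log.get("lifecycle_state") == "ACTIVE":
            if source.get("resource"):
                covered.add(source["resource"])
    return covered

def evaluate_control(subnets, logs):
    """One row per subnet with the control's status and reason columns;
    a subnet with no matching ACTIVE flow log (the left join miss) alarms."""
    covered = subnets_with_active_flowlog(logs)
    rows = []
    for s in subnets:
        enabled = s["id"] in covered
        rows.append({
            "resource": s["id"],
            "status": "ok" if enabled else "alarm",
            "reason": s["title"] + (" flow logging enabled." if enabled
                                    else " flow logging disabled."),
        })
    return rows

# Constructed sample data; the OCIDs are placeholders, not real resources.
SAMPLE_SUBNETS = [
    {"id": "ocid1.subnet.oc1.iad.EXAMPLE-A", "title": "app-subnet"},
    {"id": "ocid1.subnet.oc1.iad.EXAMPLE-B", "title": "db-subnet"},
    {"id": "ocid1.subnet.oc1.iad.EXAMPLE-C", "title": "mgmt-subnet"},
]
SAMPLE_LOGS = [
    # ACTIVE flow log on subnet A: passes
    {"lifecycle_state": "ACTIVE", "configuration": {"source": {
        "resource": "ocid1.subnet.oc1.iad.EXAMPLE-A", "service": "flowlogs",
        "source-type": "OCISERVICE", "category": "all"}}},
    # flow log configured on subnet B but not ACTIVE: still alarms
    {"lifecycle_state": "INACTIVE", "configuration": {"source": {
        "resource": "ocid1.subnet.oc1.iad.EXAMPLE-B", "service": "flowlogs",
        "source-type": "OCISERVICE", "category": "all"}}},
    # log record without a source block: ignored, subnet C alarms
    {"lifecycle_state": "ACTIVE", "configuration": None},
]

if __name__ == "__main__":
    for row in evaluate_control(SAMPLE_SUBNETS, SAMPLE_LOGS):
        print(row["status"], row["reason"])
```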

Tags