turbot/steampipe-mod-oci-compliance

Control: 4.13 Ensure VCN flow logging is enabled for all subnets

Description

VCN flow logs record details about traffic that has been accepted or rejected based on the security list rules.

Enabling VCN flow logs lets you monitor traffic flowing within your virtual network, and the records can be used to detect anomalous traffic.

Remediation

From Console

First, if a Capture filter has not already been created, create one by following these steps:

  1. Go to the Network Command Center page (https://cloud.oracle.com/networking/network-command-center).
  2. Click 'Capture filters'.
  3. Click 'Create Capture filter'.
  4. Type a name for the Capture filter in the Name box.
  5. Select 'Flow log capture filter'.
  6. For Sample rating select 100%.
  7. Scroll to Rules.
  8. For Traffic disposition select All.
  9. For Include/Exclude select Include.
  10. Leave Source IPv4 CIDR or IPv6 prefix and Destination IPv4 CIDR or IPv6 prefix empty.
  11. For IP protocol select Include.
  12. Click Create Capture filter.

Second, enable VCN flow logging for your VCN or subnet(s) by following these steps:

  1. Go to the Logs page.
  2. Click the Enable Service Log button in the middle of the screen.
  3. Select the relevant resource compartment.
  4. Select Virtual Cloud Networks - Flow logs from the Service drop down menu.
  5. Select the relevant resource level, either VCN or subnet, from the resource drop down menu.
  6. Select the relevant resource from the resource drop down menu.
  7. From the Log Category drop down menu, select either Flow Logs - subnet records or Flow Logs - vcn records.
  8. Select the Capture filter created above.
  9. Type a name for your flow logs in the Log Name text box.
  10. Select the Compartment for the Log Location.
  11. Select the Log Group for the Log Location, or click Create New Group to create a new log group.
  12. Click the Enable Log button in the lower left-hand corner.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v300_4_13

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v300_4_13 --share

SQL

This control uses a named query:

with subnets_with_flowlog as (
  select
    configuration -> 'source' ->> 'resource' as subnet_id,
    lifecycle_state
  from
    oci_logging_log
  where
    configuration -> 'source' ->> 'service' = 'flowlogs'
    and lifecycle_state = 'ACTIVE'
)
select
  s.id as resource,
  case
    when a.subnet_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.subnet_id is null then s.title || ' flow logging disabled.'
    else s.title || ' flow logging enabled.'
  end as reason,
  s.region as region,
  s.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_subnet as s
  left join subnets_with_flowlog as a on s.id = a.subnet_id
  left join oci_identity_compartment as c on c.id = s.compartment_id;
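Note that the query above credits a subnet only when an ACTIVE flow log's source resource is that subnet's own OCID. The remediation also allows enabling flow logging at the VCN level (Flow Logs - vcn records); such a log is recorded against the VCN rather than against each subnet, so subnets covered only by a VCN-level log still report alarm under this check. The query below is an added example, not part of the mod, that also accepts a VCN-level log. It assumes that oci_core_subnet exposes the parent VCN OCID as vcn_id and that a VCN-level flow log stores the VCN OCID in configuration -> 'source' ->> 'resource'.

```sql
-- Added example (not the mod's own query): credit a subnet when an ACTIVE flow log
-- exists for either the subnet itself or its parent VCN.
-- Assumptions: oci_core_subnet.vcn_id holds the parent VCN OCID, and a VCN-level
-- flow log stores the VCN OCID in configuration -> 'source' ->> 'resource'.
with active_flowlogs as (
  -- distinct so that several logs on one resource do not duplicate subnet rows
  select distinct
    configuration -> 'source' ->> 'resource' as source_resource
  from
    oci_logging_log
  where
    configuration -> 'source' ->> 'service' = 'flowlogs'
    and lifecycle_state = 'ACTIVE'
)
select
  s.id as resource,
  case
    when sl.source_resource is not null then 'ok'
    when vl.source_resource is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when sl.source_resource is not null then s.title || ' flow logging enabled at subnet level.'
    when vl.source_resource is not null then s.title || ' flow logging enabled at VCN level.'
    else s.title || ' flow logging disabled.'
  end as reason,
  s.region as region,
  s.tenant_name as tenant,
  coalesce(c.name, 'root') as compartment
from
  oci_core_subnet as s
  -- subnet-level flow log, matched on the subnet OCID
  left join active_flowlogs as sl on sl.source_resource = s.id
  -- VCN-level flow log, matched on the parent VCN OCID
  left join active_flowlogs as vl on vl.source_resource = s.vcn_id
  left join oci_identity_compartment as c on c.id = s.compartment_id;
```

The reason column distinguishes subnet-level from VCN-level coverage so that a reviewer can still see which subnets lack their own log; only logs in the ACTIVE lifecycle state count, as in the original control.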

Tags