# Tags shared by every control in section 2: the mod-wide CIS tags
# (local.cis_v100_common_tags, defined outside this file) plus the section id.
locals {
  cis_v100_2_common_tags = merge(
    local.cis_v100_common_tags,
    { cis_section_id = "2" },
  )
}
# Section 2 of the CIS Alibaba Cloud Foundations Benchmark v1.0.0:
# logging and monitoring. Children are listed in benchmark order, which is
# also the order they are reported in.
benchmark "cis_v100_2" {
  title         = "2 Logging and Monitoring"
  documentation = file("./cis_v100/docs/cis_v100_2.md")
  tags          = local.cis_v100_2_common_tags

  children = [
    # 2.1 - 2.2 are automated (ActionTrail); 2.3 - 2.23 are manual controls.
    control.cis_v100_2_1,
    control.cis_v100_2_2,
    control.cis_v100_2_3,
    control.cis_v100_2_4,
    control.cis_v100_2_5,
    control.cis_v100_2_6,
    control.cis_v100_2_7,
    control.cis_v100_2_8,
    control.cis_v100_2_9,
    control.cis_v100_2_10,
    control.cis_v100_2_11,
    control.cis_v100_2_12,
    control.cis_v100_2_13,
    control.cis_v100_2_14,
    control.cis_v100_2_15,
    control.cis_v100_2_16,
    control.cis_v100_2_17,
    control.cis_v100_2_18,
    control.cis_v100_2_19,
    control.cis_v100_2_20,
    control.cis_v100_2_21,
    control.cis_v100_2_22,
    control.cis_v100_2_23,
  ]
}
# 2.1 (automated, level 1): ActionTrail must be exporting all log entries.
# Pass/fail is decided by query.action_trail_enabled, defined outside this file.
control "cis_v100_2_1" {
  title         = "2.1 Ensure that ActionTrail are configured to export copies of all Log entries"
  documentation = file("./cis_v100/docs/cis_v100_2_1.md")
  description   = "ActionTrail is a web service that records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Alibaba Cloud service. ActionTrail provides a history of API calls for an account, including API calls made via the Management Console, SDKs, command line tools."
  sql           = query.action_trail_enabled.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.1"
    cis_level   = "1"
    cis_type    = "automated"
  })
}
# 2.2 (automated, level 1): the OSS bucket receiving ActionTrail logs must not
# be publicly readable -- the trail records caller identities, source IPs and
# request parameters. Evaluated by query.action_trail_oss_bucket_not_public
# (defined outside this file).
control "cis_v100_2_2" {
  title         = "2.2 Ensure the OSS used to store ActionTrail logs is not publicly accessible"
  documentation = file("./cis_v100/docs/cis_v100_2_2.md")
  description   = "ActionTrail logs a record of every API call made in your Alibaba Cloud account. These logs file are stored in an OSS bucket. It is recommended that the access control list (ACL) of the OSS bucket, which ActionTrail logs to, shall prevent public access to the ActionTrail logs."
  sql           = query.action_trail_oss_bucket_not_public.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.2"
    cis_level   = "1"
    cis_type    = "automated"
  })
}
# 2.3 (manual, level 1): audit logs from multiple cloud resources integrated
# with Log Service. Backed by the shared query.manual_control placeholder
# (defined outside this file), so the evidence is collected by hand.
control "cis_v100_2_3" {
  title         = "2.3 Ensure audit logs for multiple cloud resources are integrated with Log Service"
  documentation = file("./cis_v100/docs/cis_v100_2_3.md")
  description   = "Log Service provides functions of log collection and analysis in real time across multiple cloud resources under the authorized resource owners. This enable the large-scale corporate for security governance over all resources owned by multiple accounts by integrating the log from different sources and monitoring."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.3"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.4 (manual, level 1): Log Service enabled for ACK (Kubernetes) clusters so
# cluster audit logs are collected centrally. Uses the shared
# query.manual_control placeholder defined outside this file.
control "cis_v100_2_4" {
  title         = "2.4 Ensure Log Service is enabled for Container Service for Kubernetes"
  documentation = file("./cis_v100/docs/cis_v100_2_4.md")
  description   = "Log Service shall be connected with Kubernetes clusters of Alibaba Cloud Container Service to collect the audit log for central monitoring and analysis. You can simply enable Log Service when creating a cluster for log collection."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.4"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.5 (manual, level 1): VPC / VSwitch flow logs delivered to Log Service.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_5" {
  title         = "2.5 Ensure virtual network flow log service is enabled"
  documentation = file("./cis_v100/docs/cis_v100_2_5.md")
  description   = "The flow log can be used to capture the traffic of an Elastic Network Interface (ENI), Virtual Private Cloud (VPC) or Virtual Switch (VSwitch). The flow log of a VPC or VSwitch shall be integrated with Log Service to capture the traffic of all ENIs in the VPC or VSwtich including the ENIs created after the flow log function is enabled. The traffic data captured by flow logs is stored in Log Service for real-time monitoring and analysis. A capture window is about 10 minutes, during which the traffic data is aggregated and then released to flow log record."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.5"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.6 (manual, level 2): Anti-DDoS Pro access/security logs shipped to Log
# Service. Uses the shared query.manual_control placeholder defined outside
# this file.
control "cis_v100_2_6" {
  title         = "2.6 Ensure Anti-DDoS access and security log service is enabled"
  documentation = file("./cis_v100/docs/cis_v100_2_6.md")
  description   = "Alibaba Cloud Anti-DDoS Pro supports integration with Log Service for website access log (including HTTP flood attack logs) to enable the real-time analysis and reporting center features. The log collected can be monitored on a central dashboard on Log Service."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.6"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.7 (manual, level 2): WAF access/attack logs shipped to Log Service.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_7" {
  title         = "2.7 Ensure Web Application Firewall access and security log service is enabled"
  documentation = file("./cis_v100/docs/cis_v100_2_7.md")
  description   = "Log Service collects log entries that record visits to and attacks on websites that are protected by Alibaba Cloud Web Application Firewall (WAF), and supports real-time log query and analysis. The query results are centrally displayed in dashboards."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.7"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.8 (manual, level 2): Cloud Firewall internet-traffic logs analysed in Log
# Service. Uses the shared query.manual_control placeholder defined outside
# this file.
control "cis_v100_2_8" {
  title         = "2.8 Ensure Cloud Firewall access and security log analysis is enabled"
  documentation = file("./cis_v100/docs/cis_v100_2_8.md")
  description   = "Log Service collects log entries of internet traffic that are protected by Cloud Firewall, and supports real-time log query and analysis. The query results are centrally displayed in dashboards."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.8"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.9 (manual, level 2): Security Center network/host/security logs analysed
# in Log Service. Uses the shared query.manual_control placeholder defined
# outside this file.
control "cis_v100_2_9" {
  title         = "2.9 Ensure Security Center Network, Host and Security log analysis is enabled"
  documentation = file("./cis_v100/docs/cis_v100_2_9.md")
  description   = "Log Service collects log entries of Security Center for security logs, network logs, and host logs, with 14 subtypes."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.9"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.10 (manual, level 1): alerting on RAM role create/update/delete.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_10" {
  title         = "2.10 Ensure log monitoring and alerts are set up for RAM Role changes"
  documentation = file("./cis_v100/docs/cis_v100_2_10.md")
  description   = "It is recommended that a query and alarm should be established for RAM Role creation, deletion and updating activities."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.10"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.11 (manual, level 2): alerting on Cloud Firewall rule changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_11" {
  title         = "2.11 Ensure log monitoring and alerts are set up for Cloud Firewall changes"
  documentation = file("./cis_v100/docs/cis_v100_2_11.md")
  description   = "It is recommended that a metric filter and alarm be established for Cloud Firewall rule changes."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.11"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.12 (manual, level 1): alerting on VPC route table changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_12" {
  title         = "2.12 Ensure log monitoring and alerts are set up for VPC network route changes"
  documentation = file("./cis_v100/docs/cis_v100_2_12.md")
  description   = "It is recommended that a metric filter and alarm be established for VPC network route changes."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.12"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.13 (manual, level 1): alerting on VPC changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_13" {
  title         = "2.13 Ensure log monitoring and alerts are set up for VPC changes"
  documentation = file("./cis_v100/docs/cis_v100_2_13.md")
  description   = "It is recommended that a log search/analysis query and alarm be established for VPC changes."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.13"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.14 (manual, level 1): alerting on OSS bucket permission (RAM) changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_14" {
  title         = "2.14 Ensure log monitoring and alerts are set up for OSS permission changes"
  documentation = file("./cis_v100/docs/cis_v100_2_14.md")
  description   = "It is recommended that a metric filter and alarm be established for OSS Bucket RAM changes."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.14"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.15 (manual, level 1): alerting on RDS instance configuration changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_15" {
  title         = "2.15 Ensure log monitoring and alerts are set up for RDS instance configuration changes"
  documentation = file("./cis_v100/docs/cis_v100_2_15.md")
  description   = "It is recommended that a metric filter and alarm be established for RDS Instance configuration changes."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.15"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.16 (manual, level 1): alerting on unauthorized API calls seen in
# ActionTrail logs delivered to Log Service. Uses the shared
# query.manual_control placeholder defined outside this file.
control "cis_v100_2_16" {
  title         = "2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls"
  documentation = file("./cis_v100/docs/cis_v100_2_16.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to LogService and establishing corresponding query and alarms. It is recommended that a query and alarm be established for unauthorized API calls."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.16"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.17 (manual, level 1): alerting on console sign-ins that did not use MFA.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_17" {
  title         = "2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA"
  documentation = file("./cis_v100/docs/cis_v100_2_17.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for console logins that are not protected by multi-factor authentication (MFA)."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.17"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
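# 2.18 (manual, level 1): alerting on any use of the 'root' account.
# The description previously ended with text copied from 2.17 ("console logins
# that are not protected by root login attempts"), which did not describe this
# control; it now matches the title. Uses the shared query.manual_control
# placeholder defined outside this file.
control "cis_v100_2_18" {
  title         = "2.18 Ensure a log monitoring and alerts are set up for usage of 'root' account"
  documentation = file("./cis_v100/docs/cis_v100_2_18.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for login attempts and any other usage of the 'root' account."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.18"
    cis_level   = "1"
    cis_type    = "manual"
  })
}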
# 2.19 (manual, level 2): alerting on failed console authentication attempts.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_19" {
  title         = "2.19 Ensure a log monitoring and alerts are set up for Management Console authentication failures"
  documentation = file("./cis_v100/docs/cis_v100_2_19.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for failed console authentication attempts."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.19"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.20 (manual, level 2): alerting when customer-managed KMS keys are disabled
# or scheduled for deletion. Uses the shared query.manual_control placeholder
# defined outside this file.
control "cis_v100_2_20" {
  title         = "2.20 Ensure a log monitoring and alerts are set up for disabling or deletion of customer created CMKs"
  documentation = file("./cis_v100/docs/cis_v100_2_20.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for customer created KMSs which have changed state to disabled or deletion."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.20"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
# 2.21 (manual, level 1): alerting on OSS bucket policy changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_21" {
  title         = "2.21 Ensure a log monitoring and alerts are set up for OSS bucket policy changes"
  documentation = file("./cis_v100/docs/cis_v100_2_21.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for changes to OSS bucket policies."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.21"
    cis_level   = "1"
    cis_type    = "manual"
  })
}
# 2.22 (manual, level 2): alerting on security group changes.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_22" {
  title         = "2.22 Ensure a log monitoring and alerts are set up for security group changes"
  documentation = file("./cis_v100/docs/cis_v100_2_22.md")
  description   = "Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that query and alarm be established changes to Security Groups."
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.22"
    cis_level   = "2"
    cis_type    = "manual"
  })
}
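# 2.23 (manual, level 2): Logstore retention of at least 365 days, so audit
# evidence outlives a typical investigation window.
# The documentation attribute previously pointed at cis_v100_2_22.md (the
# previous control's page); every other control in this file uses the doc
# file named after its own id, so this one now points at cis_v100_2_23.md.
# NOTE(review): confirm ./cis_v100/docs/cis_v100_2_23.md exists in the mod,
# since file() fails at load time if it does not.
# Uses the shared query.manual_control placeholder defined outside this file.
control "cis_v100_2_23" {
  title         = "2.23 Ensure that Logstore data retention period is set 365 days or greater"
  documentation = file("./cis_v100/docs/cis_v100_2_23.md")
  description   = "Ensure Activity Log Retention is set for 365 days or greater"
  sql           = query.manual_control.sql

  tags = merge(local.cis_v100_2_common_tags, {
    cis_item_id = "2.23"
    cis_level   = "2"
    cis_type    = "manual"
  })
}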