2.11 Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes

Information

It is recommended that a metric filter and alarm be established for SQL instance configuration changes.

Rationale:

Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.

Below are a few of the configurable options which may the impact security posture of an SQL instance:

Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability

Authorize networks: Misconfiguration may increase exposure to untrusted networks

Impact:

Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

From Google Cloud Console
Create the prescribed Log Metric:

Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click 'CREATE METRIC'.

Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.

Clear any text and add:

protoPayload.methodName='cloudsql.instances.update'

Click Submit Filter. Display logs appear based on the filter text entered by the user.

In the Metric Editor menu on right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.

Click Create Metric.

Create the prescribed alert policy:

Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.

Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric. A new page appears.

Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:

Set 'Aggregator' to 'Count'

Set 'Configuration':

- Condition: above

- Threshold: 0

- For: most recent value

Configure the desired notification channels in the section Notifications.

Name the policy and click Save.

From Google Cloud CLI
Create the prescribed log metric:

Use the command: gcloud logging metrics create

Create the prescribed alert policy:

Use the command: gcloud alpha monitoring policies create

Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create

See Also

https://workbench.cisecurity.org/benchmarks/11843