Information
It is recommended that a metric filter and alarm be established for SQL instance configuration changes.
Rationale:
Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.
Below are a few of the configurable options which may the impact security posture of an SQL instance:
Enable auto backups and high availability: Misconfiguration may adversely impact business continuity, disaster recovery, and high availability
Authorize networks: Misconfiguration may increase exposure to untrusted networks
Impact:
Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
From Google Cloud Console
Create the prescribed Log Metric:
Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click 'CREATE METRIC'.
Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
Clear any text and add:
protoPayload.methodName='cloudsql.instances.update'
Click Submit Filter. Display logs appear based on the filter text entered by the user.
In the Metric Editor menu on right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.
Click Create Metric.
Create the prescribed alert policy:
Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric. A new page appears.
Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:
Set 'Aggregator' to 'Count'
Set 'Configuration':
- Condition: above
- Threshold: 0
- For: most recent value
Configure the desired notification channels in the section Notifications.
Name the policy and click Save.
From Google Cloud CLI
Create the prescribed log metric:
Use the command: gcloud logging metrics create
Create the prescribed alert policy:
Use the command: gcloud alpha monitoring policies create
Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create