OS Login enables centralized SSH key management with IAM, and it disables metadata-based SSH key configuration on all instances in a project. OS Login can be enabled on the project level or on the instance level. Instance-level values override the project-level value.
- Access project
- Click Metadata
- Click Edit, and then click Add item.
- Add an item with key enable-oslogin and value TRUE.
- Click Save.
These are the recommended filters, metrics, and alert policies to configure per project to adhere to CIS benchmarks. Repeat the CREATE METRIC and CREATE ALERT POLICY steps for each filter listed below.
Go to https://console.cloud.google.com/logs/viewer?project=[project-id] click "CREATE METRIC", click the drop-down menu in the right-hand side of the search bar and select "Convert to advanced filter", clear any text from Advanced Filter and add the RecommendedLogFilter, set "Type" to "Counter" and "Units" to 1 (default), fill out the remaining fields and click "Create Metric".
Go to https://console.cloud.google.com/logs/metrics?project=[project-id] and in the section "User-defined Metrics", for the target metric (any one from the QualifiedLogMetricNames), click 3 dot icon in rightmost column and select "Create alert from Metric" (create a Stackdriver workspace for the project if you have not). In the Target section of the Alerting / Policies / Create window, remove "Resource type" from "Find resource type and metric" if it is there, leave "Filter" as is, set "Aligner" to "rate", "Reducer" to "count", and "Alignment Period" to 1 minute. Use the default values in the "Configuration" section and click "Save". In the overview page, add desired notification channel, and then click "Save".
CIS 2.8
resource.type="gce_route" AND jsonPayload.event_subtype="compute.routes.delete" OR jsonPayload.event_subtype="compute.routes.insert"
CIS 2.11
protoPayload.methodName="cloudsql.instances.update"
CIS 2.9
resource.type=gce_network AND jsonPayload.event_subtype="compute.networks.insert" OR jsonPayload.event_subtype="compute.networks.patch" OR jsonPayload.event_subtype="compute.networks.delete" OR jsonPayload.event_subtype="compute.networks.removePeering" OR jsonPayload.event_subtype="compute.networks.addPeering"
CIS 2.7
resource.type="gce_firewall_rule" AND jsonPayload.event_subtype="compute.firewalls.patch" OR jsonPayload.event_subtype="compute.firewalls.insert"
CIS 2.4
(protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
CIS 2.10
resource.type=gcs_bucket AND protoPayload.methodName="storage.setIamPermissions"
CIS 2.5
protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*
CIS 2.6
resource.type="iam_role" AND protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"