0
votes

How have people implemented Production Access Controls (i.e. logging and reporting on access to compute instances by services and humans over SSH). Our goal is to forward all user logon entries to our SIEM consistently across projects and ideally avoid having project specific Stackdriver sinks (and associated setup and maintenance).

We've tried the following:

  • Enabled auth log forwarding in Fluentd as only syslog is done by default
  • Enabled organization level sinks that send to a topic (to forward on to SIEM via HTTP subscriber) that include all children
  • Can see syslog/auth at the project level for non-Container OS images (i.e. Ubuntu)

Issues we're seeing:

  • Limited documentation on filter format at org level (seems to differ from project level for things like logName). log_id function does appear to work
  • Some log types appear at the org level (things like cloudapis activity) but syslog does not appear to get processed
  • Container OS appears to not enable ssh/sudo forwarding by default in fluentd (or I haven't found which log type has this data). I do see this logged to journalctl on a test node

Does anyone have a consistent way to achieve this?

2
Stackdriver does not log the SSH server logs by default. You need to add /var/log/auth.log to Stackdriver for the instances that you are monitoring. serverfault.com/a/955094/437769 - John Hanley
Yup. Saw the linked item and that is the first in the list of things we tried. These logs apparently don't get made visible to Stackdriver at org level, or at least I haven't found a way to enable this. Only at project level. - Edward Newman
What do you mean "org level". Stackdriver logs are per service/resource for most services. You have to drill down in Stackdriver to see the logs recorded for a resource. If you want something else then you will need to setup log exporting and process the entries in your own application or log monitoring service. - John Hanley
You can define sinks at an org level (not visible through UI - see aggregated logs documentation). We use sinks and pub/sub to forward logs to SIEM. Further testing suggests that syslog is available at org but you cannot list all available logs through the CLI. - Edward Newman

2 Answers

1
votes

A way to approach this could be exporting your log sink to BigQuery. Note that the sink setup to export logs to BigQuery for all projects under the Organization contains a parameter that is set to 'False': the field 'includeChildren' must be set to 'True'. Once set to true, logs from all the projects, folders, and billing accounts contained in the sink's parent resource are also available for export; if set to false, then only the logs owned by the sink's parent resource are available for export. Then you should be able to filter the logs needed from BigQuery.

Another way to approach this would be to script it out by listing all the projects using the command: gcloud projects list | tail -n +2 | awk -F" " '{print $1}' This can be made into an array that can be iterated over, and the logs for each project can be retrieved using a command similar to the one in this doc.

Not sure if all this can help somehow to solve or work around your question, hope so.
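The two approaches in the answer above, as an added shell example that is not part of the original answer or thread: an organization-level aggregated sink created with `--include-children` (the CLI flag behind the `includeChildren` field), with helpers for both a Pub/Sub and a BigQuery destination, plus a per-project loop that uses `--format='value(projectId)'` instead of parsing the human-readable table with tail/awk. The organization ID, project, topic, dataset and sink names are placeholders, and the `log_id("auth")` stream assumes the logging agent tags /var/log/auth.log as `auth`; `syslog` is the agent's default stream. Setting `GCLOUD=echo` turns the script into a dry run that only prints the commands it would execute.

```shell
#!/bin/sh
# Added example, not code from the thread.  Creates an org-level aggregated
# sink for SSH/sudo auth entries and shows the per-project fallback loop.
# ORG_ID, SINK_PROJECT, topic and dataset names below are placeholders.
# GCLOUD=echo gives a dry run that prints the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"

# Streams the auth entries land in.  Assumption: the agent tags
# /var/log/auth.log as "auth"; "syslog" is the agent's default stream.
# log_id() matches the last segment of logName, so the same filter works at
# project and organization level without spelling out projects/.../logs/...
auth_log_filter() {
    printf '%s' 'log_id("auth") OR log_id("syslog")'
}

# Destination strings in the form the sinks API expects.
pubsub_destination() {   # $1 = project that owns the topic, $2 = topic
    printf 'pubsub.googleapis.com/projects/%s/topics/%s' "$1" "$2"
}

bigquery_destination() { # $1 = project that owns the dataset, $2 = dataset
    printf 'bigquery.googleapis.com/projects/%s/datasets/%s' "$1" "$2"
}

# Org-level sink.  Without --include-children only logs owned by the
# organization resource itself (e.g. cloudapis activity) are exported, which
# is why syslog/auth from child projects never shows up.
create_org_sink() {      # $1 = org id, $2 = sink name, $3 = destination
    "$GCLOUD" logging sinks create "$2" "$3" \
        --organization="$1" \
        --include-children \
        --log-filter="$(auth_log_filter)"
}

# The sink's writer identity needs publish (or BigQuery data editor) rights on
# the destination before any entry flows; print it so the grant can be scripted.
sink_writer_identity() { # $1 = org id, $2 = sink name
    "$GCLOUD" logging sinks describe "$2" --organization="$1" \
        --format='value(writerIdentity)'
}

# Per-project fallback: machine-readable project list, no tail/awk.
list_project_ids() {
    "$GCLOUD" projects list --format='value(projectId)'
}

read_auth_entries() {    # $1 = project id, $2 = freshness window, e.g. 1d
    "$GCLOUD" logging read "$(auth_log_filter)" \
        --project="$1" --freshness="$2" --format=json
}

main() {                 # $1 = org id, $2 = project holding the topic
    org_id="$1"; sink_project="$2"
    create_org_sink "$org_id" auth-to-siem \
        "$(pubsub_destination "$sink_project" auth-logs)"
    sink_writer_identity "$org_id" auth-to-siem
    for p in $(list_project_ids); do
        read_auth_entries "$p" 1d
    done
}

# Usage: GCLOUD=echo ./org_sink.sh ORG_ID SINK_PROJECT   (dry run)
if [ $# -ge 2 ]; then main "$@"; fi
```

Swap `pubsub_destination` for `bigquery_destination` in `main` to get the BigQuery variant; everything else, including the writer-identity grant step, stays the same.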

0
votes

In case anyone else comes across this, we found the following:

  • It is possible to set up Stackdriver sinks at org level through CLI. Not visible through Cloud Console UI and also CLI does not allow you to list log types at org
  • Filters can be defined on the sinks in addition to logName but format can differ to project level filters
  • You need to enable auth log logging in fluentd which is platform specific (i.e. one process for google-fluentd on Ubuntu is different to stackdriver setup on Container OS)
  • SSHD for some reason does not log the initial log stating user and IP through syslog (and thus fluentd) and therefore is not visible to Stackdriver
  • Use of org sinks to topics in a child project with a subscription to forward to your SIEM of choice works well

Still trying to get logs of gcloud ssh commands
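The platform-specific agent step from the list above, worked through for the google-fluentd (Ubuntu) case as an added shell example that is not part of the original answer: it writes a fluentd tail source for /var/log/auth.log into the agent's config.d directory, restarts the agent, and builds the org-level filter for the resulting entries. The paths are the agent's defaults; the tag `auth` (which becomes the log_id in Logging) and the use of `jsonPayload.ident` to pick out sshd and sudo records are assumptions based on fluentd's syslog parser emitting `ident`, `pid` and `message` fields. `CONF_DIR` and `POS_DIR` can be overridden to generate the config somewhere else for review before deploying it. The Container OS side is not covered here, since the thread does not resolve which stream carries those entries.

```shell
#!/bin/sh
# Added example, not code from the thread.  Enables /var/log/auth.log
# collection in google-fluentd on Ubuntu and prepares an org-level read.
# Assumptions: default agent paths; the tag "auth" is our choice and becomes
# the log_id; fluentd's syslog parser yields jsonPayload.ident/pid/message.
CONF_DIR="${CONF_DIR:-/etc/google-fluentd/config.d}"
POS_DIR="${POS_DIR:-/var/lib/google-fluentd/pos}"
GCLOUD="${GCLOUD:-gcloud}"

# fluentd tail source for auth.log.  "format syslog" parses the classic
# "Mon DD HH:MM:SS host ident[pid]: message" lines rsyslog writes for sshd/sudo.
auth_source_config() {
    cat <<EOF
<source>
  @type tail
  format syslog
  path /var/log/auth.log
  pos_file ${POS_DIR}/auth.pos
  read_from_head true
  tag auth
</source>
EOF
}

# Write the config file and return its path.
install_auth_config() {
    mkdir -p "$CONF_DIR"
    auth_source_config > "$CONF_DIR/auth.conf"
    printf '%s\n' "$CONF_DIR/auth.conf"
}

# The agent has to be restarted to pick up a new source.
restart_agent() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart google-fluentd
    else
        service google-fluentd restart
    fi
}

# Org-level filter: match on log_id rather than a full
# projects/<id>/logs/auth logName, which would pin the filter to one project.
# ident is the syslog program name, so sshd and sudo records are selected
# without depending on message wording.
org_auth_filter() {
    printf '%s' 'log_id("auth") AND (jsonPayload.ident="sshd" OR jsonPayload.ident="sudo")'
}

# Read the last day's SSH/sudo entries across every project in the org.
read_org_auth_entries() { # $1 = org id
    "$GCLOUD" logging read "$(org_auth_filter)" \
        --organization="$1" --freshness=1d --format=json
}

# Usage: sudo ./enable_auth_log.sh            (install + restart on a VM)
#        GCLOUD=echo ./enable_auth_log.sh ORG  (print the org-level read)
if [ $# -ge 1 ]; then
    read_org_auth_entries "$1"
elif [ "$(id -u)" = 0 ] && [ -d /etc/google-fluentd ]; then
    install_auth_config
    restart_agent
fi
```

Run the install part on each instance (or bake it into the image), then run the org-level read from a workstation to confirm entries arrive without a project-specific sink.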