fix log metrics and remove alert conditions (#73)

Author: KonradSchieban

controls/2.04-logging.rb

@@ -72,10 +72,6 @@
         describe "[#{gcp_project_id}] Project Ownership changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.05-logging.rb

@@ -55,10 +55,6 @@
         describe "[#{gcp_project_id}] Audit configuration changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.06-logging.rb

@@ -41,7 +41,7 @@
   ref 'GCP Docs', url: 'https://cloud.google.com/logging/docs/reference/tools/gcloud-logging'
   ref 'GCP Docs', url: 'https://cloud.google.com/iam/docs/understanding-custom-roles'
 
-  log_filter = 'resource.type="iam_role" AND protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"'
+  log_filter = 'protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"'
   describe "[#{gcp_project_id}] Custom Role changes filter" do
     subject { google_project_metrics(project: gcp_project_id).where(metric_filter: log_filter) }
     it { should exist }
@@ -55,10 +55,6 @@
         describe "[#{gcp_project_id}] Custom Role changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.07-logging.rb

@@ -41,7 +41,7 @@
   ref 'GCP Docs', url: 'https://cloud.google.com/logging/docs/reference/tools/gcloud-logging'
   ref 'GCP Docs', url: 'https://cloud.google.com/vpc/docs/firewalls'
 
-  log_filter = 'resource.type="gce_firewall_rule" AND jsonPayload.event_subtype="compute.firewalls.patch" OR jsonPayload.event_subtype="compute.firewalls.insert"'
+  log_filter = 'jsonPayload.event_subtype="compute.firewalls.patch" OR jsonPayload.event_subtype="compute.firewalls.insert"'
   describe "[#{gcp_project_id}] VPC FW Rule changes filter" do
     subject { google_project_metrics(project: gcp_project_id).where(metric_filter: log_filter) }
     it { should exist }
@@ -55,10 +55,6 @@
         describe "[#{gcp_project_id}] VPC FW Rule changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.08-logging.rb

@@ -43,7 +43,7 @@
   ref 'GCP Docs', url: 'https://cloud.google.com/logging/docs/reference/tools/gcloud-logging'
   ref 'GCP Docs', url: 'https://cloud.google.com/storage/docs/access-control/iam'
 
-  log_filter = 'resource.type="gce_route" AND jsonPayload.event_subtype="compute.routes.delete" OR jsonPayload.event_subtype="compute.routes.insert"'
+  log_filter = 'jsonPayload.event_subtype="compute.routes.delete" OR jsonPayload.event_subtype="compute.routes.insert"'
   describe "[#{gcp_project_id}] VPC Route changes filter" do
     subject { google_project_metrics(project: gcp_project_id).where(metric_filter: log_filter) }
     it { should exist }
@@ -57,10 +57,6 @@
         describe "[#{gcp_project_id}] VPC Route changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.09-logging.rb

@@ -43,7 +43,7 @@
   ref 'GCP Docs', url: 'https://cloud.google.com/logging/docs/reference/tools/gcloud-logging'
   ref 'GCP Docs', url: 'https://cloud.google.com/vpc/docs/overview'
 
-  log_filter = 'resource.type=gce_network AND jsonPayload.event_subtype="compute.networks.insert" OR jsonPayload.event_subtype="compute.networks.patch" OR jsonPayload.event_subtype="compute.networks.delete" OR jsonPayload.event_subtype="compute.networks.removePeering" OR jsonPayload.event_subtype="compute.networks.addPeering"'
+  log_filter = 'jsonPayload.event_subtype="compute.networks.insert" OR jsonPayload.event_subtype="compute.networks.patch" OR jsonPayload.event_subtype="compute.networks.delete" OR jsonPayload.event_subtype="compute.networks.removePeering" OR jsonPayload.event_subtype="compute.networks.addPeering"'
   describe "[#{gcp_project_id}] VPC Network changes filter" do
     subject { google_project_metrics(project: gcp_project_id).where(metric_filter: log_filter) }
     it { should exist }
@@ -57,10 +57,6 @@
         describe "[#{gcp_project_id}] VPC Network changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.10-logging.rb

@@ -56,10 +56,6 @@
         describe "[#{gcp_project_id}] Cloud Storage changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

controls/2.11-logging.rb

@@ -63,10 +63,6 @@
         describe "[#{gcp_project_id}] Cloud SQL changes alert policy" do
           subject { condition }
           it { should exist }
-          its('aggregation_cross_series_reducer') { should eq 'REDUCE_COUNT' }
-          its('aggregation_per_series_aligner') { should eq 'ALIGN_RATE' }
-          its('condition_threshold_value') { should eq 0.001 }
-          its('aggregation_alignment_period') { should eq '60s' }
         end
       end
     end

inspec.yml

@@ -19,7 +19,7 @@ copyright: "(c) 2020, Google, Inc."
 copyright_email: "[email protected]"
 license: "Apache-2.0"
 summary: "Inspec Google Cloud Platform Center for Internet Security Benchmark v1.1 Profile"
-version: 1.1.0-23
+version: 1.1.0-24
 
 supports:
   - platform: gcp