GITBOOK-571: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Feb 11, 2024
1 parent a45f2ca commit deb1378
Showing 3 changed files with 24 additions and 4 deletions.
Binary file added .gitbook/assets/image (149).png
Expand Up @@ -30,11 +30,11 @@ For other ways to disrupt monitoring check:

### Default Logging

By default **`GetIamPolicy`** logs aren't generated, so an enumeration of permissions won't be caught.\
Moreover, to enable these logs you need to **enable the Admin Read logs of each service** you want to monitor. For example to get `GetIamPolicy` actions over `Projects` you need to `Admin Read` over `Cloud Resources` and to get `GetIamPolicy` actions over `Pub/Sub` (for example) objects you need to enable `Admin Read` over it.\
URL to enable more service logging: [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit)
**By default you won't get caught just for performing read actions. Fore more info check the Logging Enum section.**

Note that by default these logs aren't enabled because they could be a lot, increasing the noise in the logs and the costs, so it might be possible that several GCP Organizations doesn't enable them.
### Add Excepted Principal

In [https://console.cloud.google.com/iam-admin/audit/allservices](https://console.cloud.google.com/iam-admin/audit/allservices) and [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit) is possible to add principals to not generate logs. An attacker could abuse this to prevent being caught.

### Read logs - `logging.logEntries.list`

20 changes: 20 additions & 0 deletions pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md
Expand Up @@ -85,6 +85,26 @@ It's possible to allow a principal **only to use a specific Log view** with an I
}
```

### Default Logs

By default **Admin Write** operations (also called Admin Activity audit logs) are the ones logged (write metadata or configuration information) and **can't be disabled**.

Then, the user can enable **Data Access audit logs**, these are **Admin Read, Data Write and Data Write**.

You can find more info about each type of log in the docs: [https://cloud.google.com/iam/docs/audit-logging](https://cloud.google.com/iam/docs/audit-logging)

However, note that this means that by default **`GetIamPolicy`** actions and other read actions are **not being logged**. So, by default an attacker trying to enumerate the environment won't be caught if the sysadmin didn't configure to generate more logs.

To enable more logs in the console the sysadmin needs to go to [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit) and enable them. There are 2 different options:

* **Default Configuration**: It's possible to create a default configuration and log all the Admin Read and/or Data Read and/or Data Write logs and even add exempted principals:

<figure><img src="../../../.gitbook/assets/image (149).png" alt=""><figcaption></figcaption></figure>

* **Select the services**: Or just **select the services** you would like to generate logs and the type of logs and the excepted principal for that specific service.

Also note that by default only those logs are being generated because generating more logs will increase the costs.

### Enumeration

The `gcloud` command-line tool is an integral part of the GCP ecosystem, allowing you to manage your resources and services. Here's how you can use `gcloud` to manage your logging configurations and access logs.
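Review bot: the list of Data Access audit log types in `these are **Admin Read, Data Write and Data Write**` repeats `Data Write`; since the `Default Configuration` bullet below lists `Admin Read and/or Data Read and/or Data Write`, one of the two should be `Data Read`. The section also switches between `exempted principals` (Default Configuration bullet) and `excepted principal` (Select the services bullet), and the heading added in the other file says `Add Excepted Principal`; both files should use the same term. Minor: the added `<figure>` has an empty `alt` attribute, so a short description of the screenshot (the default audit configuration panel) would help readers who can't see the image.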

0 comments on commit deb1378
