feat(azure): Implement missing CIS policies (#10928)

#### Summary
I have implemented some missing CIS Benchmark policies for Azure mainly Section 3 and 5.

plugins/source/azure/docs/tables/README.md

@@ -208,6 +208,7 @@
 - [azure_network_vpn_server_configurations](../../../../../website/tables/azure/azure_network_vpn_server_configurations.md)
 - [azure_network_vpn_sites](../../../../../website/tables/azure/azure_network_vpn_sites.md)
 - [azure_network_watchers](../../../../../website/tables/azure/azure_network_watchers.md)
+  - [azure_network_watcher_flow_logs](../../../../../website/tables/azure/azure_network_watcher_flow_logs.md)
 - [azure_network_web_application_firewall_policies](../../../../../website/tables/azure/azure_network_web_application_firewall_policies.md)
 - [azure_networkfunction_azure_traffic_collectors_by_subscription](../../../../../website/tables/azure/azure_networkfunction_azure_traffic_collectors_by_subscription.md)
 - [azure_nginx_deployments](../../../../../website/tables/azure/azure_nginx_deployments.md)
@@ -289,6 +290,7 @@
       - [azure_sql_server_database_vulnerability_assessment_scans](../../../../../website/tables/azure/azure_sql_server_database_vulnerability_assessment_scans.md)
     - [azure_sql_transparent_data_encryptions](../../../../../website/tables/azure/azure_sql_transparent_data_encryptions.md)
   - [azure_sql_server_encryption_protectors](../../../../../website/tables/azure/azure_sql_server_encryption_protectors.md)
+  - [azure_sql_server_firewall_rules](../../../../../website/tables/azure/azure_sql_server_firewall_rules.md)
   - [azure_sql_server_security_alert_policies](../../../../../website/tables/azure/azure_sql_server_security_alert_policies.md)
   - [azure_sql_server_virtual_network_rules](../../../../../website/tables/azure/azure_sql_server_virtual_network_rules.md)
   - [azure_sql_server_vulnerability_assessments](../../../../../website/tables/azure/azure_sql_server_vulnerability_assessments.md)

plugins/source/azure/policies/cis_v1.3.0/policy.sql

@@ -11,107 +11,13 @@ END AS "execution_time"  \gset
 \ir ../create_azure_policy_results.sql
 \echo "Creating view view_azure_security_policy_parameters"
 \ir ../views/policy_assignment_parameters.sql
-\echo "Executing CIS V1.3.0 Section 1 (Manual)"
-\echo "Executing CIS V1.3.0 Section 2"
-\set check_id "2.1"
-\echo "Executing check 2.1"
-\ir ../queries/security/defender_on_for_servers.sql
-\set check_id "2.2"
-\echo "Executing check 2.2"
-\ir ../queries/security/defender_on_for_app_service.sql
-\set check_id "2.3"
-\echo "Executing check 2.3"
-\ir ../queries/security/defender_on_for_sql_servers.sql
-\set check_id "2.4"
-\echo "Executing check 2.4"
-\ir ../queries/security/defender_on_for_sql_servers_on_machines.sql
-\set check_id "2.5"
-\echo "Executing check 2.5"
-\ir ../queries/security/defender_on_for_storage.sql
-\set check_id "2.6"
-\echo "Executing check 2.6"
-\ir ../queries/security/defender_on_for_k8s.sql
-\set check_id "2.7"
-\echo "Executing check 2.7"
-\ir ../queries/security/defender_on_for_container_registeries.sql
-\set check_id "2.8"
-\echo "Executing check 2.8"
-\ir ../queries/security/defender_on_for_key_vault.sql
--- security settings does not have "enabled" property
--- \set check_id "2.10"
--- \echo "Executing check 2.10"
--- \ir ../queries/security/mcas_integration_with_security_center_enabled.sql
-\set check_id "2.11"
-\echo "Executing check 2.11"
-\ir ../queries/security/auto_provisioning_monitoring_agent_enabled.sql
-\set check_id "2.12"
-\echo "Executing check 2.12"
-\ir ../queries/security/default_policy_disabled.sql
--- security contacts api is broken
--- \set check_id "2.13"
--- \echo "Executing check 2.13"
--- \ir ../queries/security/security_email_configured.sql
--- \set check_id "2.14"
--- \echo "Executing check 2.14"
--- \ir ../queries/security/notify_high_severity_alerts.sql
-
-\echo "Executing CIS V1.3.0 Section 4"
-\set check_id "4.1.1"
-\echo "Executing check 4.1.1"
-\ir ../queries/sql/auditing_off.sql
-\set check_id "4.1.2"
-\echo "Executing check 4.1.2"
-\ir ../queries/sql/data_encryption_off.sql
-\set check_id "4.1.3"
-\echo "Executing check 4.1.3"
-\ir ../queries/sql/auditing_retention_less_than_90_days.sql
-\set check_id "4.2.1"
-\echo "Executing check 4.2.1"
-\ir ../queries/sql/atp_on_sql_server_disabled.sql
-\set check_id "4.2.2"
-\echo "Executing check 4.2.2"
-\ir ../queries/sql/va_is_enabled_on_sql_server_by_storage_account.sql
-\set check_id "4.2.3"
-\echo "Executing check 4.2.3"
-\ir ../queries/sql/va_periodic_scans_enabled_on_sql_server.sql
-\set check_id "4.2.4"
-\echo "Executing check 4.2.4"
-\ir ../queries/sql/va_send_scan_report_enabled_on_sql_server.sql
-\set check_id "4.2.5"
-\echo "Executing check 4.2.5"
-\ir ../queries/sql/va_send_email_to_admins_and_owners_enabled.sql
-\set check_id "4.3.1"
-\echo "Executing check 4.3.1"
-\ir ../queries/sql/postgresql_ssl_enforcment_disabled.sql
-\set check_id "4.3.2"
-\echo "Executing check 4.3.2"
-\ir ../queries/sql/mysql_ssl_enforcment_disabled.sql
-\set check_id "4.3.3"
-\echo "Executing check 4.3.3"
-\ir ../queries/sql/postgresql_log_checkpoints_disabled.sql
-\set check_id "4.3.4"
-\echo "Executing check 4.3.4"
-\ir ../queries/sql/postgresql_log_connections_disabled.sql
-\set check_id "4.3.5"
-\echo "Executing check 4.3.5"
-\ir ../queries/sql/postgresql_log_disconnections_disabled.sql
-\set check_id "4.3.6"
-\echo "Executing check 4.3.6"
-\ir ../queries/sql/postgresql_connection_throttling_disabled.sql
-\set check_id "4.3.7"
-\echo "Executing check 4.3.7"
-\ir ../queries/sql/postgresql_log_retention_days_less_than_3_days.sql
-\set check_id "4.3.8"
-\echo "Executing check 4.3.8"
-\ir ../queries/sql/postgresql_allow_access_to_azure_services_enabled.sql
-\set check_id "4.4"
-\echo "Executing check 4.4"
-\ir ../queries/sql/ad_admin_configured.sql
-\set check_id "4.5"
-\echo "Executing check 4.5"
-\ir ../queries/sql/sqlserver_tde_not_encrypted_with_cmek.sql
-
 
+\ir section_1.sql
+\ir section_2.sql
+\ir section_3.sql
+\ir section_4.sql
+\ir section_5.sql
+\ir section_6.sql
 \ir section_7.sql
 \ir section_8.sql
 \ir section_9.sql

plugins/source/azure/policies/cis_v1.3.0/section_1.sql

@@ -0,0 +1 @@
+\echo "Executing CIS V1.3.0 Section 1 (Manual)"

plugins/source/azure/policies/cis_v1.3.0/section_2.sql

@@ -0,0 +1,42 @@
+\echo "Executing CIS V1.3.0 Section 2"
+\set check_id "2.1"
+\echo "Executing check 2.1"
+\ir ../queries/security/defender_on_for_servers.sql
+\set check_id "2.2"
+\echo "Executing check 2.2"
+\ir ../queries/security/defender_on_for_app_service.sql
+\set check_id "2.3"
+\echo "Executing check 2.3"
+\ir ../queries/security/defender_on_for_sql_servers.sql
+\set check_id "2.4"
+\echo "Executing check 2.4"
+\ir ../queries/security/defender_on_for_sql_servers_on_machines.sql
+\set check_id "2.5"
+\echo "Executing check 2.5"
+\ir ../queries/security/defender_on_for_storage.sql
+\set check_id "2.6"
+\echo "Executing check 2.6"
+\ir ../queries/security/defender_on_for_k8s.sql
+\set check_id "2.7"
+\echo "Executing check 2.7"
+\ir ../queries/security/defender_on_for_container_registeries.sql
+\set check_id "2.8"
+\echo "Executing check 2.8"
+\ir ../queries/security/defender_on_for_key_vault.sql
+-- security settings does not have "enabled" property
+-- \set check_id "2.10"
+-- \echo "Executing check 2.10"
+-- \ir ../queries/security/mcas_integration_with_security_center_enabled.sql
+\set check_id "2.11"
+\echo "Executing check 2.11"
+\ir ../queries/security/auto_provisioning_monitoring_agent_enabled.sql
+\set check_id "2.12"
+\echo "Executing check 2.12"
+\ir ../queries/security/default_policy_disabled.sql
+-- security contacts api is broken
+-- \set check_id "2.13"
+-- \echo "Executing check 2.13"
+-- \ir ../queries/security/security_email_configured.sql
+-- \set check_id "2.14"
+-- \echo "Executing check 2.14"
+-- \ir ../queries/security/notify_high_severity_alerts.sql

plugins/source/azure/policies/cis_v1.3.0/section_3.sql

@@ -0,0 +1,16 @@
+\echo "Executing CIS V1.3.0 Section 3"
+\set check_id '3.1'
+\echo "Executing check 3.1"
+\ir ../queries/storage/secure_transfer_to_storage_accounts_should_be_enabled.sql
+\set check_id '3.5'
+\echo "Executing check 3.5"
+\ir ../queries/storage/no_public_blob_container.sql
+\set check_id '3.6'
+\echo "Executing check 3.6"
+\ir ../queries/storage/default_network_access_rule_is_deny.sql
+\set check_id '3.8'
+\echo "Executing check 3.8"
+\ir ../queries/storage/soft_delete_is_enabled.sql
+\set check_id '3.9'
+\echo "Executing check 3.9"
+\ir ../queries/storage/encrypt_with_cmk.sql

plugins/source/azure/policies/cis_v1.3.0/section_4.sql

@@ -0,0 +1,55 @@
+\echo "Executing CIS V1.3.0 Section 4"
+\set check_id "4.1.1"
+\echo "Executing check 4.1.1"
+\ir ../queries/sql/auditing_off.sql
+\set check_id "4.1.2"
+\echo "Executing check 4.1.2"
+\ir ../queries/sql/data_encryption_off.sql
+\set check_id "4.1.3"
+\echo "Executing check 4.1.3"
+\ir ../queries/sql/auditing_retention_less_than_90_days.sql
+\set check_id "4.2.1"
+\echo "Executing check 4.2.1"
+\ir ../queries/sql/atp_on_sql_server_disabled.sql
+\set check_id "4.2.2"
+\echo "Executing check 4.2.2"
+\ir ../queries/sql/va_is_enabled_on_sql_server_by_storage_account.sql
+\set check_id "4.2.3"
+\echo "Executing check 4.2.3"
+\ir ../queries/sql/va_periodic_scans_enabled_on_sql_server.sql
+\set check_id "4.2.4"
+\echo "Executing check 4.2.4"
+\ir ../queries/sql/va_send_scan_report_enabled_on_sql_server.sql
+\set check_id "4.2.5"
+\echo "Executing check 4.2.5"
+\ir ../queries/sql/va_send_email_to_admins_and_owners_enabled.sql
+\set check_id "4.3.1"
+\echo "Executing check 4.3.1"
+\ir ../queries/sql/postgresql_ssl_enforcment_disabled.sql
+\set check_id "4.3.2"
+\echo "Executing check 4.3.2"
+\ir ../queries/sql/mysql_ssl_enforcment_disabled.sql
+\set check_id "4.3.3"
+\echo "Executing check 4.3.3"
+\ir ../queries/sql/postgresql_log_checkpoints_disabled.sql
+\set check_id "4.3.4"
+\echo "Executing check 4.3.4"
+\ir ../queries/sql/postgresql_log_connections_disabled.sql
+\set check_id "4.3.5"
+\echo "Executing check 4.3.5"
+\ir ../queries/sql/postgresql_log_disconnections_disabled.sql
+\set check_id "4.3.6"
+\echo "Executing check 4.3.6"
+\ir ../queries/sql/postgresql_connection_throttling_disabled.sql
+\set check_id "4.3.7"
+\echo "Executing check 4.3.7"
+\ir ../queries/sql/postgresql_log_retention_days_less_than_3_days.sql
+\set check_id "4.3.8"
+\echo "Executing check 4.3.8"
+\ir ../queries/sql/postgresql_allow_access_to_azure_services_enabled.sql
+\set check_id "4.4"
+\echo "Executing check 4.4"
+\ir ../queries/sql/ad_admin_configured.sql
+\set check_id "4.5"
+\echo "Executing check 4.5"
+\ir ../queries/sql/sqlserver_tde_not_encrypted_with_cmek.sql

plugins/source/azure/policies/cis_v1.3.0/section_5.sql

@@ -0,0 +1,46 @@
+\echo "Executing CIS V1.3.0 Section 5"
+\set check_id '5.1.1'
+\echo "Executing check 5.1.1"
+\ir ../queries/monitor/no_diagnostic_setting.sql
+\set check_id '5.1.2'
+\echo "Executing check 5.1.2"
+\ir ../queries/monitor/insufficient_diagnostic_capturing_settings.sql
+\set check_id '5.1.3'
+\echo "Executing check 5.1.3"
+\ir ../queries/storage/no_publicly_accessible_insights_activity_logs.sql
+\set check_id '5.1.4'
+\echo "Executing check 5.1.4"
+\ir ../queries/storage/encrypt_with_cmk_for_activity_log.sql
+\set check_id '5.1.5'
+\echo "Executing check 5.1.5"
+\ir ../queries/monitor/logging_key_valut_is_enabled.sql
+\set check_id '5.2.1'
+\echo "Executing check 5.2.1"
+\ir ../queries/monitor/log_alert_for_create_policy_assignment.sql
+\set check_id '5.2.2'
+\echo "Executing check 5.2.2"
+\ir ../queries/monitor/log_alert_for_delete_policy_assignment.sql
+\set check_id '5.2.3'
+\echo "Executing check 5.2.3"
+\ir ../queries/monitor/log_alert_for_create_or_update_network_sg.sql
+\set check_id '5.2.4'
+\echo "Executing check 5.2.4"
+\ir ../queries/monitor/log_alert_for_delete_network_sg.sql
+\set check_id '5.2.5'
+\echo "Executing check 5.2.5"
+\ir ../queries/monitor/log_alert_for_create_or_update_network_sg_rule.sql
+\set check_id '5.2.6'
+\echo "Executing check 5.2.6"
+\ir ../queries/monitor/log_alert_for_delete_network_sg_rule.sql
+\set check_id '5.2.7'
+\echo "Executing check 5.2.7"
+\ir ../queries/monitor/log_alert_for_create_or_update_security_solution.sql
+\set check_id '5.2.8'
+\echo "Executing check 5.2.8"
+\ir ../queries/monitor/log_alert_for_delete_security_solution.sql
+\set check_id '5.2.9'
+\echo "Executing check 5.2.9"
+\ir ../queries/monitor/log_alert_for_create_or_update_or_delete_sql_server_firewall_rule.sql
+\set check_id '5.3'
+\echo "Executing check 5.3"
+\ir ../queries/monitor/diagnostic_logs_for_all_services.sql

plugins/source/azure/policies/cis_v1.3.0/section_6.sql

@@ -0,0 +1,16 @@
+\echo "Executing CIS V1.3.0 Section 5"
+\ir ../views/nsg_rules_dest_ports.sql
+\set check_id '6.1'
+\ir ../queries/network/rdp_services_are_restricted_from_the_internet.sql
+\set check_id '6.2'
+\ir ../queries/network/ssh_services_are_restricted_from_the_internet.sql
+-- \set check_id '6.3'
+-- There is no firewal-rules table
+-- https://learn.microsoft.com/en-us/rest/api/sql/2021-11-01/firewall-rules/list-by-server?tabs=HTTP
+-- \ir ../queries/network/
+-- \set check_id '6.4'
+-- There is no flow-log-status table
+-- https://learn.microsoft.com/en-us/rest/api/network-watcher/network-watchers/get-flow-log-status?tabs=HTTP
+-- \ir ../queries/network/
+\set check_id '6.6'
+\ir ../queries/network/udp_services_are_restricted_from_the_internet.sql

plugins/source/azure/policies/cis_v1.3.0/section_9.sql

@@ -26,10 +26,9 @@
 \set check_id '9.9'
 \echo "Executing check 9.9"
 \echo "Check must be done manually"
--- todo add a publishing profiles currently they are returned as XML document
--- \set check_id '9.10'
--- \echo "Executing check 9.10"
--- \ir ../queries/web/app_ftp_deployment_enabled.sql
+\set check_id '9.10'
+\echo "Executing check 9.10"
+\ir ../queries/web/app_ftp_deployment_enabled.sql
 \set check_id '9.11'
 \echo "Executing check 9.11"
 \echo "Check must be done manually"

plugins/source/azure/policies/queries/monitor/diagnostic_logs_for_all_services.sql

@@ -0,0 +1,16 @@
+INSERT INTO azure_policy_results
+SELECT
+    :'execution_time'                                                            AS execution_time,
+    :'framework'                                                                 AS framework,
+    :'check_id'                                                                  AS check_id,
+    'Ensure that Diagnostic Logs are enabled for all services which support it.' AS title,
+    amr.subscription_id                                                          AS subscription_id,
+    amr.id                                                                       AS resource_id,
+    CASE
+        WHEN amds.id IS DISTINCT FROM NULL
+        THEN 'pass'
+        ELSE 'fail'
+    END                                                                          AS status
+FROM azure_monitor_resources AS amr
+    LEFT JOIN azure_monitor_diagnostic_settings AS amds
+        ON amr._cq_id = amds._cq_parent_id

plugins/source/azure/policies/queries/monitor/insufficient_diagnostic_capturing_settings.sql

@@ -0,0 +1,31 @@
+insert into azure_policy_results
+WITH diagnostic_settings AS (
+    SELECT
+        subscription_id,
+        id,
+        (logs->>'enabled')::boolean AS enabled,
+        logs->>'category' AS category
+    FROM
+        azure_monitor_subscription_diagnostic_settings a,
+        jsonb_array_elements(properties->'logs') AS logs
+),
+required_settings AS (
+    SELECT *
+    FROM diagnostic_settings
+    WHERE category IN ('Administrative', 'Alert', 'Policy', 'Security')
+)
+SELECT
+    :'execution_time'                                           AS execution_time,
+    :'framework'                                                AS framework,
+    :'check_id'                                                 AS check_id,
+    'Ensure Diagnostic Setting captures appropriate categories' AS title,
+    subscription_id                                             AS subscription_id,
+    id                                                          AS resource_id,
+    CASE
+        WHEN COUNT(id) = 4
+        THEN 'pass'
+        ELSE 'fail'
+    END                                                         AS status
+FROM required_settings
+WHERE enabled
+GROUP BY subscription_id, id