feat(azure): Implement missing CIS policies (#10928)
#### Summary I have implemented some of the missing CIS Benchmark policies for Azure, mainly from Sections 3 and 5.
Showing
48 changed files
with
1,212 additions
and
127 deletions.
@@ -0,0 +1 @@ | ||
\echo "Executing CIS V1.3.0 Section 1 (Manual)" |
@@ -0,0 +1,42 @@ | ||
\echo "Executing CIS V1.3.0 Section 2" | ||
\set check_id "2.1" | ||
\echo "Executing check 2.1" | ||
\ir ../queries/security/defender_on_for_servers.sql | ||
\set check_id "2.2" | ||
\echo "Executing check 2.2" | ||
\ir ../queries/security/defender_on_for_app_service.sql | ||
\set check_id "2.3" | ||
\echo "Executing check 2.3" | ||
\ir ../queries/security/defender_on_for_sql_servers.sql | ||
\set check_id "2.4" | ||
\echo "Executing check 2.4" | ||
\ir ../queries/security/defender_on_for_sql_servers_on_machines.sql | ||
\set check_id "2.5" | ||
\echo "Executing check 2.5" | ||
\ir ../queries/security/defender_on_for_storage.sql | ||
\set check_id "2.6" | ||
\echo "Executing check 2.6" | ||
\ir ../queries/security/defender_on_for_k8s.sql | ||
\set check_id "2.7" | ||
\echo "Executing check 2.7" | ||
\ir ../queries/security/defender_on_for_container_registeries.sql | ||
\set check_id "2.8" | ||
\echo "Executing check 2.8" | ||
\ir ../queries/security/defender_on_for_key_vault.sql | ||
-- security settings does not have "enabled" property | ||
-- \set check_id "2.10" | ||
-- \echo "Executing check 2.10" | ||
-- \ir ../queries/security/mcas_integration_with_security_center_enabled.sql | ||
\set check_id "2.11" | ||
\echo "Executing check 2.11" | ||
\ir ../queries/security/auto_provisioning_monitoring_agent_enabled.sql | ||
\set check_id "2.12" | ||
\echo "Executing check 2.12" | ||
\ir ../queries/security/default_policy_disabled.sql | ||
-- security contacts api is broken | ||
-- \set check_id "2.13" | ||
-- \echo "Executing check 2.13" | ||
-- \ir ../queries/security/security_email_configured.sql | ||
-- \set check_id "2.14" | ||
-- \echo "Executing check 2.14" | ||
-- \ir ../queries/security/notify_high_severity_alerts.sql |
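Review bot: The `check_id` values in this section (and in the Section 4 runner, `\set check_id "4.1.1"` onwards) are double-quoted, while Sections 3, 5 and 6 use single quotes, so the same variable is set two different ways within one commit. As far as I recall, psql only strips double quotes from arguments it treats as SQL identifiers and keeps them verbatim for `\set`, in which case `:'check_id'` in the queries would insert the literal `"2.1"` rather than `2.1`; worth confirming with `\echo :check_id` before merging. Using the single-quoted form everywhere, e.g. `\set check_id '2.1'`, removes the doubt and the inconsistency. The commented-out blocks for 2.10, 2.13 and 2.14 would also be clearer as a short note of what is missing rather than dead psql commands.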
@@ -0,0 +1,16 @@ | ||
\echo "Executing CIS V1.3.0 Section 3" | ||
\set check_id '3.1' | ||
\echo "Executing check 3.1" | ||
\ir ../queries/storage/secure_transfer_to_storage_accounts_should_be_enabled.sql | ||
\set check_id '3.5' | ||
\echo "Executing check 3.5" | ||
\ir ../queries/storage/no_public_blob_container.sql | ||
\set check_id '3.6' | ||
\echo "Executing check 3.6" | ||
\ir ../queries/storage/default_network_access_rule_is_deny.sql | ||
\set check_id '3.8' | ||
\echo "Executing check 3.8" | ||
\ir ../queries/storage/soft_delete_is_enabled.sql | ||
\set check_id '3.9' | ||
\echo "Executing check 3.9" | ||
\ir ../queries/storage/encrypt_with_cmk.sql |
@@ -0,0 +1,55 @@ | ||
\echo "Executing CIS V1.3.0 Section 4" | ||
\set check_id "4.1.1" | ||
\echo "Executing check 4.1.1" | ||
\ir ../queries/sql/auditing_off.sql | ||
\set check_id "4.1.2" | ||
\echo "Executing check 4.1.2" | ||
\ir ../queries/sql/data_encryption_off.sql | ||
\set check_id "4.1.3" | ||
\echo "Executing check 4.1.3" | ||
\ir ../queries/sql/auditing_retention_less_than_90_days.sql | ||
\set check_id "4.2.1" | ||
\echo "Executing check 4.2.1" | ||
\ir ../queries/sql/atp_on_sql_server_disabled.sql | ||
\set check_id "4.2.2" | ||
\echo "Executing check 4.2.2" | ||
\ir ../queries/sql/va_is_enabled_on_sql_server_by_storage_account.sql | ||
\set check_id "4.2.3" | ||
\echo "Executing check 4.2.3" | ||
\ir ../queries/sql/va_periodic_scans_enabled_on_sql_server.sql | ||
\set check_id "4.2.4" | ||
\echo "Executing check 4.2.4" | ||
\ir ../queries/sql/va_send_scan_report_enabled_on_sql_server.sql | ||
\set check_id "4.2.5" | ||
\echo "Executing check 4.2.5" | ||
\ir ../queries/sql/va_send_email_to_admins_and_owners_enabled.sql | ||
\set check_id "4.3.1" | ||
\echo "Executing check 4.3.1" | ||
\ir ../queries/sql/postgresql_ssl_enforcment_disabled.sql | ||
\set check_id "4.3.2" | ||
\echo "Executing check 4.3.2" | ||
\ir ../queries/sql/mysql_ssl_enforcment_disabled.sql | ||
\set check_id "4.3.3" | ||
\echo "Executing check 4.3.3" | ||
\ir ../queries/sql/postgresql_log_checkpoints_disabled.sql | ||
\set check_id "4.3.4" | ||
\echo "Executing check 4.3.4" | ||
\ir ../queries/sql/postgresql_log_connections_disabled.sql | ||
\set check_id "4.3.5" | ||
\echo "Executing check 4.3.5" | ||
\ir ../queries/sql/postgresql_log_disconnections_disabled.sql | ||
\set check_id "4.3.6" | ||
\echo "Executing check 4.3.6" | ||
\ir ../queries/sql/postgresql_connection_throttling_disabled.sql | ||
\set check_id "4.3.7" | ||
\echo "Executing check 4.3.7" | ||
\ir ../queries/sql/postgresql_log_retention_days_less_than_3_days.sql | ||
\set check_id "4.3.8" | ||
\echo "Executing check 4.3.8" | ||
\ir ../queries/sql/postgresql_allow_access_to_azure_services_enabled.sql | ||
\set check_id "4.4" | ||
\echo "Executing check 4.4" | ||
\ir ../queries/sql/ad_admin_configured.sql | ||
\set check_id "4.5" | ||
\echo "Executing check 4.5" | ||
\ir ../queries/sql/sqlserver_tde_not_encrypted_with_cmek.sql |
@@ -0,0 +1,46 @@ | ||
\echo "Executing CIS V1.3.0 Section 5" | ||
\set check_id '5.1.1' | ||
\echo "Executing check 5.1.1" | ||
\ir ../queries/monitor/no_diagnostic_setting.sql | ||
\set check_id '5.1.2' | ||
\echo "Executing check 5.1.2" | ||
\ir ../queries/monitor/insufficient_diagnostic_capturing_settings.sql | ||
\set check_id '5.1.3' | ||
\echo "Executing check 5.1.3" | ||
\ir ../queries/storage/no_publicly_accessible_insights_activity_logs.sql | ||
\set check_id '5.1.4' | ||
\echo "Executing check 5.1.4" | ||
\ir ../queries/storage/encrypt_with_cmk_for_activity_log.sql | ||
\set check_id '5.1.5' | ||
\echo "Executing check 5.1.5" | ||
\ir ../queries/monitor/logging_key_valut_is_enabled.sql | ||
\set check_id '5.2.1' | ||
\echo "Executing check 5.2.1" | ||
\ir ../queries/monitor/log_alert_for_create_policy_assignment.sql | ||
\set check_id '5.2.2' | ||
\echo "Executing check 5.2.2" | ||
\ir ../queries/monitor/log_alert_for_delete_policy_assignment.sql | ||
\set check_id '5.2.3' | ||
\echo "Executing check 5.2.3" | ||
\ir ../queries/monitor/log_alert_for_create_or_update_network_sg.sql | ||
\set check_id '5.2.4' | ||
\echo "Executing check 5.2.4" | ||
\ir ../queries/monitor/log_alert_for_delete_network_sg.sql | ||
\set check_id '5.2.5' | ||
\echo "Executing check 5.2.5" | ||
\ir ../queries/monitor/log_alert_for_create_or_update_network_sg_rule.sql | ||
\set check_id '5.2.6' | ||
\echo "Executing check 5.2.6" | ||
\ir ../queries/monitor/log_alert_for_delete_network_sg_rule.sql | ||
\set check_id '5.2.7' | ||
\echo "Executing check 5.2.7" | ||
\ir ../queries/monitor/log_alert_for_create_or_update_security_solution.sql | ||
\set check_id '5.2.8' | ||
\echo "Executing check 5.2.8" | ||
\ir ../queries/monitor/log_alert_for_delete_security_solution.sql | ||
\set check_id '5.2.9' | ||
\echo "Executing check 5.2.9" | ||
\ir ../queries/monitor/log_alert_for_create_or_update_or_delete_sql_server_firewall_rule.sql | ||
\set check_id '5.3' | ||
\echo "Executing check 5.3" | ||
\ir ../queries/monitor/diagnostic_logs_for_all_services.sql |
@@ -0,0 +1,16 @@ | ||
\echo "Executing CIS V1.3.0 Section 5" | ||
\ir ../views/nsg_rules_dest_ports.sql | ||
\set check_id '6.1' | ||
\ir ../queries/network/rdp_services_are_restricted_from_the_internet.sql | ||
\set check_id '6.2' | ||
\ir ../queries/network/ssh_services_are_restricted_from_the_internet.sql | ||
-- \set check_id '6.3' | ||
-- There is no firewal-rules table | ||
-- https://learn.microsoft.com/en-us/rest/api/sql/2021-11-01/firewall-rules/list-by-server?tabs=HTTP | ||
-- \ir ../queries/network/ | ||
-- \set check_id '6.4' | ||
-- There is no flow-log-status table | ||
-- https://learn.microsoft.com/en-us/rest/api/network-watcher/network-watchers/get-flow-log-status?tabs=HTTP | ||
-- \ir ../queries/network/ | ||
\set check_id '6.6' | ||
\ir ../queries/network/udp_services_are_restricted_from_the_internet.sql |
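Review bot: The banner on the first line says `Executing CIS V1.3.0 Section 5` although every check in this file is a 6.x check, so the run log will show two "Section 5" headers and no Section 6; it should read `\echo "Executing CIS V1.3.0 Section 6"`. This runner is also the only one that does not emit `\echo "Executing check 6.1"` before each `\ir`, which makes a failing query harder to place in the log. The comment at the top of the 6.3 block has a typo, `firewal-rules`.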
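--- a/plugins/source/azure/policies/queries/monitor/diagnostic_logs_for_all_services.sql
+++ b/plugins/source/azure/policies/queries/monitor/diagnostic_logs_for_all_services.sql
@@ -0,0 +1,16 @@
+INSERT INTO azure_policy_results
+SELECT
+:'execution_time' AS execution_time,
+:'framework' AS framework,
+:'check_id' AS check_id,
+'Ensure that Diagnostic Logs are enabled for all services which support it.' AS title,
+amr.subscription_id AS subscription_id,
+amr.id AS resource_id,
+CASE
+WHEN amds.id IS DISTINCT FROM NULL
+THEN 'pass'
+ELSE 'fail'
+END AS status
+FROM azure_monitor_resources AS amr
+LEFT JOIN azure_monitor_diagnostic_settings AS amds
+ON amr._cq_id = amds._cq_parent_id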
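Review bot: The `LEFT JOIN` on `azure_monitor_diagnostic_settings` yields one result row per diagnostic setting, so a resource that has several settings (Azure allows more than one per resource, as I recall) is inserted into `azure_policy_results` several times with the same `resource_id`. Since the check only needs to know whether any setting exists, an `EXISTS` predicate gives exactly one row per resource and stops at the first match. `IS DISTINCT FROM NULL` is also just a roundabout `IS NOT NULL`, and `INSERT INTO azure_policy_results` without a column list will break silently if that table's column order ever changes.
```sql
-- … unchanged: INSERT INTO / SELECT list through resource_id …
CASE
    -- one row per resource, however many diagnostic settings it has
    WHEN EXISTS (
        SELECT 1
        FROM azure_monitor_diagnostic_settings AS amds
        WHERE amds._cq_parent_id = amr._cq_id
    )
    THEN 'pass'
    ELSE 'fail'
END AS status
FROM azure_monitor_resources AS amr
```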
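--- a/plugins/source/azure/policies/queries/monitor/insufficient_diagnostic_capturing_settings.sql
+++ b/plugins/source/azure/policies/queries/monitor/insufficient_diagnostic_capturing_settings.sql
@@ -0,0 +1,31 @@
+insert into azure_policy_results
+WITH diagnostic_settings AS (
+SELECT
+subscription_id,
+id,
+(logs->>'enabled')::boolean AS enabled,
+logs->>'category' AS category
+FROM
+azure_monitor_subscription_diagnostic_settings a,
+jsonb_array_elements(properties->'logs') AS logs
+),
+required_settings AS (
+SELECT *
+FROM diagnostic_settings
+WHERE category IN ('Administrative', 'Alert', 'Policy', 'Security')
+)
+SELECT
+:'execution_time' AS execution_time,
+:'framework' AS framework,
+:'check_id' AS check_id,
+'Ensure Diagnostic Setting captures appropriate categories' AS title,
+subscription_id AS subscription_id,
+id AS resource_id,
+CASE
+WHEN COUNT(id) = 4
+THEN 'pass'
+ELSE 'fail'
+END AS status
+FROM required_settings
+WHERE enabled
+GROUP BY subscription_id, id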
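Review bot: A diagnostic setting with none of the four required categories enabled produces no rows at all, because `WHERE enabled` and the `required_settings` category filter drop every row before `GROUP BY` runs, so the worst-configured settings never get a `fail` row inserted; the same happens for a setting whose `logs` array is empty. Counting the required categories inside a `FILTER` clause over all rows of the setting, with `LEFT JOIN LATERAL` so an empty array still yields one row, reports those settings as failures, and `COUNT(DISTINCT category)` guards against a repeated category being counted twice. The implicit comma join with `jsonb_array_elements`, the unused alias `a`, `SELECT *` in the CTE and the lowercase `insert into` (the sibling file uses `INSERT INTO`) are style points in the same hunk.
```sql
WITH diagnostic_settings AS (
    SELECT
        subscription_id,
        id,
        (logs->>'enabled')::boolean AS enabled,
        logs->>'category' AS category
    FROM azure_monitor_subscription_diagnostic_settings
    -- LEFT JOIN LATERAL keeps a setting with an empty logs array as one row
    LEFT JOIN LATERAL jsonb_array_elements(properties->'logs') AS logs ON TRUE
)
SELECT
    -- … unchanged: execution_time, framework, check_id, title …
    subscription_id AS subscription_id,
    id AS resource_id,
    CASE
        -- all four required categories must be present and enabled;
        -- a setting with none of them still gets a 'fail' row
        WHEN COUNT(DISTINCT category) FILTER (
            WHERE enabled
                AND category IN ('Administrative', 'Alert', 'Policy', 'Security')
        ) = 4
        THEN 'pass'
        ELSE 'fail'
    END AS status
FROM diagnostic_settings
GROUP BY subscription_id, id
```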