# Tag set for CIS v1.4.0 section 4 (Database Services).
# Extends the mod-wide local.cis_v140_common_tags (defined outside this file)
# with the section id; every benchmark and control below inherits from it.
locals {
cis_v140_4_common_tags = merge(local.cis_v140_common_tags, {
cis_section_id = "4"
})
}
# Per-subsection tag sets (4.1 SQL auditing, 4.2 Defender for SQL,
# 4.3 PostgreSQL, 4.4 MySQL). Each one only overrides cis_section_id on top
# of the section-4 map, so any change to the parent tags flows down.
locals {
cis_v140_4_1_common_tags = merge(local.cis_v140_4_common_tags, {
cis_section_id = "4.1"
})
cis_v140_4_2_common_tags = merge(local.cis_v140_4_common_tags, {
cis_section_id = "4.2"
})
cis_v140_4_3_common_tags = merge(local.cis_v140_4_common_tags, {
cis_section_id = "4.3"
})
cis_v140_4_4_common_tags = merge(local.cis_v140_4_common_tags, {
cis_section_id = "4.4"
})
}
# Root benchmark for section 4. Sub-sections 4.1-4.4 are nested benchmarks;
# items 4.5 (AAD admin) and 4.6 (TDE protector CMK) have no sub-section in the
# benchmark and are attached directly as controls.
benchmark "cis_v140_4" {
title = "4 Database Services"
documentation = file("./cis_v140/docs/cis_v140_4.md")
children = [
benchmark.cis_v140_4_1,
benchmark.cis_v140_4_2,
benchmark.cis_v140_4_3,
benchmark.cis_v140_4_4,
control.cis_v140_4_5,
control.cis_v140_4_6,
]
tags = merge(local.cis_v140_4_common_tags, {
type = "Benchmark"
})
}
# 4.1 SQL Server auditing: three controls covering auditing on, TDE on,
# and audit retention > 90 days. Tagged service = "Azure/SQL" like its children.
benchmark "cis_v140_4_1" {
title = "4.1 SQL Server - Auditing"
documentation = file("./cis_v140/docs/cis_v140_4_1.md")
children = [
control.cis_v140_4_1_1,
control.cis_v140_4_1_2,
control.cis_v140_4_1_3,
]
tags = merge(local.cis_v140_4_1_common_tags, {
type = "Benchmark"
service = "Azure/SQL"
})
}
# 4.2 Azure Defender for SQL: ATP plus the four Vulnerability Assessment
# settings. All five children are Level 2 items (see their cis_level tags).
benchmark "cis_v140_4_2" {
title = "4.2 SQL Server - Azure Defender for SQL"
documentation = file("./cis_v140/docs/cis_v140_4_2.md")
children = [
control.cis_v140_4_2_1,
control.cis_v140_4_2_2,
control.cis_v140_4_2_3,
control.cis_v140_4_2_4,
control.cis_v140_4_2_5
]
tags = merge(local.cis_v140_4_2_common_tags, {
type = "Benchmark"
service = "Azure/SQL"
})
}
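# 4.3 PostgreSQL Database Server: SSL enforcement, server logging parameters,
# connection throttling, log retention, network access and at-rest encryption.
# The service tag is set here to match every child control ("Azure/PostgreSQL")
# and the sibling benchmarks 4.1/4.2/4.4, which all carry a service tag; without
# it, a run selected by the service tag would not include this benchmark node.
benchmark "cis_v140_4_3" {
title = "4.3 PostgreSQL Database Server"
documentation = file("./cis_v140/docs/cis_v140_4_3.md")
children = [
control.cis_v140_4_3_1,
control.cis_v140_4_3_2,
control.cis_v140_4_3_3,
control.cis_v140_4_3_4,
control.cis_v140_4_3_5,
control.cis_v140_4_3_6,
control.cis_v140_4_3_7,
control.cis_v140_4_3_8,
]
tags = merge(local.cis_v140_4_3_common_tags, {
type = "Benchmark"
service = "Azure/PostgreSQL"
})
}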
# 4.1.1 (Level 1, automated): server-level auditing must be switched on.
control "cis_v140_4_1_1" {
title = "4.1.1 Ensure that 'Auditing' is set to 'On'"
description = "Enable auditing on SQL Servers."
query = query.sql_server_auditing_on
documentation = file("./cis_v140/docs/cis_v140_4_1_1.md")
tags = merge(local.cis_v140_4_1_common_tags, {
cis_item_id = "4.1.1"
cis_level = "1"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.1.2 (Level 1, automated): Transparent Data Encryption must be on for each
# SQL database.
# NOTE(review): this is the only control in the file without a description
# attribute; consider adding one so the rendered output matches its siblings.
control "cis_v140_4_1_2" {
title = "4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database"
query = query.sql_database_transparent_data_encryption_enabled
documentation = file("./cis_v140/docs/cis_v140_4_1_2.md")
tags = merge(local.cis_v140_4_1_common_tags, {
cis_item_id = "4.1.2"
cis_level = "1"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.1.3 (Level 1, automated): audit log retention must exceed 90 days, so that
# evidence is still available for investigations that start weeks after an event.
control "cis_v140_4_1_3" {
title = "4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'"
description = "SQL Server Audit Retention should be configured to be greater than 90 days."
query = query.sql_server_auditing_retention_period_90
documentation = file("./cis_v140/docs/cis_v140_4_1_3.md")
tags = merge(local.cis_v140_4_1_common_tags, {
cis_item_id = "4.1.3"
cis_level = "1"
cis_type = "automated"
service = "Azure/SQL"
})
}
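# 4.2.1 (Level 2, automated): Advanced Threat Protection / Defender for SQL
# must be enabled on the server.
# Tag keys are written bare, as in every other control in this file; the
# original quoted "cis_item_id"/"cis_level"/"cis_type", which HCL treats
# identically but which breaks the file's convention.
control "cis_v140_4_2_1" {
title = "4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'"
description = "Enable \"Azure Defender for SQL\" on critical SQL Servers."
query = query.sql_server_atp_enabled
documentation = file("./cis_v140/docs/cis_v140_4_2_1.md")
tags = merge(local.cis_v140_4_2_common_tags, {
cis_item_id = "4.2.1"
cis_level = "2"
cis_type = "automated"
service = "Azure/SQL"
})
}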
# 4.2.2 (Level 2, automated): Vulnerability Assessment must be enabled, which
# requires a storage account for scan results, on servers and their databases.
control "cis_v140_4_2_2" {
title = "4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"
description = "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases."
query = query.sql_server_and_databases_va_enabled
documentation = file("./cis_v140/docs/cis_v140_4_2_2.md")
tags = merge(local.cis_v140_4_2_common_tags, {
cis_item_id = "4.2.2"
cis_level = "2"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.2.3 (Level 2, automated): VA periodic recurring scans must be enabled.
control "cis_v140_4_2_3" {
title = "4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server"
description = "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases."
query = query.sql_server_va_setting_periodic_scan_enabled
documentation = file("./cis_v140/docs/cis_v140_4_2_3.md")
tags = merge(local.cis_v140_4_2_common_tags, {
cis_item_id = "4.2.3"
cis_level = "2"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.2.4 (Level 2, automated): VA 'Send scan reports to' must list recipients,
# so scan findings reach someone rather than sitting unread in storage.
control "cis_v140_4_2_4" {
title = "4.2.4 Ensure that VA setting 'Send scan reports to' is configured for a SQL server"
description = "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers."
query = query.sql_server_va_setting_scan_reports_configured
documentation = file("./cis_v140/docs/cis_v140_4_2_4.md")
tags = merge(local.cis_v140_4_2_common_tags, {
cis_item_id = "4.2.4"
cis_level = "2"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.2.5 (Level 2, automated): VA must also notify admins and subscription owners.
control "cis_v140_4_2_5" {
title = "4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL server"
description = "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'."
query = query.sql_server_va_setting_reports_notify_admins
documentation = file("./cis_v140/docs/cis_v140_4_2_5.md")
tags = merge(local.cis_v140_4_2_common_tags, {
cis_item_id = "4.2.5"
cis_level = "2"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.3.1 (Level 1, automated): PostgreSQL servers must enforce SSL/TLS on
# client connections.
control "cis_v140_4_3_1" {
title = "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server"
description = "Enable SSL connection on PostgreSQL Servers."
query = query.postgres_sql_ssl_enabled
documentation = file("./cis_v140/docs/cis_v140_4_3_1.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.1"
cis_level = "1"
cis_type = "automated"
service = "Azure/PostgreSQL"
})
}
# 4.3.2 (Level 1, automated): server parameter log_checkpoints must be ON.
control "cis_v140_4_3_2" {
title = "4.3.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"
description = "Enable log_checkpoints on PostgreSQL Servers."
query = query.postgres_db_server_log_checkpoints_on
documentation = file("./cis_v140/docs/cis_v140_4_3_2.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.2"
cis_level = "1"
cis_type = "automated"
service = "Azure/PostgreSQL"
})
}
# 4.3.3 (Level 1, automated): server parameter log_connections must be ON,
# so that successful logins are recorded for later review.
control "cis_v140_4_3_3" {
title = "4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"
description = "Enable log_connections on PostgreSQL Servers."
query = query.postgres_db_server_log_connections_on
documentation = file("./cis_v140/docs/cis_v140_4_3_3.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.3"
cis_level = "1"
cis_type = "automated"
service = "Azure/PostgreSQL"
})
}
# 4.3.4 (Level 1, automated): server parameter log_disconnections must be ON
# (the counterpart of 4.3.3, giving session end times).
control "cis_v140_4_3_4" {
title = "4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"
description = "Enable log_disconnections on PostgreSQL Servers."
query = query.postgres_db_server_log_disconnections_on
documentation = file("./cis_v140/docs/cis_v140_4_3_4.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.4"
cis_level = "1"
cis_type = "automated"
service = "Azure/PostgreSQL"
})
}
# 4.3.5 (Level 1, automated): server parameter connection_throttling must be
# ON, which limits repeated failed connection attempts from one source.
control "cis_v140_4_3_5" {
title = "4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"
description = "Enable connection_throttling on PostgreSQL Servers."
query = query.postgres_db_server_connection_throttling_on
documentation = file("./cis_v140/docs/cis_v140_4_3_5.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.5"
cis_level = "1"
cis_type = "automated"
service = "Azure/PostgreSQL"
})
}
# 4.3.6 (Level 1, automated): server parameter log_retention_days must be
# greater than 3. The description says only "enable"; the threshold is in the
# title and, presumably, the query's name (..._log_retention_days_3).
control "cis_v140_4_3_6" {
title = "4.3.6 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"
description = "Enable log_retention_days on PostgreSQL Servers."
query = query.postgres_db_server_log_retention_days_3
documentation = file("./cis_v140/docs/cis_v140_4_3_6.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.6"
cis_level = "1"
cis_type = "automated"
service = "Azure/PostgreSQL"
})
}
# 4.3.7 (Level 1, manual): 'Allow access to Azure services' must be disabled.
# This control is wired to query.manual_control rather than a resource query,
# so its result does not by itself prove the firewall setting is off; the
# setting has to be confirmed by hand (see the linked documentation).
control "cis_v140_4_3_7" {
title = "4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled"
description = "Disable access from Azure services to PostgreSQL Database Server."
query = query.manual_control
documentation = file("./cis_v140/docs/cis_v140_4_3_7.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.7"
cis_level = "1"
cis_type = "manual"
service = "Azure/PostgreSQL"
})
}
# 4.3.8 (Level 1): infrastructure double encryption must be enabled.
# NOTE(review): tagged cis_type = "manual", yet it is wired to a resource query
# (postgresql_server_infrastructure_encryption_enabled) rather than
# query.manual_control as 4.3.7 is. One of the two is probably stale; confirm
# against the benchmark text which should change, since the tag decides how
# the item is reported.
control "cis_v140_4_3_8" {
title = "4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'"
description = "Enable encryption at rest for PostgreSQL Databases."
query = query.postgresql_server_infrastructure_encryption_enabled
documentation = file("./cis_v140/docs/cis_v140_4_3_8.md")
tags = merge(local.cis_v140_4_3_common_tags, {
cis_item_id = "4.3.8"
cis_level = "1"
cis_type = "manual"
service = "Azure/PostgreSQL"
})
}
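# 4.4 MySQL Database: SSL enforcement and minimum TLS version.
# The service tag is "Azure/MySQL" to agree with both child controls; the
# original carried "Azure/SQL", so a run selected by service tag would have
# listed this benchmark under SQL Server while its controls sat under MySQL.
benchmark "cis_v140_4_4" {
title = "4.4 MySQL Database"
documentation = file("./cis_v140/docs/cis_v140_4_4.md")
children = [
control.cis_v140_4_4_1,
control.cis_v140_4_4_2,
]
tags = merge(local.cis_v140_4_4_common_tags, {
type = "Benchmark"
service = "Azure/MySQL"
})
}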
# 4.4.1 (Level 1, automated): MySQL servers must enforce SSL/TLS on client
# connections.
control "cis_v140_4_4_1" {
title = "4.4.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server"
description = "Enable SSL connection on MYSQL Servers."
query = query.mysql_ssl_enabled
documentation = file("./cis_v140/docs/cis_v140_4_4_1.md")
tags = merge(local.cis_v140_4_4_common_tags, {
cis_item_id = "4.4.1"
cis_level = "1"
cis_type = "automated"
service = "Azure/MySQL"
})
}
# 4.4.2 (Level 1, automated): minimum TLS version must be 1.2 on MySQL
# flexible servers.
# NOTE(review): the title names TLS 1.2 while the description says "the default
# value"; confirm the two agree for the server type this query covers.
control "cis_v140_4_4_2" {
title = "4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server"
description = "Ensure TLS version on MySQL flexible servers is set to the default value."
query = query.mysql_server_min_tls_1_2
documentation = file("./cis_v140/docs/cis_v140_4_4_2.md")
tags = merge(local.cis_v140_4_4_common_tags, {
cis_item_id = "4.4.2"
cis_level = "1"
cis_type = "automated"
service = "Azure/MySQL"
})
}
# 4.5 (Level 1, automated): an Azure AD admin must be configured on the SQL
# server so that identity-based authentication is available instead of relying
# solely on SQL logins. Sits directly under section 4 (no sub-benchmark).
control "cis_v140_4_5" {
title = "4.5 Ensure that Azure Active Directory Admin is configured"
description = "Use Azure Active Directory Authentication for authentication with SQL Database."
query = query.sql_db_active_directory_admin_configured
documentation = file("./cis_v140/docs/cis_v140_4_5.md")
tags = merge(local.cis_v140_4_common_tags, {
cis_item_id = "4.5"
cis_level = "1"
cis_type = "automated"
service = "Azure/SQL"
})
}
# 4.6 (Level 2, automated): the TDE protector must be a customer-managed key,
# keeping control of the key with the data owner rather than the platform.
# Sits directly under section 4 (no sub-benchmark).
control "cis_v140_4_6" {
title = "4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key"
description = "Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key)"
query = query.sql_server_tde_protector_cmk_encrypted
documentation = file("./cis_v140/docs/cis_v140_4_6.md")
tags = merge(local.cis_v140_4_common_tags, {
cis_item_id = "4.6"
cis_level = "2"
cis_type = "automated"
service = "Azure/SQL"
})
}