This repository has been archived by the owner on Sep 17, 2024. It is now read-only.

Audit Diagnostic Settings Identifying False Negatives #6

Open
davidheerema opened this issue Apr 22, 2020 · 3 comments

Comments

@davidheerema

After reviewing the text version of the validation report I noticed that the report flagged the following resources for non-compliance with the "Audit diagnostic setting" policy:

A Cosmos DB
A container instance

Both of these resources are logging to a Log Analytics workspace, which is kind of what the policy is meant to check (I believe, from looking at the policy JSON). I think the policy is looking for microsoft.insights/diagnosticSettings, but these resources do not have this? I am not an expert.

The cosmos DB was created using https://github.com/cds-snc/report-a-cybercrime/blob/master/utils/azurescript.sh and near line 153 you can see that we create the diagnostic setting.

The container instance does not support a complete diagnostic setting, but at this time you can specify a Log Analytics workspace to log to at creation time, which we do at line 93.

I wanted to highlight this so that perhaps you want to tailor your validation so that you can validate these types of resources correctly. I'm willing to help answer any questions you have.

@tacummins1
Contributor

Hi David, the "Audit diagnostic setting" policy definition in this case is a built-in Azure policy. The reporting tool is simply obtaining the compliance data for that policy assignment from Azure.

To achieve what you indicated with respect to checking diagnostic settings for other types of Azure resources not supported by the built-in policy, you would need to create a custom Azure policy to do that.

You could either create a custom policy that checks audit diagnostic configuration settings for all types of resources, or have separate custom policies for each type.

Regardless, the current PBMM guardrail framework doesn't support creation of custom Azure policies as part of the blueprint and would need to be extended.
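As an added illustration of the "separate custom policies for each type" option mentioned above (this is example code, not part of the repository or of Microsoft's built-in policy), the script below defines one custom policy rule per resource type from this issue and registers them with the Azure CLI. The Cosmos DB rule uses AuditIfNotExists on the Microsoft.Insights/diagnosticSettings child resource and requires the setting to have logs enabled and a workspaceId. Container groups carry the Log Analytics workspace as a property of the group itself rather than as a diagnostic setting, so that rule audits the property directly; the alias name used for it is an assumption derived from the ARM schema path and should be confirmed with `az provider show --namespace Microsoft.ContainerInstance --expand resourceTypes/aliases` before use. The definition and assignment names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: custom Azure Policy definitions that audit diagnostic configuration
# for the two resource types discussed in this issue. Not the project's own code.
set -eu

# Rule for Cosmos DB accounts: the account is non-compliant unless it has a
# Microsoft.Insights/diagnosticSettings child with logs enabled and a workspaceId.
cosmos_diag_rule() {
  cat <<'EOF'
{
  "if": { "field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts" },
  "then": {
    "effect": "AuditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [
          { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" },
          { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "exists": "true" }
        ]
      }
    }
  }
}
EOF
}

# Rule for container groups: there is no diagnosticSettings child to look for, so
# audit the group's own logAnalytics.workspaceId property instead.
# ASSUMPTION: the alias below follows the ARM schema path; verify it with
#   az provider show --namespace Microsoft.ContainerInstance --expand resourceTypes/aliases
aci_diag_rule() {
  cat <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.ContainerInstance/containerGroups" },
      { "field": "Microsoft.ContainerInstance/containerGroups/diagnostics.logAnalytics.workspaceId", "exists": "false" }
    ]
  },
  "then": { "effect": "Audit" }
}
EOF
}

# Register both definitions and assign them at the given scope
# (e.g. /subscriptions/<subscription-id>). Requires a logged-in Azure CLI.
# Definition and assignment names are placeholders.
deploy_policies() {
  scope="$1"
  az policy definition create --name "audit-cosmosdb-diag-to-law" \
    --display-name "Audit Cosmos DB accounts without diagnostic logs to Log Analytics" \
    --mode Indexed --rules "$(cosmos_diag_rule)"
  az policy definition create --name "audit-aci-log-analytics" \
    --display-name "Audit container groups without a Log Analytics workspace" \
    --mode Indexed --rules "$(aci_diag_rule)"
  az policy assignment create --name "audit-cosmosdb-diag-to-law" \
    --policy "audit-cosmosdb-diag-to-law" --scope "$scope"
  az policy assignment create --name "audit-aci-log-analytics" \
    --policy "audit-aci-log-analytics" --scope "$scope"
}

# Usage: deploy_policies "/subscriptions/<subscription-id>"
```

Compliance for the new assignments shows up in the same place the reporting tool already reads the built-in policy's results, so the report would pick them up without changes to how it collects data. The Indexed mode is used because both rules target resources that carry tags and locations; use All only for a rule that must also evaluate resource groups or subscriptions.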

@davidheerema
Author

Thank you for the explanation.

@tacummins1
Contributor

On second thought David, it's probably better to just have Microsoft change their built-in policy to support the additional resource types rather than us going the custom policy route.

I assume it would need to be raised to MS as a feature request.
