-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
155 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
96 changes: 96 additions & 0 deletions
96
security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/data.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| metadata: | ||
| id: e570dc22-4f5d-51db-a193-983cb7d20afe | ||
| name: Ensure that 'Auditing' is set to 'On' | ||
| profile_applicability: '* Level 1' | ||
| description: Enable auditing on SQL Servers. | ||
| rationale: |- | ||
| The Azure platform allows a SQL server to be created as a service. | ||
| Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. | ||
| Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. | ||
| Auditing tracks database events and writes them to an audit log in the Azure storage account. | ||
| It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. | ||
| audit: |- | ||
| **From Azure Portal** | ||
| 1. Go to `SQL servers` | ||
| 2. For each server instance | ||
| 3. Click on `Auditing` | ||
| 4. Ensure that `Enable Azure SQL Auditing` is set to `On` | ||
| **From PowerShell** | ||
| Get the list of all SQL Servers | ||
| ``` | ||
| Get-AzSqlServer | ||
| ``` | ||
| For each Server | ||
| ``` | ||
| Get-AzSqlServerAudit -ResourceGroupName <ResourceGroupName> -ServerName <SQLServerName> | ||
| ``` | ||
| Ensure that `BlobStorageTargetState`, `EventHubTargetState`, or `LogAnalyticsTargetState` is set to `Enabled`. | ||
| remediation: |- | ||
| **From Azure Portal** | ||
| 1. Go to `SQL servers` | ||
| 2. Select the SQL server instance | ||
| 3. Under `Security`, click `Auditing` | ||
| 4. Click the toggle next to `Enable Azure SQL Auditing` | ||
| 5. Select an Audit log destination | ||
| 6. Click `Save` | ||
| **From PowerShell** | ||
| Get the list of all SQL Servers | ||
| ``` | ||
| Get-AzSqlServer | ||
| ``` | ||
| For each Server, enable auditing and set the retention for at least 90 days. | ||
| **Log Analytics Example** | ||
| ``` | ||
| Set-AzSqlServerAudit -ResourceGroupName <resource group name> -ServerName <SQL Server name> -RetentionInDays <Number of Days to retain the audit logs, should be 90days minimum> -LogAnalyticsTargetState Enabled -WorkspaceResourceId "/subscriptions/<subscription ID>/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/<workspace name> | ||
| ``` | ||
| **Event Hub Example** | ||
| ``` | ||
| Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -EventHubTargetState Enabled -EventHubName | ||
| "<Event Hub name>" -EventHubAuthorizationRuleResourceId "<Event Hub Authorization Rule Resource ID>" | ||
| ``` | ||
| **Blob Storage Example*** | ||
| ``` | ||
| Set-AzSqlServerAudit -ResourceGroupName "<resource group name>" -ServerName "<SQL Server name>" -BlobStorageTargetState Enabled | ||
| -StorageAccountResourceId "/subscriptions/<subscription_ID>/resourceGroups/<Resource_Group>/providers/Microsoft.Stora | ||
| ge/storageAccounts/<Storage Account name>" | ||
| ``` | ||
| impact: '' | ||
| default_value: '' | ||
| references: |- | ||
| 1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers | ||
| 2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0 | ||
| 3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0 | ||
| 4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing | ||
| 5. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation | ||
| section: SQL Server - Auditing | ||
| version: '1.0' | ||
| tags: | ||
| - CIS | ||
| - AZURE | ||
| - CIS 4.1.1 | ||
| - SQL Server - Auditing | ||
| benchmark: | ||
| name: CIS Microsoft Azure Foundations | ||
| version: v2.0.0 | ||
| id: cis_azure | ||
| rule_number: 4.1.1 | ||
| posture_type: cspm |
23 changes: 23 additions & 0 deletions
23
security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/rule.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| package compliance.cis_azure.rules.cis_4_1_1 | ||
|
|
||
| import data.compliance.lib.common | ||
| import data.compliance.policy.azure.data_adapter | ||
| import future.keywords.every | ||
| import future.keywords.if | ||
|
|
||
| finding = result if { | ||
| # filter | ||
| data_adapter.is_sql_server | ||
|
|
||
| # set result | ||
| result := common.generate_result_without_expected( | ||
| common.calculate_result(is_audit_enabled), | ||
| {"Resource": data_adapter.resource}, | ||
| ) | ||
| } | ||
|
|
||
| default is_audit_enabled = false | ||
|
|
||
| is_audit_enabled if { | ||
| data_adapter.resource.extension.sqlBlobAuditPolicy.state == "Enabled" | ||
| } |
32 changes: 32 additions & 0 deletions
32
security-policies/bundle/compliance/cis_azure/rules/cis_4_1_1/test.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| package compliance.cis_azure.rules.cis_4_1_1 | ||
|
|
||
| import data.cis_azure.test_data | ||
| import data.compliance.policy.azure.data_adapter | ||
| import data.lib.test | ||
| import future.keywords.if | ||
|
|
||
| test_violation if { | ||
| eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlBlobAuditPolicy": {"state": "Disabled"}}) | ||
|
|
||
| eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {}) | ||
| } | ||
|
|
||
| test_pass if { | ||
| eval_pass with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlBlobAuditPolicy": {"state": "Enabled"}}) | ||
| } | ||
|
|
||
| test_not_evaluated if { | ||
| not_eval with input as test_data.not_eval_non_exist_type | ||
| } | ||
|
|
||
| eval_fail if { | ||
| test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter | ||
| } | ||
|
|
||
| eval_pass if { | ||
| test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter | ||
| } | ||
|
|
||
| not_eval if { | ||
| not finding with data.benchmark_data_adapter as data_adapter | ||
| } |