Skip to content

Commit

Permalink
refactor rego function
Browse files Browse the repository at this point in the history
  • Loading branch information
@moukoublen
moukoublen committed Jan 4, 2024
1 parent 0ac813c commit cad367b
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 12 deletions.
3 changes: 1 addition & 2 deletions security-policies/bundle/compliance/cis_azure/rules/cis_3_13/rule.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,5 @@ finding = result if {
default logs_are_enabled = false

logs_are_enabled if {
categories = ["StorageRead", "StorageWrite", "StorageDelete"]
audit.service_diagnostic_settings_log_enabled(data_adapter.resource.extension.blobDiagnosticSettings, categories)
audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.blobDiagnosticSettings)
}
3 changes: 1 addition & 2 deletions security-policies/bundle/compliance/cis_azure/rules/cis_3_14/rule.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,5 @@ finding = result if {
default logs_are_enabled = false

logs_are_enabled if {
categories = ["StorageRead", "StorageWrite", "StorageDelete"]
audit.service_diagnostic_settings_log_enabled(data_adapter.resource.extension.tableDiagnosticSettings, categories)
audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.tableDiagnosticSettings)
}
3 changes: 1 addition & 2 deletions security-policies/bundle/compliance/cis_azure/rules/cis_3_5/rule.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,5 @@ finding = result if {
default logs_are_enabled = false

logs_are_enabled if {
categories = ["StorageRead", "StorageWrite", "StorageDelete"]
audit.service_diagnostic_settings_log_enabled(data_adapter.resource.extension.queueDiagnosticSettings, categories)
audit.service_diagnostic_settings_log_rwd_enabled(data_adapter.resource.extension.queueDiagnosticSettings)
}
12 changes: 6 additions & 6 deletions security-policies/bundle/compliance/policy/azure/storage_account/ensure_service_log.rego
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
package compliance.policy.azure.storage_account.ensure_service_log

import future.keywords.every
import future.keywords.if
import future.keywords.in

service_diagnostic_settings_log_enabled(serviceDiagnosticSettings, categories) if {
service_diagnostic_settings_log_rwd_enabled(serviceDiagnosticSettings) if {
# Ensure all categories exist and are enabled
category_exists := [log |
log := serviceDiagnosticSettings.properties.logs[_]
every category in ["StorageRead", "StorageWrite", "StorageDelete"] {
some log in serviceDiagnosticSettings.properties.logs
log.enabled == true
log.category == categories[_]
]
count(category_exists) == count(categories)
log.category = category
}
} else = false

0 comments on commit cad367b

Please sign in to comment.