refactor(checks): migrate Azure monitor, network, synapse, securityce…

…nter to Rego Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Jul 19, 2024 · a04c2c3 · a04c2c3
1 parent 9bbb577
commit a04c2c3
Show file tree

Hide file tree

Showing 41 changed files with 813 additions and 669 deletions.
diff --git a/avd_docs/azure/monitor/AVD-AZU-0031/docs.md b/avd_docs/azure/monitor/AVD-AZU-0031/docs.md
@@ -1,8 +1,9 @@
 
 The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.
 
+
 ### Impact
-Short life activity logs can lead to missing records when investigating a breach
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/monitor/AVD-AZU-0032/docs.md b/avd_docs/azure/monitor/AVD-AZU-0032/docs.md
@@ -1,8 +1,9 @@
 
 Log profiles should capture all regions to ensure that all events are logged
 
+
 ### Impact
-Activity may be occurring in locations that aren't being monitored
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/monitor/AVD-AZU-0033/docs.md b/avd_docs/azure/monitor/AVD-AZU-0033/docs.md
@@ -1,8 +1,9 @@
 
 Log profiles should capture all categories to ensure that all events are logged
 
+
 ### Impact
-Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/network/AVD-AZU-0049/docs.md b/avd_docs/azure/network/AVD-AZU-0049/docs.md
@@ -1,11 +1,13 @@
 
-Flow logs are the source of truth for all network activity in your cloud environment. 
-To enable analysis in security event that was detected late, you need to have the logs available. 
-
+Flow logs are the source of truth for all network activity in your cloud environment.
+
+To enable analysis in security event that was detected late, you need to have the logs available.
+
 Setting an retention policy will help ensure as much information is available for review.
 
+
 ### Impact
-Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md b/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md
@@ -1,5 +1,5 @@
 
- Set alert notifications to be on
+Set alert notifications to be on
 
 ```hcl
 		resource "azurerm_security_center_contact" "good_example" {

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md b/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md
@@ -1,9 +1,11 @@
 
-It is recommended that at least one valid contact is configured for the security center. 
+It is recommended that at least one valid contact is configured for the security center.
+
 Microsoft will notify the security contact directly in the event of a security incident using email and require alerting to be turned on.
 
+
 ### Impact
-The ability to react to high severity notifications could be delayed
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md b/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md
@@ -1,10 +1,11 @@
 
 To benefit from Azure Defender you should use the Standard subscription tier.
-
-			Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
+
+Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
+
 
 ### Impact
-Using free subscription does not enable Azure Defender for the resource type
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md b/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md
@@ -1,9 +1,11 @@
 
-It is recommended that at least one valid contact is configured for the security center. 
+It is recommended that at least one valid contact is configured for the security center.
+
 Microsoft will notify the security contact directly in the event of a security incident and will look to use a telephone number in cases where a prompt response is required.
 
+
 ### Impact
-Without a telephone number set, Azure support can't contact
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/synapse/AVD-AZU-0034/docs.md b/avd_docs/azure/synapse/AVD-AZU-0034/docs.md
@@ -2,10 +2,12 @@
 Synapse Workspace does not have managed virtual network enabled by default.
 
 When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network.
+
 Managed private endpoints are private endpoints created in a Managed Virtual Network associated with your Azure Synapse workspace. Managed private endpoints establish a private link to Azure resources. You can only use private links in a workspace that has a Managed workspace Virtual Network.
 
+
 ### Impact
-Your Synapse workspace is not using the private endpoints
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/checks/cloud/azure/monitor/activity_log_retention_set.go b/checks/cloud/azure/monitor/activity_log_retention_set.go
@@ -27,7 +27,8 @@ var CheckActivityLogRetentionSet = rules.Register(
 			Links:               terraformActivityLogRetentionSetLinks,
 			RemediationMarkdown: terraformActivityLogRetentionSetRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, profile := range s.Azure.Monitor.LogProfiles {

diff --git a/checks/cloud/azure/monitor/activity_log_retention_set.rego b/checks/cloud/azure/monitor/activity_log_retention_set.rego
@@ -0,0 +1,54 @@
+# METADATA
+# title: Ensure the activity retention log is set to at least a year
+# description: |
+#   The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview
+# custom:
+#   id: AVD-AZU-0031
+#   avd_id: AVD-AZU-0031
+#   provider: azure
+#   service: monitor
+#   severity: MEDIUM
+#   short_code: activity-log-retention-set
+#   recommended_action: Set a retention period that will allow for delayed investigation
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: monitor
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#retention_policy
+#     good_examples: checks/cloud/azure/monitor/activity_log_retention_set.tf.go
+#     bad_examples: checks/cloud/azure/monitor/activity_log_retention_set.tf.go
+package builtin.azure.monitor.azure0031
+
+import rego.v1
+
+deny contains res if {
+	some profile in input.azure.monitor.logprofiles
+	isManaged(profile)
+	not profile.retentionpolicy.enabled.value
+	res := result.new(
+		"Profile does not enable the log retention policy.",
+		object.get(profile, ["retentionpolicy", "enabled"], profile),
+	)
+}
+
+deny contains res if {
+	some profile in input.azure.monitor.logprofiles
+	isManaged(profile)
+	profile.retentionpolicy.enabled.value
+	not is_recommended_retention_policy(profile)
+	res := result.new(
+		"Profile has a log retention policy of less than 1 year.",
+		object.get(profile, ["retentionpolicy", "days"], profile),
+	)
+}
+
+is_recommended_retention_policy(profile) := profile.retentionpolicy.days.value >= 365
diff --git a/checks/cloud/azure/monitor/activity_log_retention_set_test.go b/checks/cloud/azure/monitor/activity_log_retention_set_test.go
diff --git a/checks/cloud/azure/monitor/activity_log_retention_set_test.rego b/checks/cloud/azure/monitor/activity_log_retention_set_test.rego
@@ -0,0 +1,33 @@
+package builtin.azure.monitor.azure0031_test
+
+import rego.v1
+
+import data.builtin.azure.monitor.azure0031 as check
+import data.lib.test
+
+test_deny_retention_policy_disabled if {
+	inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {"enabled": {"value": false}}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_retention_policy_enabled_but_days_lt_365 if {
+	inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {
+		"enabled": {"value": true},
+		"days": {"value": 30},
+	}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_retention_policy_enabled_and_days_gt_365 if {
+	inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {
+		"enabled": {"value": true},
+		"days": {"value": 365},
+	}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 0
+}
diff --git a/checks/cloud/azure/monitor/capture_all_activities.go b/checks/cloud/azure/monitor/capture_all_activities.go
@@ -35,7 +35,8 @@ var CheckCaptureAllActivities = rules.Register(
 			Links:               terraformCaptureAllActivitiesLinks,
 			RemediationMarkdown: terraformCaptureAllActivitiesRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		required := []string{

diff --git a/checks/cloud/azure/monitor/capture_all_activities.rego b/checks/cloud/azure/monitor/capture_all_activities.rego
@@ -0,0 +1,55 @@
+# METADATA
+# title: Ensure log profile captures all activities
+# description: |
+#   Log profiles should capture all categories to ensure that all events are logged
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
+#   - https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create-required-parameters
+# custom:
+#   id: AVD-AZU-0033
+#   avd_id: AVD-AZU-0033
+#   provider: azure
+#   service: monitor
+#   severity: MEDIUM
+#   short_code: capture-all-activities
+#   recommended_action: Configure log profile to capture all activities
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: monitor
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#categories
+#     good_examples: checks/cloud/azure/monitor/capture_all_activities.tf.go
+#     bad_examples: checks/cloud/azure/monitor/capture_all_activities.tf.go
+package builtin.azure.monitor.azure0033
+
+import rego.v1
+
+required_categories := {"Action", "Write", "Delete"}
+
+deny contains res if {
+	some profile in input.azure.monitor.logprofiles
+	isManaged(profile)
+	missing := missing_required_categories(profile)
+	count(missing) > 0
+	res := result.new(
+		sprintf("Log profile does not require categories: %v", [missing]),
+		profile,
+	)
+}
+
+missing_required_categories(profile) := missing if {
+	categories := {
+	val |
+		some category in profile.categories
+		val := category.value
+	}
+
+	missing := required_categories - categories
+} else := {}