Merge pull request #202 from nikpivkin/go2rego-azure-4

refactor(checks): migrate Azure monitor, network, synapse, securitycenter to Rego
aquasecurity · Aug 22, 2024 · f49bf32 · f49bf32
2 parents cea826d + 6a9fb51
commit f49bf32
Show file tree

Hide file tree

Showing 65 changed files with 1,656 additions and 1,054 deletions.
diff --git a/avd_docs/azure/monitor/AVD-AZU-0031/docs.md b/avd_docs/azure/monitor/AVD-AZU-0031/docs.md
@@ -1,8 +1,9 @@
 
 The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.
 
+
 ### Impact
-Short life activity logs can lead to missing records when investigating a breach
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/monitor/AVD-AZU-0032/docs.md b/avd_docs/azure/monitor/AVD-AZU-0032/docs.md
@@ -1,8 +1,9 @@
 
 Log profiles should capture all regions to ensure that all events are logged
 
+
 ### Impact
-Activity may be occurring in locations that aren't being monitored
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/monitor/AVD-AZU-0033/docs.md b/avd_docs/azure/monitor/AVD-AZU-0033/docs.md
@@ -1,8 +1,9 @@
 
 Log profiles should capture all categories to ensure that all events are logged
 
+
 ### Impact
-Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/network/AVD-AZU-0047/docs.md b/avd_docs/azure/network/AVD-AZU-0047/docs.md
@@ -1,10 +1,10 @@
 
 Network security rules should not use very broad subnets.
-
 Where possible, segments should be broken into smaller subnets.
 
+
 ### Impact
-The port is exposed for ingress from the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/network/AVD-AZU-0048/docs.md b/avd_docs/azure/network/AVD-AZU-0048/docs.md
@@ -1,10 +1,10 @@
 
 RDP access can be configured on either the network security group or in the network security group rule.
-
 RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.
 
+
 ### Impact
-Anyone from the internet can potentially RDP onto an instance
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/network/AVD-AZU-0049/docs.md b/avd_docs/azure/network/AVD-AZU-0049/docs.md
@@ -1,11 +1,13 @@
 
-Flow logs are the source of truth for all network activity in your cloud environment. 
-To enable analysis in security event that was detected late, you need to have the logs available. 
-
+Flow logs are the source of truth for all network activity in your cloud environment.
+
+To enable analysis in security event that was detected late, you need to have the logs available.
+
 Setting an retention policy will help ensure as much information is available for review.
 
+
 ### Impact
-Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/network/AVD-AZU-0050/docs.md b/avd_docs/azure/network/AVD-AZU-0050/docs.md
@@ -1,10 +1,10 @@
 
-SSH access can be configured on either the network security group or in the network security group rule. 
-
+SSH access can be configured on either the network security group or in the network security group rule.
 SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
 
+
 ### Impact
-Its dangerous to allow SSH access from the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/network/AVD-AZU-0051/docs.md b/avd_docs/azure/network/AVD-AZU-0051/docs.md
@@ -1,10 +1,10 @@
 
 Network security rules should not use very broad subnets.
-
 Where possible, segments should be broken into smaller subnets.
 
+
 ### Impact
-The port is exposed for egress to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md b/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md
@@ -1,5 +1,5 @@
 
- Set alert notifications to be on
+Set alert notifications to be on
 
 ```hcl
 		resource "azurerm_security_center_contact" "good_example" {

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md b/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md
@@ -1,9 +1,11 @@
 
-It is recommended that at least one valid contact is configured for the security center. 
+It is recommended that at least one valid contact is configured for the security center.
+
 Microsoft will notify the security contact directly in the event of a security incident using email and require alerting to be turned on.
 
+
 ### Impact
-The ability to react to high severity notifications could be delayed
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md b/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md
@@ -1,10 +1,11 @@
 
 To benefit from Azure Defender you should use the Standard subscription tier.
-
-			Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
+
+Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
+
 
 ### Impact
-Using free subscription does not enable Azure Defender for the resource type
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md b/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md
@@ -1,9 +1,11 @@
 
-It is recommended that at least one valid contact is configured for the security center. 
+It is recommended that at least one valid contact is configured for the security center.
+
 Microsoft will notify the security contact directly in the event of a security incident and will look to use a telephone number in cases where a prompt response is required.
 
+
 ### Impact
-Without a telephone number set, Azure support can't contact
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/avd_docs/azure/synapse/AVD-AZU-0034/docs.md b/avd_docs/azure/synapse/AVD-AZU-0034/docs.md
@@ -2,10 +2,12 @@
 Synapse Workspace does not have managed virtual network enabled by default.
 
 When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network.
+
 Managed private endpoints are private endpoints created in a Managed Virtual Network associated with your Azure Synapse workspace. Managed private endpoints establish a private link to Azure resources. You can only use private links in a workspace that has a Managed workspace Virtual Network.
 
+
 ### Impact
-Your Synapse workspace is not using the private endpoints
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

diff --git a/checks/cloud/azure/monitor/activity_log_retention_set.go b/checks/cloud/azure/monitor/activity_log_retention_set.go
@@ -27,7 +27,8 @@ var CheckActivityLogRetentionSet = rules.Register(
 			Links:               terraformActivityLogRetentionSetLinks,
 			RemediationMarkdown: terraformActivityLogRetentionSetRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, profile := range s.Azure.Monitor.LogProfiles {

diff --git a/checks/cloud/azure/monitor/activity_log_retention_set.rego b/checks/cloud/azure/monitor/activity_log_retention_set.rego
@@ -0,0 +1,54 @@
+# METADATA
+# title: Ensure the activity retention log is set to at least a year
+# description: |
+#   The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview
+# custom:
+#   id: AVD-AZU-0031
+#   avd_id: AVD-AZU-0031
+#   provider: azure
+#   service: monitor
+#   severity: MEDIUM
+#   short_code: activity-log-retention-set
+#   recommended_action: Set a retention period that will allow for delayed investigation
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: monitor
+#             provider: azure
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#retention_policy
+#     good_examples: checks/cloud/azure/monitor/activity_log_retention_set.tf.go
+#     bad_examples: checks/cloud/azure/monitor/activity_log_retention_set.tf.go
+package builtin.azure.monitor.azure0031
+
+import rego.v1
+
+deny contains res if {
+	some profile in input.azure.monitor.logprofiles
+	isManaged(profile)
+	not profile.retentionpolicy.enabled.value
+	res := result.new(
+		"Profile does not enable the log retention policy.",
+		object.get(profile, ["retentionpolicy", "enabled"], profile),
+	)
+}
+
+deny contains res if {
+	some profile in input.azure.monitor.logprofiles
+	isManaged(profile)
+	profile.retentionpolicy.enabled.value
+	not is_recommended_retention_policy(profile)
+	res := result.new(
+		"Profile has a log retention policy of less than 1 year.",
+		object.get(profile, ["retentionpolicy", "days"], profile),
+	)
+}
+
+is_recommended_retention_policy(profile) := profile.retentionpolicy.days.value >= 365
diff --git a/checks/cloud/azure/monitor/activity_log_retention_set_test.go b/checks/cloud/azure/monitor/activity_log_retention_set_test.go
diff --git a/checks/cloud/azure/monitor/activity_log_retention_set_test.rego b/checks/cloud/azure/monitor/activity_log_retention_set_test.rego
@@ -0,0 +1,33 @@
+package builtin.azure.monitor.azure0031_test
+
+import rego.v1
+
+import data.builtin.azure.monitor.azure0031 as check
+import data.lib.test
+
+test_deny_retention_policy_disabled if {
+	inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {"enabled": {"value": false}}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_deny_retention_policy_enabled_but_days_lt_365 if {
+	inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {
+		"enabled": {"value": true},
+		"days": {"value": 30},
+	}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_retention_policy_enabled_and_days_gt_365 if {
+	inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {
+		"enabled": {"value": true},
+		"days": {"value": 365},
+	}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 0
+}
diff --git a/checks/cloud/azure/monitor/capture_all_activities.go b/checks/cloud/azure/monitor/capture_all_activities.go
@@ -35,7 +35,8 @@ var CheckCaptureAllActivities = rules.Register(
 			Links:               terraformCaptureAllActivitiesLinks,
 			RemediationMarkdown: terraformCaptureAllActivitiesRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		required := []string{