Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(checks): migrate Azure monitor, network, synapse, securitycenter to Rego #202

Merged
merged 7 commits into from
Aug 22, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion avd_docs/azure/monitor/AVD-AZU-0031/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.


### Impact
Short life activity logs can lead to missing records when investigating a breach
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/azure/monitor/AVD-AZU-0032/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Log profiles should capture all regions to ensure that all events are logged


### Impact
Activity may be occurring in locations that aren't being monitored
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion avd_docs/azure/monitor/AVD-AZU-0033/docs.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@

Log profiles should capture all categories to ensure that all events are logged


### Impact
Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 2 additions & 2 deletions avd_docs/azure/network/AVD-AZU-0047/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.


### Impact
The port is exposed for ingress from the internet
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 2 additions & 2 deletions avd_docs/azure/network/AVD-AZU-0048/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

RDP access can be configured on either the network security group or in the network security group rule.

RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.


### Impact
Anyone from the internet can potentially RDP onto an instance
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
10 changes: 6 additions & 4 deletions avd_docs/azure/network/AVD-AZU-0049/docs.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,13 @@

Flow logs are the source of truth for all network activity in your cloud environment.
To enable analysis in security event that was detected late, you need to have the logs available.

Flow logs are the source of truth for all network activity in your cloud environment.

To enable analysis in security event that was detected late, you need to have the logs available.

Setting an retention policy will help ensure as much information is available for review.


### Impact
Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 3 additions & 3 deletions avd_docs/azure/network/AVD-AZU-0050/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

SSH access can be configured on either the network security group or in the network security group rule.

SSH access can be configured on either the network security group or in the network security group rule.
SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)


### Impact
Its dangerous to allow SSH access from the internet
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 2 additions & 2 deletions avd_docs/azure/network/AVD-AZU-0051/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@

Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.


### Impact
The port is exposed for egress to the internet
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
2 changes: 1 addition & 1 deletion avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

Set alert notifications to be on
Set alert notifications to be on

```hcl
resource "azurerm_security_center_contact" "good_example" {
Expand Down
6 changes: 4 additions & 2 deletions avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@

It is recommended that at least one valid contact is configured for the security center.
It is recommended that at least one valid contact is configured for the security center.

Microsoft will notify the security contact directly in the event of a security incident using email and require alerting to be turned on.


### Impact
The ability to react to high severity notifications could be delayed
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
7 changes: 4 additions & 3 deletions avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@

To benefit from Azure Defender you should use the Standard subscription tier.

Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.

Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.


### Impact
Using free subscription does not enable Azure Defender for the resource type
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
6 changes: 4 additions & 2 deletions avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@

It is recommended that at least one valid contact is configured for the security center.
It is recommended that at least one valid contact is configured for the security center.

Microsoft will notify the security contact directly in the event of a security incident and will look to use a telephone number in cases where a prompt response is required.


### Impact
Without a telephone number set, Azure support can't contact
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
4 changes: 3 additions & 1 deletion avd_docs/azure/synapse/AVD-AZU-0034/docs.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,12 @@
Synapse Workspace does not have managed virtual network enabled by default.

When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network.

Managed private endpoints are private endpoints created in a Managed Virtual Network associated with your Azure Synapse workspace. Managed private endpoints establish a private link to Azure resources. You can only use private links in a workspace that has a Managed workspace Virtual Network.


### Impact
Your Synapse workspace is not using the private endpoints
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
Expand Down
3 changes: 2 additions & 1 deletion checks/cloud/azure/monitor/activity_log_retention_set.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,8 @@ var CheckActivityLogRetentionSet = rules.Register(
Links: terraformActivityLogRetentionSetLinks,
RemediationMarkdown: terraformActivityLogRetentionSetRemediationMarkdown,
},
Severity: severity.Medium,
Severity: severity.Medium,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {
for _, profile := range s.Azure.Monitor.LogProfiles {
Expand Down
54 changes: 54 additions & 0 deletions checks/cloud/azure/monitor/activity_log_retention_set.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# METADATA
# title: Ensure the activity retention log is set to at least a year
# description: |
# The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview
# custom:
# id: AVD-AZU-0031
# avd_id: AVD-AZU-0031
# provider: azure
# service: monitor
# severity: MEDIUM
# short_code: activity-log-retention-set
# recommended_action: Set a retention period that will allow for delayed investigation
# input:
# selector:
# - type: cloud
# subtypes:
# - service: monitor
# provider: azure
# terraform:
# links:
# - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#retention_policy
# good_examples: checks/cloud/azure/monitor/activity_log_retention_set.tf.go
# bad_examples: checks/cloud/azure/monitor/activity_log_retention_set.tf.go
package builtin.azure.monitor.azure0031

import rego.v1

deny contains res if {
some profile in input.azure.monitor.logprofiles
isManaged(profile)
not profile.retentionpolicy.enabled.value
res := result.new(
"Profile does not enable the log retention policy.",
object.get(profile, ["retentionpolicy", "enabled"], profile),
)
}

deny contains res if {
some profile in input.azure.monitor.logprofiles
isManaged(profile)
profile.retentionpolicy.enabled.value
not is_recommended_retention_policy(profile)
res := result.new(
"Profile has a log retention policy of less than 1 year.",
object.get(profile, ["retentionpolicy", "days"], profile),
)
}

is_recommended_retention_policy(profile) := profile.retentionpolicy.days.value >= 365
89 changes: 0 additions & 89 deletions checks/cloud/azure/monitor/activity_log_retention_set_test.go

This file was deleted.

33 changes: 33 additions & 0 deletions checks/cloud/azure/monitor/activity_log_retention_set_test.rego
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
package builtin.azure.monitor.azure0031_test

import rego.v1

import data.builtin.azure.monitor.azure0031 as check
import data.lib.test

test_deny_retention_policy_disabled if {
inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {"enabled": {"value": false}}}]}}}

res := check.deny with input as inp
count(res) == 1
}

test_deny_retention_policy_enabled_but_days_lt_365 if {
inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {
"enabled": {"value": true},
"days": {"value": 30},
}}]}}}

res := check.deny with input as inp
count(res) == 1
}

test_allow_retention_policy_enabled_and_days_gt_365 if {
inp := {"azure": {"monitor": {"logprofiles": [{"retentionpolicy": {
"enabled": {"value": true},
"days": {"value": 365},
}}]}}}

res := check.deny with input as inp
count(res) == 0
}
3 changes: 2 additions & 1 deletion checks/cloud/azure/monitor/capture_all_activities.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,8 @@ var CheckCaptureAllActivities = rules.Register(
Links: terraformCaptureAllActivitiesLinks,
RemediationMarkdown: terraformCaptureAllActivitiesRemediationMarkdown,
},
Severity: severity.Medium,
Severity: severity.Medium,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {
required := []string{
Expand Down
Loading