diff --git a/checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml b/checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml
new file mode 100644
index 00000000000..c762987dc03
--- /dev/null
+++ b/checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml
@@ -0,0 +1,61 @@
+metadata:
+ id: "CKV_AZURE_25"
+ name: "Azure SQL Server threat detection alerts are enabled for all threat types"
+ category: "LOGGING"
+definition:
+ and:
+ - cond_type: filter
+ attribute: resource_type
+ operator: within
+ value:
+ - Microsoft.Sql/servers
+ - Microsoft.Sql/servers/databases
+ - or:
+ - and:
+ - cond_type: connection
+ resource_types:
+ - Microsoft.Sql/servers
+ connected_resource_types:
+ - Microsoft.Sql/servers/securityAlertPolicies
+ operator: exists
+ - cond_type: attribute
+ resource_types:
+ - Microsoft.Sql/servers/securityAlertPolicies
+ attribute: properties.state
+ operator: equals
+ value: Enabled
+ - or:
+ - cond_type: attribute
+ resource_types:
+ - Microsoft.Sql/servers/securityAlertPolicies
+ attribute: properties.disabledAlerts
+ operator: is_empty
+ - cond_type: attribute
+ resource_types:
+ - Microsoft.Sql/servers/securityAlertPolicies
+ attribute: properties.disabledAlerts
+ operator: not_exists
+ - and:
+ - cond_type: connection
+ resource_types:
+ - Microsoft.Sql/servers/databases
+ connected_resource_types:
+ - Microsoft.Sql/servers/databases/securityAlertPolicies
+ operator: exists
+ - cond_type: attribute
+ resource_types:
+ - Microsoft.Sql/servers/databases/securityAlertPolicies
+ attribute: properties.state
+ operator: equals
+ value: Enabled
+ - or:
+ - cond_type: attribute
+ resource_types:
+ - Microsoft.Sql/servers/databases/securityAlertPolicies
+ attribute: properties.disabledAlerts
+ operator: is_empty
+ - cond_type: attribute
+ resource_types:
+ - Microsoft.Sql/servers/databases/securityAlertPolicies
+ attribute: properties.disabledAlerts
+ operator: not_exists
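Review bot: The `disabledAlerts` sub-conditions in both `or` blocks accept only a missing or empty list, so a policy written as `disabledAlerts: ['']` (a single empty string, a form Azure resource exports commonly emit when no alert type is disabled) would presumably not satisfy `is_empty` and would be reported as a finding even though every threat type is enabled; whether that is intended should be settled by a fixture case rather than left implicit. The `properties.state` comparison requires exactly `Enabled`, so the `New` state (policy never configured) fails as well, which is the strict and correct reading for a logging control. A short comment under `definition:` recording both decisions would save the next maintainer re-deriving them, e.g. `# state must be Enabled (New/Disabled fail); disabledAlerts must be absent or an empty list`.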
diff --git a/tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/expected.yaml b/tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/expected.yaml
new file mode 100644
index 00000000000..f914120a692
--- /dev/null
+++ b/tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/expected.yaml
@@ -0,0 +1,18 @@
+pass:
+ - 'Microsoft.Sql/servers.serverEnabled'
+ - 'Microsoft.Sql/servers.serverEnabledWithoutAlertsAttribute'
+ - 'Microsoft.Sql/servers/databases.databaseEnabled'
+ - 'Microsoft.Sql/servers/databases.databaseEnabledWithoutAlertsAttribute'
+fail:
+ - 'Microsoft.Sql/servers.serverWithoutSecurityPolicy'
+ - 'Microsoft.Sql/servers.serverDisabledState'
+ - 'Microsoft.Sql/servers.serverDisabledAlerts'
+ - 'Microsoft.Sql/servers.serverDisabled'
+ - 'Microsoft.Sql/servers/databases.databaseWithoutSecurityPolicy'
+ - 'Microsoft.Sql/servers/databases.databaseDisabledState'
+ - 'Microsoft.Sql/servers/databases.databaseDisabledAlerts'
+ - 'Microsoft.Sql/servers/databases.databaseDisabled'
+evaluated_keys:
+ - 'resource_type'
+ - 'properties/state'
+ - 'properties/disabledAlerts'
\ No newline at end of file
diff --git a/tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/main.bicep b/tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/main.bicep
new file mode 100644
index 00000000000..3994caa7709
--- /dev/null
+++ b/tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/main.bicep
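Review bot: The file is committed without a trailing newline (`\ No newline at end of file` after the last `evaluated_keys` entry); the sibling expected.yaml fixtures in this directory tree presumably end with one, so adding it keeps the fixtures uniform and avoids a spurious one-line diff the next time the list is edited. The pass/fail entries otherwise line up one-to-one with the resources in main.bicep.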
@@ -0,0 +1,224 @@
+// pass
+resource serverEnabled 'Microsoft.Sql/servers@2021-02-01-preview' = {
+ name: 'default'
+ location: location
+
+ properties: {
+ administratorLogin: sqlLogicalServer.userName
+ administratorLoginPassword: password
+ version: '12.0'
+ minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Enabled'
+ disabledAlerts: [
+ ]
+ }
+ }
+}
+
+resource serverEnabledWithoutAlertsAttribute 'Microsoft.Sql/servers@2021-02-01-preview' = {
+ name: 'default'
+ location: location
+
+ properties: {
+ administratorLogin: sqlLogicalServer.userName
+ administratorLoginPassword: password
+ version: '12.0'
+ minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Enabled'
+ }
+ }
+}
+
+resource databaseEnabled 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+ name: '${server.name}/${sqlDBName}'
+ location: location
+ sku: {
+ name: 'GP_S_Gen5_2'
+ tier: 'GeneralPurpose'
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Enabled'
+ disabledAlerts: [
+ ]
+ }
+ }
+}
+
+resource databaseEnabledWithoutAlertsAttribute 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+ name: '${server.name}/${sqlDBName}'
+ location: location
+ sku: {
+ name: 'GP_S_Gen5_2'
+ tier: 'GeneralPurpose'
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Enabled'
+ }
+ }
+}
+
+// fail
+resource serverWithoutSecurityPolicy 'Microsoft.Sql/servers@2021-02-01-preview' = {
+ name: 'default'
+ location: location
+
+ properties: {
+ administratorLogin: sqlLogicalServer.userName
+ administratorLoginPassword: password
+ version: '12.0'
+ minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+ }
+}
+
+resource serverDisabledState 'Microsoft.Sql/servers@2021-02-01-preview' = {
+ name: 'default'
+ location: location
+
+ properties: {
+ administratorLogin: sqlLogicalServer.userName
+ administratorLoginPassword: password
+ version: '12.0'
+ minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Disabled'
+ disabledAlerts: [
+ ]
+ }
+ }
+}
+
+resource serverDisabledAlerts 'Microsoft.Sql/servers@2021-02-01-preview' = {
+ name: 'default'
+ location: location
+
+ properties: {
+ administratorLogin: sqlLogicalServer.userName
+ administratorLoginPassword: password
+ version: '12.0'
+ minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Enabled'
+ disabledAlerts: [
+ 'disabledAlert'
+ ]
+ }
+ }
+}
+
+resource serverDisabled 'Microsoft.Sql/servers@2021-02-01-preview' = {
+ name: 'default'
+ location: location
+
+ properties: {
+ administratorLogin: sqlLogicalServer.userName
+ administratorLoginPassword: password
+ version: '12.0'
+ minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+ publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+ }
+
+ resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Disabled'
+ disabledAlerts: [
+ 'disabledAlert'
+ ]
+ }
+ }
+}
+
+resource databaseWithoutSecurityPolicy 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+ name: '${server.name}/${sqlDBName}'
+ location: location
+ sku: {
+ name: 'GP_S_Gen5_2'
+ tier: 'GeneralPurpose'
+ }
+}
+
+resource databaseDisabledState 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+ name: '${server.name}/${sqlDBName}'
+ location: location
+ sku: {
+ name: 'GP_S_Gen5_2'
+ tier: 'GeneralPurpose'
+ }
+
+ resource securityAlertPolicyDisabledAlerts 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Disabled'
+ disabledAlerts: [
+ ]
+ }
+ }
+}
+
+resource databaseDisabledAlerts 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+ name: '${server.name}/${sqlDBName}'
+ location: location
+ sku: {
+ name: 'GP_S_Gen5_2'
+ tier: 'GeneralPurpose'
+ }
+
+ resource securityAlertPolicyDisabledAlerts 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Enabled'
+ disabledAlerts: [
+ 'disabledAlert'
+ ]
+ }
+ }
+}
+
+resource databaseDisabled 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+ name: '${server.name}/${sqlDBName}'
+ location: location
+ sku: {
+ name: 'GP_S_Gen5_2'
+ tier: 'GeneralPurpose'
+ }
+
+ resource securityAlertPolicy 'securityAlertPolicies' = {
+ name: 'default'
+ properties: {
+ state: 'Disabled'
+ disabledAlerts: [
+ 'disabledAlert'
+ ]
+ }
+ }
+}
+
diff --git a/tests/bicep/graph/checks/test_yaml_policies.py b/tests/bicep/graph/checks/test_yaml_policies.py
index 8824b5ec52b..92a0ac6683a 100644
--- a/tests/bicep/graph/checks/test_yaml_policies.py
+++ b/tests/bicep/graph/checks/test_yaml_policies.py
@@ -39,6 +39,9 @@ def test_SQLServerAuditingEnabled(self):
 def test_SQLServerAuditingRetention90Days(self):
 self.go("SQLServerAuditingRetention90Days")
+ def test_SQLServerThreatDetectionTypes(self):
+ self.go("SQLServerThreatDetectionTypes")
+
 def test_registry_load(self):
 registry = self.get_checks_registry()
 self.assertGreater(len(registry.checks), 0)
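Review bot: The fixture uses `location`, `sqlLogicalServer`, `password`, `server` and `sqlDBName` without declaring them anywhere in the file, so it is not valid Bicep on its own and would not pass `bicep build`; if checkov's Bicep parser tolerates unresolved identifiers this is harmless for the graph test, but a few `param` declarations at the top (e.g. `param location string`, `param password string`) would keep the fixture usable as real Bicep and make it obvious the references are intentional. Every `securityAlertPolicies` child is named `'default'`, which matches how Azure expects that child to be named and is fine here. A one-line comment above each resource naming the condition it exercises, such as `// fails: state is Disabled` above `serverDisabledState`, would make the mapping to expected.yaml easier to maintain as cases are added.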