Merge branch 'main' into patrick/fix-ClientAliveCountMax
mm-weber authored Jan 15, 2025
2 parents fdfa73b + a2f4dc6 commit d0b0913
Showing 9 changed files with 87 additions and 90 deletions.
3 changes: 0 additions & 3 deletions .github/actions/spelling/expect.txt
Expand Up @@ -43,7 +43,6 @@ crowdstrike
ctl
CUSTOMERID
CYAAAAAAAKEY
Cybercriminals
cyserver
deactivateduser
decomp
Expand Down Expand Up @@ -93,7 +92,6 @@ jsonencode
jwks
kickstart
lastlog
libssh
linux
localtime
logfile
Expand All @@ -104,7 +102,6 @@ Lsass
lsetxattr
lsws
marcellus
misrouting
MLE
moonbase
mpim
12 changes: 11 additions & 1 deletion .github/actions/spelling/line_forbidden.patterns
Expand Up @@ -66,6 +66,9 @@
# Industry Terms
#

# s.b. NetFlow
\bNetflow\b

# s.b. Side scanning
\b[Ss]idescanning\b

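Review bot: `\bNetflow\b` under `# s.b. NetFlow` is case-sensitive, so it flags `Netflow` but lets `netflow` and `NETFLOW` through; the neighbouring entry `\b[Ss]idescanning\b` uses a character class for exactly that reason, so `\b[Nn]etflow\b` would be consistent here (the same applies to the `\bDigicert\b` and `\bCloudFlare\b` patterns added further down) unless all-lowercase occurrences in identifiers or URLs are meant to be allowed.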
Expand Down Expand Up @@ -101,6 +104,12 @@
# Product Names
#

# s.b. DigiCert
\bDigicert\b

# s.b. Cloudflare
\bCloudFlare\b

# s.b. Memcached
\bMemCached\b

Expand Down Expand Up @@ -325,6 +334,7 @@

# s.b. Microsoft IIS
\bIIS Server\b

#
# VMware Products
#
Expand Down Expand Up @@ -718,4 +728,4 @@
\bunder stand\b

# find spaces before a comma
# ( )+, # disabled in this repo due to MQL false positives
( )+,
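Review bot: re-enabling `( )+,` removes the `# disabled in this repo due to MQL false positives` comment without saying what changed. If the `.mql.yaml` lines that produced those false positives have been cleaned up, that belongs in the commit or PR description; if they have not, the spelling workflow will now fail on every MQL line with a space before a comma. Keeping a one-line comment above the pattern noting why it is safe to enable again would save the next person from re-disabling it.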
51 changes: 13 additions & 38 deletions core/mondoo-azure-security.mql.yaml
Expand Up @@ -1241,7 +1241,7 @@ queries:
1. Navigate to the Azure Portal at https://portal.azure.com.
2. Go to **Key Vaults** and select a Key Vault.
3. Under **Monitoring**, select **Diagnostic settings**.
4. Verify that logging for both **AuditEvent** and **AllLogs** categories are enabled and that they are configured to send logs to an Azure Storage Account, Log Analytics workspace, or Event Hub.
4. Verify that logging for both **audit** and **allLogs** categories are enabled and that they are configured to send logs to an Azure Storage Account, Log Analytics workspace, or Event Hub.
**From Azure CLI:**
Expand All @@ -1251,7 +1251,7 @@ queries:
az monitor diagnostic-settings list --resource <Key Vault Resource ID> --output table
```
Ensure that the output shows that logs for AuditEvent and AllLogs categories are enabled and properly configured to a storage account or other supported destinations.
Ensure that the output shows that logs for audit and allLogs categories are enabled and properly configured to a storage account or other supported destinations.
**From PowerShell:**
Expand All @@ -1260,14 +1260,14 @@ queries:
Get-AzDiagnosticSetting -ResourceId $_.ResourceId
}
```
Verify that each Key Vault has AuditEvent and AllLogs enabled and is logging to the designated destinations.
Verify that each Key Vault has audit and allLogs enabled and is logging to the designated destinations.
remediation: |
### Microsoft Azure Portal
1. Log into Microsoft Azure Portal at https://portal.azure.com.
2. Visit `Key vaults` and select a vault.
3. Go to `Diagnostic settings`.
4. Edit an existing setting or add a new one, ensuring `AuditEvent` and `All logs` are selected.
4. Edit an existing setting or add a new one, ensuring `audit` and `All logs` are selected.
5. Set the appropriate destination for logs, such as an Azure storage account or Log Analytics workspace.
6. Save the configuration.
Expand All @@ -1276,15 +1276,15 @@ queries:
To create or update diagnostic settings for a Key Vault:
```bash
az monitor diagnostic-settings create --name "defaultLogs" --resource <Key Vault Resource ID> --logs '[{"category": "AuditEvent", "enabled": true}, {"category": "AllLogs", "enabled": true}]' --storage-account <Storage Account ID> | --workspace <Log Analytics Workspace ID> | --event-hub <Event Hub Name>
az monitor diagnostic-settings create --name "defaultLogs" --resource <Key Vault Resource ID> --logs '[{"category": "audit", "enabled": true}, {"category": "allLogs", "enabled": true}]' --storage-account <Storage Account ID> | --workspace <Log Analytics Workspace ID> | --event-hub <Event Hub Name>
```
**From PowerShell:**
```powershell
$logs = @(
New-AzDiagnosticSettingLogConfig -Category "AuditEvent" -Enabled $true
New-AzDiagnosticSettingLogConfig -Category "AllLogs" -Enabled $true
New-AzDiagnosticSettingLogConfig -Category "audit" -Enabled $true
New-AzDiagnosticSettingLogConfig -Category "allLogs" -Enabled $true
)
Set-AzDiagnosticSetting -ResourceId <Key Vault Resource ID> -Log $logs -StorageAccountId <Storage Account ID> | -WorkspaceId <Log Analytics Workspace ID> | -EventHubAuthorizationRuleId <Event Hub Authorization Rule ID> | -EventHubName <Event Hub Name>
```
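Review bot: the `az monitor diagnostic-settings create` and `New-AzDiagnosticSettingLogConfig` lines mix up categories and category groups. `audit` and `allLogs` are category groups; the only Key Vault log categories are `AuditEvent` and `AzurePolicyEvaluationDetails`, so `{"category": "audit", "enabled": true}` and `-Category "audit"` will be rejected by the API rather than produce the `categoryGroup` entries the MQL below looks for. Use `{"categoryGroup": "audit", "enabled": true}` / `{"categoryGroup": "allLogs", "enabled": true}` in the CLI call and `-CategoryGroup "audit"` / `-CategoryGroup "allLogs"` in PowerShell. Separately, the `| --workspace ... | --event-hub ...` alternatives inside one `bash` fence are not runnable as written; a short sentence saying to pick exactly one destination flag would be clearer than the pipe notation.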
Expand All @@ -1298,7 +1298,7 @@ queries:
log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
log {
category = "AuditEvent"
category = "audit"
enabled = true
retention_policy {
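Review bot: `category = "audit"` in the Terraform `log` block has the same category-vs-category-group problem: `audit` is a category group, so `azurerm_monitor_diagnostic_setting` needs `category_group = "audit"` here (and `category_group = "allLogs"` in the following block); with `category = "audit"` the apply fails because Key Vault has no log category by that name. The `log` block with `enabled` and `retention_policy` is also deprecated in current azurerm provider versions in favour of `enabled_log`, which takes `category_group` directly, so this is a good moment to switch the snippet over.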
Expand All @@ -1308,7 +1308,7 @@ queries:
}
log {
category = "AllLogs"
category = "allLogs"
enabled = true
retention_policy {
Expand All @@ -1332,42 +1332,17 @@ queries:
filters: |
asset.platform == "azure-keyvault-vault"
mql: |
// Step 1: Verify that diagnostic settings are configured for the Key Vault vaults.
azure.subscription.keyVault.vault.diagnosticSettings != empty
// Step 2: Confirm the presence and enablement of specific log categories within the diagnostic settings.
// The checks ensure that both 'audit' and 'allLogs' category groups are actively enabled for comprehensive logging.
azure.subscription.keyVault.vault.diagnosticSettings.all(properties.logs.any(categoryGroup == "AuditEvent"))
azure.subscription.keyVault.vault.diagnosticSettings.all(properties.logs.any(categoryGroup == "allLogs"))
azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "AuditEvent").all(enabled == true))
azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").all(enabled == true))
// Step 3: Ensure that there is an appropriate destination for the logs.
// Diagnostic settings should forward logs to one or more of the following destinations:
// an Azure Storage account, an Azure Monitor Log Analytics workspace, an event hub, or a partner solution.
// The existence of any of these destination settings confirms that the logs are not only enabled but also appropriately stored.
azure.subscription.keyVault.vault.diagnosticSettings.all(properties.eventHubAuthorizationRuleId != empty) ||
azure.subscription.keyVault.vault.diagnosticSettings.all(properties.workspaceId != empty) ||
azure.subscription.keyVault.vault.diagnosticSettings.all(properties.storageAccountId != empty) ||
azure.subscription.keyVault.vault.diagnosticSettings.all(properties.marketplacePartnerId != empty)
azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "audit").any(enabled == true))
azure.subscription.keyVault.vault.diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").any(enabled == true))
- uid: mondoo-azure-security-ensure-logging-enabled-kv-api
filters: |
asset.platform == "azure"
mql: |
// Step 1: Verify that diagnostic settings are configured for the Key Vault vaults.
azure.subscription.keyVault.vaults.all(diagnosticSettings != empty)
// Step 2: Confirm the presence and enablement of specific log categories within the diagnostic settings.
// The checks ensure that both 'audit' and 'allLogs' category groups are actively enabled for comprehensive logging.
azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.logs.any(categoryGroup == "AuditEvent")))
azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.logs.any(categoryGroup == "allLogs")))
azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "AuditEvent").all(enabled == true)))
azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").all(enabled == true)))
// Step 3: Ensure that there is an appropriate destination for the logs.
// Diagnostic settings should forward logs to one or more of the following destinations:
// an Azure Storage account, an Azure Monitor Log Analytics workspace, an event hub, or a partner solution.
// The existence of any of these destination settings confirms that the logs are not only enabled but also appropriately stored.
azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.eventHubAuthorizationRuleId != empty)) ||
azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.workspaceId != empty)) ||
azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.storageAccountId != empty)) ||
azure.subscription.keyVault.vaults.all(diagnosticSettings.all(properties.marketplacePartnerId != empty))
azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "audit").any(enabled == true)))
azure.subscription.keyVault.vaults.all(diagnosticSettings.any(properties.logs.where(categoryGroup == "allLogs").any(enabled == true)))
- uid: mondoo-azure-security-ensure-activity-log-alert-exists-for-create-update-delete-network-security-group
title: Ensure that activity log alerts exist for the commands Create, Update, and Delete Network Security Group
impact: 80
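Review bot: the rewritten checks require both the `audit` and the `allLogs` category group to be enabled, which fails vaults whose diagnostic setting enables the `AuditEvent` category directly (the older, still valid way to turn on Key Vault audit logging) or only `allLogs`, which already includes `audit`. Consider passing when any of those holds, e.g. `properties.logs.where(categoryGroup == "audit" || categoryGroup == "allLogs" || category == "AuditEvent").any(enabled == true)`. The change from `categoryGroup == "AuditEvent"` to `"audit"` itself is right, since `AuditEvent` was never a category group and the old assertion could not pass. The Step 3 destination assertions and all explanatory comments were dropped, while the audit and remediation text above still promises a storage account, Log Analytics workspace or event hub destination; either keep a destination check or align the text with what the query actually verifies.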
36 changes: 36 additions & 0 deletions core/mondoo-edr-policy.mql.yaml
Expand Up @@ -81,8 +81,14 @@ queries:
Please install an EDR agent on the system, e.g. SentinelOne, CrowdStrike, ESET Endpoint Security, Wazuh
variants:
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-edr-agent-is-installed-macos
filters: asset.platform == 'macos'
mql: |
Expand Down Expand Up @@ -119,20 +125,50 @@ queries:
Please install the EDR agent on the system, e.g. SentinelOne, CrowdStrike.
variants:
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-sentinelone-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-linux
tags:
mondoo.com/filter-title: linux
- uid: mondoo-edr-policy-ensure-eset-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-defender-agent-is-running-and-updated-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-wazuh-agent-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-sophos-endpoint-defense-is-running-windows
tags:
mondoo.com/filter-title: windows
- uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-macos
tags:
mondoo.com/filter-title: macos
- uid: mondoo-edr-policy-ensure-cortex-xdr-agent-is-running-windows
tags:
mondoo.com/filter-title: windows

- uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-macos
title: Ensure CrowdStrike Agent is running
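Review bot: the Wazuh entries `mondoo-edr-policy-ensure-wazuh-agent-is-running-macos` and `-windows` get `filter-title` tags for macOS and Windows only, while CrowdStrike, SentinelOne and ESET each list a `-linux` variant. If a Linux Wazuh variant exists elsewhere in the file it should be listed here as well; if it does not, the guidance line `Please install the EDR agent on the system, e.g. SentinelOne, CrowdStrike.` at the top of this hunk should say which agents the Linux check actually recognises. The same question applies to Sophos and Cortex XDR, which also have no `-linux` variant in this list.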