
Audit diagnostic setting for selected resource types: false positive for microsoft.automation/automationaccounts, microsoft.keyvault/vaults, and microsoft.network/publicipaddresses #1370

Open
sanderaernouts opened this issue Aug 20, 2024 · 0 comments

@sanderaernouts
Details of the scenario you tried and the problem that is occurring

When the Audit diagnostic setting for selected resource types policy is assigned in a scope that contains a resource of type microsoft.automation/automationaccounts, microsoft.keyvault/vaults, or microsoft.network/publicipaddresses, then the policy will flag these resources as Non-Compliant. The policy checks for the existence of the field Microsoft.Insights/diagnosticSettings/logs.enabled with a value of true.

However, the Microsoft.Insights/diagnosticSettings resources for microsoft.automation/automationaccounts, microsoft.keyvault/vaults, and microsoft.network/publicipaddresses are different from most resource types. Below is the difference:

```diff
"properties": {
        "logs": [
+           {
+               "category": null,
+               "categoryGroup": "audit",
+               "enabled": false,
+               "retentionPolicy": {
+                   "days": 0,
+                   "enabled": false
+               }
+           },
            {
                "category": null,
                "categoryGroup": "allLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            }
        ],
        "metrics": [
            {
                "timeGrain": null,
                "enabled": false,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                },
                "category": "AllMetrics"
            }
        ],
```

Because `logs` contains both the `audit` and `allLogs` categories, and `audit` has `"enabled": false`, the policy flags this resource as Non-Compliant.

Verbose logs showing the problem

N/A

Suggested solution to the issue

Flag a resource as compliant if at least one log.enabled = true is found.

If policy is Guest Configuration - details about target node

N/A
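As an added illustration of the suggested solution (not part of this issue and not the repository's own definition), the existence condition below uses Azure Policy's `count` expression so that a diagnostic setting is treated as compliant as soon as at least one entry in `logs[*]` has `enabled` equal to `true`, instead of requiring every entry to match. The parameter name `listOfResourceTypes` and the surrounding rule layout are assumptions and may differ from the built-in policy.

```json
{
  "policyRule": {
    "if": {
      "field": "type",
      "in": "[parameters('listOfResourceTypes')]"
    },
    "then": {
      "effect": "AuditIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {
          "anyOf": [
            {
              "count": {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                "where": {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                  "equals": "true"
                }
              },
              "greaterOrEquals": 1
            },
            {
              "count": {
                "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
                "where": {
                  "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
                  "equals": "true"
                }
              },
              "greaterOrEquals": 1
            }
          ]
        }
      }
    }
  }
}
```

Against the diagnostic setting shown above, the first `count` evaluates to 1 (the `allLogs` entry), so the resource is reported compliant even though the `audit` entry is disabled.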
