Skip to content

Commit

Permalink
more dummy rules
Browse files Browse the repository at this point in the history
  • Loading branch information
@orouz
orouz committed Mar 13, 2024
1 parent 09bf8c2 commit 5b9fb1e
Show file tree
Hide file tree
Showing 6 changed files with 399 additions and 0 deletions.
103 changes: 103 additions & 0 deletions security-policies/bundle/compliance/cis_azure/rules/cis_4_2_2/data.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
metadata:
id: 49320fd4-4abc-58d2-95cd-ec5c674015d4
name: Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting
a Storage Account
profile_applicability: '* Level 2'
description: |-
Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.
rationale: |-
Enabling Microsoft Defender for SQL server does not enables Vulnerability Assessment capability for individual SQL databases unless storage account is set to store the scanning data and reports.
The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable.
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.
audit: |-
**From Azure Portal**
1. Go to `SQL servers`
2. Select a server instance
3. Click on `Security Center`
4. Ensure that `Microsoft Defender for SQL` is set to `Enabled`
5. Select `Configure` next to `Enabled at subscription-level`
6. In Section `Vulnerability Assessment Settings`, Ensure `Storage Accounts` does not read `Select Storage account` with no storage accounts listed under the `Storage account` heading.
**From PowerShell**
Get the list of all SQL Servers
```
Get-AZSqlServer
```
For each Server
```
Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName <resource group name> -ServerName <server name>
```
Ensure that value for parameter `StorageAccountName` is not `empty` (blank).
Sample Output:
```
ResourceGroupName : ResourceGroup01
ServerName : Server01
StorageAccountName : mystorage
ScanResultsContainerName : vulnerability-assessment
RecurringScansInterval : None
EmailSubscriptionAdmins : False
NotificationEmail : {}
```
remediation: |-
**From Azure Portal**
1. Go to `SQL servers`
2. Select a server instance
3. Click on `Security Center`
4. Select `Configure` next to `Enabled at subscription-level`
5. In Section `Vulnerability Assessment Settings`, Click `Select Storage account`
6. Choose Storage Account (Existing or `Create New`). Click `Ok`
7. Click `Save`
**From PowerShell**
If not already, Enable `Microsoft Defender for a SQL`:
```
Set-AZSqlServerThreatDetectionPolicy -ResourceGroupName <resource group name> -ServerName <server name> -EmailAdmins $True
```
To enable ADS-VA service by setting Storage Account
```
Update-AzSqlServerVulnerabilityAssessmentSetting `
-ResourceGroupName "<resource group name>"`
-ServerName "<Server Name>"`
-StorageAccountName "<Storage Name from same subscription and same Location" `
-ScanResultsContainerName "vulnerability-assessment" `
-RecurringScansInterval Weekly `
-EmailSubscriptionAdmins $true `
-NotificationEmail @("mail1@mail.com" , "mail2@mail.com")
```
impact: Enabling the `Microsoft Defender for SQL` features will incur additional
costs for each SQL server.
default_value: ''
references: |-
1. https://docs.microsoft.com/en-us/azure/sql-database/sql-vulnerability-assessment
2. https://docs.microsoft.com/en-us/rest/api/sql/servervulnerabilityassessments/listbyserver
3. https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Update-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
4. https://docs.microsoft.com/en-in/powershell/module/Az.Sql/Get-AzSqlServerVulnerabilityAssessmentSetting?view=azps-2.6.0
5. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-6-perform-software-vulnerability-assessments
section: SQL Server - Microsoft Defender for SQL
version: '1.0'
tags:
- CIS
- AZURE
- CIS 4.2.2
- SQL Server - Microsoft Defender for SQL
benchmark:
name: CIS Microsoft Azure Foundations
version: v2.0.0
id: cis_azure
rule_number: 4.2.2
posture_type: cspm
27 changes: 27 additions & 0 deletions security-policies/bundle/compliance/cis_azure/rules/cis_4_2_2/rule.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
package compliance.cis_azure.rules.cis_4_2_1

import data.compliance.lib.common
import data.compliance.policy.azure.data_adapter
import future.keywords.every
import future.keywords.if

finding = result if {
# filter
data_adapter.is_sql_server

# set result
result := common.generate_result_without_expected(
common.calculate_result(is_defender_on),
{"Resource": data_adapter.resource},
)
}

default is_defender_on = false

is_defender_on if {
count(data_adapter.resource.extension.sqlAdvancedThreatProtectionSettings) > 0

every setting in data_adapter.resource.extension.sqlAdvancedThreatProtectionSettings {
setting.properties.state == "Enabled"
}
}
46 changes: 46 additions & 0 deletions security-policies/bundle/compliance/cis_azure/rules/cis_4_2_2/test.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
package compliance.cis_azure.rules.cis_4_2_1

import data.cis_azure.test_data
import data.compliance.policy.azure.data_adapter
import data.lib.test
import future.keywords.if

test_violation if {
eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlAdvancedThreatProtectionSettings": []})
eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlAdvancedThreatProtectionSettings": [{"properties": {"state": "Disabled"}}]})
eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlAdvancedThreatProtectionSettings": [
{"properties": {"state": "Disabled"}},
{"properties": {"state": "Enabled"}},
]})
eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlAdvancedThreatProtectionSettings": [
{"properties": {"state": "Disabled"}},
{"properties": {"state": "Disabled"}},
]})

eval_fail with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {})
}

test_pass if {
eval_pass with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlAdvancedThreatProtectionSettings": [{"properties": {"state": "Enabled"}}]})
eval_pass with input as test_data.generate_azure_asset_with_ext("azure-sql-server", {}, {"sqlAdvancedThreatProtectionSettings": [
{"properties": {"state": "Enabled"}},
{"properties": {"state": "Enabled"}},
{"properties": {"state": "Enabled"}},
]})
}

test_not_evaluated if {
not_eval with input as test_data.not_eval_non_exist_type
}

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
}

eval_pass if {
test.assert_pass(finding) with data.benchmark_data_adapter as data_adapter
}

not_eval if {
not finding with data.benchmark_data_adapter as data_adapter
}
104 changes: 104 additions & 0 deletions security-policies/bundle/compliance/cis_gcp/rules/cis_2_15/data.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
metadata:
id: 43f5d256-b75d-559b-982e-532d707a7f40
name: Ensure 'Access Approval' is 'Enabled'
profile_applicability: '* Level 2'
description: |-
GCP Access Approval enables you to require your organizations' explicit approval whenever Google support try to access your projects.
You can then select users within your organization who can approve these requests through giving them a security role in IAM.
All access requests display which Google Employee requested them in an email or Pub/Sub message that you can choose to Approve.
This adds an additional control and logging of who in your organization approved/denied these requests.
rationale: |-
Controlling access to your information is one of the foundations of information security.
Google Employees do have access to your organizations' projects for support reasons.
With Access Approval, organizations can then be certain that their information is accessed by only approved Google Personnel.
audit: |-
**From Google Cloud Console**
**Determine if Access Transparency is Enabled as it is a Dependency**
1. From the Google Cloud Home inside the project you wish to audit, click on the Navigation hamburger menu in the top left. Hover over the `IAM & Admin` Menu. Select `settings` in the middle of the column that opens.
2. The status should be "Enabled' under the heading `Access Transparency`
**Determine if Access Approval is Enabled**
3. From the Google Cloud Home, within the project you wish to check, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens.
4. The status will be displayed here. If you see a screen saying you need to enroll in Access Approval, it is not enabled.
**From Google Cloud CLI**
**Determine if Access Approval is Enabled**
5. From within the project you wish to audit, run the following command.
```
gcloud access-approval settings get
```
6. The status will be displayed in the output.
IF Access Approval is not enabled you should get this output:
```
API [accessapproval.googleapis.com] not enabled on project [-----].
Would you like to enable and retry (this will take a few minutes)? (y/N)?
```
After entering `Y` if you get the following output, it means that `Access Transparency` is not enabled:
```
ERROR: (gcloud.access-approval.settings.get) FAILED_PRECONDITION: Precondition check failed.
```
remediation: |-
**From Google Cloud Console**
1. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens.
2. The status will be displayed here. On this screen, there is an option to click `Enroll`. If it is greyed out and you see an error bar at the top of the screen that says `Access Transparency is not enabled` please view the corresponding reference within this section to enable it.
3. In the second screen click `Enroll`.
**Grant an IAM Group or User the role with permissions to Add Users to be Access Approval message Recipients**
4. From the Google Cloud Home, within the project you wish to enable, click on the Navigation hamburger menu in the top left. Hover over the `IAM and Admin`. Select `IAM` in the middle of the column that opens.
5. Click the blue button the says `+ ADD` at the top of the screen.
6. In the `principals` field, select a user or group by typing in their associated email address.
7. Click on the role field to expand it. In the filter field enter `Access Approval Approver` and select it.
8. Click `save`.
**Add a Group or User as an Approver for Access Approval Requests**
9. As a user with the `Access Approval Approver` permission, within the project where you wish to add an email address to which request will be sent, click on the Navigation hamburger menu in the top left. Hover over the `Security` Menu. Select `Access Approval` in the middle of the column that opens.
10. Click `Manage Settings`
11. Under `Set up approval notifications`, enter the email address associated with a Google Cloud User or Group you wish to send Access Approval requests to. All future access approvals will be sent as emails to this address.
**From Google Cloud CLI**
12. To update all services in an entire project, run the following command from an account that has permissions as an 'Approver for Access Approval Requests'
```
gcloud access-approval settings update --project=<project name> --enrolled_services=all --notification_emails='<email recipient for access approval requests>@<domain name>'
```
impact: |-
To use Access Approval your organization will need have enabled Access Transparency and have at one of the following support level: Enhanced or Premium. There will be subscription costs associated with these support levels, as well as increased storage costs for storing the logs. You will also not be able to turn the Access Transparency which Access Approval depends on, off yourself. To do so you will need to submit a service request to Google Cloud Support. There will also be additional overhead in managing user permissions. There may also be a potential delay in support times as Google Personnel will have to wait for their access to be approved.
default_value: ''
references: |-
1. https://cloud.google.com/cloud-provider-access-management/access-approval/docs
2. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/overview
3. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/quickstart-custom-key
4. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/supported-services
5. https://cloud.google.com/cloud-provider-access-management/access-approval/docs/view-historical-requests
section: Logging and Monitoring
version: '1.0'
tags:
- CIS
- GCP
- CIS 2.15
- Logging and Monitoring
benchmark:
name: CIS Google Cloud Platform Foundation
version: v2.0.0
id: cis_gcp
rule_number: '2.15'
posture_type: cspm
34 changes: 34 additions & 0 deletions security-policies/bundle/compliance/cis_gcp/rules/cis_2_15/rule.rego
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package compliance.cis_gcp.rules.cis_2_1

import data.compliance.lib.common
import data.compliance.policy.gcp.data_adapter
import future.keywords.if
import future.keywords.in

finding = result if {
data_adapter.is_policies_resource

result := common.generate_result_without_expected(
common.calculate_result(cloud_logging_is_configured),
input.resource,
)
}

cloud_logging_is_configured if {
policy := input.resource[_].iam_policy
has_read_write_logs(policy)
not has_exempted_members(policy)
} else = false

has_read_write_logs(policy) if {
log_types := {t | t = policy.audit_configs[i].audit_log_configs[j].log_type}
1 in log_types # "ADMIN_READ"
2 in log_types # "DATA_WRITE"
3 in log_types # "DATA_READ"
policy.audit_configs[_].service == "allServices"
} else = false

has_exempted_members(policy) if {
configs := policy.audit_configs[_].audit_log_configs[_]
count(configs.exempted_members) > 0
} else = false
Loading

0 comments on commit 5b9fb1e

Please sign in to comment.