Modify rule S6413: Defining a short log retention duration is security-sensitive, add Bicep format (#2743)

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
Marcin Stachniuk 2023-08-03 08:42:07 +02:00 committed by GitHub
parent b9614645f8
commit 8dbe0e2ed2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -28,6 +28,18 @@ For https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview[Azur
}
----
[source,bicep,diff-id=2,diff-type=noncompliant]
----
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
properties: {
insights: {
isEnabled: true
retentionDays: 7 // Sensitive
}
}
}
----
Raise issue when `retentionDays` is smaller than `14`, but not `0` (zero), or if `isEnabled` is `false` or the `insights` block is missing.
For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkwatchers/flowlogs[Microsoft Network Network Watchers Flow Logs]:
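Review bot: the Bicep snippet declares `resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01'` without a `name` property, which Bicep requires on every resource declaration, so the sample as written does not compile; adding a line such as `name: 'example'` above `properties` keeps the noncompliant example self-contained for readers who paste it into a file. The hunk header also still links the Azure Firewall policy docs on `docs.microsoft.com` while the other sections use `learn.microsoft.com`; worth aligning while the section is being touched.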
@ -52,6 +64,18 @@ For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkw
}
----
[source,bicep,diff-id=4,diff-type=noncompliant]
----
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
properties: {
retentionPolicy: {
days: 7
enabled: true
}
}
}
----
Raise issue when `days` is smaller than `14`, but not `0` (zero), or if `enabled` is set to `false` or `retentionPolicy` is missing.
For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/servers/auditingsettings[Microsoft SQL Servers Auditing Settings]:
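Review bot: `days: 7` in the flowLogs snippet is missing the `// Sensitive` marker that the firewall policy snippet puts on `retentionDays: 7 // Sensitive`; add it so the flagged line is identifiable in this noncompliant example, consistent with the other Bicep samples in this change.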
@ -73,6 +97,15 @@ For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/s
}
----
[source,bicep,diff-id=6,diff-type=noncompliant]
----
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
properties: {
retentionDays: 7 // Sensitive
}
}
----
Raise issue when retentionDays is smaller than `14`, but not `0` (zero).
The same case applies to other types (when `type` field is set to one of following):
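Review bot: the sentence closing this hunk, "when `type` field is set to one of following", describes the ARM JSON shape; in Bicep the type is the string in the resource header (`'Microsoft.Sql/servers/auditingSettings@2021-11-01'`), not a `type` field, so now that a Bicep sample precedes it the wording should say that the resource type in the declaration is one of the listed values. Minor: `retentionDays` in "Raise issue when retentionDays is smaller than" lacks the backticks used in the equivalent sentences above.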
@ -107,6 +140,17 @@ For https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview[Azur
}
----
[source,bicep,diff-id=2,diff-type=compliant]
----
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
properties: {
insights: {
isEnabled: true
retentionDays: 30 // Compliant
}
}
}
----
For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkwatchers/flowlogs[Microsoft Network Network Watchers Flow Logs]:
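Review bot: the compliant Bicep example only shows `retentionDays: 30 // Compliant`, while the noncompliant section states that `0` (zero) is not flagged; a second compliant variant or a short remark covering `retentionDays: 0` would document that exemption explicitly instead of leaving readers to infer it from the threshold sentence.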
@ -130,6 +174,18 @@ For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkw
}
----
[source,bicep,diff-id=4,diff-type=compliant]
----
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
properties: {
retentionPolicy: {
days: 30 // Compliant
enabled: true
}
}
}
----
For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/servers/auditingsettings[Microsoft SQL Servers Auditing Settings]:
[source,json,diff-id=5,diff-type=compliant]
@ -149,6 +205,15 @@ For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/s
}
----
[source,bicep,diff-id=6,diff-type=compliant]
----
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
properties: {
retentionDays: 30 // Compliant
}
}
----
Above code also applies to other types defined in previous paragraph.
ifdef::env-github,rspecator-view[]