From aa1d8509a5b161d47281a41e736cff032fb6eae6 Mon Sep 17 00:00:00 2001
From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
Date: Mon, 18 Sep 2023 17:25:58 +0200
Subject: [PATCH] APPSEC-1087: S6413 Improve RSPEC (#3091)

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
---
 rules/S6413/azureresourcemanager/rule.adoc | 14 ++++----------
 rules/S6413/recommended.adoc | 4 ++--
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/rules/S6413/azureresourcemanager/rule.adoc b/rules/S6413/azureresourcemanager/rule.adoc
index 165b6df819..ea1a6ef81d 100644
--- a/rules/S6413/azureresourcemanager/rule.adoc
+++ b/rules/S6413/azureresourcemanager/rule.adoc
@@ -41,8 +41,6 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
 }
 ----

-Raise issue when `retentionDays` is smaller than `14`, but not `0` (zero), or if `isEnabled` is `false` or the `insights` block is missing.
-
 For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkwatchers/flowlogs[Microsoft Network Network Watchers Flow Logs]:

 [source,json,diff-id=3,diff-type=noncompliant]
@@ -78,8 +76,6 @@ resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@202
 }
 ----

-Raise issue when `days` is smaller than `14`, but not `0` (zero), or if `enabled` is set to `false` or `retentionPolicy` is missing.
-
 For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/servers/auditingsettings[Microsoft SQL Servers Auditing Settings]:

 [source,json,diff-id=5,diff-type=noncompliant]
@@ -110,9 +106,7 @@ resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
 }
 ----

-Raise issue when retentionDays is smaller than `14`, but not `0` (zero).
-
-The same case applies to other types (when `type` field is set to one of following):
+This rule also applies to log retention periods that are too short, on the following resources:

 * `Microsoft.DBforMariaDB/servers/securityAlertPolicies` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/2018-06-01/servers/securityalertpolicies[Microsoft DB for MariaDB Servers Security Alert Policies]
 * `Microsoft.Sql/servers/databases/securityAlertPolicies` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies[Microsoft Sql Servers Databases Security Alert Policies]
@@ -151,7 +145,7 @@ resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
 properties: {
 insights: {
 isEnabled: true
- retentionDays: 30 // Compliant
+ retentionDays: 30
 }
 }
 }
@@ -185,7 +179,7 @@ For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkw
 resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
 properties: {
 retentionPolicy: {
- days: 30 // Compliant
+ days: 30
 enabled: true
 }
 }
@@ -217,7 +211,7 @@ For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/s
 ----
 resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
 properties: {
- retentionDays: 30 // Compliant
+ retentionDays: 30
 }
 }
 ----
diff --git a/rules/S6413/recommended.adoc b/rules/S6413/recommended.adoc
index 029d8427ed..165ec3a13f 100644
--- a/rules/S6413/recommended.adoc
+++ b/rules/S6413/recommended.adoc
@@ -1,4 +1,4 @@
 == Recommended Secure Coding Practices

-Setting log retention period to 14 days is the bare minimum.
-It's recommended to increase it to 30 days or above.
+Increase the log retention period to an amount of time sufficient
+enough to be able to investigate and restore service in case of an incident.
\ No newline at end of file