ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6413/azureresourcemanager/rule.adoc
Marcin Stachniuk 8dbe0e2ed2
Modify rule S6413: Defining a short log retention duration is security-sensitive, add Bicep format (#2743) 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
2023-08-03 08:42:07 +02:00

234 lines
6.7 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview[Azure Firewall Policy]:
[source,json,diff-id=1,diff-type=noncompliant]
----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2022-07-01",
"properties": {
"insights": {
"isEnabled": true,
"retentionDays": 7
}
}
}
]
}
----
[source,bicep,diff-id=2,diff-type=noncompliant]
----
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
properties: {
insights: {
isEnabled: true
retentionDays: 7 // Sensitive
}
}
}
----
Raise issue when `retentionDays` is smaller than `14`, but not `0` (zero), or if `isEnabled` is `false` or the `insights` block is missing.
For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkwatchers/flowlogs[Microsoft Network Network Watchers Flow Logs]:
[source,json,diff-id=3,diff-type=noncompliant]
----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/networkWatchers/flowLogs",
"apiVersion": "2022-07-01",
"properties": {
"retentionPolicy": {
"days": 7,
"enabled": true
}
}
}
]
}
----
[source,bicep,diff-id=4,diff-type=noncompliant]
----
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
properties: {
retentionPolicy: {
days: 7
enabled: true
}
}
}
----
Raise issue when `days` is smaller than `14`, but not `0` (zero), or if `enabled` is set to `false` or `retentionPolicy` is missing.
For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/servers/auditingsettings[Microsoft SQL Servers Auditing Settings]:
[source,json,diff-id=5,diff-type=noncompliant]
----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers/auditingSettings",
"apiVersion": "2021-11-01",
"properties": {
"retentionDays": 7
}
}
]
}
----
[source,bicep,diff-id=6,diff-type=noncompliant]
----
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
properties: {
retentionDays: 7 // Sensitive
}
}
----
Raise issue when retentionDays is smaller than `14`, but not `0` (zero).
The same case applies to other types (when `type` field is set to one of following):
* `Microsoft.DBforMariaDB/servers/securityAlertPolicies` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.dbformariadb/2018-06-01/servers/securityalertpolicies[Microsoft DB for MariaDB Servers Security Alert Policies]
* `Microsoft.Sql/servers/databases/securityAlertPolicies` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies[Microsoft Sql Servers Databases Security Alert Policies]
* `Microsoft.Sql/servers/auditingPolicies` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/auditingpolicies[Microsoft Sql Servers Auditing Policies]
* `Microsoft.Synapse/workspaces/auditingSettings` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.synapse/2021-06-01/workspaces/auditingsettings[Microsoft Synapse Workspaces Auditing Settings]
* `Microsoft.Synapse/workspaces/sqlPools/securityAlertPolicies` - for https://learn.microsoft.com/en-us/azure/templates/microsoft.synapse/workspaces/sqlpools/securityalertpolicies?pivots=deployment-language-bicep[Microsoft Synapse Workspaces Sql Pools Security Alert Policies]
== Compliant Solution
For https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview[Azure Firewall Policy]:
[source,json,diff-id=1,diff-type=compliant]
----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2022-07-01",
"properties": {
"insights": {
"isEnabled": true,
"retentionDays": 30
}
}
}
]
}
----
[source,bicep,diff-id=2,diff-type=compliant]
----
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
properties: {
insights: {
isEnabled: true
retentionDays: 30 // Compliant
}
}
}
----
For https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkwatchers/flowlogs[Microsoft Network Network Watchers Flow Logs]:
[source,json,diff-id=3,diff-type=compliant]
----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/networkWatchers/flowLogs",
"apiVersion": "2022-07-01",
"properties": {
"retentionPolicy": {
"days": 30,
"enabled": true
}
}
}
]
}
----
[source,bicep,diff-id=4,diff-type=compliant]
----
resource networkWatchersFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2022-07-01' = {
properties: {
retentionPolicy: {
days: 30 // Compliant
enabled: true
}
}
}
----
For https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/2021-11-01/servers/auditingsettings[Microsoft SQL Servers Auditing Settings]:
[source,json,diff-id=5,diff-type=compliant]
----
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers/auditingSettings",
"apiVersion": "2021-11-01",
"properties": {
"retentionDays": 30
}
}
]
}
----
[source,bicep,diff-id=6,diff-type=compliant]
----
resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
properties: {
retentionDays: 30 // Compliant
}
}
----
Above code also applies to other types defined in previous paragraph.
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Make sure that defining a short log retention duration is safe here.
* Omitting {parameter} results in a short log retention duration. Make sure it is safe here.
* Disabling {parameter} results in a short log retention duration. Make sure it is safe here.
include::../highlighting.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink