Commit f03aa4c

Merge remote-tracking branch 'upstream/main' into add-cdr-label
2 parents 450a684 + 49f2750 commit f03aa4c

95 files changed: +10832 -73 lines changed

packages/aws/manifest.yml

Lines changed: 1 addition & 0 deletions
@@ -708,6 +708,7 @@ policy_templates:
708708
- inspector
709709
categories:
710710
- security
711+
- cloudsecurity_cdr
711712
inputs:
712713
- type: httpjson
713714
title: Collect AWS Inspector logs via API
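Review bot: the new `cloudsecurity_cdr` entry under `categories` of the `inspector` policy template is a package-level manifest change, but no matching `packages/aws/changelog.yml` entry or version bump appears in this diff (only the cloud_security_posture changelog records the label); add one, and confirm `cloudsecurity_cdr` is an accepted category value in the package spec so the manifest still validates.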

packages/cloud_security_posture/changelog.yml

Lines changed: 4 additions & 1 deletion
@@ -7,11 +7,14 @@
77
# 1.4.x - 8.9.x
88
# 1.3.x - 8.8.x
99
# 1.2.x - 8.7.x
10-
- version: "1.8.0-preview07"
10+
- version: "1.8.0-preview08"
1111
changes:
1212
- description: Add cloudsecurity_cdr sub category label.
1313
type: enhancement
1414
link: https://github.com/elastic/integrations/pull/9213
15+
- description: Add missing CIS Azure rule templates
16+
type: enhancement
17+
link: https://github.com/elastic/integrations/pull/9211
1518
- description: Rollback CIS Azure Rules 9.3,9.10
1619
type: bugfix
1720
link: https://github.com/elastic/integrations/pull/8799
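Review bot: the merge folds two changes (the PR 9213 `cloudsecurity_cdr` label and the PR 9211 CIS Azure templates) under a single bumped version `1.8.0-preview08`, so confirm that `packages/cloud_security_posture/manifest.yml` carries the same `1.8.0-preview08`, since that file is not in the visible diff. Style: the new description `Add missing CIS Azure rule templates` omits the trailing period used by the neighbouring `Add cloudsecurity_cdr sub category label.` entry.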
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
{
2+
"id": "01629238-aea8-5737-a59b-45baf8dab404",
3+
"type": "csp-rule-template",
4+
"attributes": {
5+
"metadata": {
6+
"impact": "**NOTE:** You must have your key vault setup to utilize this.\nAll Audit Logs will be encrypted with a key you provide. You will need to set up customer managed keys separately, and you will select which key to use via the instructions here. You will be responsible for the lifecycle of the keys, and will need to manually replace them at your own determined intervals to keep the data secure.",
7+
"default_value": "",
8+
"references": "1. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-5-encrypt-sensitive-data-at-rest\n2. https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=cli#managing-legacy-log-profiles",
9+
"id": "01629238-aea8-5737-a59b-45baf8dab404",
10+
"name": "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key",
11+
"profile_applicability": "* Level 2",
12+
"description": "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).",
13+
"rationale": "Configuring the storage account with the activity log export container to use CMKs provides additional confidentiality controls on log data, as a given user must have read permission on the corresponding storage account and must be granted decrypt permission by the CMK.",
14+
"audit": "**From Azure Portal**\n\n1. Go to `Activity log`\n2. Select `Export`\n3. Select `Subscription`\n4. In section `Storage Account`, note the name of the Storage account\n5. Close the `Export Audit Logs` blade. Close the `Monitor - Activity Log` blade.\n6. In right column, Click service `Storage Accounts` to access Storage account blade\n7. Click on the storage account name noted in step 4. This will open blade specific to that storage account\n8. Under `Security + networking`, click `Encryption`.\n9. Ensure `Customer-managed keys` is selected and `Key URI` is set.\n\n**From Azure CLI**\n\n10. Get storage account id configured with log profile:\n\n```\naz monitor diagnostic-settings subscription list --subscription <subscription id> --query 'value[*].storageAccountId'\n```\n\n11. Ensure the storage account is encrypted with CMK:\n\n```\naz storage account list --query \"[?name=='<Storage Account Name>']\"\n```\n\nIn command output ensure `keySource` is set to `Microsoft.Keyvault` and `keyVaultProperties` is not set to `null`\n\n**From PowerShell**\n\n```\nGet-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name>|select-object -ExpandProperty encryption|format-list\n```\n\nEnsure the value of `KeyVaultProperties` is not `null` or empty, and ensure `KeySource` is not set to `Microsoft.Storage`.",
15+
"remediation": "**From Azure Portal**\n\n1. Navigate to the Storage accounts blade.\n2. Click on the storage account.\n3. Under `Security + networking`, click `Encryption`.\n4. Next to `Encryption type`, select `Customer-managed keys`.\n5. Complete the steps to configure a customer-managed key for encryption of the storage account.\n\n**From Azure CLI**\n\n```\naz storage account update --name <name of the storage account> --resource-group <resource group for a storage account> --encryption-key-source=Microsoft.Keyvault --encryption-key-vault <Key Vault URI> --encryption-key-name <KeyName> --encryption-key-version <Key Version> \n```\n\n**From PowerShell**\n\n```\nSet-AzStorageAccount -ResourceGroupName <resource group name> -Name <storage account name> -KeyvaultEncryption -KeyVaultUri <key vault URI> -KeyName <key name>\n```",
16+
"section": "Configuring Diagnostic Settings",
17+
"version": "1.0",
18+
"tags": [
19+
"CIS",
20+
"AZURE",
21+
"CIS 5.1.4",
22+
"Configuring Diagnostic Settings"
23+
],
24+
"benchmark": {
25+
"name": "CIS Microsoft Azure Foundations",
26+
"version": "v2.0.0",
27+
"id": "cis_azure",
28+
"rule_number": "5.1.4",
29+
"posture_type": "cspm"
30+
},
31+
"rego_rule_id": "cis_5_1_4"
32+
}
33+
},
34+
"migrationVersion": {
35+
"csp-rule-template": "8.7.0"
36+
},
37+
"coreMigrationVersion": "8.7.0"
38+
}
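Review bot: the CLI remediation mixes `--encryption-key-source=Microsoft.Keyvault` (value joined with `=`) with space-separated values for the other flags and leaves a trailing space before the closing fence; use one form throughout. Also `default_value` is empty although the PowerShell audit text already names the default, `KeySource` set to `Microsoft.Storage` (Microsoft-managed keys), so stating it there would make the template self-describing.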
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
{
2+
"id": "02da047f-bc78-5565-86a0-e121850f76c0",
3+
"type": "csp-rule-template",
4+
"attributes": {
5+
"metadata": {
6+
"impact": "",
7+
"default_value": "",
8+
"references": "1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-4-enable-data-at-rest-encryption-by-default",
9+
"id": "02da047f-bc78-5565-86a0-e121850f76c0",
10+
"name": "Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server",
11+
"profile_applicability": "* Level 1",
12+
"description": "Ensure `TLS version` on `MySQL flexible` servers is set to the default value.",
13+
"rationale": "TLS connectivity helps to provide a new layer of security by connecting database server to client applications using Transport Layer Security (TLS).\nEnforcing TLS connections between database server and client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.",
14+
"audit": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to `Azure Database for MySQL flexible servers`\n3. For each database, click on `Server parameters` under `Settings`\n4. In the search box, type in `tls_version`\n5. Ensure `tls_version` is set to `TLSV1.2`\n\n**From Azure CLI**\n\nEnsure the output of the below command contains the key value pair `\"values\": \"TLSV1.2\"`.\n ```\n az mysql flexible-server parameter show --name tls_version --resource-group <resourceGroupName> --server-name <serverName>\n```\n\nExample output:\n```\n{\n \"allowedValues\": \"TLSv1,TLSv1.1,TLSv1.2\",\n \"dataType\": \"Set\",\n \"defaultValue\": \"TLSv1.2\",\n \"description\": \"Which protocols the server permits for encrypted connections.\nBy default, TLS 1.2 is enforced\",\n \"id\": \"/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DBforMySQL/flexibleServers/<serverName>/configurations/tls_version\",\n \"isConfigPendingRestart\": \"False\",\n \"isDynamicConfig\": \"False\",\n \"isReadOnly\": \"False\",\n \"name\": \"tls_version\",\n \"resourceGroup\": \"<resourceGroupName>\",\n \"source\": \"system-default\",\n \"systemData\": null,\n \"type\": \"Microsoft.DBforMySQL/flexibleServers/configurations\",\n \"value\": \"TLSv1.2\"\n}\n```",
15+
"remediation": "**From Azure Portal**\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to `Azure Database for MySQL flexible servers`\n3. For each database, click on `Server parameters` under `Settings`\n4. In the search box, type in `tls_version`\n5. Click on the VALUE dropdown, and ensure only `TLSV1.2` is selected for `tls_version`\n\n**From Azure CLI**\n\nUse the below command to set MYSQL flexible databases to used version 1.2 for the `tls_version` parameter.\n```\n az mysql flexible-server parameter set --name tls_version --resource-group <resourceGroupName> --server-name <serverName> --value TLSV1.2\n```",
16+
"section": "MySQL Database",
17+
"version": "1.0",
18+
"tags": [
19+
"CIS",
20+
"AZURE",
21+
"CIS 4.4.2",
22+
"MySQL Database"
23+
],
24+
"benchmark": {
25+
"name": "CIS Microsoft Azure Foundations",
26+
"version": "v2.0.0",
27+
"id": "cis_azure",
28+
"rule_number": "4.4.2",
29+
"posture_type": "cspm"
30+
},
31+
"rego_rule_id": "cis_4_4_2"
32+
}
33+
},
34+
"migrationVersion": {
35+
"csp-rule-template": "8.7.0"
36+
},
37+
"coreMigrationVersion": "8.7.0"
38+
}
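Review bot: the CLI audit text and its own example output disagree: the text says to look for `"values": "TLSV1.2"`, but the example output uses the key `value` with `TLSv1.2` and `allowedValues` lists `TLSv1,TLSv1.1,TLSv1.2`; correct the key name and casing so an automated check built from this text does not miss a compliant server. The audit fence also has a stray leading space before the opening fence and the `az mysql flexible-server parameter show` line, and the remediation typo `to used version 1.2` should read `to use TLS version 1.2`.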
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
{
2+
"id": "090923c7-e599-572b-bad3-703f768c262a",
3+
"type": "csp-rule-template",
4+
"attributes": {
5+
"metadata": {
6+
"impact": "Being a level 2, enabling this setting can have a high impact on the cost of data storage used for logging more data per each request. Do not enable this without determining your need for this level of logging or forget to check in on data usage and projected cost.",
7+
"default_value": "",
8+
"references": "1. https://docs.microsoft.com/en-us/rest/api/storageservices/about-storage-analytics-logging\n2. https://docs.microsoft.com/en-us/cli/azure/storage/logging?view=azure-cli-latest\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources",
9+
"id": "090923c7-e599-572b-bad3-703f768c262a",
10+
"name": "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests",
11+
"profile_applicability": "* Level 2",
12+
"description": "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design.\nStorage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.\nThese logs allow users to see the details of read, write, and delete operations against the tables.\nStorage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.",
13+
"rationale": "Storage Analytics logs contain detailed information about successful and failed requests to a storage service.\nThis information can be used to monitor each individual request to a storage service for increased security or diagnostics.\nRequests are logged on a best-effort basis.\n\nStorage Analytics logging is not enabled by default for your storage account.",
14+
"audit": "**From Azure Portal**\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'table' tab indented below the storage account. Then select the diagnostic setting listed.\n5. Ensure `StorageRead`, `StorageWrite`, and `StorageDelete` options are selected under the `Logging section` and that they are sent to the correct destination.\n\n**From Azure CLI**\n\nEnsure the below command's output contains properties delete, read and write set to true.\n\n```\naz storage logging show --services t --account-name <storageAccountName>\n```",
15+
"remediation": "**From Azure Portal**\n\n1. From the default portal page select `Storage Accounts`.\n2. Select the specific Storage Account.\n3. Click the `Diagnostics settings` under the `Monitoring` section in the left column.\n4. Select the 'table' tab indented below the storage account. \n5. Click '+ Add diagnostic setting'.\n6. Select `StorageRead`, `StorageWrite` and `StorageDelete` options under the `Logging` section to enable Storage Logging for Table service.\n7. Select a destination for your logs to be sent to.\n\n**From Azure CLI**\n\nUse the below command to enable the Storage Logging for Table service.\n\n```\naz storage logging update --account-name <storageAccountName> --account-key <storageAccountKey> --services t --log rwd --retention 90\n```",
16+
"section": "Storage Accounts",
17+
"version": "1.0",
18+
"tags": [
19+
"CIS",
20+
"AZURE",
21+
"CIS 3.14",
22+
"Storage Accounts"
23+
],
24+
"benchmark": {
25+
"name": "CIS Microsoft Azure Foundations",
26+
"version": "v2.0.0",
27+
"id": "cis_azure",
28+
"rule_number": "3.14",
29+
"posture_type": "cspm"
30+
},
31+
"rego_rule_id": "cis_3_14"
32+
}
33+
},
34+
"migrationVersion": {
35+
"csp-rule-template": "8.7.0"
36+
},
37+
"coreMigrationVersion": "8.7.0"
38+
}
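Review bot: the CLI remediation passes `--account-key <storageAccountKey>` on the command line, which leaves the storage account key in shell history and process listings; the audit's `az storage logging show` runs without it, so the remediation should source the key from the `AZURE_STORAGE_KEY` environment variable that `az storage` commands honor instead of a flag. The remediation also sets `--retention 90` and portal step 7 picks a destination, yet the audit only checks that delete/read/write are true, so retention and destination are never verified; either audit them or drop the retention from the remediation. Minor: the impact text opens with the dangling modifier `Being a level 2, enabling this setting...`.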
Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
{
2+
"id": "213e2b33-f2b1-575b-8753-f239b278c25a",
3+
"type": "csp-rule-template",
4+
"attributes": {
5+
"metadata": {
6+
"impact": "",
7+
"default_value": "",
8+
"references": "1. https://docs.microsoft.com/en-us/rest/api/postgresql/singleserver/configurations/list-by-server\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n4. https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-server-logs#configure-logging\n5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/get-azpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresql-configuration-by-name\n6. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/update-azpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresql-configuration-by-name",
9+
"id": "213e2b33-f2b1-575b-8753-f239b278c25a",
10+
"name": "Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server",
11+
"profile_applicability": "* Level 1",
12+
"description": "Enable `log_checkpoints` on `PostgreSQL Servers`.",
13+
"rationale": "Enabling `log_checkpoints` helps the PostgreSQL Database to `Log each checkpoint` in turn generates query and error logs.\nHowever, access to transaction logs is not supported.\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
14+
"audit": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_checkpoints`.\n5. Ensure that value is set to `ON`.\n\n**From Azure CLI**\n\nEnsure value is set to `ON`\n```\naz postgres server configuration show --resource-group <resourceGroupName> --server-name <serverName> --name log_checkpoints\n```\n\n**From PowerShell**\n\nEnsure value is set to `ON`\n\n```\nGet-AzPostgreSqlConfiguration -ResourceGroupName <ResourceGroupName> -ServerName <ServerName> -Name log_checkpoints\n```",
15+
"remediation": "**From Azure Portal**\n\n1. From Azure Home select the Portal Menu.\n2. Go to `Azure Database for PostgreSQL servers`.\n3. For each database, click on `Server parameters`.\n4. Search for `log_checkpoints`.\n5. Click `ON` and save.\n\n**From Azure CLI**\n\nUse the below command to update `log_checkpoints` configuration.\n```\naz postgres server configuration set --resource-group <resourceGroupName> --server-name <serverName> --name log_checkpoints --value on\n```\n\n**From PowerShell**\n\n```\nUpdate-AzPostgreSqlConfiguration -ResourceGroupName <ResourceGroupName> -ServerName <ServerName> -Name log_checkpoints -Value on\n```",
16+
"section": "PostgreSQL Database Server",
17+
"version": "1.0",
18+
"tags": [
19+
"CIS",
20+
"AZURE",
21+
"CIS 4.3.2",
22+
"PostgreSQL Database Server"
23+
],
24+
"benchmark": {
25+
"name": "CIS Microsoft Azure Foundations",
26+
"version": "v2.0.0",
27+
"id": "cis_azure",
28+
"rule_number": "4.3.2",
29+
"posture_type": "cspm"
30+
},
31+
"rego_rule_id": "cis_4_3_2"
32+
}
33+
},
34+
"migrationVersion": {
35+
"csp-rule-template": "8.7.0"
36+
},
37+
"coreMigrationVersion": "8.7.0"
38+
}
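Review bot: the rationale sentence `Enabling log_checkpoints helps the PostgreSQL Database to Log each checkpoint in turn generates query and error logs.` is ungrammatical and runs two claims together; split it into one sentence saying `log_checkpoints` writes a log entry for each checkpoint and a second saying those server logs complement the query and error logs. The audit says to ensure the value is `ON` while the CLI and PowerShell remediations set `on`; pick one casing so the audit text matches what the remediation writes. Also the commands are single-server specific (`az postgres server`, the `singleserver` REST reference in the links), so the generic name `PostgreSQL Database Server` should say so, or the template will silently not apply to flexible servers.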
