Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Diagnostic logs in Service Bus should be enabled #1862

Closed BenjaminEngeset closed 1 year ago

BenjaminEngeset commented 1 year ago

Rule request

Suggested rule change

Diagnostic logs in Service Bus should be enabled.

Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.

This is an official Defender for Cloud recommendation.

Security pillar for this one.

Applies to the following

The rule applies to the following:

Additional context

Diagnostic logs in Service Bus should be enabled
Template reference

BernieWhite commented 1 year ago

@bengeset96 I think we need to confirm which diagnostic logs are actually required from an audit perspective. Suggesting that a customer should turn on all logs without guidance can increase cost unnecessarily.

For service bus, the Runtime Audit Logs is the only log category in the audit category group.

Something like this could be used: https://github.com/Azure/PSRule.Rules.Azure/blob/192e9465c0ddea7e7fcff1a04dd168c8d88b289a/src/PSRule.Rules.Azure/rules/Azure.Automation.Rule.ps1#L33-L47

Another call-out is that the retention setting only applies to storage accounts, and generally for most cases customers should actually use Azure Monitor Logs as the target. Also I think retention is a fairly opinionated thing, really it depends. If we add retention in it should be configurable but I think specific retention may be better suited to the CAF instead of WAF.

https://learn.microsoft.com/azure/architecture/framework/security/monitor-logs-alerts#audit-logging

BenjaminEngeset commented 1 year ago

@BernieWhite

Great feedback. In all honesty, do you see any business value in creating rules for those issues I've created regarding diagnostic logs besides this one that actually have an audit log? It will be kinda hard to create rule documentation and suggest what/when to enable even if we check for at least the property having some sort of value. I'm now starting to rather think twice about these suggestions of mine.

BernieWhite commented 1 year ago

@bengeset96 I think there is value, but I think we just need to balance the WAF across all pillars. Some Azure services are extremely verbose in their logging, others less so. In terms of the retention, I don't think the guidance is clear enough to say that all customers should use the same retention and we should exclude this from the rule.

For a security rule we should be targeting the recommended audit event categories only. For general monitoring we should use the recommended event categories and allow it to be configured, if the customer wants more or less logs.

Separate rules are good because a customer can easily exclude or suppress the rule if they care less about one or the other.

In both cases it might require a bit of investigation on which log categories are required.

:) Also I don't expect you to raise a PR for all of these, there is quite a bit of work to get them out the door, but it's good that we have these issues logged.
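To make the two-rule split discussed above concrete (an audit-only security rule that targets the Runtime Audit Logs category, and a separate general-monitoring rule with configurable categories, with retention deliberately left out), here is an added PSRule-style example. It is illustrative code written for this thread, not a rule from PSRule.Rules.Azure: the rule names, `-Ref` values, the `AZURE_SERVICEBUS_LOG_CATEGORIES` configuration key and its default list are assumptions, while `GetSubResources`, `$Assert` and `$Configuration.GetValueOrDefault` are PSRule helpers and `RuntimeAuditLogs` is the Service Bus category in the `audit` category group that the thread refers to.

```powershell
# Added example for the discussion above; not a rule shipped by PSRule.Rules.Azure.
# Assumed: rule names, -Ref ids, the configuration key name and its default list.
# Both rules evaluate a Microsoft.ServiceBus/namespaces resource together with its
# Microsoft.Insights/diagnosticSettings sub-resources, as found in an ARM/Bicep export.

# Synopsis: Service Bus namespaces should send runtime audit logs to a diagnostic setting.
Rule 'Azure.ServiceBus.AuditLogs.Example' -Ref 'AZR-EXAMPLE-001' -Type 'Microsoft.ServiceBus/namespaces' -Tag @{ release = 'GA'; ruleSet = 'example' } {
    # Security rule: only the audit category matters, so a setting passes if it enables
    # RuntimeAuditLogs directly or a category group that contains it ('audit' or 'allLogs').
    $auditGroups = @('audit', 'allLogs')
    $settings = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings')
    $auditSettings = @($settings | Where-Object {
        $enabledLogs = @($_.properties.logs | Where-Object { $_.enabled -eq $True })
        @($enabledLogs | Where-Object {
            $_.category -eq 'RuntimeAuditLogs' -or $_.categoryGroup -in $auditGroups
        }).Count -gt 0
    })
    # Any number of destinations is fine (Log Analytics, storage, Event Hub); retention is
    # intentionally not checked here because it only applies to storage account targets.
    $Assert.Greater($auditSettings, '.', 0).Reason(
        'No diagnostic setting enables the RuntimeAuditLogs category or the audit/allLogs category group.'
    )
}

# Synopsis: Service Bus namespaces should send the configured log categories to a diagnostic setting.
Rule 'Azure.ServiceBus.Logs.Example' -Ref 'AZR-EXAMPLE-002' -Type 'Microsoft.ServiceBus/namespaces' -Tag @{ release = 'GA'; ruleSet = 'example' } {
    # General-monitoring rule: the required categories are configurable so a customer can
    # widen or narrow them. The key name and the default list are assumptions for this example.
    $required = @($Configuration.GetValueOrDefault('AZURE_SERVICEBUS_LOG_CATEGORIES', @('OperationalLogs', 'RuntimeAuditLogs')))

    $settings = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings')
    $enabledLogs = @($settings | ForEach-Object { $_.properties.logs } | Where-Object { $_.enabled -eq $True })

    # Expand category groups: 'allLogs' covers every required category; an explicit
    # category covers only itself. The 'audit' group is expanded to the one audit category.
    $covered = @($enabledLogs | ForEach-Object {
        if ($_.categoryGroup -eq 'allLogs') { $required }
        elseif ($_.categoryGroup -eq 'audit') { 'RuntimeAuditLogs' }
        else { $_.category }
    } | Select-Object -Unique)

    $missing = @($required | Where-Object { $_ -notin $covered })
    $Assert.Create($missing.Count -eq 0, ('Diagnostic settings do not enable the required log categories: {0}' -f ($missing -join ', ')))
}
```

Because the two checks are separate rules, a customer who only wants the security baseline can suppress `Azure.ServiceBus.Logs.Example` (or tighten its category list through configuration) without losing the audit check, which is the trade-off the thread describes.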