Azure / template-analyzer

Template scanner for security misconfiguration and best practices
MIT License

[Built-in Rule] SQL Auditing settings should have Action-Groups configured to capture critical activities #55

Open yane3628 opened 3 years ago

yane3628 commented 3 years ago

Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_ActionsAndGroups_Audit.json

{
  "name": "SQL_Auditing_Actions_And_Groups",
  "description": "SQL Auditing settings should have Action-Groups configured to capture critical activities",
  "recommendation": "The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#sql-auditing-settings-should-have-action-groups-configured-to-capture-critical-activities",
  "evaluation": {
    "resourceType": "Microsoft.Sql/servers",
    "allOf": [
      {
        "resourceType": "Microsoft.Sql/servers/auditingSettings",
        "where": {
          "path": "name",
          "equals": "default"
        },
        "evaluate": {
          "path": "properties.auditActionsAndGroups[*]",
          "in": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
          ]
        }
      }
    ]
  }
}
yane3628 commented 3 years ago

I believe this rule needs the count feature. Its intent is for each of the values specified in the in array to be specified.

VeraBE commented 3 years ago

Could also be done with the not operator, like policy
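To make the semantic difference the two comments above are discussing concrete, here is an added Python example (not part of the issue, and not Template Analyzer's own C# evaluation engine). It walks a constructed ARM template fragment for the `default` auditingSettings resource and evaluates the configured action groups under three readings: the element-wise `in` membership check that the rule as written appears to express (which a partial list passes), the count-based reading yane3628 describes, and the `not`-based reading VeraBE mentions. The template fragment, the function names and the exact interpretation of `[*]` are my assumptions.

```python
import json

# Constructed sample ARM template fragment (my own example input, not from the issue):
# one SQL server whose nested "default" auditingSettings lists only two of the
# three groups the rule's recommendation calls for.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "name": "sqlserver01",
      "resources": [
        {
          "type": "auditingSettings",
          "name": "default",
          "properties": {
            "state": "Enabled",
            "auditActionsAndGroups": [
              "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
              "BATCH_COMPLETED_GROUP"
            ]
          }
        }
      ]
    }
  ]
}
""")

# The three groups named in the rule's recommendation.
REQUIRED_GROUPS = {
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
}


def default_auditing_groups(template):
    """Yield the auditActionsAndGroups list of every 'default' auditingSettings
    resource, whether nested under a server (type 'auditingSettings') or declared
    top-level (type 'Microsoft.Sql/servers/auditingSettings', name 'server/default')."""
    def walk(resources, parent_type=None):
        for res in resources:
            rtype = res.get("type", "")
            if parent_type and "/" not in rtype:   # nested child: qualify with parent type
                rtype = f"{parent_type}/{rtype}"
            name = res.get("name", "").split("/")[-1]
            if rtype == "Microsoft.Sql/servers/auditingSettings" and name == "default":
                yield list(res.get("properties", {}).get("auditActionsAndGroups", []))
            yield from walk(res.get("resources", []), rtype)
    yield from walk(template.get("resources", []))


def passes_elementwise_in(groups):
    """My reading of the rule as written: 'auditActionsAndGroups[*] in [...]' checks
    that each configured group is one of the listed values. A partial (or empty)
    list passes, which is the gap the issue points out."""
    return all(g in REQUIRED_GROUPS for g in groups)


def passes_count(groups):
    """The count reading: the number of required groups present must equal the
    number of required groups."""
    return sum(1 for g in REQUIRED_GROUPS if g in groups) == len(REQUIRED_GROUPS)


def passes_not_missing(groups):
    """The 'not' reading: fail if any required group is absent from the list."""
    return not any(g not in groups for g in REQUIRED_GROUPS)


def missing_groups(groups):
    """Required groups absent from the configured list, sorted for stable reporting."""
    return sorted(REQUIRED_GROUPS - set(groups))


def evaluate(template):
    """Evaluate every default auditingSettings resource under all three readings."""
    results = []
    for groups in default_auditing_groups(template):
        results.append({
            "groups": groups,
            "elementwise_in": passes_elementwise_in(groups),
            "count": passes_count(groups),
            "not_missing": passes_not_missing(groups),
            "missing": missing_groups(groups),
        })
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_TEMPLATE):
        print(json.dumps(r, indent=2))
```

Run against the constructed template, the element-wise reading reports a pass while the count and `not` readings both fail and name FAILED_DATABASE_AUTHENTICATION_GROUP as missing; the two intended readings are equivalent for this rule, so either operator closes the gap.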