Open yane3628 opened 3 years ago
Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_ActionsAndGroups_Audit.json
```json
{
  "name": "SQL_Auditing_Actions_And_Groups",
  "description": "SQL Auditing settings should have Action-Groups configured to capture critical activities",
  "recommendation": "The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging",
  "helpUri": "https://github.com/Azure/template-analyzer/docs/built-in-bpa-rules.md/#sql-auditing-settings-should-have-action-groups-configured-to-capture-critical-activities",
  "evaluation": {
    "resourceType": "Microsoft.Sql/servers",
    "allOf": [
      {
        "resourceType": "Microsoft.Sql/servers/auditingSettings",
        "where": {
          "path": "name",
          "equals": "default"
        },
        "evaluate": {
          "path": "properties.auditActionsAndGroups[*]",
          "in": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
          ]
        }
      }
    ]
  }
}
```
I believe this rule needs the count feature. Its intent is that each of the values specified in the `in` array should be present.
Could also be done with the `not` operator, like the Azure policy: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_ActionsAndGroups_Audit.json
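To make the gap concrete, here is a toy evaluator (an added example, not template-analyzer code) that runs a constructed ARM template through two readings of the rule: the rule as written, and the count-style check the recommendation text actually asks for. It assumes, without having checked the analyzer's source, that `path: ...[*]` combined with `in: [...]` means "every element of the array must be a member of the list", which is the reading the issue describes. Under that reading an array containing only `BATCH_COMPLETED_GROUP`, or an empty array, passes, while an array that has all three required groups plus an extra one fails. Resource names, the `evaluate` helper and the `SCHEMA_OBJECT_ACCESS_GROUP` entry are sample values chosen for the illustration.

```python
"""Added example (not template-analyzer code): a toy evaluator showing the gap
between what SQL_Auditing_Actions_And_Groups checks and what it means to check.

Assumption (not verified against the analyzer's source): `path: ...[*]` with
`in: [...]` means every element of the array must be a member of the list.
"""

REQUIRED_GROUPS = frozenset({
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
})


def audit_groups(resource: dict) -> list:
    """Return properties.auditActionsAndGroups, or [] when it is absent."""
    return resource.get("properties", {}).get("auditActionsAndGroups", [])


def current_rule_passes(resource: dict) -> bool:
    """The rule as written, under the assumed semantics: a subset test.
    Note that an empty array passes vacuously."""
    return all(g in REQUIRED_GROUPS for g in audit_groups(resource))


def intended_rule_passes(resource: dict) -> bool:
    """What the recommendation text asks for: the count of required groups
    present in the array must equal the number of required groups."""
    present = {g for g in audit_groups(resource) if g in REQUIRED_GROUPS}
    return len(present) == len(REQUIRED_GROUPS)


def is_default_auditing_settings(resource: dict) -> bool:
    """Mirror the rule's resourceType/where filter. Child resource names in
    ARM templates may be written 'default' or '<server>/default'."""
    return (resource.get("type") == "Microsoft.Sql/servers/auditingSettings"
            and resource.get("name", "").split("/")[-1] == "default")


def evaluate(template: dict) -> dict:
    """Evaluate every matching resource under both readings.
    Returns {resource name: (rule_as_written_passes, intended_passes)}."""
    return {
        r["name"]: (current_rule_passes(r), intended_rule_passes(r))
        for r in template.get("resources", [])
        if is_default_auditing_settings(r)
    }


def _settings(name: str, groups: list) -> dict:
    """Build a minimal auditingSettings child resource (constructed sample)."""
    return {
        "type": "Microsoft.Sql/servers/auditingSettings",
        "name": name,
        "properties": {"state": "Enabled", "auditActionsAndGroups": groups},
    }


# Constructed sample template: four resources the rule should evaluate and
# one whose name is not 'default', which the where filter must skip.
SAMPLE_TEMPLATE = {
    "resources": [
        _settings("complete/default", sorted(REQUIRED_GROUPS)),
        _settings("batch-only/default", ["BATCH_COMPLETED_GROUP"]),
        _settings("empty/default", []),
        _settings("extra/default",
                  sorted(REQUIRED_GROUPS) + ["SCHEMA_OBJECT_ACCESS_GROUP"]),
        _settings("ignored/notdefault", []),
    ]
}

if __name__ == "__main__":
    for name, (as_written, intended) in evaluate(SAMPLE_TEMPLATE).items():
        print(f"{name:22} rule-as-written={as_written!s:5} intended={intended!s:5}")
```

Running it shows `batch-only/default` and `empty/default` passing the rule as written but failing the intended check, and `extra/default` doing the opposite; only `complete/default` agrees under both readings. A count-based predicate (number of array elements that are in the required list equals three) or, as suggested above, a `not`/`in` construction in the style of the Azure policy, would make the analyzer's result match the `intended` column.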