mondoohq / cnquery

open source, cloud-native, graph-based asset inventory
https://cnquery.io

Azure : Issue Accessing 'days' and 'enabled' Fields in Azure Key Vault Logging Configuration #3122

Open HRouhani opened 7 months ago

HRouhani commented 7 months ago

Related to: Ensure that logging for Azure Key Vault is 'Enabled'

Context:

This issue relates to the CIS requirement to ensure that logging for Azure Key Vault is enabled.

Problem:

Currently, in our implementation, accessing the specific fields 'days' and 'enabled' within the Azure Key Vault's diagnostic settings is not straightforward. The structure of the returned JSON object from azure.subscription.keyVault.vaults does not allow direct comparison or retrieval of these fields.

azure.subscription.keyVault.vaults: [
  0: {
    diagnosticSettings: [
      0: {
        properties.logs: [
          0: {
            retentionPolicy: {
              days: 0.000000
              enabled: false
            }
          }
          1: {
            retentionPolicy: {
              days: 0.000000
              enabled: false
            }
          }
        ]
      }
    ]
  }
]

Example of Current Data Structure:

azure.subscription.keyVault.vaults { diagnosticSettings {properties.logs.where(category == "AuditEvent") {retentionPolicy {days} } }}

Here, both 'days' and 'enabled' fields are nested and not directly accessible for comparison.

Potential Solution:

We need an enhancement or a workaround to access the 'days' value for comparison. A provisional query is available but it does not fully meet our requirements.

Affected function in cnquery:

monitor.go

mqlAzure, err := CreateResource(runtime, "azure.subscription.monitorService.diagnosticsetting",
	map[string]*llx.RawData{
		"id":               llx.StringData(convert.ToString(entry.ID)),
		"name":             llx.StringData(convert.ToString(entry.Name)),
		"type":             llx.StringData(convert.ToString(entry.Type)),
		"properties":       llx.DictData(properties),
		"storageAccountId": llx.StringDataPtr(entry.Properties.StorageAccountID),
	})

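
An added example, not cnquery code or the issue author's: a stand-alone Go program that models the vaults[].diagnosticSettings[].properties.logs[].retentionPolicy nesting quoted above on constructed sample data and extracts the enabled AuditEvent retention days so they can be compared against a threshold. The per-log category and enabled fields and all sample values are assumptions, not taken from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like the issue's output; only "ds-audit" retains AuditEvent logs.
const sampleDiagnosticSettings = `[
 {"name":"ds-default","properties":{"logs":[{"category":"AuditEvent","enabled":false,"retentionPolicy":{"days":0.000000,"enabled":false}}]}},
 {"name":"ds-audit","properties":{"logs":[{"category":"AuditEvent","enabled":true,"retentionPolicy":{"days":365,"enabled":true}},
  {"category":"AzurePolicyEvaluationDetails","enabled":true,"retentionPolicy":{"days":0,"enabled":false}}]}}
]`

// Types mirror vaults[].diagnosticSettings[].properties.logs[]; days is float64 since the issue renders it as 0.000000.
type RetentionPolicy struct {
	Days    float64 `json:"days"`
	Enabled bool    `json:"enabled"`
}
type LogSetting struct {
	Category        string          `json:"category"`
	Enabled         bool            `json:"enabled"`
	RetentionPolicy RetentionPolicy `json:"retentionPolicy"`
}
type DiagnosticSetting struct {
	Properties struct {
		Logs []LogSetting `json:"logs"`
	} `json:"properties"`
}

// LongestAuditEventRetention returns the longest retention (days) any setting keeps enabled for AuditEvent logs (0 if none).
func LongestAuditEventRetention(settings []DiagnosticSetting) float64 {
	best := 0.0
	for _, ds := range settings {
		for _, l := range ds.Properties.Logs { // the nesting the issue describes
			if l.Category == "AuditEvent" && l.Enabled && l.RetentionPolicy.Enabled && l.RetentionPolicy.Days > best {
				best = l.RetentionPolicy.Days
			}
		}
	}
	return best
}

func main() {
	var settings []DiagnosticSetting
	if err := json.Unmarshal([]byte(sampleDiagnosticSettings), &settings); err != nil {
		panic(err)
	}
	fmt.Printf("longest enabled AuditEvent retention: %.0f days\n", LongestAuditEventRetention(settings))
}
```

The returned number is a plain float that a policy can compare against whatever minimum the benchmark requires, which is the comparison the issue says the nested MQL result does not allow directly.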
HRouhani commented 5 months ago

I put this on hold, as they changed their requirements in the new CIS version 2.1.0.