turbot / steampipe-mod-azure-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, HIPAA HITRUST, NIST, and more across all of your Azure subscriptions using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/azure_compliance
Apache License 2.0

Missing implementation of CIS 4.3.7 #159

Closed KingBrewer closed 1 year ago

KingBrewer commented 1 year ago

Describe the bug
CIS check 4.3.7 "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled" is missing implementation, being attributed as a manual control: https://github.com/turbot/steampipe-mod-azure-compliance/blob/v0.24/cis_v200/section_4.sp#L336

Steampipe version (steampipe -v)
v0.19.4

Plugin version (steampipe plugin list)
steampipe-mod-azure-compliance@v0.24

+------------------------------------------------+---------+-------------+
| Installed Plugin                               | Version | Connections |
+------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/azure@latest   | 0.41.0  | azure       |
| hub.steampipe.io/plugins/turbot/azuread@latest | 0.9.0   | azuread     |
+------------------------------------------------+---------+-------------+

To reproduce
Run assessment of 4.3.7 control: steampipe check control.cis_v200_4_3_7

Expected behavior
Firewall rules should be evaluated for each of the Postgres servers. Currently the check is marked as manual, which is incorrect.

misraved commented 1 year ago

Welcome to Steampipe @KingBrewer and apologies for the bump!!

When tables or columns (REST APIs) are unavailable to assist us in creating a SQL query for any compliance check, we designate such controls as manual.

However, in this case, the azure_postgresql_server table seems to have a column firewall_rules.

@khushboo9024 could you please verify if we can create a query for this control?

rajlearner17 commented 1 year ago

Linking plugin referenced issue