turbot / steampipe-mod-azure-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, HIPAA HITRUST, NIST, and more across all of your Azure subscriptions using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/azure_compliance
Apache License 2.0

Wrong Query for "Control: Azure DDoS Protection Standard should be enabled" #87

Closed fgomesz closed 2 years ago

fgomesz commented 2 years ago

Describe the bug: The site refers to another query.

To reproduce: Visit https://hub.steampipe.io/mods/turbot/azure_compliance/controls/control.network_security_group_udp_service_restricted?context=benchmark.nist_sp_800_53_rev_5/benchmark.nist_sp_800_53_rev_5_sc/benchmark.nist_sp_800_53_rev_5_sc_5

The query is pointed to https://github.com/turbot/steampipe-mod-azure-compliance/blob/v0.8/regulatory_compliance/network.sp#L90-L98

Expected behavior: A query for DDoS Protection Standard should be used.

misraved commented 2 years ago

Thanks @fgomesz for using Steampipe 👍, hope you are having a good experience!!

The concern mentioned in this issue does look valid. Thanks for highlighting this, we will dig in a bit more and add the correct query to the control 👍

rajlearner17 commented 2 years ago

@fgomesz Appreciate this catch. Thanks. Definitely a few observations while reviewing this issue; let me know if it explains.

The link for control Azure DDoS Protection Standard should be enabled in Steampipe Azure Mods holds the control for NIST; however, it is tagged wrongly with hipaa_hitrust_v92 = true. We will correct this.

In mods, we re-use some of these queries to avoid re-work.

The same query (network_security_group_udp_service_restricted.sql) is used in the below controls

The reason why the same query was referenced: neither CIS nor NIST steps are mentioned in their respective content with specific steps.

But we understand it might be confusing; we are checking this internally to separate this as well.

The table azure_virtual_network inherently supports the enable_ddos_protection attribute, as mentioned here; we can bring this part of the NIST control validation. PR reference - Still, we are checking further to re-validate before release next week.

Share your feedback.
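
As an added illustration (not part of the thread and not the mod's own query), a control-style Steampipe query built on the enable_ddos_protection attribute mentioned above could look like the following. The other columns (id, name, resource_group, subscription_id) and the azure_subscription join are assumptions based on the Steampipe Azure plugin's tables.

```sql
-- Added example: flags virtual networks without DDoS protection in the
-- resource/status/reason shape that Steampipe controls return.
-- enable_ddos_protection is the attribute named in the thread; every other
-- column and the azure_subscription table are assumed from the Azure plugin.
select
  vn.id as resource,
  case
    when vn.enable_ddos_protection then 'ok'
    else 'alarm'  -- false and null are both treated as unprotected
  end as status,
  case
    when vn.enable_ddos_protection
      then vn.name || ' has DDoS protection enabled.'
    else vn.name || ' does not have DDoS protection enabled.'
  end as reason,
  vn.resource_group,
  sub.display_name as subscription
from
  azure_virtual_network as vn
  join azure_subscription as sub
    on sub.subscription_id = vn.subscription_id
order by
  status,
  vn.name;
```

Comparing the rows this returns with the output of the UDP-restriction query the control was pointed at shows whether the control evaluates virtual networks or network security groups.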

fgomesz commented 2 years ago

Thank you for looking into this and sorry for wasting your time.

e-gineer commented 2 years ago

@fgomesz Definitely not a waste of time!

You found a bug in our tagging of the control 👍 and we really appreciate people working through these in detail - it's critical to keeping them as well described and accurate as possible!

Thank you. Please keep those issues (and PRs) coming!