Merge pull request #95 from cloudgraphdev/feature/CG-1164-azure-pci-sql-server-auditing-enabled-check

feat(CG-1164): add azure pci sql server auditing enabled check

Author: tyler-dunkel

src/azure/pci-dss-3.2.1/README.md

@@ -55,6 +55,7 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 
 | Rule                   | Description                                                                                                                          |
 | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| data-retention-check-1 | Activity Log Retention should be 365 days or greater                                                                                 |
 | encryption-check-1     | App Service web apps should have 'HTTPS only' enabled                                                                                |
 | encryption-check-2     | MySQL Database server 'enforce SSL connection' should be enabled                                                                     |
 | encryption-check-3     | PostgreSQL Database server 'enforce SSL connection' should be enabled                                                                |
@@ -72,6 +73,7 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 | monitoring-check-11    | Monitor Activity Log Alert should exist for Delete Network Security Group Rule                                                       |
 | monitoring-check-12    | Monitor Activity Log Alert should exist for Delete Security Solution                                                                 |
 | monitoring-check-13    | Monitor log profile should have activity logs for global services and all regions                                                    |
+| monitoring-check-14    | SQL Server auditing should be enabled                                                                                                |
 | network-access-check-1 | MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                      |
 | network-access-check-2 | PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                 |
 | network-access-check-3 | SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                                 |

src/azure/pci-dss-3.2.1/rules/index.ts

@@ -1,3 +1,4 @@
+import Azure_PCI_DSS_321_Data_Retention1 from './pci-dss-3.2.1-data-retention-check-1'
 import Azure_PCI_DSS_321_Encryption_1 from './pci-dss-3.2.1-encryption-check-1'
 import Azure_PCI_DSS_321_Encryption_2 from './pci-dss-3.2.1-encryption-check-2'
 import Azure_PCI_DSS_321_Encryption_3 from './pci-dss-3.2.1-encryption-check-3'
@@ -15,6 +16,7 @@ import Azure_PCI_DSS_321_Monitoring_10 from './pci-dss-3.2.1-monitoring-check-10
 import Azure_PCI_DSS_321_Monitoring_11 from './pci-dss-3.2.1-monitoring-check-11'
 import Azure_PCI_DSS_321_Monitoring_12 from './pci-dss-3.2.1-monitoring-check-12'
 import Azure_PCI_DSS_321_Monitoring_13 from './pci-dss-3.2.1-monitoring-check-13'
+import Azure_PCI_DSS_321_Monitoring_14 from './pci-dss-3.2.1-monitoring-check-14'
 import Azure_PCI_DSS_321_Network_Access_1 from './pci-dss-3.2.1-network-access-check-1'
 import Azure_PCI_DSS_321_Network_Access_2 from './pci-dss-3.2.1-network-access-check-2'
 import Azure_PCI_DSS_321_Network_Access_3 from './pci-dss-3.2.1-network-access-check-3'
@@ -26,6 +28,7 @@ import Azure_PCI_DSS_321_Policy_Version_1 from './pci-dss-3.2.1-policy-version-c
 import Azure_PCI_DSS_321_User_1 from './pci-dss-3.2.1-user-check-1'
 
 export default [
+  Azure_PCI_DSS_321_Data_Retention1,
   Azure_PCI_DSS_321_Encryption_1,
   Azure_PCI_DSS_321_Encryption_2,
   Azure_PCI_DSS_321_Encryption_3,
@@ -43,6 +46,7 @@ export default [
   Azure_PCI_DSS_321_Monitoring_11,
   Azure_PCI_DSS_321_Monitoring_12,
   Azure_PCI_DSS_321_Monitoring_13,
+  Azure_PCI_DSS_321_Monitoring_14,
   Azure_PCI_DSS_321_Network_Access_1,
   Azure_PCI_DSS_321_Network_Access_2,
   Azure_PCI_DSS_321_Network_Access_3,

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-data-retention-check-1.ts

@@ -0,0 +1,86 @@
+export default {
+  id: 'pci-dss-3.2.1-data-retention-check-1',
+  title: 'Activity Log Retention should be 365 days or greater',
+
+  description: 'A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more in order to have time to respond to any incidents.',
+
+  audit: '',
+
+  rationale: '',
+
+  remediation: `**From Azure Console**
+  
+  Note that log profiles are now a legacy method for sending the activity log to Azure storage or event hubs.
+
+  - Navigate to [Monitoring > Activity Log](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activityLog).
+  - Click Diagnostic settings and select “Looking for the legacy experience? Click here to launch the ‘Export activity log’ blade.”
+  - Select the Subscription from the drop-down.
+  - Select the desired regions.
+  - Select one or both of the following:
+    - Export to a storage account. Select a storage account.
+    - Export to an event hub. Select a service bus namespace.
+  - Set the retention period to 365 days or greater. 0 means logs are kept forever.
+  - Click Save.
+
+  **Azure CLI**  
+
+  List all log profiles:
+
+    az monitor log-profiles list
+
+  Remove the log-profile by using the value from the name property:
+
+    az monitor log-profiles delete --name "<log profile name>"
+
+    - To create a log profile, use the az monitor log-profiles create command with the desired flags (see the Azure documentation for details):
+  
+    az monitor log-profiles create --categories create
+                                --days
+                                --enabled true
+                                --location
+                                --locations
+                                --name
+                                [--service-bus-rule-id]
+                                [--storage-account-id]
+                                [--subscription]
+                                [--tags]
+  `,
+
+  references: [
+    'https://docs.microsoft.com/en-us/azure/azure-monitor/platform/platform-logs-overview',
+    'https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log#legacy-collection-methods',
+    'https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-create',
+  ],
+  gql: `
+    queryazureLogProfile {
+      id
+      __typename
+      retentionPolicy {
+        enabled
+        days
+      }
+    }
+  `,
+  resource: 'queryazureLogProfile[*]',
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.retentionPolicy.enabled',
+        equal: true,
+      },
+      {
+        or: [
+          {
+            path: '@.retentionPolicy.days',
+            equal: 0,
+          },
+          {
+            path: '@.retentionPolicy.days',
+            greaterThanInclusive: 365,
+          },
+        ]
+      },
+    ], 
+  },
+}

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-14.ts

@@ -0,0 +1,53 @@
+// similar to NIST 2.5
+export default {
+  id: 'pci-dss-3.2.1-monitoring-check-14',
+  title: 'Monitoring Check 14: SQL Server auditing should be enabled',
+  
+  description: 'The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.',
+  
+  audit: '',
+  
+  rationale: '',
+  
+  remediation: `**From Azure Console**
+  
+  - Navigate to [SQL Servers](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers).
+  - Select the SQL server.
+  - In the left navigation in the Security section, select Auditing.
+  - Set Auditing to On.
+  
+  **Using PowerShell:**
+  
+  - To enable auditing for SQL Server, get a list of all SQL servers:
+  
+          Get-AzureRmSqlServer
+  
+  - Enable auditing for each server:
+  
+          Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName <resource group name> -ServerName <server name> -AuditType <audit type> -StorageAccountName <storage account name>`,
+  
+  references: [
+      'https://docs.microsoft.com/en-us/azure/security-center/security-center-sql-service-recommendations',
+      'https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0',
+      'https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0',
+      'https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview',
+  ],
+  gql: `{
+    queryazureSqlServer {
+      id
+      __typename
+      serverBlobAuditingPolicies {
+        state
+      }
+    }
+  }`,
+  resource: 'queryazureSqlServer[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.serverBlobAuditingPolicies',
+    array_any: {
+      path: '[*].state', 
+      equal: 'Enabled' 
+    },
+  },
+}

src/azure/pci-dss-3.2.1/tests/pci-dss-3.2.1-data-retention-check.test.ts

@@ -0,0 +1,83 @@
+import { Rule, Result, Engine } from '@cloudgraph/sdk'
+import cuid from 'cuid'
+import { initRuleEngine } from '../../../utils/test'
+
+import Azure_PCI_DSS_321_Data_Retention_Check_1 from '../rules/pci-dss-3.2.1-data-retention-check-1'
+
+export interface RetentionPolicy {
+  enabled: boolean
+  days: number
+}
+
+export interface QueryazureLogProfile {
+  id: string
+  name?: string
+  locations?: string[]
+  categories?: string[]
+  retentionPolicy?: RetentionPolicy | null
+}
+
+export interface PCIQueryResponse {
+  queryazureLogProfile?: QueryazureLogProfile[]
+}
+
+describe('PCI Data Security Standard: 3.2.1', () => {
+  let rulesEngine: Engine
+  beforeAll(() => {
+    rulesEngine = initRuleEngine('azure', 'PCI')
+  })
+
+  describe('Retention Check 1: Activity Log Retention should be 365 days or greater', () => {
+    const getTestRuleFixture = (
+      enabled: boolean,
+      days: number,
+    ): PCIQueryResponse => {
+      return {
+        queryazureLogProfile: [
+          {
+            id: cuid(),
+            retentionPolicy: {
+              enabled,
+              days,
+            },
+          },
+        ],
+      }
+    }
+
+    // Act
+    const testRule = async (
+      data: PCIQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Azure_PCI_DSS_321_Data_Retention_Check_1 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when Monitor audit profile log retention day is 0 means logs are kept forever', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 0)
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when Monitor audit profile log is less than 365 days', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 364)
+      await testRule(data, Result.FAIL)
+    })
+
+    test('No Security Issue when Monitor audit profile log retention day is 365 days', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 365)
+      await testRule(data, Result.PASS)
+    })
+
+    test('No Security Issue when Monitor audit profile log retention day is more than 365 days', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 366)
+      await testRule(data, Result.PASS)
+    })
+  })
+})

src/azure/pci-dss-3.2.1/tests/pci-dss-3.2.1-monitoring-checks.test.ts

@@ -15,6 +15,7 @@ import Azure_PCI_DSS_321_Monitoring_10 from '../rules/pci-dss-3.2.1-monitoring-c
 import Azure_PCI_DSS_321_Monitoring_11 from '../rules/pci-dss-3.2.1-monitoring-check-11'
 import Azure_PCI_DSS_321_Monitoring_12 from '../rules/pci-dss-3.2.1-monitoring-check-12'
 import Azure_PCI_DSS_321_Monitoring_13 from '../rules/pci-dss-3.2.1-monitoring-check-13'
+import Azure_PCI_DSS_321_Monitoring_14 from '../rules/pci-dss-3.2.1-monitoring-check-14'
 
 export interface azureActivityLogAlertLeafCondition {
   id: string
@@ -65,11 +66,18 @@ export interface QueryazurePolicyAssignment {
   displayName: string
   parameters: Parameter[]
 }
-
+export interface ServerBlobAuditingPolicy {
+  state: string
+}
+export interface QueryazureSqlServer {
+  id: string
+  serverBlobAuditingPolicies: ServerBlobAuditingPolicy[]
+}
 export interface PCIQueryResponse {
   queryazureLogProfile?: QueryazureLogProfile[]
   queryazureSubscription?: QueryazureSubscription[]
   queryazurePolicyAssignment?: QueryazurePolicyAssignment[]
+  queryazureSqlServer?: QueryazureSqlServer[]
 }
 
 describe('PCI Data Security Standard: 3.2.1', () => {
@@ -956,4 +964,48 @@ describe('PCI Data Security Standard: 3.2.1', () => {
       await testRule(data, Result.FAIL)
     })
   })
+
+  describe('Monitoring Check 14: SQL Server auditing should be enabled', () => {
+    const getTestRuleFixture = (
+      state: string
+      ): PCIQueryResponse => {
+      return {
+        queryazureSqlServer: [
+          {
+            id: cuid(),
+            serverBlobAuditingPolicies: [
+              {
+                state
+              }
+            ]
+          },
+        ],
+      }
+    }
+
+    // Act
+    const testRule = async (
+      data: PCIQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Azure_PCI_DSS_321_Monitoring_14 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when SQL Server auditing is enabled', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture('Enabled')
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when SQL Server auditing is disabled', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture('Disabled')
+      await testRule(data, Result.FAIL)
+    })
+  })
 })