feat(CG-1164): add azure pci sql server auditing enabled check

james-zhou-inspire11 · james-zhou-inspire11 · commit a9e34a717d8f · 2022-09-10T23:20:46.000-05:00
diff --git a/src/azure/pci-dss-3.2.1/README.md b/src/azure/pci-dss-3.2.1/README.md
@@ -53,12 +53,13 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 
 ## Available Ruleset
 
-| Rule               | Description                                                                                                                          |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
-| monitoring-check-1 | Monitor audit profile should log all activities                                                                                      |
-| monitoring-check-2 | Monitor audit profile should log all activities                                                                                      |
-| monitoring-check-3 | Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled                                               |
-| monitoring-check-4 | Monitor log profile should be created                                                                                                |
-| networking-check-1 | Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)                                    |
-| networking-check-2 | Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols |
-| networking-check-3 | Virtual Network security groups should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH)                                  |
+| Rule                | Description                                                                                                                          |
+| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| monitoring-check-1  | Monitor audit profile should log all activities                                                                                      |
+| monitoring-check-2  | Monitor audit profile should log all activities                                                                                      |
+| monitoring-check-3  | Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled                                               |
+| monitoring-check-4  | Monitor log profile should be created                                                                                                |
+| monitoring-check-14 | SQL Server auditing should be enabled                                                                                                |
+| networking-check-1  | Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)                                    |
+| networking-check-2  | Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols |
+| networking-check-3  | Virtual Network security groups should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH)                                  |
diff --git a/src/azure/pci-dss-3.2.1/rules/index.ts b/src/azure/pci-dss-3.2.1/rules/index.ts
@@ -1,13 +1,17 @@
 import Azure_PCI_DSS_321_Monitoring_1 from './pci-dss-3.2.1-monitoring-check-1'
 import Azure_PCI_DSS_321_Monitoring_2 from './pci-dss-3.2.1-monitoring-check-2'
 import Azure_PCI_DSS_321_Monitoring_3 from './pci-dss-3.2.1-monitoring-check-3'
+import Azure_PCI_DSS_321_Monitoring_4 from './pci-dss-3.2.1-monitoring-check-4'
+import Azure_PCI_DSS_321_Monitoring_14 from './pci-dss-3.2.1-monitoring-check-14'
 import Azure_PCI_DSS_321_Networking_1 from './pci-dss-3.2.1-networking-check-1'
 import Azure_PCI_DSS_321_Networking_2 from './pci-dss-3.2.1-networking-check-2'
 
 export default [
   Azure_PCI_DSS_321_Monitoring_1,
   Azure_PCI_DSS_321_Monitoring_2,
   Azure_PCI_DSS_321_Monitoring_3,
+  Azure_PCI_DSS_321_Monitoring_4,
+  Azure_PCI_DSS_321_Monitoring_14,
   Azure_PCI_DSS_321_Networking_1,
   Azure_PCI_DSS_321_Networking_2,
 ]
diff --git a/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-14.ts b/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-14.ts
@@ -0,0 +1,53 @@
+// similar to NIST 2.5
+export default {
+  id: 'pci-dss-3.2.1-monitoring-check-14',
+  title: 'Monitoring Check 14: SQL Server auditing should be enabled',
+  
+  description: 'The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.',
+  
+  audit: '',
+  
+  rationale: '',
+  
+  remediation: `**From Azure Console**
+  
+  - Navigate to [SQL Servers](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers).
+  - Select the SQL server.
+  - In the left navigation in the Security section, select Auditing.
+  - Set Auditing to On.
+  
+  **Using PowerShell:**
+  
+  - To enable auditing for SQL Server, get a list of all SQL servers:
+  
+          Get-AzureRmSqlServer
+  
+  - Enable auditing for each server:
+  
+          Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName <resource group name> -ServerName <server name> -AuditType <audit type> -StorageAccountName <storage account name>`,
+  
+  references: [
+      'https://docs.microsoft.com/en-us/azure/security-center/security-center-sql-service-recommendations',
+      'https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0',
+      'https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-6.13.0&viewFallbackFrom=azurermps-5.2.0',
+      'https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview',
+  ],
+  gql: `{
+    queryazureSqlServer {
+      id
+      __typename
+      serverBlobAuditingPolicies {
+        state
+      }
+    }
+  }`,
+  resource: 'queryazureSqlServer[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.serverBlobAuditingPolicies',
+    array_any: {
+      path: '[*].state', 
+      equal: 'Enabled' 
+    },
+  },
+}
diff --git a/src/azure/pci-dss-3.2.1/tests/pci-dss-3.2.1-monitoring-checks.test.ts b/src/azure/pci-dss-3.2.1/tests/pci-dss-3.2.1-monitoring-checks.test.ts
@@ -6,6 +6,7 @@ import Azure_PCI_DSS_321_Monitoring_1 from '../rules/pci-dss-3.2.1-monitoring-ch
 import Azure_PCI_DSS_321_Monitoring_2 from '../rules/pci-dss-3.2.1-monitoring-check-2'
 import Azure_PCI_DSS_321_Monitoring_3 from '../rules/pci-dss-3.2.1-monitoring-check-3'
 import Azure_PCI_DSS_321_Monitoring_4 from '../rules/pci-dss-3.2.1-monitoring-check-4'
+import Azure_PCI_DSS_321_Monitoring_14 from '../rules/pci-dss-3.2.1-monitoring-check-14'
 
 export interface azureActivityLogAlertLeafCondition {
   id: string
@@ -54,11 +55,18 @@ export interface QueryazurePolicyAssignment {
   displayName: string
   parameters: Parameter[]
 }
-
+export interface ServerBlobAuditingPolicy {
+  state: string
+}
+export interface QueryazureSqlServer {
+  id: string
+  serverBlobAuditingPolicies: ServerBlobAuditingPolicy[]
+}
 export interface PCIQueryResponse {
   queryazureLogProfile?: QueryazureLogProfile[]
   queryazureSubscription?: QueryazureSubscription[]
   queryazurePolicyAssignment?: QueryazurePolicyAssignment[]
+  queryazureSqlServer?: QueryazureSqlServer[]
 }
 
 describe('PCI Data Security Standard: 3.2.1', () => {
@@ -397,4 +405,48 @@ describe('PCI Data Security Standard: 3.2.1', () => {
       await testRule(data, Result.FAIL)
     })
   })
+
+  describe('Monitoring Check 14: SQL Server auditing should be enabled', () => {
+    const getTestRuleFixture = (
+      state: string
+      ): PCIQueryResponse => {
+      return {
+        queryazureSqlServer: [
+          {
+            id: cuid(),
+            serverBlobAuditingPolicies: [
+              {
+                state
+              }
+            ]
+          },
+        ],
+      }
+    }
+
+    // Act
+    const testRule = async (
+      data: PCIQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Azure_PCI_DSS_321_Monitoring_14 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when SQL Server auditing is enabled', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture('Enabled')
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when SQL Server auditing is disabled', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture('Disabled')
+      await testRule(data, Result.FAIL)
+    })
+  })
 })
