Merge branch 'alpha' into feature/CG-1164-azure-pci-sql-server-auditing-enabled-check

Author: james-zhou-inspire11

README.md

@@ -29,7 +29,11 @@ cg scan aws gcp azure
 | [CIS Amazon Web Services Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.2.0)         |
 | [CIS Amazon Web Services Foundations 1.3.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.3.0)         |
 | [CIS Amazon Web Services Foundations 1.4.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.4.0)         |
-| [CIS Google Cloud Platform Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-gcp-cis-1.2.0)       |
-| [CIS Microsoft Azure Foundations 1.3.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-azure-cis-1.3.1)           |
 | [AWS PCI Data Security Standard version 3.2.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-pci-dss-3.2.1)      |
 | [NIST 800-53 Rev. 4 for Amazon Web Services](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-nist-800-53-rev4) |
+| [CIS Google Cloud Platform Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-gcp-cis-1.2.0)       |
+| [GCP PCI Data Security Standard version 3.2.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-gcp-pci-dss-3.2.1)   |
+| [NIST 800-53 Rev. 4 for Google Cloud Services](https://www.npmjs.com/package/@cloudgraph/policy-pack-gcp-nist-800-53-rev4)   |
+| [CIS Microsoft Azure Foundations 1.3.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-azure-cis-1.3.1)           |
+| [Azure PCI Data Security Standard version 3.2.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-azure-pci-dss-3.2.1)   |
+| [NIST 800-53 Rev. 4 for Microsoft Azure Services](https://www.npmjs.com/package/@cloudgraph/policy-pack-azure-nist-800-53-rev4)   |

src/azure/pci-dss-3.2.1/README.md

@@ -53,13 +53,32 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 
 ## Available Ruleset
 
-| Rule                | Description                                                                                                                          |
-| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
-| monitoring-check-1  | Monitor audit profile should log all activities                                                                                      |
-| monitoring-check-2  | Monitor audit profile should log all activities                                                                                      |
-| monitoring-check-3  | Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled                                               |
-| monitoring-check-4  | Monitor log profile should be created                                                                                                |
-| monitoring-check-14 | SQL Server auditing should be enabled                                                                                                |
-| networking-check-1  | Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)                                    |
-| networking-check-2  | Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols |
-| networking-check-3  | Virtual Network security groups should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH)                                  |
+| Rule                   | Description                                                                                                                          |
+| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| encryption-check-1     | App Service web apps should have 'HTTPS only' enabled                                                                                |
+| encryption-check-2     | MySQL Database server 'enforce SSL connection' should be enabled                                                                     |
+| encryption-check-3     | PostgreSQL Database server 'enforce SSL connection' should be enabled                                                                |
+| encryption-check-4     | Storage Accounts 'Secure transfer required' should be enabled                                                                        |
+| monitoring-check-1     | Monitor audit profile should log all activities                                                                                      |
+| monitoring-check-2     | Monitor audit profile should log all activities                                                                                      |
+| monitoring-check-3     | Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled                                               |
+| monitoring-check-4     | Monitor log profile should be created                                                                                                |
+| monitoring-check-5     | Monitor Activity Log Alert should exist for Create or Update Network Security Group                                                  |
+| monitoring-check-6     | Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule                                             |
+| monitoring-check-7     | Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule                                      |
+| monitoring-check-8     | Monitor Activity Log Alert should exist for Create or Update Security Solution                                                       |
+| monitoring-check-9     | Monitor Activity Log Alert should exist for Create Policy Assignment                                                                 |
+| monitoring-check-10    | Monitor Activity Log Alert should exist for Delete Network Security Group                                                            |
+| monitoring-check-11    | Monitor Activity Log Alert should exist for Delete Network Security Group Rule                                                       |
+| monitoring-check-12    | Monitor Activity Log Alert should exist for Delete Security Solution                                                                 |
+| monitoring-check-13    | Monitor log profile should have activity logs for global services and all regions                                                    |
+| monitoring-check-14    | SQL Server auditing should be enabled                                                                                                |
+| network-access-check-1 | MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                      |
+| network-access-check-2 | PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                 |
+| network-access-check-3 | SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                                 |
+| network-access-check-4 | Ensure default network access rule for Storage Accounts is set to deny                                                               |
+| networking-check-1     | Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)                                    |
+| networking-check-2     | Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols |
+| networking-check-3     | Virtual Network security groups should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH)                                  |
+| policy-version-check-1 | App Service web apps should have 'Minimum TLS Version' set to '1.2'                                                                  |
+| user-check-1           | Active Directory custom subscription owner roles should not be created                                                               |

src/azure/pci-dss-3.2.1/rules/index.ts

@@ -1,17 +1,57 @@
+import Azure_PCI_DSS_321_Encryption_1 from './pci-dss-3.2.1-encryption-check-1'
+import Azure_PCI_DSS_321_Encryption_2 from './pci-dss-3.2.1-encryption-check-2'
+import Azure_PCI_DSS_321_Encryption_3 from './pci-dss-3.2.1-encryption-check-3'
+import Azure_PCI_DSS_321_Encryption_4 from './pci-dss-3.2.1-encryption-check-4'
 import Azure_PCI_DSS_321_Monitoring_1 from './pci-dss-3.2.1-monitoring-check-1'
 import Azure_PCI_DSS_321_Monitoring_2 from './pci-dss-3.2.1-monitoring-check-2'
 import Azure_PCI_DSS_321_Monitoring_3 from './pci-dss-3.2.1-monitoring-check-3'
 import Azure_PCI_DSS_321_Monitoring_4 from './pci-dss-3.2.1-monitoring-check-4'
+import Azure_PCI_DSS_321_Monitoring_5 from './pci-dss-3.2.1-monitoring-check-5'
+import Azure_PCI_DSS_321_Monitoring_6 from './pci-dss-3.2.1-monitoring-check-6'
+import Azure_PCI_DSS_321_Monitoring_7 from './pci-dss-3.2.1-monitoring-check-7'
+import Azure_PCI_DSS_321_Monitoring_8 from './pci-dss-3.2.1-monitoring-check-8'
+import Azure_PCI_DSS_321_Monitoring_9 from './pci-dss-3.2.1-monitoring-check-9'
+import Azure_PCI_DSS_321_Monitoring_10 from './pci-dss-3.2.1-monitoring-check-10'
+import Azure_PCI_DSS_321_Monitoring_11 from './pci-dss-3.2.1-monitoring-check-11'
+import Azure_PCI_DSS_321_Monitoring_12 from './pci-dss-3.2.1-monitoring-check-12'
+import Azure_PCI_DSS_321_Monitoring_13 from './pci-dss-3.2.1-monitoring-check-13'
 import Azure_PCI_DSS_321_Monitoring_14 from './pci-dss-3.2.1-monitoring-check-14'
+import Azure_PCI_DSS_321_Network_Access_1 from './pci-dss-3.2.1-network-access-check-1'
+import Azure_PCI_DSS_321_Network_Access_2 from './pci-dss-3.2.1-network-access-check-2'
+import Azure_PCI_DSS_321_Network_Access_3 from './pci-dss-3.2.1-network-access-check-3'
+import Azure_PCI_DSS_321_Network_Access_4 from './pci-dss-3.2.1-network-access-check-4'
 import Azure_PCI_DSS_321_Networking_1 from './pci-dss-3.2.1-networking-check-1'
 import Azure_PCI_DSS_321_Networking_2 from './pci-dss-3.2.1-networking-check-2'
+import Azure_PCI_DSS_321_Networking_3 from './pci-dss-3.2.1-networking-check-3'
+import Azure_PCI_DSS_321_Policy_Version_1 from './pci-dss-3.2.1-policy-version-check-1'
+import Azure_PCI_DSS_321_User_1 from './pci-dss-3.2.1-user-check-1'
 
 export default [
+  Azure_PCI_DSS_321_Encryption_1,
+  Azure_PCI_DSS_321_Encryption_2,
+  Azure_PCI_DSS_321_Encryption_3,
+  Azure_PCI_DSS_321_Encryption_4,
   Azure_PCI_DSS_321_Monitoring_1,
   Azure_PCI_DSS_321_Monitoring_2,
   Azure_PCI_DSS_321_Monitoring_3,
   Azure_PCI_DSS_321_Monitoring_4,
+  Azure_PCI_DSS_321_Monitoring_5,
+  Azure_PCI_DSS_321_Monitoring_6,
+  Azure_PCI_DSS_321_Monitoring_7,
+  Azure_PCI_DSS_321_Monitoring_8,
+  Azure_PCI_DSS_321_Monitoring_9,
+  Azure_PCI_DSS_321_Monitoring_10,
+  Azure_PCI_DSS_321_Monitoring_11,
+  Azure_PCI_DSS_321_Monitoring_12,
+  Azure_PCI_DSS_321_Monitoring_13,
   Azure_PCI_DSS_321_Monitoring_14,
+  Azure_PCI_DSS_321_Network_Access_1,
+  Azure_PCI_DSS_321_Network_Access_2,
+  Azure_PCI_DSS_321_Network_Access_3,
+  Azure_PCI_DSS_321_Network_Access_4,
   Azure_PCI_DSS_321_Networking_1,
   Azure_PCI_DSS_321_Networking_2,
+  Azure_PCI_DSS_321_Networking_3,
+  Azure_PCI_DSS_321_Policy_Version_1,
+  Azure_PCI_DSS_321_User_1,
 ]

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-1.ts

@@ -0,0 +1,55 @@
+// similar to CIS 9.2
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-1',  
+  title: 'Encryption Check 1: App Service web apps should have \'HTTPS only\' enabled',
+  
+  description: 'Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.',
+  
+  audit: `**From Azure Console**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to App Services
+  3. Click on each App
+  4. Under Setting section, Click on SSL settings
+  5. Ensure that HTTPS Only set to On under Protocol Settings
+  
+  **Using Azure Command Line Interface**  
+  To check HTTPS-only traffic value for an existing app, run the following command,
+  
+      az webapp show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query httpsOnly
+  
+  The output should return true if HTTPS-only traffic value is set to On.`,
+  
+  rationale: 'Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. So it is important to support HTTPS for the security benefits.',
+  
+  remediation: `**From Azure Console**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to App Services
+  3. Click on each App
+  4. Under Setting section, Click on SSL settings
+  5. Set HTTPS Only to On under Protocol Settings section
+  
+  Using Azure Command Line Interface To set HTTPS-only traffic value for an existing app, run the following command:
+  
+      az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true`,
+  
+  references: [
+      'https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https',
+      'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+      'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic',
+  ],
+  gql: `{
+    queryazureAppServiceWebApp {
+      id
+      __typename
+      httpsOnly
+    }
+  }`,
+  resource: 'queryazureAppServiceWebApp[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.httpsOnly',
+    equal: true,
+  },
+}

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-2.ts

@@ -0,0 +1,61 @@
+// similar to CIS 4.3.2
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-2',  
+  title: 'Encryption Check 2: MySQL Database server \'enforce SSL connection\' should be enabled',
+  
+  description: 'Enable SSL connection on MYSQL Servers.',
+  
+  audit: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure- list text here.com
+  2. Go to Azure Database for MySQL server
+  3. For each database, click on Connection security
+  4. In SSL settings
+  5. Ensure Enforce SSL connection is set to ENABLED.
+  
+  **Using Azure Command Line Interface 2.0**  
+  Ensure the output of the below command returns ENABLED.
+  
+    az mysql server show --resource-group myresourcegroup --name <resourceGroupName> --query sslEnforcement`,
+  
+  rationale: `SSL connectivity helps to provide a new layer of security, by connecting database server to
+  client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between
+  database server and client applications helps protect against "man in the middle" attacks
+  by encrypting the data stream between the server and application.`,
+  
+  remediation: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to Azure Database for MySQL server
+  3. For each database, click on Connection security
+  4. In SSL settings
+  5. Click on ENABLED for Enforce SSL connection
+  
+  **Using Azure Command Line Interface 2.0**  
+  Use the below command to set MYSQL Databases to Enforce SSL connection.
+  
+    az mysql server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled`,
+  
+  references: [
+    'https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security',
+    'https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+  ],  
+  gql: `{
+    queryazureMySqlServer {
+      id
+      __typename       
+      sslEnforcement
+    }
+  }`,
+  resource: 'queryazureMySqlServer[*]',
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.sslEnforcement',
+        equal: 'Enabled',
+      },
+    ],
+  },
+}

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-3.ts

@@ -0,0 +1,60 @@
+// similar to CIS 4.3.1
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-3',  
+  title: 'Encryption Check 3: PostgreSQL Database server \'enforce SSL connection\' should be enabled',
+  
+  description: 'Enable SSL connection on PostgreSQL Servers.',
+  
+  audit: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to Azure Database for PostgreSQL server
+  3. For each database, click on Connection security
+  4. In SSL settings
+  5. Ensure Enforce SSL connection is set to ENABLED.
+  
+  **Using Azure Command Line Interface 2.0**  
+  Ensure the output of the below command returns ENABLED.
+  
+    az postgres server show --resource-group myresourcegroup --name <resourceGroupName> --query sslEnforcement`,
+  
+  rationale: `SSL connectivity helps to provide a new layer of security, by connecting database server
+  to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between
+  database server and client applications helps protect against "man in the middle" attacks
+  by encrypting the data stream between the server and application.`,
+  
+  remediation: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to Azure Database for PostgreSQL server
+  3. For each database, click on Connection security
+  4. In SSL settings.
+  5. Click on ENABLED to Enforce SSL connection
+  
+  **Using Azure Command Line Interface 2.0**  
+  Use the below command to enforce ssl connection for PostgreSQL Database.
+  
+    az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled`,
+  
+  references: [
+    'https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+  ],  
+  gql: `{
+    queryazurePostgreSqlServer {
+      id
+      __typename       
+      sslEnforcement
+    }
+  }`,
+  resource: 'queryazurePostgreSqlServer[*]',
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.sslEnforcement',
+        equal: 'Enabled',
+      },
+    ],
+  },
+}