feat(CG-1164): add Activity Log Retention

james-zhou-inspire11 · james-zhou-inspire11 · commit ec03e276159d · 2022-10-01T23:07:24.000-05:00
diff --git a/src/azure/pci-dss-3.2.1/README.md b/src/azure/pci-dss-3.2.1/README.md
@@ -55,6 +55,7 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 
 | Rule                   | Description                                                                                                                          |
 | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| data-retention-check-1 | Activity Log Retention should be 365 days or greater                                                                                 |
 | encryption-check-1     | App Service web apps should have 'HTTPS only' enabled                                                                                |
 | encryption-check-2     | MySQL Database server 'enforce SSL connection' should be enabled                                                                     |
 | encryption-check-3     | PostgreSQL Database server 'enforce SSL connection' should be enabled                                                                |
diff --git a/src/azure/pci-dss-3.2.1/rules/index.ts b/src/azure/pci-dss-3.2.1/rules/index.ts
@@ -1,3 +1,4 @@
+import Azure_PCI_DSS_321_Data_Retention1 from './pci-dss-3.2.1-data-retention-check-1'
 import Azure_PCI_DSS_321_Encryption_1 from './pci-dss-3.2.1-encryption-check-1'
 import Azure_PCI_DSS_321_Encryption_2 from './pci-dss-3.2.1-encryption-check-2'
 import Azure_PCI_DSS_321_Encryption_3 from './pci-dss-3.2.1-encryption-check-3'
@@ -27,6 +28,7 @@ import Azure_PCI_DSS_321_Policy_Version_1 from './pci-dss-3.2.1-policy-version-c
 import Azure_PCI_DSS_321_User_1 from './pci-dss-3.2.1-user-check-1'
 
 export default [
+  Azure_PCI_DSS_321_Data_Retention1,
   Azure_PCI_DSS_321_Encryption_1,
   Azure_PCI_DSS_321_Encryption_2,
   Azure_PCI_DSS_321_Encryption_3,
diff --git a/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-data-retention-check-1.ts b/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-data-retention-check-1.ts
@@ -0,0 +1,86 @@
+export default {
+  id: 'pci-dss-3.2.1-data-retention-check-1',
+  title: 'Activity Log Retention should be 365 days or greater',
+
+  description: 'A log profile controls how the activity log is exported and retained. Since the average time to detect a breach is 210 days, the activity log should be retained for 365 days or more in order to have time to respond to any incidents.',
+
+  audit: '',
+
+  rationale: '',
+
+  remediation: `**From Azure Console**
+  
+  Note that log profiles are now a legacy method for sending the activity log to Azure storage or event hubs.
+
+  - Navigate to [Monitoring > Activity Log](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/activityLog).
+  - Click Diagnostic settings and select “Looking for the legacy experience? Click here to launch the ‘Export activity log’ blade.”
+  - Select the Subscription from the drop-down.
+  - Select the desired regions.
+  - Select one or both of the following:
+    - Export to a storage account. Select a storage account.
+    - Export to an event hub. Select a service bus namespace.
+  - Set the retention period to 365 days or greater. 0 means logs are kept forever.
+  - Click Save.
+
+  **Azure CLI**  
+
+  List all log profiles:
+
+    az monitor log-profiles list
+
+  Remove the log-profile by using the value from the name property:
+
+    az monitor log-profiles delete --name "<log profile name>"
+
+    - To create a log profile, use the az monitor log-profiles create command with the desired flags (see the Azure documentation for details):
+  
+    az monitor log-profiles create --categories create
+                                --days
+                                --enabled true
+                                --location
+                                --locations
+                                --name
+                                [--service-bus-rule-id]
+                                [--storage-account-id]
+                                [--subscription]
+                                [--tags]
+  `,
+
+  references: [
+    'https://docs.microsoft.com/en-us/azure/azure-monitor/platform/platform-logs-overview',
+    'https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log#legacy-collection-methods',
+    'https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az-monitor-log-profiles-create',
+  ],
+  gql: `
+    queryazureLogProfile {
+      id
+      __typename
+      retentionPolicy {
+        enabled
+        days
+      }
+    }
+  `,
+  resource: 'queryazureLogProfile[*]',
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.retentionPolicy.enabled',
+        equal: true,
+      },
+      {
+        or: [
+          {
+            path: '@.retentionPolicy.days',
+            equal: 0,
+          },
+          {
+            path: '@.retentionPolicy.days',
+            greaterThanInclusive: 365,
+          },
+        ]
+      },
+    ], 
+  },
+}
diff --git a/src/azure/pci-dss-3.2.1/tests/pci-dss-3.2.1-data-retention-check.test.ts b/src/azure/pci-dss-3.2.1/tests/pci-dss-3.2.1-data-retention-check.test.ts
@@ -0,0 +1,83 @@
+import { Rule, Result, Engine } from '@cloudgraph/sdk'
+import cuid from 'cuid'
+import { initRuleEngine } from '../../../utils/test'
+
+import Azure_PCI_DSS_321_Data_Retention_Check_1 from '../rules/pci-dss-3.2.1-data-retention-check-1'
+
+export interface RetentionPolicy {
+  enabled: boolean
+  days: number
+}
+
+export interface QueryazureLogProfile {
+  id: string
+  name?: string
+  locations?: string[]
+  categories?: string[]
+  retentionPolicy?: RetentionPolicy | null
+}
+
+export interface PCIQueryResponse {
+  queryazureLogProfile?: QueryazureLogProfile[]
+}
+
+describe('PCI Data Security Standard: 3.2.1', () => {
+  let rulesEngine: Engine
+  beforeAll(() => {
+    rulesEngine = initRuleEngine('azure', 'PCI')
+  })
+
+  describe('Retention Check 1: Activity Log Retention should be 365 days or greater', () => {
+    const getTestRuleFixture = (
+      enabled: boolean,
+      days: number,
+    ): PCIQueryResponse => {
+      return {
+        queryazureLogProfile: [
+          {
+            id: cuid(),
+            retentionPolicy: {
+              enabled,
+              days,
+            },
+          },
+        ],
+      }
+    }
+
+    // Act
+    const testRule = async (
+      data: PCIQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Azure_PCI_DSS_321_Data_Retention_Check_1 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when Monitor audit profile log retention day is 0 means logs are kept forever', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 0)
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when Monitor audit profile log is less than 365 days', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 364)
+      await testRule(data, Result.FAIL)
+    })
+
+    test('No Security Issue when Monitor audit profile log retention day is 365 days', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 365)
+      await testRule(data, Result.PASS)
+    })
+
+    test('No Security Issue when Monitor audit profile log retention day is more than 365 days', async () => {
+      const data: PCIQueryResponse = getTestRuleFixture(true, 366)
+      await testRule(data, Result.PASS)
+    })
+  })
+})
