// CheckActivityLogRetentionSet registers AVD-AZU-0031: every managed Azure
// Monitor log profile must have its retention policy enabled with a retention
// period of at least 365 days. A disabled policy is reported against the
// Enabled value, a too-short period against the Days value, and any other
// managed profile is recorded as passed.
var CheckActivityLogRetentionSet = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AZU-0031",
		Provider:    providers.AzureProvider,
		Service:     "monitor",
		ShortCode:   "activity-log-retention-set",
		Summary:     "Ensure the activity retention log is set to at least a year",
		Impact:      "Short life activity logs can lead to missing records when investigating a breach",
		Resolution:  "Set a retention period that will allow for delayed investigation",
		Explanation: `The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformActivityLogRetentionSetGoodExamples,
			BadExamples:         terraformActivityLogRetentionSetBadExamples,
			Links:               terraformActivityLogRetentionSetLinks,
			RemediationMarkdown: terraformActivityLogRetentionSetRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results rules.Results) {
		for _, lp := range s.Azure.Monitor.LogProfiles {
			// Profiles not defined by the scanned configuration carry no
			// retention settings to evaluate.
			if lp.IsUnmanaged() {
				continue
			}
			policy := lp.RetentionPolicy
			switch {
			case policy.Enabled.IsFalse():
				results.Add(
					"Profile does not enable the log retention policy.",
					policy.Enabled,
				)
			case policy.Days.LessThan(365):
				// 365 days is the minimum retention the rule summary demands.
				results.Add(
					"Profile has a log retention policy of less than 1 year.",
					policy.Days,
				)
			default:
				results.AddPassed(&lp)
			}
		}
		return results
	},
)
// CheckCaptureAllActivities registers AVD-AZU-0033: every managed Azure
// Monitor log profile must include the "Action", "Write" and "Delete"
// categories, as decided by hasCategory. One result is added per missing
// category; a profile with nothing missing is recorded as passed.
var CheckCaptureAllActivities = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AZU-0033",
		Provider:    providers.AzureProvider,
		Service:     "monitor",
		ShortCode:   "capture-all-activities",
		Summary:     "Ensure log profile captures all activities",
		Impact:      "Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation",
		Resolution:  "Configure log profile to capture all activities",
		Explanation: `Log profiles should capture all categories to ensure that all events are logged`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log",
			"https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create-required-parameters",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformCaptureAllActivitiesGoodExamples,
			BadExamples:         terraformCaptureAllActivitiesBadExamples,
			Links:               terraformCaptureAllActivitiesLinks,
			RemediationMarkdown: terraformCaptureAllActivitiesRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results rules.Results) {
		for _, lp := range s.Azure.Monitor.LogProfiles {
			// Profiles not defined by the scanned configuration are out of scope.
			if lp.IsUnmanaged() {
				continue
			}
			missing := 0
			// Each required category yields its own finding so the report
			// names exactly what is absent.
			for _, category := range [...]string{"Action", "Write", "Delete"} {
				if hasCategory(lp, category) {
					continue
				}
				missing++
				results.Add(
					fmt.Sprintf("Log profile does not require the '%s' category.", category),
					&lp,
				)
			}
			if missing == 0 {
				results.AddPassed(&lp)
			}
		}
		return results
	},
)
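// CheckCaptureAllRegions registers AVD-AZU-0032: every managed Azure Monitor
// log profile must cover all regions, as determined by findMissingRegions.
// The finding lists the missing regions by name when there are fewer than
// ten of them and otherwise only gives their count; a profile with no
// missing regions is recorded as passed.
var CheckCaptureAllRegions = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AZU-0032",
		Provider:    providers.AzureProvider,
		Service:     "monitor",
		ShortCode:   "capture-all-regions",
		// NOTE(review): "activitys" is a typo, but this text is user-facing and
		// is left as published.
		Summary:     "Ensure activitys are captured for all locations",
		Impact:      "Activity may be occurring in locations that aren't being monitored",
		Resolution:  "Enable capture for all locations",
		Explanation: `Log profiles should capture all regions to ensure that all events are logged`,
		Links: []string{
			"https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create-required-parameters",
		},
		Terraform: &rules.EngineMetadata{
			GoodExamples:        terraformCaptureAllRegionsGoodExamples,
			BadExamples:         terraformCaptureAllRegionsBadExamples,
			Links:               terraformCaptureAllRegionsLinks,
			RemediationMarkdown: terraformCaptureAllRegionsRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results rules.Results) {
		for _, profile := range s.Azure.Monitor.LogProfiles {
			// Skip profiles that are not defined by the scanned configuration,
			// consistent with the other monitor checks in this package: their
			// location list is not visible to the scanner, so evaluating them
			// would only produce noise (confirm against findMissingRegions'
			// handling of unmanaged input).
			if profile.IsUnmanaged() {
				continue
			}
			missing := findMissingRegions(profile)
			if len(missing) == 0 {
				results.AddPassed(&profile)
				continue
			}
			// Keep the finding readable: name the regions only for short lists.
			details := fmt.Sprintf("%d regions missing", len(missing))
			if len(missing) < 10 {
				details = fmt.Sprintf("missing: %s", strings.Join(missing, ", "))
			}
			results.Add(
				fmt.Sprintf("Log profile does not log to all regions (%s).", details),
				&profile,
			)
		}
		return results
	},
)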