@aruneko aruneko commented Feb 8, 2023

Summary

I found a bug in the logic of CIS Azure Benchmark v1.3.0 Section 2.12 (policy_assignment_parameters.sql and default_policy_disabled.sql).

The current query takes JSON keys in the property column of the azure_policy_assignments table to make a view. But an actual value of the column is below.

```json
{
    "scope": "/subscriptions/cc9a41f6-4e32-4f28-8326-a3c49e7036a3",
    "metadata": {
        "createdBy": "ae1999e6-b000-4f94-8e1c-ece7b864e35b",
        "createdOn": "2022-08-19T01:36:48.5129096Z",
        "updatedBy": "64fd25ee-36e3-44e9-bf7a-96e411ae909f",
        "updatedOn": "2023-02-08T03:00:27.2551198Z",
        "assignedBy": "Security Center",
        "parameterScopes": {},
        "excludedOutOfTheBoxStandards": [
            "PCI DSS 3.2.1",
            "ISO 27001",
            "SOC TSP"
        ]
    },
    "notScopes": [],
    "parameters": {
        "sqlServerAuditingMonitoringEffect": {
            "value": "Disabled"
        },
        "adaptiveApplicationControlsUpdateMonitoringEffect": {
            "value": "Disabled"
        }
    },
    "description": "This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of onboarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies",
    "displayName": "ASC Default (subscription: cc9a41f6-4e32-4f28-8326-a3c49e7036a3)",
    "enforcementMode": "Default",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
    "nonComplianceMessages": []
}
```

Therefore, the result of taking keys is always the array [scope, metadata, notScopes, parameters, description, displayName, enforcementMode, policyDefinitionId]. It is useless for checking the condition in the rule. The correct logic is taking JSON keys in the parameters field.

And then, when the policy SQL writes to the result table, it only saves the id column on the table. But the id is always the same among the results. We cannot identify which policies are disabled. That's why I concatenated the id and param fields with / to do that.
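The two query shapes described in this PR, side by side, as an added example (this is not CloudQuery's own SQL). It assumes an `azure_policy_assignments` table with `id` and `properties` columns, uses a constructed properties document modelled on the one above with placeholder IDs, and runs the queries in SQLite (`json_each`, `json_extract`) so it works offline; those functions stand in for the PostgreSQL JSON functions the project's `.sql` policies would use.

```python
"""Why the CIS Azure 2.12 check needs the keys of ``parameters``, not of the whole properties object.

Added example, not CloudQuery's code. Assumes an ``azure_policy_assignments`` table with
``id`` and ``properties`` columns; SQLite's JSON functions are used here only so the
example runs offline.
"""
import json
import sqlite3

# Constructed sample, modelled on the properties JSON in the PR description
# (subscription and assignment IDs replaced with placeholders).
ASSIGNMENT_ID = ("/subscriptions/<sub-id>/providers/Microsoft.Authorization"
                 "/policyAssignments/SecurityCenterBuiltIn")
SAMPLE_PROPERTIES = {
    "scope": "/subscriptions/<sub-id>",
    "metadata": {"assignedBy": "Security Center"},
    "notScopes": [],
    "parameters": {
        "sqlServerAuditingMonitoringEffect": {"value": "Disabled"},
        "adaptiveApplicationControlsUpdateMonitoringEffect": {"value": "Disabled"},
        # constructed compliant entry, should not appear in the findings
        "diskEncryptionMonitoringEffect": {"value": "AuditIfNotExists"},
    },
    "displayName": "ASC Default (subscription: <sub-id>)",
    "enforcementMode": "Default",
}

# Before: enumerate keys of the whole properties object. Every ASC Default assignment
# yields the same fixed key list, so no row ever describes an individual policy effect.
BUGGY_SQL = """
SELECT a.id, k.key AS param
FROM azure_policy_assignments a, json_each(a.properties) k
"""

# After: enumerate keys under $.parameters, keep only effects set to Disabled, and make
# the result id unique per policy by appending '/' and the parameter name.
FIXED_SQL = """
SELECT a.id || '/' || p.key AS id, p.key AS param
FROM azure_policy_assignments a, json_each(a.properties, '$.parameters') p
WHERE json_extract(p.value, '$.value') = 'Disabled'
ORDER BY p.key
"""


def load_db(assignment_id, properties):
    """Create an in-memory table shaped like the (assumed) azure_policy_assignments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE azure_policy_assignments (id TEXT, properties TEXT)")
    conn.execute(
        "INSERT INTO azure_policy_assignments VALUES (?, ?)",
        (assignment_id, json.dumps(properties)),
    )
    return conn


def buggy_params(assignment_id=ASSIGNMENT_ID, properties=SAMPLE_PROPERTIES):
    """Keys the original query sees: top-level property names, never policy parameters."""
    conn = load_db(assignment_id, properties)
    return [row[1] for row in conn.execute(BUGGY_SQL)]


def disabled_findings(assignment_id=ASSIGNMENT_ID, properties=SAMPLE_PROPERTIES):
    """Rows the fixed query writes: one unique (id, param) per disabled policy parameter."""
    conn = load_db(assignment_id, properties)
    return [tuple(row) for row in conn.execute(FIXED_SQL)]


if __name__ == "__main__":
    print("buggy keys:", buggy_params())
    for finding in disabled_findings():
        print("disabled  :", finding)
```

Running it prints the fixed top-level key list for the buggy query and two findings for the fixed one, each with a distinct id ending in the parameter name, which is what lets the result table say which policy was disabled rather than repeating one assignment id.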

@cq-bot cq-bot added the azure label Feb 8, 2023
@aruneko aruneko changed the title fix(azure): fix detecting logic for CIS Azure Benchmark v1.3.0 - 2.12 fix(azure): Fix detecting logic for CIS Azure Benchmark v1.3.0 - 2.12 Feb 8, 2023
@erezrokah erezrokah left a comment

Great find @aruneko 🚀

@erezrokah erezrokah added the automerge Automatically merge once required checks pass label Feb 8, 2023
@kodiakhq kodiakhq bot merged commit 56b7ee2 into cloudquery:main Feb 8, 2023
@aruneko aruneko deleted the fix/azure-cis-policies branch February 8, 2023 12:00
kodiakhq bot pushed a commit that referenced this pull request Feb 14, 2023
🤖 I have created a release *beep* *boop*
---


## [4.1.1](plugins-source-azure-v4.1.0...plugins-source-azure-v4.1.1) (2023-02-14)


### Bug Fixes

* **azure:** Fix detecting logic for CIS Azure Benchmark v1.3.0 - 2.12 ([#7807](#7807)) ([56b7ee2](56b7ee2))
* **deps:** Update module github.com/cloudquery/plugin-sdk to v1.36.0 ([#7809](#7809)) ([c85a9cb](c85a9cb))
* **deps:** Update module github.com/cloudquery/plugin-sdk to v1.36.1 ([#7930](#7930)) ([39dccc1](39dccc1))
* **deps:** Update module github.com/cloudquery/plugin-sdk to v1.37.0 ([#7933](#7933)) ([dc9cffb](dc9cffb))
* **deps:** Update module github.com/cloudquery/plugin-sdk to v1.37.1 ([#8008](#8008)) ([c47aac0](c47aac0))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).