feat(CG-1176): merge from alpha conflict resolved

cloudgraphdev · Sep 14, 2022 · 8be4624 · 8be4624
2 parents 257254f + 97ff5d5
commit 8be4624
Show file tree

Hide file tree

Showing 11 changed files with 1,859 additions and 0 deletions.
diff --git a/src/azure/pci-dss-3.2.1/README.md b/src/azure/pci-dss-3.2.1/README.md
@@ -59,6 +59,14 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 | monitoring-check-2     | Monitor audit profile should log all activities                                                                                      |
 | monitoring-check-3     | Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled                                               |
 | monitoring-check-4     | Monitor log profile should be created                                                                                                |
+| monitoring-check-5     | Monitor Activity Log Alert should exist for Create or Update Network Security Group                                                  |
+| monitoring-check-6     | Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule                                             |
+| monitoring-check-7     | Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule                                      |
+| monitoring-check-8     | Monitor Activity Log Alert should exist for Create or Update Security Solution                                                       |
+| monitoring-check-9     | Monitor Activity Log Alert should exist for Create Policy Assignment                                                                 |
+| monitoring-check-10    | Monitor Activity Log Alert should exist for Delete Network Security Group                                                            |
+| monitoring-check-11    | Monitor Activity Log Alert should exist for Delete Network Security Group Rule                                                       |
+| monitoring-check-12    | Monitor Activity Log Alert should exist for Delete Security Solution                                                                 |
 | network-access-check-1 | MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                      |
 | network-access-check-2 | PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                 |
 | network-access-check-3 | SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0                                                 |

diff --git a/src/azure/pci-dss-3.2.1/rules/index.ts b/src/azure/pci-dss-3.2.1/rules/index.ts
@@ -1,23 +1,43 @@
 import Azure_PCI_DSS_321_Monitoring_1 from './pci-dss-3.2.1-monitoring-check-1'
 import Azure_PCI_DSS_321_Monitoring_2 from './pci-dss-3.2.1-monitoring-check-2'
 import Azure_PCI_DSS_321_Monitoring_3 from './pci-dss-3.2.1-monitoring-check-3'
+import Azure_PCI_DSS_321_Monitoring_4 from './pci-dss-3.2.1-monitoring-check-4'
+import Azure_PCI_DSS_321_Monitoring_5 from './pci-dss-3.2.1-monitoring-check-5'
+import Azure_PCI_DSS_321_Monitoring_6 from './pci-dss-3.2.1-monitoring-check-6'
+import Azure_PCI_DSS_321_Monitoring_7 from './pci-dss-3.2.1-monitoring-check-7'
+import Azure_PCI_DSS_321_Monitoring_8 from './pci-dss-3.2.1-monitoring-check-8'
+import Azure_PCI_DSS_321_Monitoring_9 from './pci-dss-3.2.1-monitoring-check-9'
+import Azure_PCI_DSS_321_Monitoring_10 from './pci-dss-3.2.1-monitoring-check-10'
+import Azure_PCI_DSS_321_Monitoring_11 from './pci-dss-3.2.1-monitoring-check-11'
+import Azure_PCI_DSS_321_Monitoring_12 from './pci-dss-3.2.1-monitoring-check-12'
 import Azure_PCI_DSS_321_Network_Access_1 from './pci-dss-3.2.1-network-access-check-1'
 import Azure_PCI_DSS_321_Network_Access_2 from './pci-dss-3.2.1-network-access-check-2'
 import Azure_PCI_DSS_321_Network_Access_3 from './pci-dss-3.2.1-network-access-check-3'
 import Azure_PCI_DSS_321_Network_Access_4 from './pci-dss-3.2.1-network-access-check-4'
 import Azure_PCI_DSS_321_Networking_1 from './pci-dss-3.2.1-networking-check-1'
 import Azure_PCI_DSS_321_Networking_2 from './pci-dss-3.2.1-networking-check-2'
+import Azure_PCI_DSS_321_Networking_3 from './pci-dss-3.2.1-networking-check-3'
 import Azure_PCI_DSS_321_Policy_Version_1 from './pci-dss-3.2.1-policy-version-check-1'
 
 export default [
   Azure_PCI_DSS_321_Monitoring_1,
   Azure_PCI_DSS_321_Monitoring_2,
   Azure_PCI_DSS_321_Monitoring_3,
+  Azure_PCI_DSS_321_Monitoring_4,
+  Azure_PCI_DSS_321_Monitoring_5,
+  Azure_PCI_DSS_321_Monitoring_6,
+  Azure_PCI_DSS_321_Monitoring_7,
+  Azure_PCI_DSS_321_Monitoring_8,
+  Azure_PCI_DSS_321_Monitoring_9,
+  Azure_PCI_DSS_321_Monitoring_10,
+  Azure_PCI_DSS_321_Monitoring_11,
+  Azure_PCI_DSS_321_Monitoring_12,
   Azure_PCI_DSS_321_Network_Access_1,
   Azure_PCI_DSS_321_Network_Access_2,
   Azure_PCI_DSS_321_Network_Access_3,
   Azure_PCI_DSS_321_Network_Access_4,
   Azure_PCI_DSS_321_Networking_1,
   Azure_PCI_DSS_321_Networking_2,
+  Azure_PCI_DSS_321_Networking_3,
   Azure_PCI_DSS_321_Policy_Version_1,
 ]
diff --git a/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-10.ts b/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-10.ts
@@ -0,0 +1,168 @@
+export default {
+  id: 'pci-dss-3.2.1-monitoring-check-10',  
+  title: 'Monitoring Check 10: Monitor Activity Log Alert should exist for Delete Network Security Group',  
+
+  description: 'Create an activity log alert for the Delete Network Security Group event.',
+
+  audit: `**From Azure Console**
+  
+  1. Navigate to Monitor' / 'Alerts
+  2. Select Manage alert rules
+  3. Click on the Alert Name where Condition contains operationName equals
+  Microsoft.Network/networkSecurityGroups/delete
+  4. Hover a mouse over Condition to ensure it is set to Whenever the Administrative
+  Activity Log "Delete Network Security Group (networkSecurityGroups)"
+  has "any" level with "any" status and event is initiated by "any"
+  
+  **Using Azure Command Line Interface 2.0**  
+  
+    az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
+    bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type:application/json" https://management.azure.com/subscriptions/$0/providers/microsoft.insights/activityLogAlerts?api-version=2017-04-01' | jq '.|.value[]|{location:.location,scopes:.properties.scopes,"condition":.properties.condition.allOf|.[]|select(.field=="operationName" and .equals=="microsoft.network/networksecuritygroups/delete"),enabled:.properties.enabled}'
+  
+  Ensure that an alert exists where:
+  - location is set to Global
+  - Scopes is set to entire subscription that is /subscriptions/<Subscription_ID>
+  - Enabled set to True
+  - Condition Matches:
+
+    {
+      "location": "Global",
+      "scopes": [
+        "/subscriptions/<Subscription_ID>"
+      ],
+      "condition": {
+        "field": "operationName",
+        "equals": "microsoft.network/networksecuritygroups/delete",
+        "containsAny": null
+      },
+      "enabled": true
+    }`,
+
+  rationale: 'Monitoring for "Delete Network Security Group" events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.',  
+
+  remediation: `**From Azure Console**
+  
+  1. Go to Monitor
+  2. Select Alerts
+  3. Click On New Alert Rule
+  4. Under Scope, click Select resource
+  5. Select the appropriate subscription under Filter by subscription
+  6. Select Network Security Groups under Filter by resource type
+  7. Select All for Filter by location
+  8. Click on the subscription resource from the entries populated under Resource
+  9. Click Done
+  10. Verify Selection preview shows Network Security Groups and your selected
+  subscription name
+  11. Under Condition click Add Condition
+  12. Select Delete Network Security Group signal
+  13. Click Done
+  14. Under Action group, select Add action groups and complete creation process or
+  select appropriate action group
+  15. Under Alert rule details, enter Alert rule name and Description
+  16. Select appropriate resource group to save the alert to
+  17. Check Enable alert rule upon creation checkbox
+  18. Click Create alert rule
+  
+  Use the below command to create an Activity Log Alert for Delete Network Security Groups
+  
+    az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
+    bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type:application/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ToCreate_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'
+  
+  Where input.json contains the Request body JSON data as mentioned below.
+  
+    {
+      "location": "Global",
+      "tags": {},
+      "properties": {
+      "scopes": [
+        "/subscriptions/<Subscription_ID>"
+      ],
+      "enabled": true,
+      "condition": {
+        "allOf": [
+        {
+          "containsAny": null,
+          "equals": "Administrative",
+          "field": "category"
+        },
+        {
+          "containsAny": null,
+          "equals": "Microsoft.Network/networkSecurityGroups/delete",
+          "field": "operationName"
+        }
+        ]
+      },
+      "actions": {
+        "actionGroups": [
+        {
+          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
+          "webhookProperties": null
+        }
+        ]
+      },
+      }
+    }
+
+  Configurable Parameters for command line:
+
+    <Resource_Group_To Create_Alert_In>
+    <Unique_Alert_Name>
+
+  Configurable Parameters for input.json:
+
+    <Subscription_ID> in scopes
+    <Subscription_ID> in actionGroupId
+    <Resource_Group_For_Alert_Group> in actionGroupId
+    <Alert_Group> in actionGroupId`,
+
+  references: [
+    'https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement',
+    'https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log',
+    'https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate',
+    'https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources'
+  ],  
+  gql: `{
+    queryazureSubscription {
+      id
+      __typename
+      activityLogAlerts {
+        enabled
+        condition {
+          allOf {
+            field
+            equals
+          }
+        }
+      }
+    }
+  }`,
+  resource: 'queryazureSubscription[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.activityLogAlerts',
+    array_any: {
+      and: [
+        {
+          path: '[*].enabled',
+          equal: true,
+        },
+        {
+          path: '[*].condition.allOf',
+          array_any: {
+            and: [
+              {
+                path: '[*].field',
+                equal: 'operationName',
+              },
+              {
+                path: '[*].equals',
+                equal: 'microsoft.network/networksecuritygroups/delete',
+              },
+            ],
+          },
+        },
+      ],
+    },
+  },
+}
diff --git a/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-11.ts b/src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-monitoring-check-11.ts
@@ -0,0 +1,169 @@
+export default {
+  id: 'pci-dss-3.2.1-monitoring-check-11',  
+  title: 'Monitoring Check 11: Monitor Activity Log Alert should exist for Delete Network Security Group Rule',  
+
+  description: 'Create an activity log alert for the Delete Network Security Group Rule event.',
+
+  audit: `**From Azure Console**
+  
+  1. Navigate to Monitor' / 'Alerts
+  2. Select Manage alert rules
+  3. Click on the Alert Name where Condition contains operationName equals
+  Microsoft.Network/networkSecurityGroups/securityRules/delete
+  4. Hover a mouse over Condition to ensure it is set to Whenever the Administrative
+  Activity Log "Delete Security Rule
+  (networkSecurityGroups/securityRules)" has "any" level with "any"
+  status and event is initiated by "any"
+  
+  **Using Azure Command Line Interface 2.0**  
+  
+    az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
+    bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type:application/json" https://management.azure.com/subscriptions/$0/providers/microsoft.insights/activityLogAlerts?api-version=2017-04-01' | jq '.|.value[]|{location:.location,scopes:.properties.scopes,"condition":.properties.condition.allOf|.[]|select(.field=="operationName" and .equals=="microsoft.network/networksecuritygroups/securityrules/delete"),enabled:.properties.enabled}'
+  
+  Ensure that an alert exists where:
+  - location is set to Global
+  - Scopes is set to entire subscription that is /subscriptions/<Subscription_ID>
+  - Enabled set to True
+  - Condition Matches:
+
+    {
+      "location": "Global",
+      "scopes": [
+        "/subscriptions/<Subscription_ID>"
+      ],
+      "condition": {
+        "field": "operationName",
+        "equals": "microsoft.network/networksecuritygroups/securityrules/delete",
+        "containsAny": null
+      },
+      "enabled": true
+    }`,
+
+  rationale: 'Monitoring for Delete Network Security Group Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.',  
+
+  remediation: `**From Azure Console**
+  
+  1. Go to Monitor
+  2. Select Alerts
+  3. Click On New Alert Rule
+  4. Under Scope, click Select resource
+  5. Select the appropriate subscription under Filter by subscription
+  6. Select Network Security Group Rules under Filter by resource type
+  7. Select All for Filter by location
+  8. Click on the subscription resource from the entries populated under Resource
+  9. Click Done
+  10. Verify Selection preview shows Network Security Group Rules and your selected
+  subscription name
+  11. Under Condition click Add Condition
+  12. Select Delete Network Security Group Rule signal
+  13. Click Done
+  14. Under Action group, select Add action groups and complete creation process or
+  select appropriate action group
+  15. Under Alert rule details, enter Alert rule name and Description
+  16. Select appropriate resource group to save the alert to
+  17. Check Enable alert rule upon creation checkbox
+  18. Click Create alert rule
+  
+  Use the below command to create an Activity Log Alert for Delete Network Security Groups rule
+  
+    az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1
+    bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type:application/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_ToCreate_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'
+  
+  Where input.json contains the Request body JSON data as mentioned below.
+  
+    {
+      "location": "Global",
+      "tags": {},
+      "properties": {
+        "scopes": [
+          "/subscriptions/<Subscription_ID>"
+        ],
+        "enabled": true,
+        "condition": {
+        "allOf": [
+        {
+          "containsAny": null,
+          "equals": "Administrative",
+          "field": "category"
+        },
+        {
+          "containsAny": null,
+          "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
+          "field": "operationName"
+        }
+        ]
+      },
+      "actions": {
+        "actionGroups": [
+        {
+          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
+          "webhookProperties": null
+        }
+        ]
+      },
+      }
+    }
+
+  Configurable Parameters for command line:
+
+    <Resource_Group_To Create_Alert_In>
+    <Unique_Alert_Name>
+
+  Configurable Parameters for input.json:
+
+    <Subscription_ID> in scopes
+    <Subscription_ID> in actionGroupId
+    <Resource_Group_For_Alert_Group> in actionGroupId
+    <Alert_Group> in actionGroupId`,
+
+  references: [
+    'https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement',
+    'https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log',
+    'https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate',
+    'https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources',
+  ],  
+  gql: `{
+    queryazureSubscription {
+      id
+      __typename
+      activityLogAlerts {
+        enabled
+        condition {
+          allOf {
+            field
+            equals
+          }
+        }
+      }
+    }
+  }`,
+  resource: 'queryazureSubscription[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.activityLogAlerts',
+    array_any: {
+      and: [
+        {
+          path: '[*].enabled',
+          equal: true,
+        },
+        {
+          path: '[*].condition.allOf',
+          array_any: {
+            and: [
+              {
+                path: '[*].field',
+                equal: 'operationName',
+              },
+              {
+                path: '[*].equals',
+                equal: 'microsoft.network/networksecuritygroups/securityrules/delete',
+              },
+            ],
+          },
+        },
+      ],
+    },
+  },
+}