From 7c0ff1ff6a9a7ab521e8c84df519780fb299e2f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= Date: Mon, 5 Feb 2024 10:58:44 +0100 Subject: [PATCH] feat(azure): New Azure SQLServer related check `sqlserver_auditing_retention_90_days` (#3345) --- .../__init__.py | 0 ...r_auditing_retention_90_days.metadata.json | 30 +++ .../sqlserver_auditing_retention_90_days.py | 33 +++ tests/lib/check/check_test.py | 32 +++ ...lserver_auditing_retention_90_days_test.py | 239 ++++++++++++++++++ 5 files changed, 334 insertions(+) create mode 100644 prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/__init__.py create mode 100644 prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json create mode 100644 prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py create mode 100644 tests/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days_test.py diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/__init__.py b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json new file mode 100644 index 00000000..31396a0b --- /dev/null +++ b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.metadata.json @@ -0,0 +1,30 @@ +{ + "Provider": "azure", + "CheckID": "sqlserver_auditing_retention_90_days", + "CheckTitle": "Ensure that 'Auditing' Retention is 'greater than 90 days'", + "CheckType": [], + "ServiceName": "sqlserver", + "SubServiceName": "", + "ResourceIdTemplate": "", + "Severity": "medium", + "ResourceType": "SQLServer", + "Description": "SQL Server Audit Retention should be configured to be greater than 90 days.", + "Risk": "Audit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.", + "RelatedUrl": "https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing", + "Remediation": { + "Code": { + "CLI": "Set-AzSqlServerAudit -ResourceGroupName resource_group_name -ServerName SQL_Server_name -RetentionInDays 100 -LogAnalyticsTargetState Enabled -WorkspaceResourceId '/subscriptions/subscription_ID/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/workspace_name'", + "NativeIaC": "", + "Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/Sql/auditing-retention.html#", + "Terraform": "https://docs.bridgecrew.io/docs/bc_azr_logging_3" + }, + "Recommendation": { + "Text": "1. Go to SQL servers 2. For each server instance 3. Click on Auditing 4. If storage is selected, expand Advanced properties 5. Set the Retention (days) setting greater than 90 days or 0 for unlimited retention. 6. Select Save", + "Url": "https://learn.microsoft.com/en-us/purview/audit-log-retention-policies" + } + }, + "Categories": [], + "DependsOn": [], + "RelatedTo": [], + "Notes": "" +} diff --git a/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py new file mode 100644 index 00000000..bad55d69 --- /dev/null +++ b/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days.py @@ -0,0 +1,33 @@ +from prowler.lib.check.models import Check, Check_Report_Azure +from prowler.providers.azure.services.sqlserver.sqlserver_client import sqlserver_client + + +class sqlserver_auditing_retention_90_days(Check): + def execute(self) -> Check_Report_Azure: + findings = [] + for subscription, sql_servers in sqlserver_client.sql_servers.items(): + for sql_server in sql_servers: + report = Check_Report_Azure(self.metadata()) + report.subscription = subscription + report.resource_name = sql_server.name + report.resource_id = sql_server.id + has_failed = False + for policy in sql_server.auditing_policies: + if has_failed: + break + if policy.state == "Enabled": + if policy.retention_days <= 90: + report.status = "FAIL" + report.status_extended = f"SQL Server {sql_server.name} from subscription {subscription} has auditing retention less than 91 days." + has_failed = True + else: + report.status = "PASS" + report.status_extended = f"SQL Server {sql_server.name} from subscription {subscription} has auditing retention greater than 90 days." + else: + report.status = "FAIL" + report.status_extended = f"SQL Server {sql_server.name} from subscription {subscription} has auditing disabled." + has_failed = True + + findings.append(report) + + return findings diff --git a/tests/lib/check/check_test.py b/tests/lib/check/check_test.py index 72a517be..c3ffb6a6 100644 --- a/tests/lib/check/check_test.py +++ b/tests/lib/check/check_test.py @@ -101,6 +101,20 @@ expected_packages = [ name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled", ispkg=False, ), + ModuleInfo( + module_finder=FileFinder( + "/root_dir/prowler/providers/azure/services/sqlserver" + ), + name="prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days", + ispkg=True, + ), + ModuleInfo( + module_finder=FileFinder( + "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days" + ), + name="prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days", + ispkg=False, + ), ] @@ -180,6 +194,20 @@ def mock_list_modules(*_): name="prowler.providers.azure.services.sqlserver.sqlserver_tde_encryption_enabled.sqlserver_tde_encryption_enabled", ispkg=False, ), + ModuleInfo( + module_finder=FileFinder( + "/root_dir/prowler/providers/azure/services/sqlserver" + ), + name="prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days", + ispkg=True, + ), + ModuleInfo( + module_finder=FileFinder( + "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days" + ), + name="prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days", + ispkg=False, + ), ] return modules @@ -569,6 +597,10 @@ class Test_Check: "sqlserver_tde_encryption_enabled", "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_tde_encryption_enabled", ), + ( + "sqlserver_auditing_retention_90_days", + "/root_dir/prowler/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days", + ), ] returned_checks = recover_checks_from_provider(provider, service) assert returned_checks == expected_checks diff --git a/tests/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days_test.py b/tests/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days_test.py new file mode 100644 index 00000000..2c873aad --- /dev/null +++ b/tests/providers/azure/services/sqlserver/sqlserver_auditing_retention_90_days/sqlserver_auditing_retention_90_days_test.py @@ -0,0 +1,239 @@ +from unittest import mock +from uuid import uuid4 + +from azure.mgmt.sql.models import ServerBlobAuditingPolicy + +from prowler.providers.azure.services.sqlserver.sqlserver_service import SQL_Server +from tests.providers.azure.azure_fixtures import AZURE_SUSCRIPTION + + +class Test_sqlserver_auditing_retention_90_days: + def test_no_sql_servers(self): + sqlserver_client = mock.MagicMock + sqlserver_client.sql_servers = {} + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days import ( + sqlserver_auditing_retention_90_days, + ) + + check = sqlserver_auditing_retention_90_days() + result = check.execute() + assert len(result) == 0 + + def test_sql_servers_auditing_policy_disabled(self): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + sqlserver_client.sql_servers = { + AZURE_SUSCRIPTION: [ + SQL_Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=[ServerBlobAuditingPolicy(state="Disabled")], + firewall_rules=None, + databases=None, + encryption_protector=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days import ( + sqlserver_auditing_retention_90_days, + ) + + check = sqlserver_auditing_retention_90_days() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has auditing disabled." + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == sql_server_name + assert result[0].resource_id == sql_server_id + + def test_sql_servers_auditing_retention_less_than_90_days(self): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + sqlserver_client.sql_servers = { + AZURE_SUSCRIPTION: [ + SQL_Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=[ + ServerBlobAuditingPolicy(state="Enabled", retention_days=89) + ], + firewall_rules=None, + databases=None, + encryption_protector=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days import ( + sqlserver_auditing_retention_90_days, + ) + + check = sqlserver_auditing_retention_90_days() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has auditing retention less than 91 days." + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == sql_server_name + assert result[0].resource_id == sql_server_id + + def test_sql_servers_auditing_retention_greater_than_90_days(self): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + sqlserver_client.sql_servers = { + AZURE_SUSCRIPTION: [ + SQL_Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=[ + ServerBlobAuditingPolicy(state="Enabled", retention_days=91) + ], + firewall_rules=None, + databases=None, + encryption_protector=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days import ( + sqlserver_auditing_retention_90_days, + ) + + check = sqlserver_auditing_retention_90_days() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has auditing retention greater than 90 days." + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == sql_server_name + assert result[0].resource_id == sql_server_id + + def test_sql_servers_two_auditing_policies_with_auditing_retention_greater_than_90_days( + self, + ): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + sqlserver_client.sql_servers = { + AZURE_SUSCRIPTION: [ + SQL_Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=[ + ServerBlobAuditingPolicy(state="Enabled", retention_days=91), + ServerBlobAuditingPolicy(state="Enabled", retention_days=100), + ], + firewall_rules=None, + databases=None, + encryption_protector=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days import ( + sqlserver_auditing_retention_90_days, + ) + + check = sqlserver_auditing_retention_90_days() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has auditing retention greater than 90 days." + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == sql_server_name + assert result[0].resource_id == sql_server_id + + def test_sql_servers_two_auditing_policies_with_one_auditing_retention_less_than_90_days( + self, + ): + sqlserver_client = mock.MagicMock + sql_server_name = "SQL Server Name" + sql_server_id = str(uuid4()) + sqlserver_client.sql_servers = { + AZURE_SUSCRIPTION: [ + SQL_Server( + id=sql_server_id, + name=sql_server_name, + public_network_access="", + minimal_tls_version="", + administrators=None, + auditing_policies=[ + ServerBlobAuditingPolicy(state="Enabled", retention_days=91), + ServerBlobAuditingPolicy(state="Enabled", retention_days=80), + ], + firewall_rules=None, + databases=None, + encryption_protector=None, + ) + ] + } + + with mock.patch( + "prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days.sqlserver_client", + new=sqlserver_client, + ): + from prowler.providers.azure.services.sqlserver.sqlserver_auditing_retention_90_days.sqlserver_auditing_retention_90_days import ( + sqlserver_auditing_retention_90_days, + ) + + check = sqlserver_auditing_retention_90_days() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == f"SQL Server {sql_server_name} from subscription {AZURE_SUSCRIPTION} has auditing retention less than 91 days." + ) + assert result[0].subscription == AZURE_SUSCRIPTION + assert result[0].resource_name == sql_server_name + assert result[0].resource_id == sql_server_id