
Commit 10aa667

committed
Add new rules and ruleset for Azure database services 2.0
1 parent b7b0497 commit 10aa667

334 files changed

Lines changed: 7462 additions & 0 deletions

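--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_1>
@@ -0,0 +1,125 @@
+{
+"args": [],
+"provider": "Azure",
+"serviceType": "Database for MySQL",
+"serviceName": "Databases",
+"displayName": "Ensure Azure Database for MySQL uses only Microsoft Entra Authentication",
+"description": "Ensuring that Microsoft Entra Authentication is the only authentication method prevents the local MySQL authentication from being used.",
+"rationale": "The use of a centralized Identity and Access Management (IAM) solution such as Microsoft Entra ID is highly recommended for all activity related to Identity, Authentication, Authorization, and Accountability.<br/><br/>Decentralized IAM *such as local authentication methods* may present additional vulnerability and introduce avoidable administrative complexity.",
+"impact": "",
+"remediation": {
+"text": "
+##### Audit from Azure Portal
+1. From Azure Database for MySQL select a server to remediate.
+2. Under the Security section, click Authentication
+3. In the main window, under the Authentication header where `Assign Access to:` provides three options, select Microsoft Entra authentication only.
+",
+"code": {
+"powerShell": null,
+"iac": null,
+"terraform": null,
+"other": null
+}
+},
+"recommendation": null,
+"references": [
+"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/security-how-to-entra",
+"https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-identity-management"
+],
+"compliance": [
+{
+"name": "CIS Microsoft Azure Database Services",
+"version": "2.0.0",
+"reference": "5.2",
+"profile": [
+"Level 1"
+]
+}
+],
+"level": "medium",
+"tags": [],
+"rule": {
+"path": "az_mysql_servers",
+"subPath": null,
+"selectCondition": {},
+"query": [
+{
+"filter": [
+{
+"conditions": [
+[
+"sqlAd.enabled",
+"eq",
+"False"
+]
+]
+}
+]
+}
+],
+"shouldExist": null,
+"returnObject": null,
+"removeIfNotExists": null
+},
+"output": {
+"html": {
+"data": {
+"properties": {
+"name": "Name",
+"location": "location",
+"resourceGroupName": "Resource Group Name",
+"sqlAd.enabled": "Entra Authentication Enabled"
+},
+"expandObject": null
+},
+"table": "default",
+"decorate": [],
+"emphasis": [],
+"actions": {
+"objectData": {
+"properties": [
+"id",
+"name",
+"location",
+"sqlAd"
+],
+"expandObject": null,
+"limit": null
+},
+"showGoToButton": "True",
+"showModalButton": "True",
+"directLink": null
+}
+},
+"text": {
+"data": {
+"properties": {
+"name": "Name",
+"location": "location",
+"resourceGroupName": "Resource Group Name",
+"sqlAd.enabled": "Entra Authentication Enabled"
+},
+"expandObject": null
+},
+"status": {
+"keyName": ["name"],
+"message": "Ensure Azure Database for MySQL uses only Microsoft Entra Authentication for {name}",
+"defaultMessage": null
+},
+"properties": {
+"resourceName": "name",
+"resourceId": "id",
+"resourceType": "type"
+},
+"onlyStatus": false
+}
+},
+"idSuffix": "azure_mysql_entra_authentication_disabled",
+"notes": [],
+"categories": [],
+"immutable_properties": [
+"name",
+"id"
+],
+"id": "azure_mysql_002"
+}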
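Review bot: The single filter `["sqlAd.enabled", "eq", "False"]` only reports servers with Entra authentication switched off, so a server running in mixed mode (Entra plus local MySQL password authentication) passes even though the control, as the displayName says, requires Entra authentication *only*; if the collector exposes the password-authentication setting, a second condition on that attribute is needed for this rule to mean what it claims. What `sqlAd.enabled` maps to on the underlying resource is not visible in this commit, so confirm against the collector before relying on it. The remediation heading `##### Audit from Azure Portal` sits above remediation steps; `##### Remediate from Azure Portal`, as used in the CMK rule of this commit, would be the matching heading. The `text` value also contains raw newlines, which an RFC 8259 parser rejects; if these rule files are loaded by a strict JSON parser the string needs `\n` escapes, and the same applies to the `text` field in the other two MySQL rule files on this page.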
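--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_2>
@@ -0,0 +1,126 @@
+{
+"args": [],
+"provider": "Azure",
+"serviceType": "Database for MySQL",
+"serviceName": "Databases",
+"displayName": "Ensure Azure Database for MySQL uses Customer Managed Keys for Encryption at Rest",
+"description": "Enable sensitive data encryption at rest using Customer Managed Keys (CMK) rather than Microsoft Managed keys (MMK).",
+"rationale": "By default, data in Azure Database for MySQL is encrypted using Microsoft Service- Managed Keys (MMK) which constitutes an implied trust. If an organization wishes to control and manage encryption keys, however, customer-managed keys (CMK) can be supplied. The provided key is used to protect and control access to the key that encrypts the data. You can also choose to automatically update the key version used for Azure Database for MySQL encryption whenever a new version is available in the associated Key Vault.<br/><br/>NOTE: This is primarily recommended where control of encryption keys is specified by compliance or security framework requirements. In many circumstances, Microsoft Managed Key encryption is an acceptable method of accomplishing encryption at rest.",
+"impact": "If the key expires by setting the 'activation date' and 'expiration date', the user must rotate the key manually.<br/><br/>Using Customer Managed Keys may also incur additional man-hour requirements to create, store, manage, and protect the keys as needed.",
+"remediation": {
+"text": "
+##### Remediate from Azure Portal
+1. From Azure Database for MySQL select the server you wish to audit.
+2. In the left column expand > Security.
+3. Select Data Encryption.
+4. Select Customer-managed key.
+5. In the window that opens, use a User assigned managed identity by either creating or selecting one.
+6. Choose a key selection method. For Enter a key identifier, enter the for URL for the key in Azure Key vault. For Select a key, navigate through the menu and choose the location of your key store by subscription, and whether it is a key vault or managed HSM.
+7. Once a key is chosen, select Save. Verify on the next window that your changes have taken effect.
+",
+"code": {
+"powerShell": null,
+"iac": null,
+"terraform": null,
+"other": null
+}
+},
+"recommendation": null,
+"references": [
+"https://learn.microsoft.com/en-us/azure/mysql/flexible-server/security-customer-managed-key"
+],
+"compliance": [
+{
+"name": "CIS Microsoft Azure Database Services",
+"version": "2.0.0",
+"reference": "5.1",
+"profile": [
+"Level 2"
+]
+}
+],
+"level": "medium",
+"tags": [],
+"rule": {
+"path": "az_mysql_servers",
+"subPath": null,
+"selectCondition": {},
+"query": [
+{
+"filter": [
+{
+"conditions": [
+[
+"encryption.type",
+"eq",
+"AzureKeyVault"
+]
+]
+}
+]
+}
+],
+"shouldExist": "true",
+"returnObject": null,
+"removeIfNotExists": null
+},
+"output": {
+"html": {
+"data": {
+"properties": {
+"name": "Name",
+"location": "location",
+"resourceGroupName": "Resource Group Name"
+},
+"expandObject": null
+},
+"table": "default",
+"decorate": [],
+"emphasis": [],
+"actions": {
+"objectData": {
+"properties": [
+"id",
+"name",
+"location",
+"encryption"
+],
+"expandObject": null,
+"limit": null
+},
+"showGoToButton": "True",
+"showModalButton": "True",
+"directLink": null
+}
+},
+"text": {
+"data": {
+"properties": {
+"name": "Name",
+"location": "location",
+"resourceGroupName": "Resource Group Name"
+},
+"expandObject": null
+},
+"status": {
+"keyName": ["name"],
+"message": "Ensure Azure Database for MySQL uses Customer Managed Keys for {name}",
+"defaultMessage": null
+},
+"properties": {
+"resourceName": "name",
+"resourceId": "id",
+"resourceType": "type"
+},
+"onlyStatus": false
+}
+},
+"idSuffix": "azure_mysql_lacks_customer_managed_key",
+"notes": [],
+"categories": [],
+"immutable_properties": [
+"name",
+"id"
+],
+"id": "azure_mysql_001"
+}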
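Review bot: This rule matches the compliant state (`["encryption.type", "eq", "AzureKeyVault"]`) and relies on `"shouldExist": "true"` to turn a non-match into a finding, whereas the other two MySQL rules in this commit match the non-compliant state with `"shouldExist": null`; mixing the two conventions within one ruleset makes each filter's intent harder to read, and a string `"true"` next to fields that use JSON booleans (`"onlyStatus": false`) is worth confirming against the rule schema. If the engine supports it, `["encryption.type", "ne", "AzureKeyVault"]` with `"shouldExist": null` would align this rule with its siblings; how the engine treats a missing `encryption.type` is not visible here and should be checked either way. The html and text `properties` maps also omit the evaluated field; adding `"encryption.type": "Encryption Type"`, as the Entra rule does with `sqlAd.enabled`, would let a reader see why a server was flagged. Minor wording: `Microsoft Service- Managed Keys` in the rationale has a stray space and step 1 of the remediation says `audit` where `remediate` is meant.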
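--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE_3>
@@ -0,0 +1,138 @@
+{
+"args": [],
+"provider": "Azure",
+"serviceType": "Database for MySQL",
+"serviceName": "Databases",
+"displayName": "Ensure Private Endpoints Are Used for Azure MySQL",
+"description": "Private links make resources available via a private endpoint to a network you select.<br/><br/>Tunneling between subscriptions, resource groups, without the need for traditional network routing.",
+"rationale": "For sensitive data, private endpoints allow granular control of which services can communicate with Azure MySQL and ensure that this network traffic is private. This can be set this up on a case by case basis for each service to be connected.",
+"impact": "A private endpoint will expose your MySQL database to the network selected, where it can be accessed by either IP or FQDN.",
+"remediation": {
+"text": "
+##### Audit from Azure Portal
+1. From Azure Database for MySQL flexible servers select a server to audit.
+2. In the column expand > Settings.
+3. Select Networking.
+4. Scroll down to the bottom, and select + Create private endpoint.
+5. Select a subscription and resource group.
+6. Enter an instance name, network interface name, and select the same region that your MySQL server is in.
+7. Verify that the information on Resource is correct. Then select Next
+8. Select the virtual network, and subnet and select Next.
+9. Choose whether to use a dynamic or static IP address and select Next.
+10. Choose Yes or No on Integreate with private DNS zone.
+11. If Yes then select the subscription and resource group, then select Next.
+12. Enter any desired tags, then select Next.
+13. Verify the information, then select Create.
+",
+"code": {
+"powerShell": null,
+"iac": null,
+"terraform": null,
+"other": null
+}
+},
+"recommendation": null,
+"references": [
+"https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql",
+"https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-powershell?tabs=dynamic-ip"
+],
+"compliance": [
+{
+"name": "CIS Microsoft Azure Database Services",
+"version": "2.0.0",
+"reference": "5.4",
+"profile": [
+"Level 2"
+]
+}
+],
+"level": "low",
+"tags": [],
+"rule": {
+"path": "az_mysql_servers",
+"subPath": null,
+"selectCondition": {},
+"query": [
+{
+"filter": [
+{
+"conditions": [
+[
+"ne",
+"privateEndpointConnections.id"
+],
+[
+"networking.privateEndpointConnections.privateLinkServiceConnectionState.status",
+"eq",
+"Approved"
+]
+],
+"operator":"and"
+}
+]
+}
+],
+"shouldExist": null,
+"returnObject": null,
+"removeIfNotExists": null
+},
+"output": {
+"html": {
+"data": {
+"properties": {
+"name": "Name",
+"location": "location",
+"resourceGroupName": "Resource Group Name"
+},
+"expandObject": null
+},
+"table": "default",
+"decorate": [],
+"emphasis": [],
+"actions": {
+"objectData": {
+"properties": [
+"id",
+"name",
+"location",
+"networking"
+],
+"expandObject": null,
+"limit": null
+},
+"showGoToButton": "True",
+"showModalButton": "True",
+"directLink": null
+}
+},
+"text": {
+"data": {
+"properties": {
+"name": "Name",
+"location": "location",
+"resourceGroupName": "Resource Group Name"
+},
+"expandObject": null
+},
+"status": {
+"keyName": ["name"],
+"message": "Ensure Private Endpoints Are Used for {name}",
+"defaultMessage": null
+},
+"properties": {
+"resourceName": "name",
+"resourceId": "id",
+"resourceType": "type"
+},
+"onlyStatus": false
+}
+},
+"idSuffix": "azure_mysql_private_endpoint_not_enabled",
+"notes": [],
+"categories": [],
+"immutable_properties": [
+"name",
+"id"
+],
+"id": "azure_mysql_004"
+}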
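Review bot: The first condition `["ne", "privateEndpointConnections.id"]` has only two elements — an operator followed by a path, with no value — while every other condition in this commit is a `[path, operator, value]` triple, so it is unlikely to evaluate as intended; it also addresses `privateEndpointConnections` without the `networking.` prefix that the second condition uses, so the two conditions appear to read different paths. Read together with `"operator":"and"` and `"shouldExist": null`, the filter seems to match servers that *have* an approved private endpoint, i.e. the compliant state, which contradicts the idSuffix `azure_mysql_private_endpoint_not_enabled`; the engine's semantics are not visible here, so run the rule against a server with no private endpoint and confirm it is reported before shipping. The remediation heading `##### Audit from Azure Portal` sits above remediation steps, and step 10 has `Integreate` for `Integrate`.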
