Merge pull request #292 from turbot/release/v1.2.0

Release/v1.2.0
turbot · Nov 14, 2024 · 1b21691 · 1b21691
2 parents 0745116 + e576d83
commit 1b21691
Show file tree

Hide file tree

Showing 14 changed files with 143 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,26 @@
+## v1.2.0 [2024-11-14]
+
+_Dependencies_
+
+- Azure plugin `v1.1.0` or higher is now required. ([#290](https://github.com/turbot/steampipe-mod-azure-compliance/pull/290))
+
+_Enhancements_
+
+- Added the following controls to the `All Controls` benchmark: ([#290](https://github.com/turbot/steampipe-mod-azure-compliance/pull/290))
+  - `mysql_flexible_server_audit_logging_enabled`
+  - `mysql_flexible_server_audit_logging_events_connection_set`
+  - `mysql_flexible_server_min_tls_1_2`
+  - `mysql_flexible_server_ssl_enabled`
+  - `postgres_flexible_server_allow_access_to_azure_services_disabled`
+  - `postgres_flexible_server_connection_throttling_on`
+  - `postgres_flexible_server_log_checkpoints_on`
+  - `postgres_flexible_server_log_retention_days_3`
+  - `postgres_sql_flexible_server_ssl_enabled`
+
+_Bug fixes_
+
+- Fixed the `cis_v300_5_2_5` control to correctly use `postgres_flexible_server_allow_access_to_azure_services_disabled` query instead of `postgres_db_server_allow_access_to_azure_services_disabled` query. ([#290](https://github.com/turbot/steampipe-mod-azure-compliance/pull/290))
+
 ## v1.1.0 [2024-10-30]
 
 _What's new?_

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Run checks in a dashboard:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_compliance_dashboard.png)
 
 Or in a terminal:
-![image](https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_cis_v200_console.png)
+![image](https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_cis_v300_console.png)
 
 ## Documentation
 

diff --git a/all_controls/mysql.pp b/all_controls/mysql.pp
@@ -11,6 +11,10 @@
     control.mssql_managed_instance_encryption_at_rest_using_cmk,
     control.mssql_managed_instance_vulnerability_assessment_enabled,
     control.mysql_db_server_geo_redundant_backup_enabled,
+    control.mysql_flexible_server_audit_logging_enabled,
+    control.mysql_flexible_server_audit_logging_events_connection_set,
+    control.mysql_flexible_server_min_tls_1_2,
+    control.mysql_flexible_server_ssl_enabled,
     control.mysql_server_audit_logging_enabled,
     control.mysql_server_audit_logging_events_connection_set,
     control.mysql_server_encrypted_at_rest_using_cmk,

diff --git a/all_controls/postgres.pp b/all_controls/postgres.pp
@@ -17,7 +17,12 @@
     control.postgres_db_server_log_disconnections_on,
     control.postgres_db_server_log_duration_on,
     control.postgres_db_server_log_retention_days_3,
+    control.postgres_flexible_server_allow_access_to_azure_services_disabled,
+    control.postgres_flexible_server_connection_throttling_on,
+    control.postgres_flexible_server_log_checkpoints_on,
+    control.postgres_flexible_server_log_retention_days_3,
     control.postgres_server_private_link_used,
+    control.postgres_sql_flexible_server_ssl_enabled,
     control.postgres_sql_server_encrypted_at_rest_using_cmk,
     control.postgres_sql_ssl_enabled,
     control.postgresql_server_infrastructure_encryption_enabled,

diff --git a/cis_v300/section_5.pp b/cis_v300/section_5.pp
@@ -229,7 +229,7 @@
 control "cis_v300_5_2_5" {
   title         = "5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled"
   description   = "Disable access from Azure services to PostgreSQL flexible server."
-  query         = query.postgres_db_server_allow_access_to_azure_services_disabled
+  query         = query.postgres_flexible_server_allow_access_to_azure_services_disabled
   documentation = file("./cis_v300/docs/cis_v300_5_2_5.md")
 
   tags = merge(local.cis_v300_5_2_common_tags, {

diff --git a/docs/azure_cis_v200_console.png b/docs/azure_cis_v200_console.png
diff --git a/docs/azure_cis_v200_dashboard.png b/docs/azure_cis_v200_dashboard.png
diff --git a/docs/azure_cis_v300_console.png b/docs/azure_cis_v300_console.png
diff --git a/docs/azure_cis_v300_dashboard.png b/docs/azure_cis_v300_dashboard.png
diff --git a/docs/azure_compliance_dashboard.png b/docs/azure_compliance_dashboard.png
diff --git a/docs/index.md b/docs/index.md
@@ -3,8 +3,8 @@
 Run individual configuration, compliance and security controls or full `CIS`, `HIPAA HITRUST`, `NIST` and `PCI DSS` compliance benchmarks across all your Azure subscriptions.
 
 <img src="https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_compliance_dashboard.png" width="50%" type="thumbnail"/>
-<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_cis_v200_dashboard.png" width="50%" type="thumbnail"/>
-<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_cis_v200_console.png" width="50%" type="thumbnail"/>
+<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_cis_v300_dashboard.png" width="50%" type="thumbnail"/>
+<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_cis_v300_console.png" width="50%" type="thumbnail"/>
 <img src="https://raw.githubusercontent.com/turbot/steampipe-mod-azure-compliance/main/docs/azure_hipaa_hitrust_dashboard.png" width="50%" type="thumbnail"/>
 
 ## Documentation

diff --git a/mod.pp b/mod.pp
@@ -15,7 +15,7 @@
 
   require {
     plugin "azure" {
-      min_version = "0.66.0"
+      min_version = "1.1.0"
     }
     plugin "azuread" {
       min_version = "0.0.3"

diff --git a/regulatory_compliance/mysql.pp b/regulatory_compliance/mysql.pp
@@ -133,6 +133,38 @@
   tags = local.regulatory_compliance_mysql_common_tags
 }
 
+control "mysql_flexible_server_ssl_enabled" {
+  title         = "Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server"
+  description   = "Enable require_secure_transport on MySQL flexible servers."
+  query         = query.mysql_flexible_server_ssl_enabled
+
+  tags = local.regulatory_compliance_mysql_common_tags
+}
+
+control "mysql_flexible_server_min_tls_1_2" {
+  title         = "Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server"
+  description   = "Ensure tls_version on MySQL flexible servers is set to use TLS version 1.2 or higher."
+  query         = query.mysql_flexible_server_min_tls_1_2
+
+  tags = local.regulatory_compliance_mysql_common_tags
+}
+
+control "mysql_flexible_server_audit_logging_enabled" {
+  title         = "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible Server"
+  description   = "Enable audit_log_enabled on MySQL flexible Servers."
+  query         = query.mysql_flexible_server_audit_logging_enabled
+
+  tags = local.regulatory_compliance_mysql_common_tags
+}
+
+control "mysql_flexible_server_audit_logging_events_connection_set" {
+  title         = "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible Server"
+  description   = "Set audit_log_enabled to include CONNECTION on MySQL flexible servers."
+  query         = query.mysql_flexible_server_audit_logging_events_connection_set
+
+  tags = local.regulatory_compliance_mysql_common_tags
+}
+
 query "mysql_ssl_enabled" {
   sql = <<-EOQ
     select

diff --git a/regulatory_compliance/postgres.pp b/regulatory_compliance/postgres.pp
@@ -153,6 +153,46 @@
   tags = local.regulatory_compliance_postgres_common_tags
 }
 
+control "postgres_flexible_server_allow_access_to_azure_services_disabled" {
+  title         = "Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled"
+  description   = "Disable access from Azure services to PostgreSQL flexible server."
+  query         = query.postgres_flexible_server_allow_access_to_azure_services_disabled
+
+  tags = local.regulatory_compliance_postgres_common_tags
+}
+
+control "postgres_sql_flexible_server_ssl_enabled" {
+  title         = "Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server"
+  description   = "Enable 'require_secure_transport' on 'PostgreSQL flexible servers'."
+  query         = query.postgres_sql_flexible_server_ssl_enabled
+
+  tags = local.regulatory_compliance_postgres_common_tags
+}
+
+control "postgres_flexible_server_log_checkpoints_on" {
+  title         = "Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible Server"
+  description   = "Enable 'log_checkpoints' on 'PostgreSQL Servers'."
+  query         = query.postgres_flexible_server_log_checkpoints_on
+
+  tags = local.regulatory_compliance_postgres_common_tags
+}
+
+control "postgres_flexible_server_connection_throttling_on" {
+  title         = "Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible Server"
+  description   = "Enable connection_throttling on PostgreSQL flexible Servers."
+  query         = query.postgres_flexible_server_connection_throttling_on
+
+  tags = local.regulatory_compliance_postgres_common_tags
+}
+
+control "postgres_flexible_server_log_retention_days_3" {
+  title         = "Ensure Server Parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible Server"
+  description   = "Ensure logfiles.retention_days on PostgreSQL flexible Servers is set to an appropriate value."
+  query         = query.postgres_flexible_server_log_retention_days_3
+
+  tags = local.regulatory_compliance_postgres_common_tags
+}
+
 query "postgres_db_server_geo_redundant_backup_enabled" {
   sql = <<-EOQ
     select
@@ -633,3 +673,37 @@
       and sub.subscription_id = s.subscription_id;
   EOQ
 }
+
+query "postgres_flexible_server_allow_access_to_azure_services_disabled" {
+  sql = <<-EOQ
+    with postgres_flexible_server_with_allow_access_to_azure_services as (
+      select
+        id
+      from
+        azure_postgresql_flexible_server,
+        jsonb_array_elements(firewall_rules) as r
+      where
+        r -> 'properties' ->> 'endIpAddress' = '0.0.0.0'
+        or r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'
+    )
+    select
+      s.id as resource,
+      case
+        when a.id is not null then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when a.id is not null then s.title || ' does not restrict access to azure services.'
+        else s.title || ' restricts access to azure services.'
+      end as reason
+      ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "s.")}
+      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "s.")}
+      ${replace(local.common_dimensions_qualifier_subscription_sql, "__QUALIFIER__", "sub.")}
+    from
+      azure_postgresql_flexible_server as s
+      left join postgres_flexible_server_with_allow_access_to_azure_services as a on a.id = s.id,
+      azure_subscription as sub
+    where
+      sub.subscription_id = s.subscription_id;
+  EOQ
+}