github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/monitor/capture_all_activities.go (about)

     1  package monitor
     2  
     3  import (
     4  	"fmt"
     5  
     6  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  
    10  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    11  
    12  	"github.com/khulnasoft-lab/defsec/internal/rules"
    13  
    14  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    15  	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/monitor"
    16  )
    17  
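// CheckCaptureAllActivities reports Azure Monitor log profiles that do not
// capture every activity category. The activity log is the audit trail an
// investigation relies on, so a profile missing any of "Action", "Write" or
// "Delete" leaves gaps in what can later be reconstructed.
var CheckCaptureAllActivities = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0033",
		Provider:    providers.AzureProvider,
		Service:     "monitor",
		ShortCode:   "capture-all-activities",
		Summary:     "Ensure log profile captures all activities",
		Impact:      "Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation",
		Resolution:  "Configure log profile to capture all activities",
		Explanation: `Log profiles should capture all categories to ensure that all events are logged`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log",
			"https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create-required-parameters",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformCaptureAllActivitiesGoodExamples,
			BadExamples:         terraformCaptureAllActivitiesBadExamples,
			Links:               terraformCaptureAllActivitiesLinks,
			RemediationMarkdown: terraformCaptureAllActivitiesRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// The check walks every managed log profile in the scanned state. For each
	// required category the profile lacks, one failing result is recorded (so
	// the finding names exactly which categories are missing); a profile that
	// has all of them is recorded as passed.
	func(s *state.State) (results scan.Results) {
		required := []string{
			"Action", "Write", "Delete",
		}
		profiles := s.Azure.Monitor.LogProfiles
		for i := range profiles {
			// Point at the slice element rather than at a range variable. With
			// `for _, profile := range ...` and `&profile`, every pointer handed
			// to the results aliases a single loop-scoped variable on Go
			// versions before 1.22, so a retained pointer could end up
			// describing the last profile visited instead of the failing one.
			profile := &profiles[i]
			if profile.Metadata.IsUnmanaged() {
				// Unmanaged resources are not part of the scanned configuration;
				// neither a pass nor a fail is recorded for them.
				continue
			}
			failed := false
			for _, cat := range required {
				if hasCategory(*profile, cat) {
					continue
				}
				failed = true
				results.Add(
					fmt.Sprintf("Log profile does not require the '%s' category.", cat),
					profile,
				)
			}
			if !failed {
				results.AddPassed(profile)
			}
		}
		return
	},
)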
    66  
// hasCategory reports whether cgry is one of the categories the given log
// profile captures. Matching is delegated to the category value's EqualTo
// method; the scan stops at the first match.
func hasCategory(profile monitor.LogProfile, cgry string) bool {
	found := false
	for idx := 0; idx < len(profile.Categories) && !found; idx++ {
		found = profile.Categories[idx].EqualTo(cgry)
	}
	return found
}