// Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/network/retention_policy_set.go

package network

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckRetentionPolicySet registers rule AVD-AZU-0049, which inspects the
// retention policy of every managed Azure Network Watcher flow log.
//
// A flow log fails when its retention policy is disabled, or when retention
// is enabled but configured for fewer than 90 days. Anything else passes.
// Only the RetentionPolicy fields are read here; whether the flow log itself
// is switched on is not evaluated by this rule.
//
// NOTE(review): Summary and Resolution say "greater than 90 days", but the
// comparison below is LessThan(90), so exactly 90 days passes. Confirm which
// boundary is intended and align the wording or the check.
//
// NOTE(review): Azure documents a flow-log retention of 0 days as "retain
// indefinitely"; as written, Days == 0 with retention enabled is reported as
// a failure. Confirm whether that is intended.
var CheckRetentionPolicySet = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0049",
		Provider:   providers.AzureProvider,
		Service:    "network",
		ShortCode:  "retention-policy-set",
		Summary:    "Retention policy for flow logs should be enabled and set to greater than 90 days",
		Impact:     "Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis",
		Resolution: "Ensure flow log retention is turned on with an expiry of >90 days",
		Explanation: `Flow logs are the source of truth for all network activity in your cloud environment.
To enable analysis in security event that was detected late, you need to have the logs available.

Setting an retention policy will help ensure as much information is available for review.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformRetentionPolicySetGoodExamples,
			BadExamples:         terraformRetentionPolicySetBadExamples,
			Links:               terraformRetentionPolicySetLinks,
			RemediationMarkdown: terraformRetentionPolicySetRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) scan.Results {
		// Shortest retention period, in days, that this rule accepts.
		const minRetentionDays = 90

		var results scan.Results
		for _, fl := range s.Azure.Network.NetworkWatcherFlowLogs {
			// Resources not managed by the scanned configuration are skipped.
			if fl.Metadata.IsUnmanaged() {
				continue
			}

			policy := fl.RetentionPolicy
			switch {
			case policy.Enabled.IsFalse():
				// Retention switched off: report against the Enabled attribute.
				results.Add(
					"Flow log does not enable the log retention policy.",
					policy.Enabled,
				)
			case policy.Days.LessThan(minRetentionDays):
				// Retention is on but too short: report against the Days attribute.
				results.Add(
					"Flow log has a log retention policy of less than 90 days.",
					policy.Days,
				)
			default:
				results.AddPassed(&fl)
			}
		}
		return results
	},
)