feat(query): implements "Beta - Service Without Resource Logging"

[cx-andre-pereira]

Reason for Proposed Changes

• Currently there is no query to ensure that there is a "azurerm_monitor_diagnostic_setting" resource configured for all resources that support it.

• Quoting CIS_Microsoft_Azure_Foundations_Benchmark_v5.0.0 page 275: "A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled."

• In this initial implementation it was decided that the query should support the 12 main resources outlined in the CIS Benchmark(page 277) :

 - Name: 'Resource logs in Key Vault should be enabled'
 - Name: 'App Service apps should have resource logs enabled'
 - Name: 'Resource logs in Batch accounts should be enabled'
 - Name: 'Resource logs in Azure Data Lake Store should be enabled'  *
 - Name: 'Resource logs in Data Lake Analytics should be enabled' *
 - Name: 'Resource logs in Event Hub should be enabled'
 - Name: 'Resource logs in IoT Hub should be enabled'
 - Name: 'Resource logs in Logic Apps should be enabled'
 - Name: 'Resource logs in Search services should be enabled'
 - Name: 'Resource logs in Service Bus should be enabled'
 - Name: 'Resource logs in Azure Stream Analytics should be enabled'
 - Name: 'Azure Application Gateway should have Resource logs enabled

• For 'Key Vault' the analog terraform resource is the 'azurerm_key_vault', but this exact check is already done by the "Vault Auditing Disabled" query.

• For all resources the naming schemes make association easy except for "Azure Data Lake Store"(*) and "Data Lake Analytics"(*). Resource association is as follows :

  • azurerm_app_service(legacy), azurerm_linux_web_app and azurerm_windows_web_app - App Service
  • azurerm_batch_account - Batch accounts
  • azurerm_eventhub - Event Hub
  • azurerm_iothub - IoT Hub
  • azurerm_logic_app_standard - Logic Apps
  • azurerm_search_service - Search services
  • azurerm_servicebus_namespace - Service Bus
  • azurerm_stream_analytics_job - Azure Stream Analytics
  • azurerm_application_gateway - Application Gateway

• "Azure Data Lake Store"(*) and "Data Lake Analytics"(*) are harder to pinpoint. From what i can tell from current terraform documentation to define a "Data Lake Store" we use a "azurerm_storage_account" and associate a "azurerm_storage_data_lake_gen2_filesystem" resource with it.

• The truth is gen1 "Data Lake Store" and "Data Lake Analytics" support is deprecated and has been for years as we can see in the official documentation's 3.0-upgrade-guide. Still given the simplicity of the query implementation it was easy to include the "azurerm_data_lake_store" and "azurerm_data_lake_analytics_account" legacy resources.

Proposed Changes

• Implemented the missing query.
• The query is as simple as the "Vault Auditing Disabled" analog, given a resource with one of the types specified before, it simply checks if at least one "azurerm_monitor_diagnostic_setting" resource is associated with it through its "target_resource_id" field.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.17

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-eduardo-semanas]

LGTM

[cx-eduardo-semanas]

LGTM