diff --git a/core/mondoo-azure-security.mql.yaml b/core/mondoo-azure-security.mql.yaml index 82a54df5..e53c0ee1 100644 --- a/core/mondoo-azure-security.mql.yaml +++ b/core/mondoo-azure-security.mql.yaml @@ -337,7 +337,7 @@ queries: title: Ensure that 'OS' disks are encrypted impact: 80 mql: | - azure.compute.vms { + azure.subscription.compute.vms { osDisk { properties['encryption'] != null } @@ -354,7 +354,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.compute.vms { osDisk { properties['encryption'] } }" + cnspec run azure -c "azure.subscription.compute.vms { osDisk { properties['encryption'] } }" ``` __cnspec shell__ @@ -371,7 +371,7 @@ queries: 3. Run the following query: ```mql - azure.compute.vms { osDisk { properties['encryption'] } } + azure.subscription.compute.vms { osDisk { properties['encryption'] } } ``` remediation: | ###Terraform @@ -453,7 +453,7 @@ queries: title: Ensure that SSH access is restricted from the internet impact: 80 mql: | - azure.network.securityGroups { + azure.subscription.network.securityGroups { securityRules.where( properties['access'] == 'Allow' && properties['direction'] == 'Inbound' && properties['protocol'] == /TCP|\*/ && properties['sourceAddressPrefix'] == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) } { securityRules { @@ -479,7 +479,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.network.securityGroups { securityRules }" + cnspec run azure -c "azure.subscription.network.securityGroups { securityRules }" ``` __cnspec shell__ @@ -496,7 +496,7 @@ queries: 3. Run the following query: ```mql - azure.network.securityGroups { securityRules } + azure.subscription.network.securityGroups { securityRules } ``` remediation: | ###Terraform 
@@ -526,7 +526,7 @@ queries: title: Ensure that RDP access is restricted from the internet impact: 80 mql: | - azure.network.securityGroups { + azure.subscription.network.securityGroups { securityRules.where( properties['access'] == 'Allow' && properties['direction'] == 'Inbound' && properties['protocol'] == /TCP|\*/ && properties['sourceAddressPrefix'] == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) } { securityRules { @@ -552,7 +552,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.network.securityGroups { securityRules }" + cnspec run azure -c "azure.subscription.network.securityGroups { securityRules }" ``` __cnspec shell__ @@ -569,7 +569,7 @@ queries: 3. Run the following query: ```mql - azure.network.securityGroups { securityRules } + azure.subscription.network.securityGroups { securityRules } ``` remediation: | ###Terraform @@ -599,7 +599,7 @@ queries: title: Ensure that 'Secure transfer required' is set to 'Enabled' impact: 80 mql: | - azure.storage.accounts { + azure.subscription.storage.accounts { properties['supportsHttpsTrafficOnly'] == true || properties['enableHttpsTrafficOnly'] == true } docs: @@ -614,7 +614,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.storage.accounts { properties['supportsHttpsTrafficOnly'] }" + cnspec run azure -c "azure.subscription.storage.accounts { properties['supportsHttpsTrafficOnly'] }" ``` __cnspec shell__ @@ -631,7 +631,7 @@ queries: 3. Run the following query: ```mql - azure.storage.accounts { properties['supportsHttpsTrafficOnly'] } + azure.subscription.storage.accounts { properties['supportsHttpsTrafficOnly'] } ``` remediation: | ###Terraform 
@@ -646,7 +646,7 @@ queries: title: Ensure that 'Public access level' is set to Private for blob containers impact: 80 mql: | - azure.storage.accounts.all( properties["allowBlobPublicAccess"] == "false" ) || azure.storage.accounts.all ( containers { properties["publicAccess"] == "None" } ) + azure.subscription.storage.accounts.all( properties["allowBlobPublicAccess"] == "false" ) || azure.subscription.storage.accounts.all ( containers { properties["publicAccess"] == "None" } ) docs: desc: | This check ensures that anonymous access to blob containers is disabled, and public access on storage accounts is disabled. @@ -659,7 +659,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.storage.accounts { containers { properties['publicAccess'] == "None" } }" + cnspec run azure -c "azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } }" ``` __cnspec shell__ @@ -676,7 +676,7 @@ queries: 3. Run the following query: ```mql - azure.storage.accounts { containers { properties['publicAccess'] == "None" } } + azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } } ``` remediation: | ###Terraform @@ -713,7 +713,7 @@ queries: title: Ensure the default network access rule for Storage Accounts is set to deny impact: 80 mql: | - azure.storage.accounts.all( properties["networkAcls"]["defaultAction"] == "Deny" ) + azure.subscription.storage.accounts.all( properties["networkAcls"]["defaultAction"] == "Deny" ) docs: desc: | This check ensures that access to the default network for storage accounts is set to deny. @@ -726,7 +726,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.storage.accounts { containers { properties['publicAccess'] == "None" } }" + cnspec run azure -c "azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } }" ``` __cnspec shell__ 
@@ -743,7 +743,7 @@ queries: 3. Run the following query: ```mql - azure.storage.accounts { containers { properties['publicAccess'] == "None" } } + azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } } ``` remediation: | ###Terraform @@ -776,7 +776,7 @@ queries: title: Ensure 'Trusted Microsoft Services' is enabled for Storage Account access impact: 80 mql: | - azure.storage.accounts.all ( properties['networkAcls']['bypass'] == "AzureServices") + azure.subscription.storage.accounts.all ( properties['networkAcls']['bypass'] == "AzureServices") docs: desc: | This check ensures that 'Trusted Microsoft Services' is enabled for Storage Account access. @@ -789,7 +789,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.storage.accounts.all ( properties['networkAcls']['bypass'] == "AzureServices")" + cnspec run azure -c "azure.subscription.storage.accounts.all ( properties['networkAcls']['bypass'] == "AzureServices")" ``` __cnspec shell__ @@ -806,7 +806,7 @@ queries: 3. Run the following query: ```mql - azure.storage.accounts.all ( properties['networkAcls']['bypass'] == "AzureServices") + azure.subscription.storage.accounts.all ( properties['networkAcls']['bypass'] == "AzureServices") ``` remediation: | ###Terraform @@ -825,7 +825,7 @@ queries: title: Ensure that 'Auditing' is set to 'On' for SQL Server impact: 80 mql: | - azure.sql.servers { + azure.subscription.sql.servers { auditingPolicy['state'] == "Enabled" } docs: @@ -840,7 +840,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.sql.servers { auditingPolicy['state'] }" + cnspec run azure -c "azure.subscription.sql.servers { auditingPolicy['state'] }" ``` __cnspec shell__ @@ -857,7 +857,7 @@ queries: 3. Run the following query: ```mql - azure.sql.servers { auditingPolicy['state'] } + azure.subscription.sql.servers { auditingPolicy['state'] } ``` remediation: | ###Terraform 
@@ -878,7 +878,7 @@ queries: title: Ensure that 'Auditing' Retention is 'greater than 30 days' impact: 80 mql: | - azure.sql.servers { + azure.subscription.sql.servers { auditingPolicy['retentionDays'] >= 30 } docs: @@ -893,7 +893,7 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.sql.servers { auditingPolicy['retentionDays'] }" + cnspec run azure -c "azure.subscription.sql.servers { auditingPolicy['retentionDays'] }" ``` __cnspec shell__ @@ -910,7 +910,7 @@ queries: 3. Run the following query: ```mql - azure.sql.servers { auditingPolicy['retentionDays'] } + azure.subscription.sql.servers { auditingPolicy['retentionDays'] } ``` remediation: | ###Terraform @@ -930,25 +930,25 @@ queries: title: Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) impact: 80 mql: | - azure.sql.servers { + azure.subscription.sql.servers { firewallRules.length >= 1 firewallRules { startIpAddress != '0.0.0.0' } } - azure.postgreSql.servers { + azure.subscription.postgreSql.servers { firewallRules.length >= 1 firewallRules { startIpAddress != '0.0.0.0' } } - azure.mySql.servers { + azure.subscription.mySql.servers { firewallRules.length >= 1 firewallRules { startIpAddress != '0.0.0.0' } } - azure.mariaDb.servers { + azure.subscription.mariaDb.servers { firewallRules.length >= 1 firewallRules { startIpAddress != '0.0.0.0' 
@@ -966,10 +966,10 @@ queries: 2. Run the following query: ```bash - cnspec run azure -c "azure.sql.servers { firewallRules { startIpAddress } }" - cnspec run azure -c "azure.postgreSql.servers { firewallRules { startIpAddress } }" - cnspec run azure -c "azure.mariaDb.servers { firewallRules { startIpAddress } }" - cnspec run azure -c "azure.mySql.servers { firewallRules { startIpAddress } }" + cnspec run azure -c "azure.subscription.sql.servers { firewallRules { startIpAddress } }" + cnspec run azure -c "azure.subscription.postgreSql.servers { firewallRules { startIpAddress } }" + cnspec run azure -c "azure.subscription.mariaDb.servers { firewallRules { startIpAddress } }" + cnspec run azure -c "azure.subscription.mySql.servers { firewallRules { startIpAddress } }" ``` __cnspec shell__ @@ -986,10 +986,10 @@ queries: 3. Run the following query: ```mql - azure.sql.servers { firewallRules { startIpAddress } } - azure.postgreSql.servers { firewallRules { startIpAddress } } - azure.mariaDb.servers { firewallRules { startIpAddress } } - azure.mySql.servers { firewallRules { startIpAddress } } + azure.subscription.sql.servers { firewallRules { startIpAddress } } + azure.subscription.postgreSql.servers { firewallRules { startIpAddress } } + azure.subscription.mariaDb.servers { firewallRules { startIpAddress } } + azure.subscription.mySql.servers { firewallRules { startIpAddress } } ``` remediation: | ###Terraform @@ -1045,7 +1045,7 @@ queries: title: Ensure that App Services can authenticate with Active Directory impact: 80 mql: | - azure.web.apps { + azure.subscription.web.apps { identity["type"] == "SystemAssigned" || identity["principalId"] != null } docs: 
@@ -1063,7 +1063,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.web.apps { identity["type"] == "SystemAssigned" || identity["principalId"] != null }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.web.apps { identity["type"] == "SystemAssigned" || identity["principalId"] != null }" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1079,7 +1079,7 @@ queries: 2. Run the following query: ```mql - azure.web.apps { identity["type"] == "SystemAssigned" || identity["principalId"] != null } + azure.subscription.web.apps { identity["type"] == "SystemAssigned" || identity["principalId"] != null } ``` remediation: | ### Microsoft Azure Portal @@ -1093,7 +1093,7 @@ queries: title: Ensure that Web Apps use the latest available version of TLS encryption impact: 80 mql: | - azure.web.apps { + azure.subscription.web.apps { configuration.properties["minTlsVersion"] == "1.2" } docs: @@ -1109,7 +1109,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.web.apps { configuration.properties["minTlsVersion"] == "1.2" }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.web.apps { configuration.properties["minTlsVersion"] == "1.2" }" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1125,7 +1125,7 @@ queries: 2. Run the following query: ```mql - azure.web.apps { configuration.properties["minTlsVersion"] == "1.2" } + azure.subscription.web.apps { configuration.properties["minTlsVersion"] == "1.2" } ``` remediation: | ### Microsoft Azure Portal 
@@ -1139,10 +1139,10 @@ queries: title: Ensure that the expiration date is set for all keys and secrets in key vaults impact: 80 mql: | - azure.keyvault.vaults { + azure.subscription.keyVault.vaults { keys.all( enabled && expires != null ) } - azure.keyvault.vaults { + azure.subscription.keyVault.vaults { secrets.all( enabled == true && expires != null ) } docs: @@ -1159,8 +1159,8 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.keyvault.vaults { keys.all( enabled && expires != null ) }" --certificate-path <*.pem> --tenant-id --client-id - cnspec run azure -c "azure.keyvault.vaults { secrets.all( enabled == true && expires != null ) }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.keyVault.vaults { keys.all( enabled && expires != null ) }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.keyVault.vaults { secrets.all( enabled == true && expires != null ) }" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1176,8 +1176,8 @@ queries: 2. Run the following query: ```mql - azure.keyvault.vaults { keys.all( enabled && expires != null ) } - azure.keyvault.vaults { secrets.all( enabled == true && expires != null ) } + azure.subscription.keyVault.vaults { keys.all( enabled && expires != null ) } + azure.subscription.keyVault.vaults { secrets.all( enabled == true && expires != null ) } ``` remediation: | ### Microsoft Azure Portal @@ -1191,7 +1191,7 @@ queries: title: Ensure it is possible to recover key vaults impact: 80 mql: | - azure.keyvault.vaults { + azure.subscription.keyVault.vaults { properties["enablePurgeProtection"] == "true" properties["enableSoftDelete"] == "true" } 
@@ -1214,7 +1214,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.keyvault.vaults { properties["enablePurgeProtection"] == "true" properties["enableSoftDelete"] == "true" }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.keyVault.vaults { properties["enablePurgeProtection"] == "true" properties["enableSoftDelete"] == "true" }" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1230,7 +1230,7 @@ queries: 2. Run the following query: ```mql - azure.keyvault.vaults { properties["enablePurgeProtection"] == "true" properties["enableSoftDelete"] == "true" } + azure.subscription.keyVault.vaults { properties["enablePurgeProtection"] == "true" properties["enableSoftDelete"] == "true" } ``` remediation: | ### Microsoft Azure Portal @@ -1244,7 +1244,7 @@ queries: title: Ensure all operations on Key Vault is logged impact: 80 mql: | - azure.keyvault.vaults { + azure.subscription.keyVault.vaults { diagnosticSettings.any( properties["logs"].where( _["category"] == "AuditEvent" && _["retentionPolicy"]["days"] >= 180 ) ) } docs: @@ -1262,7 +1262,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.keyvault.vaults { diagnosticSettings.any( properties["logs"].where( _["category"] == "AuditEvent" && _["retentionPolicy"]["days"] >= 180 ) ) }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.keyVault.vaults { diagnosticSettings.any( properties["logs"].where( _["category"] == "AuditEvent" && _["retentionPolicy"]["days"] >= 180 ) ) }" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ 
@@ -1278,7 +1278,7 @@ queries: 2. Run the following query: ```mql - azure.keyvault.vaults { diagnosticSettings.any( properties["logs"].where( _["category"] == "AuditEvent" && _["retentionPolicy"]["days"] >= 180 ) ) } + azure.subscription.keyVault.vaults { diagnosticSettings.any( properties["logs"].where( _["category"] == "AuditEvent" && _["retentionPolicy"]["days"] >= 180 ) ) } ``` remediation: | ### Microsoft Azure Portal @@ -1292,8 +1292,8 @@ queries: title: Ensure that activity log alerts exist for the commands Create, Update, and Delete Network Security Group impact: 80 mql: | - azure.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/write" && _["fieldName"] == "operationName" ) ) - azure.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/delete" && _["fieldName"] == "operationName" ) ) + azure.subscription.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/write" && _["fieldName"] == "operationName" ) ) + azure.subscription.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/delete" && _["fieldName"] == "operationName" ) ) docs: desc: | Monitoring Network Security Group events can give clear insight into network access changes and it is very useful for detecting suspicious activity. 
@@ -1307,8 +1307,8 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/write" && _["fieldName"] == "operationName" ) )" --certificate-path <*.pem> --tenant-id --client-id - cnspec run azure -c "azure.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/delete" && _["fieldName"] == "operationName" ) )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/write" && _["fieldName"] == "operationName" ) )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/delete" && _["fieldName"] == "operationName" ) )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ 
@@ -1324,8 +1324,8 @@ queries: 2. Run the following query: ```mql - azure.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/write" && _["fieldName"] == "operationName" ) ) - azure.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/delete" && _["fieldName"] == "operationName" ) ) + azure.subscription.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/write" && _["fieldName"] == "operationName" ) ) + azure.subscription.monitor.activityLog.alerts.where( actions.length > 0 ).any( conditions.any( _["equals"] == "Microsoft.Network/networkSecurityGroups/delete" && _["fieldName"] == "operationName" ) ) ``` remediation: | ### Microsoft Azure Portal @@ -1361,7 +1361,7 @@ queries: title: Ensure that "Notify about alerts with high severity" is enabled impact: 80 mql: | - azure.cloudDefender.securityContacts.all( alertNotifications["minimalSeverity"] == "High" && alertNotifications["state"] == "On" ) + azure.subscription.cloudDefender.securityContacts.all( alertNotifications["minimalSeverity"] == "High" && alertNotifications["state"] == "On" ) docs: desc: | Enabling security alert emails ensures that security alert emails are received from Microsoft. @@ -1376,7 +1376,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.cloudDefender.securityContacts.all( alertNotifications["minimalSeverity"] == "High" && alertNotifications["state"] == "On" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.cloudDefender.securityContacts.all( alertNotifications["minimalSeverity"] == "High" && alertNotifications["state"] == "On" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ 
@@ -1392,7 +1392,7 @@ queries: 2. Run the following query: ```mql - azure.cloudDefender.securityContacts.all( alertNotifications["minimalSeverity"] == "High" && alertNotifications["state"] == "On" ) + azure.subscription.cloudDefender.securityContacts.all( alertNotifications["minimalSeverity"] == "High" && alertNotifications["state"] == "On" ) ``` remediation: | ### Microsoft Azure Portal @@ -1406,7 +1406,7 @@ queries: title: Ensure SSL connection enabled for PostgreSQL Database Server impact: 80 mql: | - azure.postgreSql.servers.all( properties["sslEnforcement"] == "Enabled" ) + azure.subscription.postgreSql.servers.all( properties["sslEnforcement"] == "Enabled" ) docs: desc: | All communications between the clients and the PostgreSQL server should be through SSL/TLS to add a layer of encryption to prevent any man in the middle attacks. @@ -1420,7 +1420,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.postgreSql.servers.all( properties["sslEnforcement"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.postgreSql.servers.all( properties["sslEnforcement"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1436,7 +1436,7 @@ queries: 2. Run the following query: ```mql - azure.postgreSql.servers.all( properties["sslEnforcement"] == "Enabled" ) + azure.subscription.postgreSql.servers.all( properties["sslEnforcement"] == "Enabled" ) ``` remediation: | ### Microsoft Azure Portal 
@@ -1450,8 +1450,8 @@ queries: title: Ensure SSL connection enabled for MariaDB Database Server with the latest version impact: 80 mql: | - azure.mariaDb.servers.all( properties["sslEnforcement"] == "Enabled" ) - azure.mariaDb.servers.all( properties["minimalTlsVersion"] == "TLS1_2" ) + azure.subscription.mariaDb.servers.all( properties["sslEnforcement"] == "Enabled" ) + azure.subscription.mariaDb.servers.all( properties["minimalTlsVersion"] == "TLS1_2" ) docs: desc: | All communications between the clients and the Mariadb server should be through SSL/TLS to add a layer of encryption to prevent any man in the middle attacks. @@ -1465,7 +1465,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.mariaDb.servers.all( properties["sslEnforcement"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.mariaDb.servers.all( properties["sslEnforcement"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1481,7 +1481,7 @@ queries: 2. Run the following query: ```mql - azure.mariaDb.servers.all( properties["sslEnforcement"] == "Enabled" ) + azure.subscription.mariaDb.servers.all( properties["sslEnforcement"] == "Enabled" ) ``` remediation: | ### Microsoft Azure Portal @@ -1496,7 +1496,7 @@ queries: title: Ensure Public Network access for MariaDB is disabled impact: 80 mql: | - azure.mariaDb.servers.all( properties["publicNetworkAccess"] == "Disabled" ) + azure.subscription.mariaDb.servers.all( properties["publicNetworkAccess"] == "Disabled" ) docs: desc: | All public access to MariaDB should be blocked, and only connections through private endpoints should be allowed to further enhance network security. 
@@ -1510,7 +1510,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.mariaDb.servers.all( properties["publicNetworkAccess"] == "Disabled" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.mariaDb.servers.all( properties["publicNetworkAccess"] == "Disabled" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1526,7 +1526,7 @@ queries: 2. Run the following query: ```mql - azure.mariaDb.servers.all( properties["publicNetworkAccess"] == "Disabled" ) + azure.subscription.mariaDb.servers.all( properties["publicNetworkAccess"] == "Disabled" ) ``` remediation: | ### Microsoft Azure Portal @@ -1540,8 +1540,8 @@ queries: title: Ensure SSL connection enabled for MySQL Database Server with the latest version impact: 80 mql: | - azure.mySql.servers.all ( properties["sslEnforcement"] == "Enabled" ) - azure.mySql.servers.all ( properties["minimalTlsVersion"] == "TLS1_2" ) + azure.subscription.mySql.servers.all ( properties["sslEnforcement"] == "Enabled" ) + azure.subscription.mySql.servers.all ( properties["minimalTlsVersion"] == "TLS1_2" ) docs: desc: | All communications between the clients and the MySQL server should be through SSL/TLS to add a layer of encryption to prevent any man in the middle attacks. 
@@ -1555,8 +1555,8 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.mySql.servers.all ( properties["sslEnforcement"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id - cnspec run azure -c "azure.mySql.servers.all ( properties["minimalTlsVersion"] == "TLS1_2" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.mySql.servers.all ( properties["sslEnforcement"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.mySql.servers.all ( properties["minimalTlsVersion"] == "TLS1_2" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1572,8 +1572,8 @@ queries: 2. Run the following query: ```mql - azure.mySql.servers.all ( properties["sslEnforcement"] == "Enabled" ) - azure.mySql.servers.all ( properties["minimalTlsVersion"] == "TLS1_2" ) + azure.subscription.mySql.servers.all ( properties["sslEnforcement"] == "Enabled" ) + azure.subscription.mySql.servers.all ( properties["minimalTlsVersion"] == "TLS1_2" ) ``` remediation: | ### Microsoft Azure Portal @@ -1588,7 +1588,7 @@ queries: title: Ensure Public Network access for SQL server is disabled or only possible through firewall rules impact: 80 mql: | - azure.sql.servers.all ( properties["publicNetworkAccess"] == "Disabled" || properties["publicNetworkAccess"] == "Enabled" && firewallRules.length > 0 ) + azure.subscription.sql.servers.all ( properties["publicNetworkAccess"] == "Disabled" || properties["publicNetworkAccess"] == "Enabled" && firewallRules.length > 0 ) docs: desc: | Customers can choose to connect to a database by using one of the following ways: 
@@ -1606,7 +1606,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.sql.servers.all ( properties["publicNetworkAccess"] == "Disabled" || properties["publicNetworkAccess"] == "Enabled" && firewallRules.length > 0" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.sql.servers.all ( properties["publicNetworkAccess"] == "Disabled" || properties["publicNetworkAccess"] == "Enabled" && firewallRules.length > 0" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1622,7 +1622,7 @@ queries: 2. Run the following query: ```mql - azure.sql.servers.all ( properties["publicNetworkAccess"] == "Disabled" || properties["publicNetworkAccess"] == "Enabled" && firewallRules.length > 0 ) + azure.subscription.sql.servers.all ( properties["publicNetworkAccess"] == "Disabled" || properties["publicNetworkAccess"] == "Enabled" && firewallRules.length > 0 ) ``` remediation: | ### Microsoft Azure Portal @@ -1636,7 +1636,7 @@ queries: title: Ensure default Public Network access for Key Vault is disabled impact: 80 mql: | - azure.keyVault.vaults.all ( properties["publicNetworkAccess"] == "Disabled" ) + azure.subscription.keyVault.vaults.all ( properties["publicNetworkAccess"] == "Disabled" ) docs: desc: | The default Public Network Access to the Key Vault must be disabled in order to add a layer of security to one of the most important component in the Azure environment. @@ -1653,7 +1653,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.keyVault.vaults.all ( properties["publicNetworkAccess"] == "Disabled" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.keyVault.vaults.all ( properties["publicNetworkAccess"] == "Disabled" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ 
@@ -1669,7 +1669,7 @@ queries: 2. Run the following query: ```mql - azure.keyVault.vaults.all ( properties["publicNetworkAccess"] == "Disabled" ) + azure.subscription.keyVault.vaults.all ( properties["publicNetworkAccess"] == "Disabled" ) ``` remediation: | ### Microsoft Azure Portal @@ -1683,7 +1683,7 @@ queries: title: Ensure that all activities on SQL server is audited impact: 60 mql: | - azure.sql.servers.all( auditingPolicy["state"] == "Enabled" ) + azure.subscription.sql.servers.all( auditingPolicy["state"] == "Enabled" ) docs: desc: | Auditing is a very important feature and should be configured for every database or server in your deployment in Azure. @@ -1702,7 +1702,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.sql.servers.all( auditingPolicy["state"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.sql.servers.all( auditingPolicy["state"] == "Enabled" )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1718,7 +1718,7 @@ queries: 2. Run the following query: ```mql - azure.sql.servers.all( auditingPolicy["state"] == "Enabled" ) + azure.subscription.sql.servers.all( auditingPolicy["state"] == "Enabled" ) ``` remediation: | ### Microsoft Azure Portal @@ -1731,7 +1731,7 @@ queries: title: Ensure that transparent data encryption is enabled on SQL Server impact: 60 mql: | - azure.sql.servers { databases.where (name != "master").all( transparentDataEncryption["state"] == "Enabled" ) } + azure.subscription.sql.servers { databases.where (name != "master").all( transparentDataEncryption["state"] == "Enabled" ) } docs: desc: | Transparent data encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure Synapse Analytics data files. This encryption is known as encrypting data at rest. 
@@ -1751,7 +1751,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.sql.servers { databases.where (name != "master").all( transparentDataEncryption["state"] == "Enabled" ) }" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.sql.servers { databases.where (name != "master").all( transparentDataEncryption["state"] == "Enabled" ) }" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1767,7 +1767,7 @@ queries: 2. Run the following query: ```mql - azure.sql.servers { databases.where (name != "master").all( transparentDataEncryption["state"] == "Enabled" ) } + azure.subscription.sql.servers { databases.where (name != "master").all( transparentDataEncryption["state"] == "Enabled" ) } ``` remediation: | ### Microsoft Azure Portal @@ -1780,7 +1780,7 @@ queries: title: Ensure that diagnostic settings exist for the subscription impact: 80 mql: | - azure.monitor.diagnosticSettings.length > 0 + azure.subscription.monitor.diagnosticSettings.length > 0 docs: desc: | The diagnostic settings is an important piece in the security puzzle, and it is highly recommended by Microsoft in Azure Security Center. @@ -1816,7 +1816,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.monitor.diagnosticSettings.length > 0" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.monitor.diagnosticSettings.length > 0" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ @@ -1832,7 +1832,7 @@ queries: 2. Run the following query: ```mql - azure.monitor.diagnosticSettings.length > 0 + azure.subscription.monitor.diagnosticSettings.length > 0 ``` remediation: | ### Microsoft Azure Portal 
@@ -1845,9 +1845,9 @@ queries: title: Ensure that Diagnostic Setting collects essential security categories impact: 80 mql: | - azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Administrative" ) ) - azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Security" ) ) - azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Alert" ) ) + azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Administrative" ) ) + azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Security" ) ) + azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Alert" ) ) docs: desc: | Diagnostic setting controls how the diagnostic logs are exported and what type of data need to be collected and be exported to the defined destination. 
@@ -1868,9 +1868,9 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Administrative" ) )" --certificate-path <*.pem> --tenant-id --client-id - cnspec run azure -c "azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Security" ) )" --certificate-path <*.pem> --tenant-id --client-id - cnspec run azure -c "azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Alert" ) )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Administrative" ) )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Security" ) )" --certificate-path <*.pem> --tenant-id --client-id + cnspec run azure -c "azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Alert" ) )" --certificate-path <*.pem> --tenant-id --client-id ``` __cnspec shell__ 
@@ -1886,9 +1886,9 @@ queries: 2. Run the following query: ```mql - azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Administrative" ) ) - azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Security" ) ) - azure.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Alert" ) ) + azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Administrative" ) ) + azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Security" ) ) + azure.subscription.monitor.diagnosticSettings.all( properties["logs"].where( _["enabled"] == "true" ).any( _["category"] == "Alert" ) ) ``` remediation: | ### Microsoft Azure Portal @@ -1901,7 +1901,7 @@ queries: title: Ensure direct UDP access to Azure Virtual Machines from the Internet is restricted impact: 80 mql: | - azure.network.securityGroups { + azure.subscription.network.securityGroups { securityRules.where( properties['access'] == 'Allow' && properties['direction'] == 'Inbound' && properties['protocol'] == /UDP/ && properties['sourceAddressPrefix'] == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) } { securityRules { @@ -1975,7 +1975,7 @@ queries: Run the following query: ```bash - cnspec run azure -c "azure.network.securityGroups { + cnspec run azure -c "azure.subscription.network.securityGroups { securityRules.where( properties['access'] == 'Allow' && properties['direction'] == 'Inbound' && properties['protocol'] == /UDP/ && properties['sourceAddressPrefix'] == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) } { securityRules { 
@@ -2032,7 +2032,7 @@ queries: 2. Run the following query: ```mql - azure.network.securityGroups { + azure.subscription.network.securityGroups { securityRules.where( properties['access'] == 'Allow' && properties['direction'] == 'Inbound' && properties['protocol'] == /UDP/ && properties['sourceAddressPrefix'] == /\*|0\.0\.0\.0|\/0|\/0|internet|any/ ) } { securityRules {
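Review bot: The `cnspec run azure -c "..."` lines in hunks @@ -1751 and @@ -1868 wrap the MQL in double quotes while the query itself contains double-quoted literals (`"master"`, `"state"`, `"logs"`, `"enabled"`, `"true"`), so the shell strips the inner quotes and the rename to `azure.subscription.*` ships a command that cannot parse as written; since none of these queries contain a single quote, wrapping the `-c` argument in single quotes fixes it. In the same hunks and in @@ -1816, `--tenant-id --client-id` carry no values, unlike `--certificate-path <*.pem>`; giving them placeholders such as `--tenant-id <tenant-id> --client-id <client-id>` keeps the documented command consistent.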
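Review bot: The three assertions in hunks @@ -1845 and @@ -1886 filter on `_["enabled"] == "true"`, but the Azure Monitor diagnostic settings API reports `logs[].enabled` as a JSON boolean, not the string `"true"`; unless MQL coerces across types here, the `where` clause never matches and the check fails for every subscription, including compliant ones. Please verify against a real setting and, if needed, change the comparison to `_["enabled"] == true` in the `mql` block and in the two documentation copies at once, so the rename to `azure.subscription.monitor.diagnosticSettings` does not carry the mismatch forward.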
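Review bot: The `securityRules.where(...)` filter in hunks @@ -1901, @@ -1975 and @@ -2032 matches `properties['protocol'] == /UDP/`, but the ARM network API reports the protocol with mixed case (`Udp`, `Tcp`, `*`); if MQL regexes are case-sensitive, the UDP rule check silently matches nothing, so either confirm the casing cnspec sees or make the pattern case-insensitive (`/(?i)udp/`). The same lines also list the `\/0` alternative twice in `/\*|0\.0\.0\.0|\/0|\/0|internet|any/`; dropping the duplicate is a harmless cleanup to fold into this rename.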