
✨ Mondoo Azure Security : Adding flexible SQL Server checks #400

Merged
merged 8 commits into from
May 21, 2024
71 changes: 30 additions & 41 deletions core/mondoo-azure-security.mql.yaml
Expand Up @@ -205,13 +205,11 @@ queries:
- uid: mondoo-azure-security-ensure-os-disk-are-encrypted-single
filters: |
asset.platform == "azure-compute-vm-api"
asset.kind == "azure-object"
mql: |
azure.subscription.compute.vm.osDisk.properties.encryption.type == "EncryptionAtRestWithCustomerKey"
- uid: mondoo-azure-security-ensure-os-disk-are-encrypted-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.compute.vms.all(osDisk.properties.encryption.type == "EncryptionAtRestWithCustomerKey")
- uid: mondoo-azure-security-ssh-access-restricted-from-internet
Expand Down Expand Up @@ -298,7 +296,6 @@ queries:
- uid: mondoo-azure-security-ssh-access-restricted-from-internet-single
filters: |
asset.platform == "azure-network-security-group"
asset.kind == "azure-object"
mql: |
allNsgTCP = azure.subscription.network.securityGroup.securityRules
.where(
Expand All @@ -316,7 +313,6 @@ queries:
- uid: mondoo-azure-security-ssh-access-restricted-from-internet-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
allNsgTCP = azure.subscription.network.securityGroups.where(securityRules
.where(
Expand Down Expand Up @@ -414,7 +410,6 @@ queries:
- uid: mondoo-azure-security-rdp-access-restricted-from-internet-single
filters: |
asset.platform == "azure-network-security-group"
asset.kind == "azure-object"
mql: |
allNsgTCP = azure.subscription.network.securityGroup.securityRules
.where(
Expand All @@ -432,7 +427,6 @@ queries:
- uid: mondoo-azure-security-rdp-access-restricted-from-internet-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
allNsgTCP = azure.subscription.network.securityGroups.where(securityRules
.where(
Expand Down Expand Up @@ -500,13 +494,11 @@ queries:
- uid: mondoo-azure-security-secure-transfer-required-enabled-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.storage.accounts.all(properties.EnableHTTPSTrafficOnly == true)
- uid: mondoo-azure-security-secure-transfer-required-enabled-single
filters: |
asset.platform == "azure-storage-account"
asset.kind == "azure-object"
mql: |
azure.subscription.storage.account.properties.EnableHTTPSTrafficOnly == true
- uid: mondoo-azure-security-public-access-level-private-blob-containers
Expand Down Expand Up @@ -573,15 +565,13 @@ queries:
- uid: mondoo-azure-security-public-access-level-private-blob-containers-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.storage.accounts.all(properties.AllowBlobPublicAccess == "false" )
azure.subscription.storage.accounts.all(containers.all(properties.publicAccess == "None" ))
azure.subscription.storage.accounts.all(properties.PublicNetworkAccess == "Disabled")
- uid: mondoo-azure-security-public-access-level-private-blob-containers-single
filters: |
asset.platform == "azure-storage-account"
asset.kind == "azure-object"
mql: |
azure.subscription.storage.account.properties.AllowBlobPublicAccess == "false"
azure.subscription.storage.account.containers.all(properties.publicAccess == "None")
Expand Down Expand Up @@ -661,13 +651,11 @@ queries:
- uid: mondoo-azure-security-default-network-access-rule-storage-accounts-deny-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.storage.accounts.all(properties.NetworkRuleSet.defaultAction == "Deny")
- uid: mondoo-azure-security-default-network-access-rule-storage-accounts-deny-single
filters: |
asset.platform == "azure-storage-account"
asset.kind == "azure-object"
mql: |
azure.subscription.storage.account.properties.NetworkRuleSet.defaultAction == "Deny"
- uid: mondoo-azure-security-trusted-microsoft-services-enabled-for-storage-account-access
Expand Down Expand Up @@ -726,13 +714,11 @@ queries:
- uid: mondoo-azure-security-trusted-microsoft-services-enabled-for-storage-account-access-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.storage.accounts.all(properties.NetworkRuleSet.bypass.contains("AzureServices"))
- uid: mondoo-azure-security-trusted-microsoft-services-enabled-for-storage-account-access-single
filters: |
asset.platform == "azure-storage-account"
asset.kind == "azure-object"
mql: |
azure.subscription.storage.account.properties.NetworkRuleSet.bypass.contains("AzureServices")
- uid: mondoo-azure-security-ensure-auditing-retention-greater-than-30-days
Expand Down Expand Up @@ -793,15 +779,13 @@ queries:
- uid: mondoo-azure-security-ensure-auditing-retention-greater-than-30-days-single
filters: |
asset.platform == "azure-sql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.sql.server.auditingPolicy.state == "Enabled"
azure.subscription.sql.server.auditingPolicy.retentionDays >= 30 ||
azure.subscription.sql.server.auditingPolicy.retentionDays == 0
- uid: mondoo-azure-security-ensure-auditing-retention-greater-than-30-days-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.sql.servers.all(auditingPolicy.state == "Enabled")
azure.subscription.sql.servers.all(auditingPolicy.retentionDays >= 30) ||
Expand All @@ -813,6 +797,8 @@ queries:
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-azuresql
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-postgresql
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-mysql
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-postgresql-flexible
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-mysql-flexible
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-mariadb
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-api
docs:
Expand Down Expand Up @@ -904,35 +890,42 @@ queries:
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-azuresql
filters: |
asset.platform == "azure-sql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.sql.server.firewallRules.all(startIpAddress != "0.0.0.0")
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-postgresql
filters: |
asset.platform == "azure-postgresql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.postgreSql.server.firewallRules.all(startIpAddress != "0.0.0.0")
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-mysql
filters: |
asset.platform == "azure-mysql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.mySql.server.firewallRules.all(startIpAddress != "0.0.0.0")
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-postgresql-flexible
filters: |
asset.platform == "azure-postgresql-flexible-server"
mql: |
azure.subscription.postgreSql.flexibleServer.firewallRules.all(startIpAddress != "0.0.0.0")
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-mysql-flexible
filters: |
asset.platform == "azure-mysql-flexible-server"
mql: |
azure.subscription.mySql.flexibleServer.firewallRules.all(startIpAddress != "0.0.0.0")
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-single-mariadb
filters: |
asset.platform == "azure-mariadb-server"
asset.kind == "azure-object"
mql: |
azure.subscription.mariaDb.server.firewallRules.all(startIpAddress != "0.0.0.0")
- uid: mondoo-azure-security-no-sql-databases-allow-ingress-0-0-0-0-0-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.sql.servers.all(firewallRules.all(startIpAddress != "0.0.0.0"))
azure.subscription.postgreSql.servers.all(firewallRules.all(startIpAddress != "0.0.0.0"))
azure.subscription.mySql.servers.all(firewallRules.all(startIpAddress != "0.0.0.0"))
azure.subscription.postgreSql.flexibleServers.all(firewallRules.all(startIpAddress != "0.0.0.0"))
azure.subscription.mySql.flexibleServers.all(firewallRules.all(startIpAddress != "0.0.0.0"))
azure.subscription.mariaDb.servers.all(firewallRules.all(startIpAddress != "0.0.0.0"))
- uid: mondoo-azure-security-ensure-register-with-ad-is-enabled-on-app-service
title: Enable Managed Identities for App services to Authenticate via Microsoft Entra ID
Expand Down Expand Up @@ -1037,13 +1030,11 @@ queries:
- uid: mondoo-azure-security-ensure-the-kv-is-recoverable-single
filters: |
asset.platform == "azure-keyvault-vault"
asset.kind == "azure-object"
mql: |
azure.subscription.keyVault.vault.properties.enablePurgeProtection == true
- uid: mondoo-azure-security-ensure-the-kv-is-recoverable-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.keyVault.vaults.all(properties.enablePurgeProtection == "true")
- uid: mondoo-azure-security-ensure-web-app-is-using-the-latest-tls
Expand Down Expand Up @@ -1229,14 +1220,12 @@ queries:
- uid: mondoo-azure-security-ensure-the-expiration-date-is-set-for-all-keys-and-secrets-in-kv-single
filters: |
asset.platform == "azure-keyvault-vault"
asset.kind == "azure-object"
mql: |
azure.subscription.keyVault.vault.keys.where(enabled == true).all(expires != empty)
azure.subscription.keyVault.vault.secrets.where(enabled == true).all(expires != empty)
- uid: mondoo-azure-security-ensure-the-expiration-date-is-set-for-all-keys-and-secrets-in-kv-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.keyVault.vaults.all(keys.where(enabled == true).all(expires != empty))
azure.subscription.keyVault.vaults.all(secrets.where(enabled == true).all(expires != empty))
Expand Down Expand Up @@ -1345,7 +1334,6 @@ queries:
- uid: mondoo-azure-security-ensure-logging-enabled-kv-single
filters: |
asset.platform == "azure-keyvault-vault"
asset.kind == "azure-object"
mql: |
// Step 1: Verify that diagnostic settings are configured for the Key Vault vaults.
azure.subscription.keyVault.vault.diagnosticSettings != empty
Expand All @@ -1366,7 +1354,6 @@ queries:
- uid: mondoo-azure-security-ensure-logging-enabled-kv-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
// Step 1: Verify that diagnostic settings are configured for the Key Vault vaults.
azure.subscription.keyVault.vaults.all(diagnosticSettings != empty)
Expand Down Expand Up @@ -1516,6 +1503,7 @@ queries:
variants:
- uid: mondoo-azure-security-ensure-that-ssl-enabled-postgresql-api
- uid: mondoo-azure-security-ensure-that-ssl-enabled-postgresql-single
- uid: mondoo-azure-security-ensure-that-ssl-enabled-postgresql-single-flexible
docs:
desc: |
Ensuring that SSL/TLS is enforced for all connections to PostgreSQL database servers is crucial for safeguarding data in transit. This security measure helps prevent eavesdropping and man-in-the-middle attacks, maintaining the confidentiality and integrity of data.
Expand Down Expand Up @@ -1585,20 +1573,25 @@ queries:
- uid: mondoo-azure-security-ensure-that-ssl-enabled-postgresql-single
filters: |
asset.platform == "azure-postgresql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.postgreSql.server.properties.sslEnforcement == "Enabled"
- uid: mondoo-azure-security-ensure-that-ssl-enabled-postgresql-single-flexible
filters: |
asset.platform == "azure-postgresql-flexible-server"
mql: |
azure.subscription.postgreSql.flexibleServer.configuration.where(name == 'ssl').all(value.downcase == "on")
- uid: mondoo-azure-security-ensure-that-ssl-enabled-postgresql-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.postgreSql.servers.all(properties.sslEnforcement == "Enabled")
azure.subscription.postgreSql.flexibleServers.all(configuration.where(name == 'ssl').all(value.downcase == "on"))
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql
title: Ensure SSL connection enabled for MySQL Database Server with the latest version
impact: 80
variants:
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-single
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-single-flexible
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-api
docs:
desc: |
Expand Down Expand Up @@ -1643,20 +1636,26 @@ queries:
```

For enhancing data security during transmission, it's pivotal to use the latest TLS version. Currently, the most advanced standard available is TLS 1.3, known for its enhanced security and performance benefits. However, it's important to note that, as of the latest information, Azure's MySQL service supports up to TLS 1.2. While TLS 1.2 provides robust security, the adoption of TLS 1.3 across various platforms, including Azure, is anticipated.
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-single-flexible
filters: |
asset.platform == "azure-mysql-flexible-server"
mql: |
azure.subscription.mySql.flexibleServer.configuration.where(name == "require_secure_transport").all(value.downcase == "on")
azure.subscription.mySql.flexibleServer.configuration.where(name == "tls_version").all(value.downcase == "tlsv1.2")
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-single
filters: |
asset.platform == "azure-mysql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.mySql.server.properties.sslEnforcement == "Enabled"
azure.subscription.mySql.server.properties.minimalTlsVersion == "TLS1_2"
- uid: mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.mySql.servers.all(properties.sslEnforcement == "Enabled")
azure.subscription.mySql.servers.all(properties.minimalTlsVersion == "TLS1_2")
azure.subscription.mySql.flexibleServers.all(configuration.where(name == "require_secure_transport").all(value.downcase == "on"))
azure.subscription.mySql.flexibleServers.all(configuration.where(name == "tls_version").all(value.downcase == "tlsv1.2"))
- uid: mondoo-azure-security-ensure-disabled-public-access-sql
title: Ensure public network access for SQL server is blocked or Limited to Use Selected Networks Instead of All Networks
impact: 80
Expand Down Expand Up @@ -1714,14 +1713,12 @@ queries:
- uid: mondoo-azure-security-ensure-disabled-public-access-sql-single
filters: |
asset.platform == "azure-sql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.sql.server.properties.publicNetworkAccess == "Disabled"
|| azure.subscription.sql.server.virtualNetworkRules != empty || azure.subscription.sql.server.firewallRules != empty
- uid: mondoo-azure-security-ensure-disabled-public-access-sql-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.sql.servers.all(properties.publicNetworkAccess == "Disabled") ||
azure.subscription.sql.servers.where(properties.publicNetworkAccess == "Enabled").all(virtualNetworkRules != empty || firewallRules != empty)
Expand Down Expand Up @@ -1780,15 +1777,13 @@ queries:
- uid: mondoo-azure-security-keyvault-public-access-disabled-single
filters: |
asset.platform == "azure-keyvault-vault"
asset.kind == "azure-object"
mql: |
azure.subscription.keyVault.vault.properties.all(publicNetworkAccess == "Disabled")
|| azure.subscription.keyVault.vault.properties.networkAcls.ipRules != empty
|| azure.subscription.keyVault.vault.properties.networkAcls.virtualNetworkRules != empty
- uid: mondoo-azure-security-keyvault-public-access-disabled-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.keyVault.vaults.all(properties.publicNetworkAccess == "Disabled") ||
azure.subscription.keyVault.vaults.where(properties.publicNetworkAccess == "Enabled").all(properties.networkAcls.virtualNetworkRules != empty || properties.networkAcls.ipRules != empty)
Expand Down Expand Up @@ -1847,13 +1842,11 @@ queries:
- uid: mondoo-azure-security-sql-server-audit-on-single
filters: |
asset.platform == "azure-sql-server"
asset.kind == "azure-object"
mql: |
azure.subscription.sql.server.auditingPolicy.state == "Enabled"
- uid: mondoo-azure-security-sql-server-audit-on-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.sql.servers.all(auditingPolicy.state == "Enabled")
- uid: mondoo-azure-security-sql-server-tde-on
Expand Down Expand Up @@ -1925,14 +1918,12 @@ queries:
- uid: mondoo-azure-security-sql-server-tde-on-single
filters: |
asset.platform == "azure-sql-server"
asset.kind == "azure-object"
azure.subscription.sql.server.databases.any(name != "master")
mql: |
azure.subscription.sql.server.databases.where(name != "master").all(transparentDataEncryption.state == "Enabled")
- uid: mondoo-azure-security-sql-server-tde-on-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
azure.subscription.sql.servers.all(databases.where(name != "master").all(transparentDataEncryption.state == "Enabled"))
- uid: mondoo-azure-security-diagnostic-settings-exist
Expand Down Expand Up @@ -2165,7 +2156,6 @@ queries:
- uid: mondoo-azure-security-disable-udp-virtualmachines-single
filters: |
asset.platform == "azure-network-security-group"
asset.kind == "azure-object"
mql: |
allNsgUDP = azure.subscription.network.securityGroup.securityRules
.where(
Expand All @@ -2183,7 +2173,6 @@ queries:
- uid: mondoo-azure-security-disable-udp-virtualmachines-api
filters: |
asset.platform == "azure"
asset.kind == "api"
mql: |
allNsgUDP = azure.subscription.network.securityGroups.where(securityRules
.where(
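Review bot: The new flexible-server checks in the `mondoo-azure-security-ensure-that-ssl-enabled-postgresql-single-flexible` / `-api` and `mondoo-azure-security-ensure-that-ssl-enabled-latest-version-mysql-single-flexible` / `-api` mql bodies pass vacuously when the filtered parameter list is empty, because `configuration.where(name == 'ssl').all(value.downcase == "on")` applied to no matching parameter evaluates to true (as far as I can tell from MQL list semantics), so a server whose `ssl`, `require_secure_transport` or `tls_version` parameter is missing or not returned is reported compliant rather than failing closed. Pair each `.all(...)` with the non-empty pattern the file already uses elsewhere, e.g. add `azure.subscription.postgreSql.flexibleServer.configuration.where(name == 'ssl') != empty` above the existing line, and the equivalent `.all(configuration.where(...) != empty)` in the `-api` variants. The PostgreSQL flexible check keys on the `ssl` parameter while the MySQL flexible check keys on `require_secure_transport`; if both are meant to express the same "require secure transport" control, the PostgreSQL one should probably test the same parameter — worth confirming against the Azure server-parameter names. The exact match `value.downcase == "tlsv1.2"` will also fail a server configured with a stricter or multi-valued `tls_version` setting if the platform accepts a list such as `TLSv1.2,TLSv1.3`, so a `contains`-style comparison may be what is intended. Separately, since every hunk drops `asset.kind`, `asset.platform` is now the sole discriminator between the `-single` and `-api` variants, which is fine only if each platform string is unique to one asset type — worth a one-line comment on the first such query explaining why the kind filter is no longer needed.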