feat: Added queries for Azure CIS for BigQuery - Premuim
ronsh12 committed Jan 17, 2024
1 parent 69307d8 commit 31b985b
Showing 64 changed files with 1,551 additions and 77 deletions.
@@ -1,146 +1,145 @@
{{ config(enabled=block_bigquery()) }}

with
aggregated as (
({{iam_custom_subscription_owner_roles('cis_v1.3.0','1.21')}})
union
{{ union() }}
({{security_defender_on_for_servers('cis_v1.3.0','2.1')}})
union
{{ union() }}
({{security_defender_on_for_app_service('cis_v1.3.0','2.2')}})
union
{{ union() }}
({{security_defender_on_for_sql_servers('cis_v1.3.0','2.3')}})
union
{{ union() }}
({{security_defender_on_for_sql_servers_on_machines('cis_v1.3.0','2.4')}})
union
{{ union() }}
({{security_defender_on_for_storage('cis_v1.3.0','2.5')}})
union
{{ union() }}
({{security_defender_on_for_k8s('cis_v1.3.0','2.6')}})
union
{{ union() }}
({{security_defender_on_for_container_registeries('cis_v1.3.0','2.7')}})
union
{{ union() }}
({{security_defender_on_for_key_vault('cis_v1.3.0','2.8')}})
union
{{ union() }}
({{security_auto_provisioning_monitoring_agent_enabled('cis_v1.3.0','2.11')}})
union
{{ union() }}
({{security_default_policy_disabled('cis_v1.3.0','2.12')}})
union
{{ union() }}
({{storage_secure_transfer_to_storage_accounts_should_be_enabled('cis_v1.3.0','3.1')}})
union
{{ union() }}
({{storage_no_public_blob_container('cis_v1.3.0','3.5')}})
union
{{ union() }}
({{storage_default_network_access_rule_is_deny('cis_v1.3.0','3.6')}})
union
{{ union() }}
({{storage_soft_delete_is_enabled('cis_v1.3.0','3.8')}})
union
{{ union() }}
({{storage_encrypt_with_cmk('cis_v1.3.0','3.9')}})
union
{{ union() }}
({{sql_auditing_off('cis_v1.3.0','4.1.1')}})
union
{{ union() }}
({{sql_data_encryption_off('cis_v1.3.0','4.1.2')}})
union
{{ union() }}
({{sql_auditing_retention_less_than_90_days('cis_v1.3.0','4.1.3')}})
union
{{ union() }}
({{sql_atp_on_sql_server_disabled('cis_v1.3.0','4.2.1')}})
union
{{ union() }}
({{sql_va_is_enabled_on_sql_server_by_storage_account('cis_v1.3.0','4.2.2')}})
union
{{ union() }}
({{sql_va_periodic_scans_enabled_on_sql_server('cis_v1.3.0','4.2.3')}})
union
{{ union() }}
({{sql_va_send_scan_report_enabled_on_sql_server('cis_v1.3.0','4.2.4')}})
union
{{ union() }}
({{sql_va_send_email_to_admins_and_owners_enabled('cis_v1.3.0','4.2.5')}})
union
{{ union() }}
({{sql_postgresql_ssl_enforcment_disabled('cis_v1.3.0','4.3.1')}})
union
{{ union() }}
({{sql_mysql_ssl_enforcment_disabled('cis_v1.3.0','4.3.2')}})
union
{{ union() }}
({{sql_postgresql_log_checkpoints_disabled('cis_v1.3.0','4.3.3')}})
union
{{ union() }}
({{sql_postgresql_log_connections_disabled('cis_v1.3.0','4.3.4')}})
union
{{ union() }}
({{sql_postgresql_log_disconnections_disabled('cis_v1.3.0','4.3.5')}})
union
{{ union() }}
({{sql_postgresql_connection_throttling_disabled('cis_v1.3.0','4.3.6')}})
union
{{ union() }}
({{sql_postgresql_log_retention_days_less_than_3_days('cis_v1.3.0','4.3.7')}})
union
{{ union() }}
({{sql_postgresql_allow_access_to_azure_services_enabled('cis_v1.3.0','4.3.8')}})
union
{{ union() }}
({{sql_ad_admin_configured('cis_v1.3.0','4.4')}})
union
{{ union() }}
({{sql_sqlserver_tde_not_encrypted_with_cmek('cis_v1.3.0','4.5')}})
union
{{ union() }}
({{monitor_no_diagnostic_setting('cis_v1.3.0','5.1.1')}})
union
{{ union() }}
({{monitor_insufficient_diagnostic_capturing_settings('cis_v1.3.0','5.1.2')}})
union
{{ union() }}
({{storage_no_publicly_accessible_insights_activity_logs('cis_v1.3.0','5.1.3')}})
union
{{ union() }}
({{storage_encrypt_with_cmk_for_activity_log('cis_v1.3.0','5.1.4')}})
union
{{ union() }}
({{monitor_logging_key_valut_is_enabled('cis_v1.3.0','5.1.5')}})
union
{{ union() }}
({{monitor_log_alert_for_create_policy_assignment('cis_v1.3.0','5.2.1')}})
union
{{ union() }}
({{monitor_log_alert_for_delete_policy_assignment('cis_v1.3.0','5.2.2')}})
union
{{ union() }}
({{monitor_log_alert_for_create_or_update_network_sg('cis_v1.3.0','5.2.3')}})
union
{{ union() }}
({{monitor_log_alert_for_delete_network_sg('cis_v1.3.0','5.2.4')}})
union
{{ union() }}
({{monitor_log_alert_for_create_or_update_network_sg_rule('cis_v1.3.0','5.2.5')}})
union
{{ union() }}
({{monitor_log_alert_for_delete_network_sg_rule('cis_v1.3.0','5.2.6')}})
union
{{ union() }}
({{monitor_log_alert_for_create_or_update_security_solution('cis_v1.3.0','5.2.7')}})
union
{{ union() }}
({{monitor_log_alert_for_delete_security_solution('cis_v1.3.0','5.2.8')}})
union
{{ union() }}
({{monitor_log_alert_for_create_or_update_or_delete_sql_server_firewall_rule('cis_v1.3.0','5.2.9')}})
union
{{ union() }}
({{monitor_diagnostic_logs_for_all_services('cis_v1.3.0','5.3')}})
union
{{ union() }}
({{network_rdp_services_are_restricted_from_the_internet('cis_v1.3.0','6.1')}})
union
{{ union() }}
({{network_ssh_services_are_restricted_from_the_internet('cis_v1.3.0','6.2')}})
union
{{ union() }}
({{sql_no_sql_allow_ingress_from_any_ip('cis_v1.3.0','6.3')}})
union
{{ union() }}
({{network_nsg_log_retention_period('cis_v1.3.0','6.4')}})
union
{{ union() }}
({{network_udp_services_are_restricted_from_the_internet('cis_v1.3.0','6.6')}})
union
{{ union() }}
({{compute_vms_utilizing_managed_disks('cis_v1.3.0','7.1')}})
union
{{ union() }}
({{compute_os_and_data_disks_encrypted_with_cmk('cis_v1.3.0','7.2')}})
union
{{ union() }}
({{compute_unattached_disks_are_encrypted_with_cmk('cis_v1.3.0','7.3')}})
union
{{ union() }}
({{compute_vhds_not_encrypted('cis_v1.3.0','7.7')}})
union
{{ union() }}
({{keyvault_keys_without_expiration_date('cis_v1.3.0','8.1')}})
union
{{ union() }}
({{keyvault_secrets_without_expiration_date('cis_v1.3.0','8.2')}})
union
{{ union() }}
({{keyvault_not_recoverable('cis_v1.3.0','8.4')}})
union
{{ union() }}
({{container_aks_rbac_disabled('cis_v1.3.0','8.5')}})
union
{{ union() }}
({{web_app_auth_unset('cis_v1.3.0','9.1')}})
union
{{ union() }}
({{web_app_allow_http('cis_v1.3.0','9.2')}})
union
{{ union() }}
({{web_app_using_old_tls('cis_v1.3.0','9.3')}})
union
{{ union() }}
({{web_app_client_cert_disabled('cis_v1.3.0','9.4')}})
union
{{ union() }}
({{web_app_register_with_ad_disabled('cis_v1.3.0','9.5')}})
union
{{ union() }}
({{web_app_ftp_deployment_enabled('cis_v1.3.0','9.10')}})

)
select
('{{ run_started_at }}')::timestamp as policy_execution_time,
{{ gen_timestamp() }},
aggregated.*
from aggregated

@@ -36,4 +36,21 @@ SELECT
FROM azure_compute_virtual_machines v
JOIN azure_compute_disks d ON
LOWER(v.id) = LOWER(d.properties:managedBy)
{% endmacro %}

{% macro bigquery__compute_os_and_data_disks_encrypted_with_cmk(framework, check_id) %}
SELECT
v.id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that "OS and Data" disks are encrypted with CMK (Automated)' AS title,
v.subscription_id AS subscription_id,
CASE
WHEN JSON_VALUE(d.properties.encryption.type) NOT LIKE '%CustomerKey%'
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_compute_virtual_machines") }} v
JOIN {{ full_table_name("azure_compute_disks") }} d ON
LOWER(v.id) = LOWER(JSON_VALUE(d.properties.managedBy))
{% endmacro %}
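Review bot: The `WHEN JSON_VALUE(d.properties.encryption.type) NOT LIKE '%CustomerKey%'` predicate yields NULL rather than TRUE when the encryption type is absent from the disk's properties, so the CASE falls through to `ELSE 'pass'` and a disk with no recorded encryption type is reported as compliant. The new `bigquery__compute_unattached_disks_are_encrypted_with_cmk` macro in the next file carries the same pattern. Treating the missing value as a failure is consistent with the other new macros in this commit, which guard NULL with `IS DISTINCT FROM TRUE`: `WHEN JSON_VALUE(d.properties.encryption.type) IS NULL` / `OR JSON_VALUE(d.properties.encryption.type) NOT LIKE '%CustomerKey%'`. Whether Azure ever omits `encryption.type` for a managed disk cannot be confirmed from the diff, but a missing setting should not read as a pass.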
@@ -34,4 +34,20 @@ SELECT
END AS status
FROM azure_compute_disks
WHERE properties:diskState = 'Unattached'
{% endmacro %}

{% macro bigquery__compute_unattached_disks_are_encrypted_with_cmk(framework, check_id) %}
SELECT
id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that "Unattached disks" are encrypted with CMK (Automated)' AS title,
subscription_id AS subscription_id,
CASE
WHEN JSON_VALUE(properties.encryption.type) NOT LIKE '%CustomerKey%'
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_compute_disks") }}
WHERE JSON_VALUE(properties.diskState) = 'Unattached'
{% endmacro %}
15 changes: 15 additions & 0 deletions transformations/azure/macros/compute/vhds_not_encrypted.sql
@@ -32,4 +32,19 @@ SELECT
ELSE 'pass'
END AS status
FROM azure_compute_disks
{% endmacro %}

{% macro bigquery__compute_vhds_not_encrypted(framework, check_id) %}
SELECT
id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that VHDs are encrypted (Manual)' AS title,
subscription_id AS subscription_id,
CASE
WHEN CAST( JSON_VALUE(properties.encryptionSettingsCollection.enabled) AS BOOL) IS DISTINCT FROM TRUE
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_compute_disks") }}
{% endmacro %}
@@ -32,4 +32,19 @@ SELECT
ELSE 'pass'
END AS status
FROM azure_compute_virtual_machines
{% endmacro %}

{% macro bigquery__compute_vms_utilizing_managed_disks(framework, check_id) %}
SELECT
id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure Virtual Machines are utilizing Managed Disks (Manual)' AS title,
subscription_id AS subscription_id,
CASE
WHEN JSON_VALUE(properties.storageProfile.osDisk.managedDisk.id) IS NULL
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_compute_virtual_machines") }}
{% endmacro %}
15 changes: 15 additions & 0 deletions transformations/azure/macros/container/aks_rbac_disabled.sql
@@ -32,4 +32,19 @@ SELECT
ELSE 'pass'
END AS status
FROM azure_containerservice_managed_clusters
{% endmacro %}

{% macro bigquery__container_aks_rbac_disabled(framework, check_id) %}
SELECT
id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Role-Based Access Control (RBAC) should be used on Kubernetes Services' AS title,
subscription_id AS subscription_id,
CASE
WHEN CAST( JSON_VALUE(properties.enableRBAC) AS BOOL) IS distinct from TRUE
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_containerservice_managed_clusters") }}
{% endmacro %}
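Review bot: `IS distinct from TRUE` mixes keyword case inside a single predicate, while the otherwise identical check in `bigquery__compute_vhds_not_encrypted` in this commit writes `IS DISTINCT FROM TRUE`. The NULL handling is right (an absent `enableRBAC` becomes a fail); only the casing should be aligned: `WHEN CAST(JSON_VALUE(properties.enableRBAC) AS BOOL) IS DISTINCT FROM TRUE`.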
@@ -38,4 +38,22 @@ SELECT
FROM azure_keyvault_keyvault akv
JOIN azure_keyvault_keyvault_keys akvk
ON akv._cq_id = akvk._cq_parent_id
{% endmacro %}

{% macro bigquery__keyvault_keys_without_expiration_date(framework, check_id) %}
SELECT
akvk.id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that the expiration date is set on all keys (Automated)' AS title,
akv.subscription_id AS subscription_id,
CASE
WHEN CAST( JSON_VALUE(akvk.properties.attributes.enabled) AS BOOL) = TRUE
AND JSON_VALUE(akvk.properties.attributes.exp) IS NULL
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_keyvault_keyvault") }} akv
JOIN {{ full_table_name("azure_keyvault_keyvault_keys") }} akvk
ON akv._cq_id = akvk._cq_parent_id
{% endmacro %}
15 changes: 15 additions & 0 deletions transformations/azure/macros/keyvault/not_recoverable.sql
@@ -32,4 +32,19 @@ SELECT
ELSE 'pass'
END AS status
FROM azure_keyvault_keyvault
{% endmacro %}

{% macro bigquery__keyvault_not_recoverable(framework, check_id) %}
SELECT
id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure the key vault is recoverable (Automated)' AS title,
subscription_id AS subscription_id,
CASE
WHEN (CAST( JSON_VALUE(properties.enableSoftDelete) AS BOOL) != TRUE) OR (CAST( JSON_VALUE(properties.enablePurgeProtection) AS BOOL) != TRUE)
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_keyvault_keyvault") }}
{% endmacro %}
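Review bot: The `!= TRUE` comparisons in the WHEN clause evaluate to NULL when `enableSoftDelete` or `enablePurgeProtection` is absent from the vault's properties, and `FALSE OR NULL` is NULL, so a vault with soft delete on but no purge-protection value falls through to `ELSE 'pass'` — the opposite of what this check is meant to report. The other new macros in this commit (`bigquery__compute_vhds_not_encrypted`, `bigquery__container_aks_rbac_disabled`) use `IS DISTINCT FROM TRUE`, which counts NULL as a failure; the same form here would be `WHEN CAST(JSON_VALUE(properties.enableSoftDelete) AS BOOL) IS DISTINCT FROM TRUE` / `OR CAST(JSON_VALUE(properties.enablePurgeProtection) AS BOOL) IS DISTINCT FROM TRUE`. Whether the Azure API omits the key for unset values cannot be confirmed from the diff, but an unknown setting should not read as recoverable.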
@@ -38,4 +38,22 @@ SELECT
FROM azure_keyvault_keyvault akv
JOIN azure_keyvault_keyvault_secrets akvs
ON akv._cq_id = akvs._cq_parent_id
{% endmacro %}

{% macro bigquery__keyvault_secrets_without_expiration_date(framework, check_id) %}
SELECT
akvs.id AS resource_id,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that the expiration date is set on all Secrets (Automated)' AS title,
akv.subscription_id AS subscription_id,
CASE
WHEN CAST( JSON_VALUE(akvs.properties.attributes.enabled) AS BOOL) = TRUE
AND JSON_VALUE(akvs.properties.attributes.exp) IS NULL
THEN 'fail'
ELSE 'pass'
END AS status
FROM {{ full_table_name("azure_keyvault_keyvault") }} akv
JOIN {{ full_table_name("azure_keyvault_keyvault_secrets") }} akvs
ON akv._cq_id = akvs._cq_parent_id
{% endmacro %}