turbot/steampipe-mod-azure-compliance

Missing implementation of CIS 4.3.7

KingBrewer opened this issue · 2 comments

Describe the bug
CIS check 4.3.7 "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled" is missing an implementation, being attributed as a manual control: https://github.com/turbot/steampipe-mod-azure-compliance/blob/v0.24/cis_v200/section_4.sp#L336

Steampipe version (steampipe -v)
v0.19.4

Plugin version (steampipe plugin list)
steampipe-mod-azure-compliance@v0.24

+------------------------------------------------+---------+-------------+
| Installed Plugin                               | Version | Connections |
+------------------------------------------------+---------+-------------+
| hub.steampipe.io/plugins/turbot/azure@latest   | 0.41.0  | azure       |
| hub.steampipe.io/plugins/turbot/azuread@latest | 0.9.0   | azuread     |
+------------------------------------------------+---------+-------------+

To reproduce
Run assessment of 4.3.7 control: steampipe check control.cis_v200_4_3_7

Expected behavior
Firewall rules should be evaluated for each of the Postgres servers. Currently the check is marked as manual, which is incorrect.

Welcome to Steampipe @KingBrewer and apologies for the bump!!

When tables or columns (REST APIs) are unavailable to assist us in creating a SQL query for any compliance check, we designate such controls as manual.

However, in this case, the azure_postgresql_server table seems to have a column firewall_rules.

@khushboo9024 could you please verify if we can create a query for this control?
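
One way the check discussed in this thread could be written as a Steampipe control query, given here as an added example that is not the mod's own code. It relies on Azure storing the "Allow access to Azure services" setting as a firewall rule whose start and end IP are both 0.0.0.0, and it assumes the JSON key names inside `firewall_rules` shown in the comments.

```sql
-- Added example: CIS 4.3.7 expressed as a Steampipe control query.
-- Assumption: each element of firewall_rules has the shape
--   {"FirewallRuleProperties": {"startIpAddress": "...", "endIpAddress": "..."}}
-- Adjust the JSON paths if the installed plugin version returns another shape.
with azure_services_rule as (
  -- Servers holding a 0.0.0.0 - 0.0.0.0 rule, which is how Azure records
  -- the "Allow access to Azure services" toggle.
  select distinct
    s.id
  from
    azure_postgresql_server as s,
    jsonb_array_elements(
      -- Guard against a missing or non-array column value so that
      -- jsonb_array_elements never receives a scalar.
      case
        when jsonb_typeof(s.firewall_rules) = 'array' then s.firewall_rules
        else '[]'::jsonb
      end
    ) as r
  where
    r -> 'FirewallRuleProperties' ->> 'startIpAddress' = '0.0.0.0'
    and r -> 'FirewallRuleProperties' ->> 'endIpAddress' = '0.0.0.0'
)
select
  s.id as resource,
  case
    when a.id is not null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.id is not null then s.name || ' allows access to Azure services.'
    else s.name || ' does not allow access to Azure services.'
  end as reason,
  s.resource_group,
  s.subscription_id
from
  azure_postgresql_server as s
  -- Left join keeps servers with no matching rule so they are reported as ok.
  left join azure_services_rule as a on a.id = s.id;
```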