control.cis_v200_5_1_3 is returning false negatives
KingBrewer opened this issue · 2 comments
KingBrewer commented
Describe the bug
In CIS Benchmark for Azure v2.0.0 the audit steps changed, following Microsoft's update to the container name which stores activity logs. The previous insights-operational-logs name was changed to insights-activity-logs. The current implementation is looking for the former name, which leads to false negatives (resources are not being flagged as non-compliant).
Steampipe version (steampipe -v)
v0.20.6
Plugin version (steampipe plugin list)
v0.28
To reproduce
- Enable public access on a container storing activity logs
- steampipe check --mod-location steampipe-mod-azure-compliance control.cis_v200_5_1_3
- Result:
    + 5.1.3 Ensure the Storage Container Storing the Activity L… 0 / 0 [ ]

    Summary

    OK ............................................................. 0 [ ]
    SKIP ........................................................... 0 [ ]
    INFO ........................................................... 0 [ ]
    ALARM .......................................................... 0 [ ]
    ERROR .......................................................... 0 [ ]

    TOTAL ...................................................... 0 / 0 [ ]
Expected behavior
- At least one container should be in ALARM
Additional context
    select
      sc.name,
      sc.public_access
    from
      azure_storage_container sc,
      azure_subscription sub
    where
      sc.name in ('insights-operational-logs', 'insights-activity-logs')
      and sub.subscription_id = sc.subscription_id;
- Result:
    +------------------------+---------------+
    | name                   | public_access |
    +------------------------+---------------+
    | insights-activity-logs | Blob          |
    +------------------------+---------------+
References
- Ticket that was used to justify the audit procedure change of 5.1.3: https://workbench.cisecurity.org/benchmarks/8528/tickets/16383
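
The failure mode reported above (a name filter that matches nothing, so the control reports 0 / 0), shown as an added example query that is not the mod's own code or the fix from the linked pull request: it matches both container names and emits an info row for every subscription where neither is found. It assumes an account_name column on azure_storage_container and that a private container reports public_access as 'None'; both are assumptions, since the issue only shows name, public_access, subscription_id and the value Blob.

```sql
-- Added example, not the mod's query.
-- name, public_access and subscription_id come from the issue's query;
-- account_name and the 'None' value are assumptions about the plugin schema.
with log_containers as (
  select
    sc.account_name,
    sc.name,
    sc.public_access,
    sc.subscription_id
  from
    azure_storage_container as sc
  where
    -- Accept the current name and the legacy one, so a rename on either
    -- side does not empty the result set.
    sc.name in ('insights-activity-logs', 'insights-operational-logs')
)
-- One row per activity log container. The check fails closed: anything
-- other than an explicit 'None' (including NULL) is reported as alarm.
select
  lc.account_name || '/' || lc.name as resource,
  case
    when lc.public_access = 'None' then 'ok'
    else 'alarm'
  end as status,
  lc.account_name || ' container ' || lc.name || ' public access: '
    || coalesce(lc.public_access, 'unknown') || '.' as reason
from
  log_containers as lc
union all
-- Subscriptions with no matching container get an explicit row, so
-- "nothing matched" is visible instead of a silent 0 / 0.
select
  sub.subscription_id as resource,
  'info' as status,
  'No activity log container found under either name.' as reason
from
  azure_subscription as sub
where
  not exists (
    select 1
    from log_containers as lc
    where lc.subscription_id = sub.subscription_id
  );
```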
KingBrewer commented
Resolved by #185
misraved commented
Thanks @KingBrewer for the fixes 🎉 !!