Control: 5.1.2 Ensure Diagnostic Setting captures appropriate categories
Description
A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."
The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.
Remediation
From Azure Portal
- Go to
Azure Monitor - Click
Activity log - Click on
Diagnostic settings - Click on
Add diagnostic setting - Enter a name for your new Diagnostic Setting
- Check the following categories:
Administrative, Alert, Policy, and Security - Choose the destination details according to your organization's needs.
Using ARM Template via AZ PowerShell cmdlets
Create a file to hold the JSON
{ "$schema": "https://schema.management.azure.com/schemas/2019-04- 01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "settingName": { "type": "String" }, "workspaceId": { "type": "String" } }, "resources": [ { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2017-05-01-preview", "name": "[parameters('settingName')]", "dependsOn": [], "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": [ { "category": "Administrative", "enabled": true }, { "category": "Alert", "enabled": true }, { "category": "Autoscale", "enabled": false }, { "category": "Policy", "enabled": true }, { "category": "Recommendation", "enabled": false }, { "category": "ResourceHealth", "enabled": false }, { "category": "Security", "enabled": true }, { "category": "ServiceHealth", "enabled": false } ] } } ]}
Reference the JSON in the New-AzSubscriptionDeployment call
$OMSWorkspace = Get-AzResource -ResourceType"Microsoft.OperationalInsights/workspaces" -Name <Workspace Name>New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName "Send Activity log toworkspace" -workspaceId $OMSWorkspace.ResourceId
Default Value
When the diagnostic setting is created using Azure Portal, by default no categories are selected.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_5_1_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v150_5_1_2 --shareSQL
This control uses a named query:
with enabled_settings as ( select name, id, _ctx, resource_group, subscription_id, count(*) filter (where l ->> 'enabled' = 'true' and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy') ) as valid_category_count, string_agg(l ->> 'category', ', ') filter (where l ->> 'enabled' = 'true' and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy') ) as valid_categories from azure_diagnostic_setting, jsonb_array_elements(logs) as l group by name, id, _ctx, resource_group, subscription_id)select sett.id as resource, case when valid_category_count = 4 then 'ok' else 'alarm' end as status, case when valid_category_count = 4 then name || ' logs enabled for required categories administrative, security, alert and policy.' when valid_category_count > 0 then sett.name || ' logs enabled for ' || valid_categories || ' categories.' else sett.name || ' logs not enabled for categories administrative, security, alert and policy.' end as reason , sett.resource_group as resource_group , sub.display_name as subscriptionfrom enabled_settings sett, azure_subscription subwhere sub.subscription_id = sett.subscription_id;