Control: 5.1.2 Ensure Diagnostic Setting captures appropriate categories

Description

Prerequisite: A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: "Ensure that a 'Diagnostic Setting' exists."

The diagnostic setting should be configured to log the appropriate activities from the control/management plane.

A diagnostic setting controls how the diagnostic log is exported. Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.

Remediation

From Azure Portal

Go to Azure Monitor.
Click Activity log.
Click on Export Activity Logs.
Select the Subscription from the drop down menu.
Click on Add diagnostic setting.
Enter a name for your new Diagnostic Setting.
Check the following categories: Administrative, Alert, Policy, and Security.
Choose the destination details according to your organization's needs.

From Az CLI

az monitor diagnostic-settings subscription create --subscription <subscription id> --name <diagnostic settings name> --location <location> <[- -event-hub <event hub ID> --event-hub-auth-rule <event hub auth rule ID>] [-- storage-account <storage account ID>] [--workspace <log analytics workspace ID>] --logs "[{category:Security,enabled:true},{category:Administrative,enabled:true},{ca tegory:Alert,enabled:true},{category:Policy,enabled:true}]"

From Powershell

$logCategories = @();
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Administrative -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Security -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Alert -Enabled $true
$logCategories += New-AzDiagnosticSettingSubscriptionLogSettingsObject - Category Policy -Enabled $true

New-AzSubscriptionDiagnosticSetting -SubscriptionId <subscription ID> -Name <Diagnostic settings name> <[-EventHubAuthorizationRule <event hub auth rule ID> -EventHubName <event hub name>] [-StorageAccountId <storage account ID>] [-WorkSpaceId <log analytics workspace ID>] [-MarketplacePartner ID <full ARM Marketplace resource ID>]> -Log $logCategories

Default Value

When the diagnostic setting is created using Azure Portal, by default no categories are selected.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_5_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_5_1_2 --share

SQL

This control uses a named query:

with enabled_settings as (
  select
    name,
    id,
    _ctx,
    resource_group,
    subscription_id,
    count(*) filter (where l ->> 'enabled' = 'true'
      and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy')
    ) as valid_category_count,
    string_agg(l ->> 'category', ', ') filter (where l ->> 'enabled' = 'true'
      and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy')
    ) as valid_categories
  from
    azure_diagnostic_setting,
    jsonb_array_elements(logs) as l
  group by
    name,
    id,
    _ctx,
    resource_group,
    subscription_id
)
select
  sett.id as resource,
  case
    when valid_category_count = 4 then 'ok'
    else 'alarm'
  end as status,
  case
    when valid_category_count = 4
      then name || ' logs enabled for required categories administrative, security, alert and policy.'
    when valid_category_count > 0
      then sett.name || ' logs enabled for ' || valid_categories || ' categories.'
      else sett.name || ' logs not enabled for categories administrative, security, alert and policy.'
  end as reason
  , sett.resource_group as resource_group
  , sub.display_name as subscription
from
  enabled_settings sett,
  azure_subscription sub
where
  sub.subscription_id = sett.subscription_id;