Control: 5.3.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible Server
Description
Enable audit_log_enabled on MySQL flexible servers.
Enabling audit_log_enabled makes Azure Database for MySQL log events such as connection attempts to the server, DDL/DML access, and more. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.
Remediation
From Azure Portal
Part 1 - Turn on audit logs
- Login to the Azure Portal using https://portal.azure.com.
- Go to Azure Database for MySQL flexible servers.
- For each database, under Settings, click Server parameters.
- Set audit_log_enabled to ON.
- Click Save.
Part 2 - Capture audit logs (diagnostic settings are used here as an example only; send these logs to whichever data sink fits your logging needs)
- Under Monitoring, select Diagnostic settings.
- Select + Add diagnostic setting.
- Provide a diagnostic setting name.
- Under Categories, select MySQL Audit Logs.
- Specify destination details.
- Click Save.
It may take up to 10 minutes for the logs to appear in the configured destination.
From Azure CLI
Use the following command to enable audit_log_enabled:
az mysql flexible-server parameter set --resource-group <resourceGroup> --server-name <serverName> --name audit_log_enabled --value on
From PowerShell
Use the following command to enable audit_log_enabled:
Update-AzMySqlFlexibleServerConfiguration -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name audit_log_enabled -Value on
Default Value
audit_log_enabled is set to OFF by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_5_3_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v300_5_3_3 --share
SQL
This control uses a named query:
with audit_log_enabled as (
  select
    id
  from
    azure_mysql_flexible_server,
    jsonb_array_elements(flexible_server_configurations) as config
  where
    config ->> 'Name' = 'audit_log_enabled'
    and config -> 'ConfigurationProperties' ->> 'value' = 'ON'
)
select
  s.id as resource,
  case
    when a.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.id is not null then s.title || ' audit logging enabled.'
    else s.title || ' audit logging disabled.'
  end as reason,
  s.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_mysql_flexible_server as s
  left join audit_log_enabled as a on s.id = a.id
  left join azure_subscription as sub on sub.subscription_id = s.subscription_id;
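The following Python snippet is an added illustration, not part of the azure_compliance mod or of the CIS benchmark, of the decision the query above makes. It walks the same JSON path (`Name` and `ConfigurationProperties.value`) over constructed sample rows shaped like the `flexible_server_configurations` column and returns the same `ok`/`alarm` status and reason strings. The resource ids, server names and parameter values are made up for the example; the one deliberate difference from the published query is that the comparison is case-insensitive, so a value reported as `on` is not flagged.

```python
import json

# Constructed sample rows mirroring the three columns the control's query reads
# from azure_mysql_flexible_server: id, title and flexible_server_configurations.
# The configuration shape ({"Name": ..., "ConfigurationProperties": {"value": ...}})
# follows the JSON path used by the query; every value below is made up.
SAMPLE_SERVERS = [
    {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.DBforMySQL/flexibleServers/mysql-prod",
        "title": "mysql-prod",
        "flexible_server_configurations": json.dumps([
            {"Name": "audit_log_enabled", "ConfigurationProperties": {"value": "ON"}},
            {"Name": "audit_log_events", "ConfigurationProperties": {"value": "CONNECTION"}},
        ]),
    },
    {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.DBforMySQL/flexibleServers/mysql-dev",
        "title": "mysql-dev",
        "flexible_server_configurations": json.dumps([
            {"Name": "audit_log_enabled", "ConfigurationProperties": {"value": "OFF"}},
        ]),
    },
    {
        # No audit_log_enabled entry at all: the query's left join yields NULL,
        # which it reports as 'alarm', and so does this evaluator.
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
              "/providers/Microsoft.DBforMySQL/flexibleServers/mysql-legacy",
        "title": "mysql-legacy",
        "flexible_server_configurations": json.dumps([
            {"Name": "require_secure_transport", "ConfigurationProperties": {"value": "ON"}},
        ]),
    },
]


def audit_log_setting(configurations_json):
    """Return the reported audit_log_enabled value, or None if the parameter is absent.

    This is the Python equivalent of jsonb_array_elements(...) filtered on
    config ->> 'Name' = 'audit_log_enabled'.
    """
    for config in json.loads(configurations_json):
        if config.get("Name") == "audit_log_enabled":
            return config.get("ConfigurationProperties", {}).get("value")
    return None


def evaluate(server):
    """Produce one control row (resource, status, reason) for a server record."""
    value = audit_log_setting(server["flexible_server_configurations"])
    # The published query matches the literal 'ON'. Comparing case-insensitively
    # here (an assumption of this example, not the mod's behaviour) avoids a false
    # alarm if the API ever reports the value in lower case.
    enabled = value is not None and value.strip().upper() == "ON"
    return {
        "resource": server["id"],
        "status": "ok" if enabled else "alarm",
        "reason": server["title"] + (" audit logging enabled." if enabled
                                     else " audit logging disabled."),
    }


def run_control(servers):
    """Evaluate every server and return the rows, alarms first for triage."""
    rows = [evaluate(s) for s in servers]
    return sorted(rows, key=lambda r: r["status"] != "alarm")


if __name__ == "__main__":
    for row in run_control(SAMPLE_SERVERS):
        print(f"{row['status']:5}  {row['reason']}")
```

Running the file prints two alarm rows (mysql-dev and mysql-legacy) followed by the ok row for mysql-prod; the missing-parameter case shows why the query joins on the filtered CTE rather than comparing the value column directly.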