Benchmark: 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions
Description
This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_3_2 --share
Controls
- App Service apps should have resource logs enabled
- Log Analytics extension should be installed on your Linux Azure Arc machines
- Log Analytics extension should be installed on your Windows Azure Arc machines
- Resource logs in Batch accounts should be enabled
- Guest Configuration extension should be installed on your machines
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
- Resource logs in Data Lake Analytics should be enabled
- Resource logs in Azure Data Lake Store should be enabled
- Resource logs in Event Hub should be enabled
- Resource logs in IoT Hub should be enabled
- Resource logs in Key Vault should be enabled
- Resource logs in Logic Apps should be enabled
- Network Watcher should be enabled
- Resource logs in Search services should be enabled
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Azure Defender for App Service should be enabled
- Microsoft Defender for Containers should be enabled
- Ensure That Microsoft Defender for Databases is set to 'On'
- Azure Defender for Key Vault should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Microsoft Defender for Storage (Classic) should be enabled
- Resource logs in Service Bus should be enabled
- Auditing on SQL server should be enabled
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Resource logs in Azure Stream Analytics should be enabled
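The benchmark reports each control above as a pass/fail row, but the same evidence can be inspected directly from the Steampipe database, which is useful when triaging why a control fails. The query below is an added example, not the mod's own control query; it evaluates the two SQL Server auditing controls listed above ("Auditing on SQL server should be enabled" and the 90-day retention check) in one pass. It assumes the Steampipe Azure plugin's `azure_sql_server` table exposes a `server_audit_policy` JSONB array whose elements carry `properties.state` and `properties.retentionDays`; confirm the column shape against the plugin version you have installed before relying on it.

```sql
-- Added example (not the steampipe-mod-azure-compliance query): evaluate SQL Server
-- auditing state and retention per server, mirroring two controls in benchmark 3.3.2.
-- Assumption: azure_sql_server.server_audit_policy is a JSONB array with
-- properties.state and properties.retentionDays, as the Steampipe Azure plugin documents.
with audit as (
  select
    s.name,
    s.resource_group,
    s.subscription_id,
    p -> 'properties' ->> 'state' as audit_state,
    (p -> 'properties' ->> 'retentionDays')::int as retention_days
  from
    azure_sql_server as s
    -- left join keeps servers that have no audit policy at all so they surface as failures
    left join lateral jsonb_array_elements(s.server_audit_policy) as p on true
)
select
  name,
  resource_group,
  subscription_id,
  case
    -- Azure uses retentionDays = 0 to mean "retain indefinitely", which satisfies a 90-day floor
    when audit_state = 'Enabled' and coalesce(retention_days, 0) = 0 then 'ok'
    when audit_state = 'Enabled' and retention_days >= 90 then 'ok'
    when audit_state = 'Enabled' then 'alarm: retention ' || retention_days || ' days is below 90'
    else 'alarm: auditing not enabled'
  end as status
from audit
order by status, name;
```

Run it from `steampipe query` with the Azure plugin configured for the subscriptions you want to assess; rows whose status starts with `alarm` are the servers whose activity cannot be traced back to individual users with adequate history, which is the accountability gap this control targets.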