rules/findings/azure/databases/azure_sql/azure-sql-lack-auditing.json
{
"args": [], "provider": "Azure", "serviceType": "SQL Database", "serviceName": "Databases", "displayName": "Ensure that 'Auditing' is set to 'On'", "description": "Enable auditing at the SQL server level.", "rationale": "The Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. Auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted.<br/><br/>Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.", "impact": "", "remediation": { "text": " ##### Remediate From Azure Portal 1. Go to SQL servers 2. Select the SQL server instance 3. Under Security, click Auditing 4. Click the toggle next to Enable Azure SQL Auditing 5. Select an Audit log destination 6. Click Save ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/azure/defender-for-cloud/implement-security-recommendations", "https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview?view=azuresql", "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation" ], "compliance": [ { "name": "CIS Microsoft Azure Database Services", "version": "2.0.0", "reference": "9.1", "profile": [ "Level 1" ] } ], "level": "medium", "tags": [], "rule": { "path": "az_sql_servers", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "auditing.enabled", "eq", "Disabled" ] ] } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "Location", "resourceGroupName": "Resource Group Name", "auditing.enabled": "Auditing" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "id", "name", "location", "auditing" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "Location", "resourceGroupName": "Resource Group Name", "auditing.enabled": "Auditing" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure that 'Auditing' is set to 'On' for {name}", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "azure_sql_auditing_not_configured", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_sql_001" }