feat(query): implements "Beta - Diagnostic Settings Without Appropriate Logging"

[cx-andre-pereira]

Reason for Proposed Changes

• Currently there is no query to ensure that a given "azurerm_monitor_diagnostic_setting" resource enables logging for the 4 main categories: 'Administrative', 'Alert', 'Policy', and 'Security'.

• Quoting CIS_Microsoft_Azure_Foundations_Benchmark_v5.0.0 page 199: "The diagnostic setting should be configured to log the appropriate activities from the control/management plane. and "Ensure the categories 'Administrative', 'Alert', 'Policy', and 'Security' set to: 'enabled: true'

Proposed Changes

• Implemented the missing query.

• The query was implemented with support of legacy "log" blocks in mind, alongside from the newer "enabled_log" blocks.

• As for the query implementation itself, the query can flag for 7 different scenarios, given a "azurerm_monitor_diagnostic_setting" resource :

  • 1- Without a single "enabled_log"/"log" block defined; (positive1_1)
  • 2- With a single "enabled_log" object inherently missing at least 3 of the required categories; (positive1_2)
  • 3- With multiple "enabled_log" objects missing one or more of the required categories; (positive1_3)
  • 4- With a single "log" object with "enabled" == true; (positive2_1)
  • 5- With a single "log" object with "enabled" != true; (positive2_2)
  • 6- With multiple "log" objects missing one or more of the required categories; (positive2_3)
  • 7- With multiple "log" objects missing none or some of the required categories and at least one with "enabled" != true; (positive2_4)

• Having multiple vs a single object are considered different scenarios mostly because the payload generated will differ, merging objects into an array if there are 2 or more.

• For scenario 4 vs 5 and 6 vs 7 the main difference in the results will be the fact that the "IssueType" will change from "MissingAttribute" on 4/6 to "IncorrectValue" on 5/7. Given that the "enabled" field is set to a value that is not "true" in scenarios 5 and 7, effectively being an explicit disabling of a main category rather than the implicit disabling when lacking a relevant "log" field, I prioritized the "IncorrectValue" issue type for those scenarios.

• This way a scenario like 7 (positive2_4) will properly flag the issue as an "IncorrectValue" and not a "MissingAttribute", since all attributes are present and the issue is that the log for "Administrative" has the "enabled" field set to "false".

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0