feat: Added Azure snowflake dbt - cis v1.3 (#190)
* feat: Added Azure snowflake dbt

* Updated query network_udp_services_are_restricted_from_the_internet
ronsh12 authored Nov 16, 2023
1 parent 5690872 commit a259478
Showing 71 changed files with 2,199 additions and 106 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
{% macro iam_custom_subscription_owner_roles(framework, check_id) %}
{{ return(adapter.dispatch('iam_custom_subscription_owner_roles')(framework, check_id)) }}
{% endmacro %}

--check if definition matches scopes
{% macro default__iam_custom_subscription_owner_roles(framework, check_id) %}{% endmacro %}

{% macro postgres__iam_custom_subscription_owner_roles(framework, check_id) %}
WITH custom_roles AS (
SELECT *
FROM azure_authorization_role_definitions
Expand Down Expand Up @@ -36,6 +40,59 @@ meets_actions AS (
FROM definition_actions
GROUP BY _cq_id
)
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure That No Custom Subscription Administrator Roles Exist' AS title,
subscription_id AS subscription_id,
id AS resource_id,
CASE
WHEN has_wide_scope AND has_all_action
THEN 'fail'
ELSE 'pass'
END AS status
FROM custom_roles
JOIN meets_scopes USING (_cq_id) JOIN meets_actions USING (_cq_id)
{% endmacro %}

{% macro snowflake__iam_custom_subscription_owner_roles(framework, check_id) %}
--check if definition matches scopes
WITH custom_roles AS (
SELECT *
FROM azure_authorization_role_definitions
WHERE properties:type = 'CustomRole'
),
assignable_scopes AS (
SELECT
_cq_id,
value AS assignable_scope
FROM custom_roles,
LATERAL FLATTEN(input => properties:assignableScopes) AS scope
),
meets_scopes AS (
SELECT
_cq_id,
CASE WHEN MAX(CASE WHEN assignable_scope = '/' OR assignable_scope REGEXP '^\/subscriptions\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' THEN 1 ELSE 0 END) = 1 THEN 'pass' ELSE 'fail' END AS has_wide_scope
FROM assignable_scopes
GROUP BY _cq_id
),
--check if definition matches actions
definition_actions AS (
SELECT
_cq_id,
actions.value AS action
FROM custom_roles,
LATERAL FLATTEN(input => properties:permissions) AS p,
LATERAL FLATTEN(input => p.value:actions) AS actions
),
meets_actions AS (
SELECT
_cq_id,
CASE WHEN MAX(CASE WHEN action = '*' THEN 1 ELSE 0 END) = 1 THEN 'pass' ELSE 'fail' END AS has_all_action
FROM definition_actions
GROUP BY _cq_id
)
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
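Review bot: meets_scopes and meets_actions in the Snowflake macro emit the string flags 'pass'/'fail' (`CASE WHEN MAX(...) = 1 THEN 'pass' ELSE 'fail' END AS has_wide_scope` and the same shape for `has_all_action`), whereas the Postgres branch's final CASE consumes `has_wide_scope AND has_all_action` as booleans; the Snowflake macro's final SELECT continues outside the hunk, so whether it compares the strings is not visible, but a copied boolean AND would error at run time and, either way, 'pass' here marks the risky condition (a '/' or subscription-wide scope, a '*' action), which inverts the meaning of the column names. Dropping the outer CASE keeps a boolean and matches the Postgres branch: `MAX(CASE WHEN assignable_scope = '/' OR assignable_scope REGEXP '...' THEN 1 ELSE 0 END) = 1 AS has_wide_scope` and `MAX(CASE WHEN action = '*' THEN 1 ELSE 0 END) = 1 AS has_all_action`. Presumably the inner JOINs on _cq_id mirror the Postgres branch, in which case a custom role with no assignableScopes or no actions drops out of the result instead of being reported; worth confirming. The subscription regex also only matches lowercase hex and does not match management-group scopes, which are broader than a subscription; a comment stating that this follows the benchmark's '/' or '/subscriptions/<id>' wording would make that deliberate.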
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_app_service(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_app_service')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_app_service(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_app_service(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'AppServices'
{% endmacro %}

{% macro snowflake__security_defender_on_for_app_service(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for App Service (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'AppServices'
{% endmacro %}
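Review bot: The Snowflake macro's result set leaves the `case ... end` expression unaliased and returns `id` without the `resource_id` alias, unlike snowflake__compute_os_and_data_disks_encrypted_with_cmk in the same commit (`v.id AS resource_id`, `END AS status`); if the framework model unions these macros by column name, the unnamed status column and bare `id` will not line up. The same applies to the other snowflake__security_defender_on_for_* macros in this commit (container_registeries, k8s, key_vault, servers, sql_servers, sql_servers_on_machines, storage). Suggested: `id AS resource_id,` and `end AS status`. The unused `asp` alias could be dropped as well, and a comment naming the rule would help, e.g. `-- Defender for App Service is on when the pricing tier is 'Standard'; a missing pricingTier fails closed`.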
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_container_registeries(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_container_registeries')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_container_registeries(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_container_registeries(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'ContainerRegistry'
{% endmacro %}

{% macro snowflake__security_defender_on_for_container_registeries(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for Container Registries (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'ContainerRegistry'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_k8s(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_k8s')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_k8s(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_k8s(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'KubernetesService'
{% endmacro %}

{% macro snowflake__security_defender_on_for_k8s(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for Kubernetes (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'KubernetesService'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_key_vault(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_key_vault')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_key_vault(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_key_vault(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'KeyVaults'
{% endmacro %}

{% macro snowflake__security_defender_on_for_key_vault(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for Key Vault (Manual)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'KeyVaults'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_servers(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_servers')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_servers(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_servers(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'VirtualMachines'
{% endmacro %}

{% macro snowflake__security_defender_on_for_servers(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for Servers (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'VirtualMachines'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_sql_servers(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_sql_servers')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_sql_servers(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_sql_servers(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'SqlServers'
{% endmacro %}
{% endmacro %}

{% macro snowflake__security_defender_on_for_sql_servers(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for Azure SQL database servers (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'SqlServers'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_sql_servers_on_machines(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_sql_servers_on_machines')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_sql_servers_on_machines(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_sql_servers_on_machines(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'SqlserverVirtualMachines'
{% endmacro %}

{% macro snowflake__security_defender_on_for_sql_servers_on_machines(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for SQL servers on machines (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'SqlserverVirtualMachines'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro security_defender_on_for_storage(framework, check_id) %}
{{ return(adapter.dispatch('security_defender_on_for_storage')(framework, check_id)) }}
{% endmacro %}

{% macro default__security_defender_on_for_storage(framework, check_id) %}{% endmacro %}

{% macro postgres__security_defender_on_for_storage(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
Expand All @@ -13,4 +18,20 @@ SELECT
end
FROM azure_security_pricings asp
WHERE "name" = 'StorageAccounts'
{% endmacro %}

{% macro snowflake__security_defender_on_for_storage(framework, check_id) %}
SELECT
_cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that Azure Defender is set to On for Storage (Automatic)' as title,
subscription_id,
id,
case
when properties:pricingTier = 'Standard'
then 'pass' else 'fail'
end
FROM azure_security_pricings asp
WHERE name = 'StorageAccounts'
{% endmacro %}
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
{% macro compute_os_and_data_disks_encrypted_with_cmk(framework, check_id) %}
{{ return(adapter.dispatch('compute_os_and_data_disks_encrypted_with_cmk')(framework, check_id)) }}
{% endmacro %}

{% macro default__compute_os_and_data_disks_encrypted_with_cmk(framework, check_id) %}{% endmacro %}

{% macro postgres__compute_os_and_data_disks_encrypted_with_cmk(framework, check_id) %}
SELECT v._cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
Expand All @@ -14,4 +19,21 @@ SELECT v._cq_sync_time As sync_time,
FROM azure_compute_virtual_machines v
JOIN azure_compute_disks d ON
LOWER(v.id) = LOWER(d.properties ->> 'managedBy')
{% endmacro %}
{% endmacro %}

{% macro snowflake__compute_os_and_data_disks_encrypted_with_cmk(framework, check_id) %}
SELECT v._cq_sync_time As sync_time,
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Ensure that ''OS and Data'' disks are encrypted with CMK (Automated)' AS title,
v.subscription_id AS subscription_id,
v.id AS resource_id,
CASE
WHEN d.properties:encryption:type NOT LIKE '%CustomerKey%'
THEN 'fail'
ELSE 'pass'
END AS status
FROM azure_compute_virtual_machines v
JOIN azure_compute_disks d ON
LOWER(v.id) = LOWER(d.properties:managedBy)
{% endmacro %}
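Review bot: The status CASE fails open when a disk has no `encryption.type` in its properties: `d.properties:encryption:type NOT LIKE '%CustomerKey%'` evaluates to NULL for a missing key, the WHEN is not taken and the row reports 'pass' although no CMK is evidenced. Inverting the test makes the unknown case fail closed: `WHEN d.properties:encryption:type LIKE '%CustomerKey%' THEN 'pass'` / `ELSE 'fail'`. The same NULL behaviour presumably holds in the Postgres branch, whose CASE is outside this hunk. Note also that the inner JOIN on `managedBy` only reports VMs that have at least one matching managed disk, which is probably intended but worth a comment such as `-- one row per (VM, managed disk); VMs without managed disks are not evaluated`.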
