SQL Server Database With Unrecommended Retention Days

  • Query id: c09cdac2-7670-458a-bf6c-efad6880973a
  • Query name: SQL Server Database With Unrecommended Retention Days
  • Platform: AzureResourceManager
  • Severity: Low
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'sqlDatabase1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlDatabase1'
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    edition: 'Basic'
    maxSizeBytes: '1073741824'
    requestedServiceObjectiveName: 'Basic'
  }
}

resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
  parent: sqlServer1_sqlDatabase1
  name: 'default'
  properties: {
    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
    isAzureMonitorTargetEnabled: true
    isStorageSecondaryKeyInUse: true
    queueDelayMs: 1000
    retentionDays: 50
    state: 'Enabled'
    dependsOn: [sqlServer1_sqlDatabase1.id]
  }
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "functions": [],
  "variables": {},
  "resources": [
    {
      "name": "sqlServer1",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-02-01-preview",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "sqlServer1"
      },
      "properties": {
        "administratorLogin": "adminUsername",
        "administratorLoginPassword": "adminPassword"
      },
      "resources": [
        {
          "name": "sqlServer1/sqlDatabase1",
          "type": "Microsoft.Sql/servers/databases",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlDatabase1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
          ],
          "properties": {
            "collation": "SQL_Latin1_General_CP1_CI_AS",
            "edition": "Basic",
            "maxSizeBytes": "1073741824",
            "requestedServiceObjectiveName": "Basic"
          },
          "resources": [
            {
              "type": "Microsoft.Sql/servers/databases/auditingSettings",
              "apiVersion": "2021-02-01-preview",
              "name": "sqlServer1/sqlDatabase1/default",
              "properties": {
                "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ],
                "isAzureMonitorTargetEnabled": true,
                "isStorageSecondaryKeyInUse": true,
                "queueDelayMs": 1000,
                "retentionDays": 50,
                "state": "Enabled",
                "dependsOn": [
                  "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]"
                ]
              }
            }
          ]
        }
      ]
    }
  ],
  "outputs": {}
}
Positive test num. 3 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'sqlDatabase1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlDatabase1'
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    edition: 'Basic'
    maxSizeBytes: '1073741824'
    requestedServiceObjectiveName: 'Basic'
  }
}

resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
  parent: sqlServer1_sqlDatabase1
  name: 'default'
  properties: {
    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
    isAzureMonitorTargetEnabled: true
    isStorageSecondaryKeyInUse: true
    queueDelayMs: 1000
    state: 'Enabled'
    dependsOn: [sqlServer1_sqlDatabase1.id]
  }
}

Positive test num. 4 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "functions": [],
  "variables": {},
  "resources": [
    {
      "name": "sqlServer1",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-02-01-preview",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "sqlServer1"
      },
      "properties": {
        "administratorLogin": "adminUsername",
        "administratorLoginPassword": "adminPassword"
      },
      "resources": [
        {
          "name": "sqlServer1/sqlDatabase1",
          "type": "Microsoft.Sql/servers/databases",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlDatabase1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
          ],
          "properties": {
            "collation": "SQL_Latin1_General_CP1_CI_AS",
            "edition": "Basic",
            "maxSizeBytes": "1073741824",
            "requestedServiceObjectiveName": "Basic"
          },
          "resources": [
            {
              "type": "Microsoft.Sql/servers/databases/auditingSettings",
              "apiVersion": "2021-02-01-preview",
              "name": "sqlServer1/sqlDatabase1/default",
              "properties": {
                "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ],
                "isAzureMonitorTargetEnabled": true,
                "isStorageSecondaryKeyInUse": true,
                "queueDelayMs": 1000,
                "state": "Enabled",
                "dependsOn": [
                  "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]"
                ]
              }
            }
          ]
        }
      ]
    }
  ],
  "outputs": {}
}
Positive test num. 5 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'sqlDatabase1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlDatabase1'
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    edition: 'Basic'
    maxSizeBytes: '1073741824'
    requestedServiceObjectiveName: 'Basic'
  }
}

resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
  parent: sqlServer1_sqlDatabase1
  name: 'default'
  properties: {
    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
    isAzureMonitorTargetEnabled: true
    isStorageSecondaryKeyInUse: true
    queueDelayMs: 1000
    retentionDays: 50
    state: 'Enabled'
    dependsOn: [sqlServer1_sqlDatabase1.id]
  }
}
Positive test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "functions": [],
      "variables": {},
      "resources": [
        {
          "name": "sqlServer1",
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlServer1"
          },
          "properties": {
            "administratorLogin": "adminUsername",
            "administratorLoginPassword": "adminPassword"
          },
          "resources": [
            {
              "name": "sqlServer1/sqlDatabase1",
              "type": "Microsoft.Sql/servers/databases",
              "apiVersion": "2021-02-01-preview",
              "location": "[resourceGroup().location]",
              "tags": {
                "displayName": "sqlDatabase1"
              },
              "dependsOn": [
                "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
              ],
              "properties": {
                "collation": "SQL_Latin1_General_CP1_CI_AS",
                "edition": "Basic",
                "maxSizeBytes": "1073741824",
                "requestedServiceObjectiveName": "Basic"
              },
              "resources": [
                {
                  "type": "Microsoft.Sql/servers/databases/auditingSettings",
                  "apiVersion": "2021-02-01-preview",
                  "name": "sqlServer1/sqlDatabase1/default",
                  "properties": {
                    "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ],
                    "isAzureMonitorTargetEnabled": true,
                    "isStorageSecondaryKeyInUse": true,
                    "queueDelayMs": 1000,
                    "retentionDays": 50,
                    "state": "Enabled",
                    "dependsOn": [
                      "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]"
                    ]
                  }
                }
              ]
            }
          ]
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Positive test num. 7 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'sqlDatabase1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlDatabase1'
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    edition: 'Basic'
    maxSizeBytes: '1073741824'
    requestedServiceObjectiveName: 'Basic'
  }
}

resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
  parent: sqlServer1_sqlDatabase1
  name: 'default'
  properties: {
    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
    isAzureMonitorTargetEnabled: true
    isStorageSecondaryKeyInUse: true
    queueDelayMs: 1000
    state: 'Enabled'
    dependsOn: [sqlServer1_sqlDatabase1.id]
  }
}
Positive test num. 8 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "functions": [],
      "variables": {},
      "resources": [
        {
          "name": "sqlServer1",
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlServer1"
          },
          "properties": {
            "administratorLogin": "adminUsername",
            "administratorLoginPassword": "adminPassword"
          },
          "resources": [
            {
              "name": "sqlServer1/sqlDatabase1",
              "type": "Microsoft.Sql/servers/databases",
              "apiVersion": "2021-02-01-preview",
              "location": "[resourceGroup().location]",
              "tags": {
                "displayName": "sqlDatabase1"
              },
              "dependsOn": [
                "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
              ],
              "properties": {
                "collation": "SQL_Latin1_General_CP1_CI_AS",
                "edition": "Basic",
                "maxSizeBytes": "1073741824",
                "requestedServiceObjectiveName": "Basic"
              },
              "resources": [
                {
                  "type": "Microsoft.Sql/servers/databases/auditingSettings",
                  "apiVersion": "2021-02-01-preview",
                  "name": "sqlServer1/sqlDatabase1/default",
                  "properties": {
                    "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ],
                    "isAzureMonitorTargetEnabled": true,
                    "isStorageSecondaryKeyInUse": true,
                    "queueDelayMs": 1000,
                    "state": "Enabled",
                    "dependsOn": [
                      "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]"
                    ]
                  }
                }
              ]
            }
          ]
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'sqlDatabase1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlDatabase1'
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    edition: 'Basic'
    maxSizeBytes: '1073741824'
    requestedServiceObjectiveName: 'Basic'
  }
}

resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
  parent: sqlServer1_sqlDatabase1
  name: 'default'
  properties: {
    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
    isAzureMonitorTargetEnabled: true
    isStorageSecondaryKeyInUse: true
    queueDelayMs: 1000
    retentionDays: 100
    state: 'Enabled'
    dependsOn: [sqlServer1_sqlDatabase1.id]
  }
}
Negative test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "functions": [],
  "variables": {},
  "resources": [
    {
      "name": "sqlServer1",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-02-01-preview",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "sqlServer1"
      },
      "properties": {
        "administratorLogin": "adminUsername",
        "administratorLoginPassword": "adminPassword"
      },
      "resources": [
        {
          "name": "sqlServer1/sqlDatabase1",
          "type": "Microsoft.Sql/servers/databases",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlDatabase1"
          },
          "dependsOn": [
            "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
          ],
          "properties": {
            "collation": "SQL_Latin1_General_CP1_CI_AS",
            "edition": "Basic",
            "maxSizeBytes": "1073741824",
            "requestedServiceObjectiveName": "Basic"
          },
          "resources": [
            {
              "type": "Microsoft.Sql/servers/databases/auditingSettings",
              "apiVersion": "2021-02-01-preview",
              "name": "sqlServer1/sqlDatabase1/default",
              "properties": {
                "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ],
                "isAzureMonitorTargetEnabled": true,
                "isStorageSecondaryKeyInUse": true,
                "queueDelayMs": 1000,
                "retentionDays": 100,
                "state": "Enabled",
                "dependsOn": [
                  "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]"
                ]
              }
            }
          ]
        }
      ]
    }
  ],
  "outputs": {}
}
Negative test num. 3 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'sqlDatabase1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlDatabase1'
  }
  properties: {
    collation: 'SQL_Latin1_General_CP1_CI_AS'
    edition: 'Basic'
    maxSizeBytes: '1073741824'
    requestedServiceObjectiveName: 'Basic'
  }
}

resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = {
  parent: sqlServer1_sqlDatabase1
  name: 'default'
  properties: {
    auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP']
    isAzureMonitorTargetEnabled: true
    isStorageSecondaryKeyInUse: true
    queueDelayMs: 1000
    retentionDays: 100
    state: 'Enabled'
    dependsOn: [sqlServer1_sqlDatabase1.id]
  }
}

Negative test num. 4 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "functions": [],
      "variables": {},
      "resources": [
        {
          "name": "sqlServer1",
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlServer1"
          },
          "properties": {
            "administratorLogin": "adminUsername",
            "administratorLoginPassword": "adminPassword"
          },
          "resources": [
            {
              "name": "sqlServer1/sqlDatabase1",
              "type": "Microsoft.Sql/servers/databases",
              "apiVersion": "2021-02-01-preview",
              "location": "[resourceGroup().location]",
              "tags": {
                "displayName": "sqlDatabase1"
              },
              "dependsOn": [
                "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
              ],
              "properties": {
                "collation": "SQL_Latin1_General_CP1_CI_AS",
                "edition": "Basic",
                "maxSizeBytes": "1073741824",
                "requestedServiceObjectiveName": "Basic"
              },
              "resources": [
                {
                  "type": "Microsoft.Sql/servers/databases/auditingSettings",
                  "apiVersion": "2021-02-01-preview",
                  "name": "sqlServer1/sqlDatabase1/default",
                  "properties": {
                    "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ],
                    "isAzureMonitorTargetEnabled": true,
                    "isStorageSecondaryKeyInUse": true,
                    "queueDelayMs": 1000,
                    "retentionDays": 100,
                    "state": "Enabled",
                    "dependsOn": [
                      "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]"
                    ]
                  }
                }
              ]
            }
          ]
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}