Beta - Databricks Diagnostic Logging Unconfigured
- Query id: 0bd3630a-2ae9-4522-9d66-04049654b1df
- Query name: Beta - Databricks Diagnostic Logging Unconfigured
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- Risk score: 3.0
- URL: Github
Description
Ensure that diagnostic logging for Azure Databricks is enabled for the categories 'accounts', 'Filesystem', 'clusters', 'notebook' and 'jobs', and is delivered to one or more of the following destinations: 'Azure Log Analytics workspace', 'Azure Storage Account' or 'Azure Event Hubs'.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Expected result: flagged. No azurerm_monitor_diagnostic_setting targets this
# workspace, so none of the 5 required log categories is enabled (0/5).
resource "azurerm_databricks_workspace" "example_pos1" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}
Positive test num. 2 - tf file
# Expected result: flagged. Three settings target the workspace, but together
# they only enable "accounts" and "clusters" -- 3 of the 5 required categories
# ("Filesystem", "notebook", "jobs") are never enabled.
resource "azurerm_databricks_workspace" "example_pos2" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}

# Log Analytics destination, but no log category at all.
resource "azurerm_monitor_diagnostic_setting" "positive2_1" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_pos2.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
}

# Storage Account destination, only "accounts" enabled.
resource "azurerm_monitor_diagnostic_setting" "positive2_2" {
  name               = "diagnostic-settings-name"
  target_resource_id = azurerm_databricks_workspace.example_pos2.id
  storage_account_id = azurerm_storage_account.example.id

  enabled_log { category = "accounts" }
}

# Event Hubs destination, "accounts" and "clusters" enabled.
resource "azurerm_monitor_diagnostic_setting" "positive2_3" {
  name                           = "diagnostic-settings-name"
  target_resource_id             = azurerm_databricks_workspace.example_pos2.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
  eventhub_name                  = "your-eventhub-name"

  enabled_log { category = "accounts" }
  enabled_log { category = "clusters" }
}
Positive test num. 3 - tf file
# Legacy syntax: "log" blocks carrying an explicit "enabled" flag rather than
# "enabled_log" blocks.
#
# Expected result: flagged. Across the four settings below, "accounts",
# "Filesystem", "clusters" and "jobs" are each enabled in at least one setting,
# but "notebook" only ever appears with enabled = false (positive3_4), so
# 1 of the 5 required categories is missing.
resource "azurerm_monitor_diagnostic_setting" "positive3_1" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_pos3.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "accounts"
    enabled  = true
  }
}

# Same category as positive3_1, explicitly disabled here.
resource "azurerm_monitor_diagnostic_setting" "positive3_2" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_pos3.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "accounts"
    enabled  = false
  }
}

resource "azurerm_monitor_diagnostic_setting" "positive3_3" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_pos3.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "accounts"
    enabled  = true
  }

  log {
    category = "clusters"
    enabled  = true
  }
}

# All five categories listed, but two of them ("accounts", "notebook") are
# disabled; the "accounts" gap is covered by other settings, "notebook" is not.
resource "azurerm_monitor_diagnostic_setting" "positive3_4" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_pos3.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "accounts"
    enabled  = false
  }

  log {
    category = "Filesystem"
    enabled  = true
  }

  log {
    category = "clusters"
    enabled  = true
  }

  log {
    category = "notebook"
    enabled  = false
  }

  log {
    category = "jobs"
    enabled  = true
  }
}

# Target workspace: missing 1/5 required log categories ("notebook").
resource "azurerm_databricks_workspace" "example_pos3" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}
Positive test num. 4 - tf file
# Expected result: flagged. The diagnostic setting enables all five categories
# with a valid destination, but its target_resource_id points at
# "not_example_pos4", which is not the workspace declared below -- so
# "example_pos4" is effectively unmonitored.
resource "azurerm_monitor_diagnostic_setting" "positive4" {
  name                       = "example"
  target_resource_id         = azurerm_databricks_workspace.not_example_pos4.id # wrong reference
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  enabled_log { category = "accounts" }
  enabled_log { category = "Filesystem" }
  enabled_log { category = "clusters" }
  enabled_log { category = "notebook" }
  enabled_log { category = "jobs" }
}

resource "azurerm_databricks_workspace" "example_pos4" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}
Positive test num. 5 - tf file
# Expected result: flagged. Both settings enable all five required categories
# (one in the current "enabled_log" syntax, one in the legacy "log" syntax),
# but neither declares a destination: no log_analytics_workspace_id,
# storage_account_id or eventhub_* attribute is present, so the logs go nowhere.
resource "azurerm_monitor_diagnostic_setting" "positive5_1" {
  name               = "databricks-diagnostic-logs"
  target_resource_id = azurerm_databricks_workspace.example_pos5.id
  # no destination configured

  enabled_log { category = "accounts" }
  enabled_log { category = "Filesystem" }
  enabled_log { category = "clusters" }
  enabled_log { category = "notebook" }
  enabled_log { category = "jobs" }
}

resource "azurerm_monitor_diagnostic_setting" "positive5_2" {
  name               = "databricks-diagnostic-logs"
  target_resource_id = azurerm_databricks_workspace.example_pos5.id
  # no destination configured

  log {
    category = "accounts"
    enabled  = true
  }

  log {
    category = "Filesystem"
    enabled  = true
  }

  log {
    category = "clusters"
    enabled  = true
  }

  log {
    category = "notebook"
    enabled  = true
  }

  log {
    category = "jobs"
    enabled  = true
  }
}

resource "azurerm_databricks_workspace" "example_pos5" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Expected result: compliant. A single setting targets the workspace, enables
# all five required categories, and ships them to all three supported
# destinations (Log Analytics, Storage Account, Event Hubs).
resource "azurerm_databricks_workspace" "example_neg1" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}

resource "azurerm_monitor_diagnostic_setting" "negative1" {
  name               = "databricks-diagnostic-logs"
  target_resource_id = azurerm_databricks_workspace.example_neg1.id

  # destinations
  log_analytics_workspace_id     = azurerm_log_analytics_workspace.example.id
  storage_account_id             = azurerm_storage_account.example.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
  eventhub_name                  = "your-eventhub-name"

  # required categories
  enabled_log { category = "accounts" }
  enabled_log { category = "Filesystem" }
  enabled_log { category = "clusters" }
  enabled_log { category = "notebook" }
  enabled_log { category = "jobs" }
}
Negative test num. 2 - tf file
# Expected result: compliant. Legacy "log" syntax; two settings each cover all
# five required categories with every supported destination. negative2_1 sets
# enabled = true explicitly, negative2_2 omits "enabled" (the sample relies on
# the provider default of true).
resource "azurerm_databricks_workspace" "example_neg2" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}

resource "azurerm_monitor_diagnostic_setting" "negative2_1" {
  name               = "databricks-diagnostic-logs"
  target_resource_id = azurerm_databricks_workspace.example_neg2.id

  log_analytics_workspace_id     = azurerm_log_analytics_workspace.example.id
  storage_account_id             = azurerm_storage_account.example.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
  eventhub_name                  = "your-eventhub-name"

  log {
    category = "accounts"
    enabled  = true
  }

  log {
    category = "Filesystem"
    enabled  = true
  }

  log {
    category = "clusters"
    enabled  = true
  }

  log {
    category = "notebook"
    enabled  = true
  }

  log {
    category = "jobs"
    enabled  = true
  }
}

# "enabled" omitted on every log block -- treated as enabled.
resource "azurerm_monitor_diagnostic_setting" "negative2_2" {
  name               = "databricks-diagnostic-logs"
  target_resource_id = azurerm_databricks_workspace.example_neg2.id

  log_analytics_workspace_id     = azurerm_log_analytics_workspace.example.id
  storage_account_id             = azurerm_storage_account.example.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
  eventhub_name                  = "your-eventhub-name"

  log { category = "accounts" }
  log { category = "Filesystem" }
  log { category = "clusters" }
  log { category = "notebook" }
  log { category = "jobs" }
}
Negative test num. 3 - tf file
# Expected result: compliant. The five required categories are spread across
# three settings, each with a different (valid) destination:
#   negative3_1 -> Log Analytics : accounts
#   negative3_2 -> Storage       : clusters, Filesystem
#   negative3_3 -> Event Hubs    : notebook, jobs
resource "azurerm_monitor_diagnostic_setting" "negative3_1" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_neg3.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  enabled_log { category = "accounts" }
}

resource "azurerm_monitor_diagnostic_setting" "negative3_2" {
  name               = "diagnostic-settings-name"
  target_resource_id = azurerm_databricks_workspace.example_neg3.id
  storage_account_id = azurerm_storage_account.example.id

  enabled_log { category = "clusters" }
  enabled_log { category = "Filesystem" }
}

resource "azurerm_monitor_diagnostic_setting" "negative3_3" {
  name                           = "diagnostic-settings-name"
  target_resource_id             = azurerm_databricks_workspace.example_neg3.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
  eventhub_name                  = "your-eventhub-name"

  enabled_log { category = "notebook" }
  enabled_log { category = "jobs" }
}

resource "azurerm_databricks_workspace" "example_neg3" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}
Negative test num. 4 - tf file
# Legacy "log" syntax version of negative test 3.
#
# Expected result: compliant. Every required category is enabled in at least
# one setting with a valid destination. Two settings also carry a disabled
# entry ("accounts" in negative4_2, "Filesystem" in negative4_4); per the
# expected outcome of this sample, a disabled entry in one setting does not
# cancel the same category being enabled in another.
resource "azurerm_monitor_diagnostic_setting" "negative4_1" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_neg4.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  # "accounts" -- "enabled" omitted, relies on the provider default of true
  log { category = "accounts" }
}

# "accounts" explicitly disabled here; covered by negative4_1 above.
resource "azurerm_monitor_diagnostic_setting" "negative4_2" {
  name                       = "diagnostic-settings-name"
  target_resource_id         = azurerm_databricks_workspace.example_neg4.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "accounts"
    enabled  = false
  }
}

# "clusters" and "Filesystem" via Storage Account.
resource "azurerm_monitor_diagnostic_setting" "negative4_3" {
  name               = "diagnostic-settings-name"
  target_resource_id = azurerm_databricks_workspace.example_neg4.id
  storage_account_id = azurerm_storage_account.example.id

  log {
    category = "clusters"
    enabled  = true
  }

  log {
    category = "Filesystem"
    enabled  = true
  }
}

# "notebook" and "jobs" via Event Hubs; "Filesystem" is disabled in this
# setting but already enabled by negative4_3.
resource "azurerm_monitor_diagnostic_setting" "negative4_4" {
  name                           = "diagnostic-settings-name"
  target_resource_id             = azurerm_databricks_workspace.example_neg4.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.example.id
  eventhub_name                  = "your-eventhub-name"

  log {
    category = "Filesystem"
    enabled  = false
  }

  log {
    category = "notebook"
    enabled  = true
  }

  log {
    category = "jobs"
    enabled  = true
  }
}

resource "azurerm_databricks_workspace" "example_neg4" {
  name                = "secure-databricks-ws"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "premium"
}