Beta - Diagnostic Settings Without Appropriate Logging
- Query id: 21fa1872-47b3-46ec-9775-f41e85d80cb4
- Query name: Beta - Diagnostic Settings Without Appropriate Logging
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- Risk score: 3.0
- URL: Github
Description
Every 'azurerm_monitor_diagnostic_setting' resource should have logging enabled for all four main categories: 'Administrative', 'Alert', 'Policy', and 'Security'.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "azurerm_monitor_diagnostic_setting" "positive1_1" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Neither an "enabled_log" nor a legacy "log" block is declared, so this
  # setting records none of the four expected categories and is reported.
}
resource "azurerm_monitor_diagnostic_setting" "positive1_2" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # A lone "enabled_log" block (seen as a single object, not a list) covers
  # only "Administrative"; "Alert", "Policy" and "Security" stay unlogged.
  enabled_log {
    category = "Administrative"
  }
}
resource "azurerm_monitor_diagnostic_setting" "positive1_3" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Several "enabled_log" blocks (seen as a list) still cover only two of the
  # four categories; "Policy" and "Security" are missing, so this is reported.
  enabled_log {
    category = "Administrative"
  }

  enabled_log {
    category = "Alert"
  }
}
Positive test num. 2 - tf file
# legacy syntax
resource "azurerm_monitor_diagnostic_setting" "positive2_1" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Legacy "log" syntax: a single enabled block (seen as one object) covers
  # only "Administrative", so the other three categories go unlogged.
  log {
    enabled  = true
    category = "Administrative"
  }
}
resource "azurerm_monitor_diagnostic_setting" "positive2_2" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Legacy "log" syntax: a single block (seen as one object) whose
  # "enabled = false" means the setting exists but records nothing at all.
  log {
    enabled  = false
    category = "Administrative"
  }
}
resource "azurerm_monitor_diagnostic_setting" "positive2_3" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Legacy "log" syntax: both blocks (seen as a list) are enabled, but only
  # "Administrative" and "Security" are covered; "Alert" and "Policy" are not.
  log {
    enabled  = true
    category = "Administrative"
  }

  log {
    enabled  = true
    category = "Security"
  }
}
resource "azurerm_monitor_diagnostic_setting" "positive2_4" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Legacy "log" syntax: all four categories are declared (seen as a list),
  # but "Administrative" carries "enabled = false", so that category is
  # silently dropped and the resource is still reported.
  log {
    enabled  = false
    category = "Administrative"
  }

  log {
    enabled  = true
    category = "Alert"
  }

  log {
    enabled  = true
    category = "Policy"
  }

  log {
    enabled  = true
    category = "Security"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "azurerm_monitor_diagnostic_setting" "negative_1" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # One "enabled_log" block per category: "Administrative", "Alert", "Policy"
  # and "Security" are all captured, so nothing is reported.
  enabled_log {
    category = "Administrative"
  }

  enabled_log {
    category = "Alert"
  }

  enabled_log {
    category = "Policy"
  }

  enabled_log {
    category = "Security"
  }
}
resource "azurerm_monitor_diagnostic_setting" "negative_2" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Legacy "log" syntax with "enabled = true" spelled out for every one of
  # the four categories; nothing is reported.
  log {
    enabled  = true
    category = "Administrative"
  }

  log {
    enabled  = true
    category = "Alert"
  }

  log {
    enabled  = true
    category = "Policy"
  }

  log {
    enabled  = true
    category = "Security"
  }
}
resource "azurerm_monitor_diagnostic_setting" "negative_3" {
  target_resource_id = azurerm_key_vault.example.id
  name               = "diagnostic-settings-name"

  # Legacy "log" syntax covering all four categories. "enabled" is omitted on
  # three of them and relies on its default of true; only "Policy" sets it
  # explicitly. Nothing is reported.
  log {
    category = "Administrative"
  }

  log {
    category = "Alert"
  }

  log {
    enabled  = true
    category = "Policy"
  }

  log {
    category = "Security"
  }
}