MSSQL Server Database With Alerts Disabled
- Query id: 25cd1853-7e80-4106-9ac3-03f8636c25be
- Query name: MSSQL Server Database With Alerts Disabled
- Platform: Terraform
- Severity: Medium
- Category: Best Practices
- CWE: 778
- Risk score: 3.0
- URL: Github
Description
All alerts should be enabled in the MSSQL Database Server Security Alert Policy properties.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Logical SQL server that the security alert policy below attaches to by name.
resource "azurerm_mssql_server" "example" {
  name                = "my-mssql-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  version             = "12.0"

  # Sample-only credential; a real configuration would take the password from a
  # variable or secret store instead of a literal in the .tf file.
  administrator_login          = "sqladmin"
  administrator_login_password = "SuperSecurePassword123!"
}
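# Flagged case: the policy itself is enabled, but two alert types are listed in
# disabled_alerts, so those detections never fire for this server.
resource "azurerm_mssql_server_security_alert_policy" "positive1" {
  resource_group_name = azurerm_resource_group.example.name
  # Must reference the azurerm_mssql_server declared above; azurerm_sql_server is a
  # different (legacy) resource type and is not declared in this sample.
  server_name                = azurerm_mssql_server.example.name
  state                      = "Enabled"
  storage_endpoint           = azurerm_storage_account.example.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  retention_days             = 20

  # Every entry here suppresses that alert type; an empty list keeps all alerts on.
  disabled_alerts = [
    "Sql_Injection",
    "Data_Exfiltration",
  ]
}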
Positive test num. 2 - tf file
# Logical SQL server that the security alert policy below attaches to by name.
resource "azurerm_mssql_server" "example" {
  name                = "my-mssql-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  version             = "12.0"

  # Sample-only credential; a real configuration would take the password from a
  # variable or secret store instead of a literal in the .tf file.
  administrator_login          = "sqladmin"
  administrator_login_password = "SuperSecurePassword123!"
}
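# Flagged case: state = "Disabled" turns the whole threat-detection policy off, so
# no alert type is evaluated regardless of disabled_alerts.
resource "azurerm_mssql_server_security_alert_policy" "positive2" {
  resource_group_name = azurerm_resource_group.example.name
  # Must reference the azurerm_mssql_server declared above; azurerm_sql_server is a
  # different (legacy) resource type and is not declared in this sample.
  server_name                = azurerm_mssql_server.example.name
  state                      = "Disabled"
  storage_endpoint           = azurerm_storage_account.example.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  retention_days             = 20
  # Kept false here as in the original sample; the compliant samples on this page
  # set it to true so admins are notified when an alert fires.
  email_account_admins = false
}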
Positive test num. 3 - tf file
# Logical SQL server declared on its own. This sample contains no
# azurerm_mssql_server_security_alert_policy for it, which is why the page lists
# it as a positive (flagged) case: with no policy attached, no alerts are enabled.
resource "azurerm_mssql_server" "example" {
  name                = "my-mssql-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  version             = "12.0"

  # Sample-only credential; a real configuration would take the password from a
  # variable or secret store instead of a literal in the .tf file.
  administrator_login          = "sqladmin"
  administrator_login_password = "SuperSecurePassword123!"
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Logical SQL server that the security alert policy below attaches to by name.
resource "azurerm_mssql_server" "example" {
  name                = "my-mssql-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  version             = "12.0"

  # Sample-only credential; a real configuration would take the password from a
  # variable or secret store instead of a literal in the .tf file.
  administrator_login          = "sqladmin"
  administrator_login_password = "SuperSecurePassword123!"
}
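# Compliant case: the policy is enabled and disabled_alerts is omitted, so every
# alert type stays active for this server.
resource "azurerm_mssql_server_security_alert_policy" "negative" {
  resource_group_name = azurerm_resource_group.example.name
  # Must reference the azurerm_mssql_server declared above; azurerm_sql_server is a
  # different (legacy) resource type and is not declared in this sample.
  server_name                = azurerm_mssql_server.example.name
  state                      = "Enabled"
  storage_endpoint           = azurerm_storage_account.example.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  retention_days             = 20
  email_account_admins       = true
}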
Negative test num. 2 - tf file
# Logical SQL server that the security alert policy below attaches to by name.
resource "azurerm_mssql_server" "example" {
  name                = "my-mssql-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  version             = "12.0"

  # Sample-only credential; a real configuration would take the password from a
  # variable or secret store instead of a literal in the .tf file.
  administrator_login          = "sqladmin"
  administrator_login_password = "SuperSecurePassword123!"
}
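# Compliant case: the policy is enabled and disabled_alerts is explicitly empty,
# which is equivalent to omitting it - every alert type stays active.
resource "azurerm_mssql_server_security_alert_policy" "negative2" {
  resource_group_name = azurerm_resource_group.example.name
  # Must reference the azurerm_mssql_server declared above; azurerm_sql_server is a
  # different (legacy) resource type and is not declared in this sample.
  server_name                = azurerm_mssql_server.example.name
  state                      = "Enabled"
  storage_endpoint           = azurerm_storage_account.example.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  disabled_alerts            = []
  retention_days             = 20
  email_account_admins       = true
}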
Negative test num. 3 - tf file
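# Compliant case shown without its server block: the policy is enabled and
# disabled_alerts is explicitly empty, so every alert type stays active.
resource "azurerm_mssql_server_security_alert_policy" "negative2" {
  resource_group_name = azurerm_resource_group.example.name
  # Reference the azurerm_mssql_server resource (declared in the other samples on
  # this page); azurerm_sql_server is a different (legacy) resource type.
  server_name                = azurerm_mssql_server.example.name
  state                      = "Enabled"
  storage_endpoint           = azurerm_storage_account.example.primary_blob_endpoint
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  disabled_alerts            = []
  retention_days             = 20
  email_account_admins       = true
}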