CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Not capturing the diagnostic setting AuditEvent category for appropriate management activities can lead to missing important alerts.
Set properties.logs.category to AuditEvent and properties.logs.enabled to true.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2021-05-01-preview",
      "scope": "mykeyvault",
      "name": "allowed1",
      "properties": {
        "workspaceId": "myworkspaceId",
        "storageAccountId": "myaccountId",
        "eventHubAuthorizationRuleId": "myeventHubAuthorizationRuleId",
        "eventHubName": "myeventHubName",
        "logs": [
          {
            "category": "AuditEvent",
            "enabled": true
          }
        ],
        "metrics": [
          {
            "category": "AllMetrics",
            "enabled": true
          }
        ]
      }
    }
  ]
}
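The following check is an added example, not part of the original page or of any vendor's scanner: it applies the ARM rule above (a logs entry with category AuditEvent and enabled set to true) to every Microsoft.Insights/diagnosticSettings resource in a template. The function names, the resource names other than allowed1, and the sample template are constructed for illustration, and the check assumes top-level resources only and does not resolve scope.

```python
import json

DIAG_TYPE = "microsoft.insights/diagnosticsettings"  # compared case-insensitively

def audit_event_enabled(resource):
    """True only if a logs entry has category AuditEvent and enabled is literal true."""
    props = resource.get("properties") or {}
    logs = props.get("logs") or []
    # A template expression such as "[parameters('x')]" is a string, not True,
    # so it is reported for manual review instead of being assumed compliant.
    return any(
        isinstance(e, dict) and e.get("category") == "AuditEvent" and e.get("enabled") is True
        for e in logs
    )

def find_noncompliant(template_text):
    """Return the names of diagnosticSettings resources missing the AuditEvent log."""
    template = json.loads(template_text)
    return [
        res.get("name", "<unnamed>")
        for res in template.get("resources", [])
        if isinstance(res, dict)
        and str(res.get("type", "")).lower() == DIAG_TYPE
        and not audit_event_enabled(res)
    ]

def _setting(name, properties):
    # Helper for the constructed sample; mirrors the resource shape shown above.
    return {"type": "Microsoft.Insights/diagnosticSettings",
            "apiVersion": "2021-05-01-preview",
            "scope": "mykeyvault", "name": name, "properties": properties}

# Constructed sample template: one compliant setting and three failing variants.
SAMPLE_TEMPLATE = json.dumps({
    "contentVersion": "1.0.0.0",
    "resources": [
        _setting("allowed1", {"logs": [{"category": "AuditEvent", "enabled": True}]}),
        _setting("denied-disabled", {"logs": [{"category": "AuditEvent", "enabled": False}]}),
        _setting("denied-metrics-only", {"metrics": [{"category": "AllMetrics", "enabled": True}]}),
        _setting("denied-other-category",
                 {"logs": [{"category": "AzurePolicyEvaluationDetails", "enabled": True}]}),
    ],
})

if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: AuditEvent log category not enabled")
```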
Set log.category to AuditEvent and log.enabled to true. Note the log attribute was deprecated in v3.63.0.
Set enabled_log.category to AuditEvent or enabled_log.category_group to one of audit or allLogs.
# For AzureRM provider < v4.0.0
resource "azurerm_monitor_diagnostic_setting" "allowed" {
  name               = "exampleallowed"
  target_resource_id = azurerm_key_vault.example.id
  storage_account_id = azurerm_storage_account.example.id
  log {
    category = "AuditEvent"
    enabled  = true
  }
}

# For AzureRM provider >= v4.0.0
resource "azurerm_monitor_diagnostic_setting" "allowed" {
  name               = "exampleallowed"
  target_resource_id = azurerm_key_vault.example478.id
  storage_account_id = azurerm_storage_account.example478.id
  enabled_log {
    category = "AuditEvent"
  }
}

OR

# For AzureRM provider >= v4.0.0
resource "azurerm_monitor_diagnostic_setting" "allowed" {
  name               = "example478allowed"
  target_resource_id = azurerm_key_vault.example478.id
  storage_account_id = azurerm_storage_account.example478.id
  enabled_log {
    category_group = "audit"
  }
}