feat(compliance): Add new CIS 2.0 / 2.1 compliance framework for Azure (

#3626) Co-authored-by: Sergio <[email protected]>
prowler-cloud · Apr 2, 2024 · 5c29808 · 5c29808
1 parent be19ec5
commit 5c29808
Show file tree

Hide file tree

Showing 10 changed files with 6,600 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 <p align="center">
 <b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
 </p>
-  
+
 <p align="center">
 <a href="https://join.slack.com/t/prowler-workspace/shared_invite/zt-1hix76xsl-2uq222JIXrC7Q8It~9ZNog"><img width="30" height="30" alt="Prowler community on Slack" src="https://github.com/prowler-cloud/prowler/assets/3985464/3617e470-670c-47c9-9794-ce895ebdb627"></a>
   <br>
@@ -49,7 +49,7 @@ It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI, Fe
 |---|---|---|---|---|
 | AWS | 304 | 61 -> `prowler aws --list-services` | 28 -> `prowler aws --list-compliance` | 6 -> `prowler aws --list-categories` |
 | GCP | 75 | 11 -> `prowler gcp --list-services` | 1 -> `prowler gcp --list-compliance` | 2 -> `prowler gcp --list-categories`|
-| Azure | 126 | 16 -> `prowler azure --list-services` | CIS soon | 2 -> `prowler azure --list-categories` |
+| Azure | 126 | 16 -> `prowler azure --list-services` | 2 -> `prowler azure --list-compliance` | 2 -> `prowler azure --list-categories` |
 | Kubernetes | Work In Progress | - | CIS soon | - |
 
 # 📖 Documentation

diff --git a/docs/tutorials/compliance.md b/docs/tutorials/compliance.md
@@ -17,6 +17,8 @@ Currently, the available frameworks are:
 - `cis_1.5_aws`
 - `cis_2.0_aws`
 - `cis_2.0_gcp`
+- `cis_2.0_azure`
+- `cis_2.1_azure`
 - `cis_3.0_aws`
 - `cisa_aws`
 - `ens_rd2022_aws`

diff --git a/prowler/compliance/azure/cis_2.0_azure.json b/prowler/compliance/azure/cis_2.0_azure.json
diff --git a/prowler/compliance/azure/cis_2.1_azure.json b/prowler/compliance/azure/cis_2.1_azure.json
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
@@ -87,6 +87,7 @@ class CIS_Requirement_Attribute(BaseModel):
     RemediationProcedure: str
     AuditProcedure: str
     AdditionalInformation: str
+    DefaultValue: Optional[str]
     References: str
 
 

diff --git a/prowler/lib/outputs/compliance.py b/prowler/lib/outputs/compliance.py
@@ -11,6 +11,7 @@
     Check_Output_CSV_AWS_CIS,
     Check_Output_CSV_AWS_ISO27001_2013,
     Check_Output_CSV_AWS_Well_Architected,
+    Check_Output_CSV_AZURE_CIS,
     Check_Output_CSV_ENS_RD2022,
     Check_Output_CSV_GCP_CIS,
     Check_Output_CSV_Generic_Compliance,
@@ -35,6 +36,7 @@ def add_manual_controls(output_options, audit_info, file_descriptors):
             manual_finding.region = ""
             manual_finding.location = ""
             manual_finding.project_id = ""
+            manual_finding.subscription = ""
             fill_compliance(
                 output_options, manual_finding, audit_info, file_descriptors
             )
@@ -161,7 +163,36 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors):
                                 csv_header = generate_csv_fields(
                                     Check_Output_CSV_GCP_CIS
                                 )
-
+                            elif compliance.Provider == "AZURE":
+                                compliance_row = Check_Output_CSV_AZURE_CIS(
+                                    Provider=finding.check_metadata.Provider,
+                                    Description=compliance.Description,
+                                    Subscription=finding.subscription,
+                                    AssessmentDate=outputs_unix_timestamp(
+                                        output_options.unix_timestamp, timestamp
+                                    ),
+                                    Requirements_Id=requirement_id,
+                                    Requirements_Description=requirement_description,
+                                    Requirements_Attributes_Section=attribute.Section,
+                                    Requirements_Attributes_Profile=attribute.Profile,
+                                    Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus,
+                                    Requirements_Attributes_Description=attribute.Description,
+                                    Requirements_Attributes_RationaleStatement=attribute.RationaleStatement,
+                                    Requirements_Attributes_ImpactStatement=attribute.ImpactStatement,
+                                    Requirements_Attributes_RemediationProcedure=attribute.RemediationProcedure,
+                                    Requirements_Attributes_AuditProcedure=attribute.AuditProcedure,
+                                    Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation,
+                                    Requirements_Attributes_DefaultValue=attribute.DefaultValue,
+                                    Requirements_Attributes_References=attribute.References,
+                                    Status=finding.status,
+                                    StatusExtended=finding.status_extended,
+                                    ResourceId=finding.resource_id,
+                                    ResourceName=finding.resource_name,
+                                    CheckId=finding.check_metadata.CheckID,
+                                )
+                                csv_header = generate_csv_fields(
+                                    Check_Output_CSV_AZURE_CIS
+                                )
             elif (
                 "AWS-Well-Architected-Framework" in compliance.Framework
                 and compliance.Provider == "AWS"

diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py
@@ -15,6 +15,7 @@
     Check_Output_CSV_AWS_CIS,
     Check_Output_CSV_AWS_ISO27001_2013,
     Check_Output_CSV_AWS_Well_Architected,
+    Check_Output_CSV_AZURE_CIS,
     Check_Output_CSV_ENS_RD2022,
     Check_Output_CSV_GCP_CIS,
     Check_Output_CSV_Generic_Compliance,
@@ -23,6 +24,7 @@
 )
 from prowler.lib.utils.utils import file_exists, open_file
 from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
+from prowler.providers.azure.lib.audit_info.models import Azure_Audit_Info
 from prowler.providers.common.outputs import get_provider_output_model
 from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
 
@@ -113,7 +115,16 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit
                             filename, output_mode, audit_info, Check_Output_CSV_GCP_CIS
                         )
                         file_descriptors.update({output_mode: file_descriptor})
-
+                elif isinstance(audit_info, Azure_Audit_Info):
+                    filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}"
+                    if "cis_" in output_mode:
+                        file_descriptor = initialize_file_descriptor(
+                            filename,
+                            output_mode,
+                            audit_info,
+                            Check_Output_CSV_AZURE_CIS,
+                        )
+                        file_descriptors.update({output_mode: file_descriptor})
                 elif isinstance(audit_info, AWS_Audit_Info):
                     if output_mode == "json-asff":
                         filename = f"{output_directory}/{output_filename}{json_asff_file_suffix}"

diff --git a/prowler/lib/outputs/models.py b/prowler/lib/outputs/models.py
@@ -591,6 +591,35 @@ class Check_Output_CSV_GCP_CIS(BaseModel):
     Requirements_Attributes_RemediationProcedure: str
     Requirements_Attributes_AuditProcedure: str
     Requirements_Attributes_AdditionalInformation: str
+    Requirements_Attributes_DefaultValue: str
+    Requirements_Attributes_References: str
+    Status: str
+    StatusExtended: str
+    ResourceId: str
+    ResourceName: str
+    CheckId: str
+
+
+class Check_Output_CSV_AZURE_CIS(BaseModel):
+    """
+    Check_Output_CSV_CIS generates a finding's output in CSV CIS format.
+    """
+
+    Provider: str
+    Description: str
+    Subscription: str
+    AssessmentDate: str
+    Requirements_Id: str
+    Requirements_Description: str
+    Requirements_Attributes_Section: str
+    Requirements_Attributes_Profile: str
+    Requirements_Attributes_AssessmentStatus: str
+    Requirements_Attributes_Description: str
+    Requirements_Attributes_RationaleStatement: str
+    Requirements_Attributes_ImpactStatement: str
+    Requirements_Attributes_RemediationProcedure: str
+    Requirements_Attributes_AuditProcedure: str
+    Requirements_Attributes_AdditionalInformation: str
     Requirements_Attributes_References: str
     Status: str
     StatusExtended: str

diff --git a/...ers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/__init__.py b/...ers/azure/services/monitor/monitor_alert_create_update_public_ip_address_rule/__init__.py
diff --git a/...reate_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py b/...reate_update_public_ip_address_rule/monitor_alert_create_update_public_ip_address_rule.py
@@ -29,5 +29,4 @@ def execute(self) -> Check_Report_Azure:
                     break
 
             findings.append(report)
-
         return findings