
Traceability Loss - Azure

Description

The Azure configurations do not enable the logging service with enough granularity. Omitting relevant information (for example, which read, write and delete requests were made, and by whom) may hinder the detection of anomalous behaviours or security breaches.

Impact

Hinder the detection of security issues.

Recommendation

Configure the logs with the necessary granularity level to detect and identify potentially harmful behaviors by enabling logging for read, write and delete requests.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R
  • Score:
    • Base: 3.1
    • Temporal: 2.7
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The resource correctly enables logging for sensitive requests

resource "azurerm_storage_account" "not_vulnerable" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"

  queue_properties {
    # Log every request type against the queue service and keep the logs for 10 days
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}

The resource has the logs properties correctly configured

resource "azurerm_app_service" "not_vulnerable" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true

  logs {
    # Record failed requests and detailed error pages for later investigation
    failed_request_tracing_enabled  = true
    detailed_error_messages_enabled = true
  }

  auth_settings {
    enabled = true
  }
}

Non compliant code

The resource does not enable logging for sensitive requests

resource "azurerm_storage_account" "vulnerable" {
  name                     = "example"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"

  queue_properties {
    # Read, write and delete requests are not recorded, so activity against
    # the queue service leaves no trace (write is a required argument of the
    # provider's logging block and is disabled here as well)
    logging {
      delete                = false
      read                  = false
      write                 = false
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}

The resource does not have a failed request tracing mechanism

resource "azurerm_app_service" "vulnerable" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true

  logs {
    # Failed requests are not traced, so errors cannot be reconstructed afterwards
    failed_request_tracing_enabled = false
  }

  auth_settings {
    enabled = true
  }
}

All sensitive changes should have an alert mechanism. For example, using the Azure CLI, the following command prints the condition of an existing activity log alert rule, which can be used to verify that an alert is configured for "Update Security Policy" events:

$ az monitor activity-log alert show \
    --ids {alert_rule_id} \
    --query 'condition'

Check the command output for the object with the "field" property set to "operationName". If the object's "equals" property is not set to "Microsoft.Security/policies/write", the selected alert rule is not configured to detect "Update Security Policy" events.
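The two manual checks above (all read, write and delete requests logged, and an alert rule whose condition matches the security policy write operation) can be automated against the JSON the Azure CLI returns. The following script is an added example, not part of the original page or of any Azure tooling; the sample documents are constructed inline and assume the output shape of `az monitor activity-log alert show --query condition` (an `allOf` list of clauses with `field`, `equals` and `containsAny`) and of `az storage logging show --services q` (a `queue` object with `read`, `write`, `delete` and `retentionPolicy`).

```python
import json

# Constructed sample in the shape of `az monitor activity-log alert show --query condition`
# for a rule that fires on security policy updates (assumed field names: allOf, field,
# equals, containsAny).
SAMPLE_ALERT_CONDITION = json.loads("""
{
  "allOf": [
    {"containsAny": null, "equals": "Administrative", "field": "category"},
    {"containsAny": null, "equals": "Microsoft.Security/policies/write", "field": "operationName"}
  ]
}
""")

# Constructed sample in the shape of `az storage logging show --services q` for a
# storage account that only logs write requests (assumed key names).
SAMPLE_QUEUE_LOGGING = json.loads("""
{
  "queue": {
    "delete": false,
    "read": false,
    "write": true,
    "retentionPolicy": {"days": 10, "enabled": true},
    "version": "1.0"
  }
}
""")

SECURITY_POLICY_WRITE = "Microsoft.Security/policies/write"


def alert_detects_operation(condition, operation_name):
    """Return True if an activity log alert condition matches the given operationName.

    Mirrors the manual check in the text: find the clause whose "field" is
    "operationName" and compare its "equals" value (or any "containsAny" value).
    Operation names are compared case-insensitively (assumption).
    """
    for clause in condition.get("allOf", []):
        if (clause.get("field") or "").lower() != "operationname":
            continue
        equals = clause.get("equals")
        if equals is not None and equals.lower() == operation_name.lower():
            return True
        for candidate in clause.get("containsAny") or []:
            if candidate.lower() == operation_name.lower():
                return True
    return False


def queue_logging_gaps(logging_settings):
    """Return the request types (read/write/delete) that are not being logged.

    An empty list means every request type is logged, as the Recommendation
    requires; a missing key counts as disabled.
    """
    queue = logging_settings.get("queue", {})
    return [op for op in ("read", "write", "delete") if not queue.get(op, False)]


def queue_logging_is_traceable(logging_settings, min_retention_days=1):
    """True only if all request types are logged and retained for at least min_retention_days."""
    if queue_logging_gaps(logging_settings):
        return False
    retention = logging_settings.get("queue", {}).get("retentionPolicy", {})
    return bool(retention.get("enabled")) and retention.get("days", 0) >= min_retention_days


if __name__ == "__main__":
    print("alert covers security policy updates:",
          alert_detects_operation(SAMPLE_ALERT_CONDITION, SECURITY_POLICY_WRITE))
    print("queue logging gaps:", queue_logging_gaps(SAMPLE_QUEUE_LOGGING))
    print("queue logging traceable:", queue_logging_is_traceable(SAMPLE_QUEUE_LOGGING))
```

In practice the two sample documents would be replaced by the parsed output of the corresponding `az` commands; a non-empty gap list or a `False` alert result is the finding this page describes.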

Details

https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service

Requirements