5.1.5 and 5.1.6

controls/azure-foundations-cis-5.1.5.rb

@@ -50,7 +50,43 @@
   ref 'https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-4-enable-data-at-rest-encryption-by-default'
   ref 'https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqldatabasetransparentdataencryption?view=azps-9.2.0'
 
-  describe 'benchmark' do
-    skip 'The check for this control needs to be done manually'
+  sql_servers_script = <<-EOH
+    Get-AzSqlServer | ConvertTo-Json -Depth 10
+  EOH
+
+  sql_servers_output = powershell(sql_servers_script).stdout.strip
+  sql_servers = json(content: sql_servers_output).params
+  sql_servers = [sql_servers] unless sql_servers.is_a?(Array)
+
+  sql_servers.each do |server|
+    resource_group = server['ResourceGroupName']
+    server_name = server['ServerName']
+
+    databases_script = <<-EOH
+      Get-AzSqlDatabase -ServerName "#{server_name}" -ResourceGroupName "#{resource_group}" | ConvertTo-Json -Depth 10
+    EOH
+
+    databases_output = powershell(databases_script).stdout.strip
+    databases = json(content: databases_output).params
+    databases = [databases] unless databases.is_a?(Array)
+
+    databases.each do |db|
+      db_name = db['DatabaseName']
+
+      next if db_name.downcase == 'master'
+
+      describe "Transparent Data Encryption for database '#{db_name}' on SQL Server '#{server_name}' (Resource Group: #{resource_group})" do
+        tde_script = <<-EOH
+          Get-AzSqlDatabaseTransparentDataEncryption -ServerName "#{server_name}" -ResourceGroupName "#{resource_group}" -DatabaseName "#{db_name}" | ConvertTo-Json -Depth 10
+        EOH
+
+        tde_output = powershell(tde_script).stdout.strip
+        tde = json(content: tde_output).params
+
+        it 'should have DataEncryption (TDE) enabled' do
+          expect(tde['State']).to cmp 0
+        end
+      end
+    end
   end
 end

controls/azure-foundations-cis-5.1.6.rb

@@ -48,7 +48,46 @@
   ref 'https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0'
   ref 'https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-6-configure-log-storage-retention'
 
-  describe 'benchmark' do
-    skip 'The check for this control needs to be done manually'
+  sql_servers_script = <<-EOH
+    Get-AzSqlServer | ConvertTo-Json -Depth 10
+  EOH
+
+  sql_servers_output = powershell(sql_servers_script).stdout.strip
+  sql_servers = json(content: sql_servers_output).params
+  sql_servers = [sql_servers] unless sql_servers.is_a?(Array)
+
+  sql_servers.each do |server|
+    resource_group = server['ResourceGroupName']
+    server_name = server['ServerName']
+
+    describe "SQL Server Audit retention for #{server_name} (Resource Group: #{resource_group})" do
+      audit_script = <<-EOH
+        Get-AzSqlServerAudit -ResourceGroupName "#{resource_group}" -ServerName "#{server_name}" | ConvertTo-Json -Depth 10
+      EOH
+
+      audit_output = powershell(audit_script).stdout.strip
+      audit = json(content: audit_output).params
+
+      if audit['LogAnalyticsTargetState'].to_i == 0 && audit['WorkspaceResourceId'] && !audit['WorkspaceResourceId'].empty?
+        describe "Operational Insights Workspace retention for SQL Server #{server_name}" do
+          workspace_script = <<-EOH
+            Get-AzOperationalInsightsWorkspace | Where-Object { $_.ResourceId -eq "#{audit['WorkspaceResourceId']}" } | ConvertTo-Json -Depth 10
+          EOH
+
+          workspace_output = powershell(workspace_script).stdout.strip
+          workspace = json(content: workspace_output).params
+
+          it 'should have Workspace RetentionInDays set to more than 90 days' do
+            workspace_retention = workspace['retentionInDays'].to_i
+            expect(workspace_retention).to be > 90
+          end
+        end
+      else
+        it 'should have Audit RetentionInDays set to more than 90 days' do
+          retention = audit['RetentionInDays'].to_i
+          expect(retention).to be > 90
+        end
+      end
+    end
   end
 end