
security

Sample rules

A few rules that use objects from this package:

non_car_auto_provisioning_log_analytics_agent_enabled
from typing import Any, Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


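class AutoProvisioningLogAnalyticsAgentDisabledRule(AzureBaseRule):
    """Report subscriptions where Security Center auto provisioning of the Log Analytics agent is off.

    Every ``AzureSecurityCenterAutoProvisioning`` resource in the environment is inspected and
    one ``Issue`` is raised per resource whose ``auto_provision_is_on`` flag is False.
    """

    def get_id(self) -> str:
        """Return the rule's identifier."""
        return 'non_car_auto_provisioning_log_analytics_agent_enabled'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        """Evaluate the rule against an Azure environment.

        Args:
            env_context: Environment holding the ``security_center_auto_provisioning`` resources to check.
            parameters: Rule parameters; this rule takes none and does not read them.

        Returns:
            One ``Issue`` per auto-provisioning resource that is switched off, or an empty list.
        """
        # The auto-provisioning resource itself is passed for both Issue resource arguments:
        # the misconfiguration has no separate child resource to attribute it to.
        return [
            Issue(f'The auto provisioning of the Log Analytics agent is not enabled for the '
                  f'subscription `{auto_provisioning.subscription_id}`.',
                  auto_provisioning,
                  auto_provisioning)
            for auto_provisioning in env_context.security_center_auto_provisioning
            if not auto_provisioning.auto_provision_is_on
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment contains at least one auto-provisioning resource."""
        return bool(environment_context.security_center_auto_provisioning)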
non_car_email_notification_high_severity_alerts_enabled
from typing import Any, Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


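class EmailNotificationHighSeverityAlertsEnabledRule(AzureBaseRule):
    """Report subscriptions whose Security Center contact has alert notifications turned off.

    Every ``AzureSecurityCenterContact`` resource in the environment is inspected and one
    ``Issue`` is raised per contact whose ``alert_notifications`` flag is False.
    """

    def get_id(self) -> str:
        """Return the rule's identifier."""
        return 'non_car_email_notification_high_severity_alerts_enabled'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        """Evaluate the rule against an Azure environment.

        Args:
            env_context: Environment holding the ``security_center_contacts`` resources to check.
            parameters: Rule parameters; this rule takes none and does not read them.

        Returns:
            One ``Issue`` per contact with alert notifications disabled, or an empty list.
        """
        # The contact resource itself is passed for both Issue resource arguments:
        # the misconfiguration has no separate child resource to attribute it to.
        return [
            Issue(
                f'The email notification for high severity alerts is not enabled for '
                f'the subscription {contact.subscription_id}',
                contact,
                contact)
            for contact in env_context.security_center_contacts
            if not contact.alert_notifications
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment contains at least one Security Center contact."""
        return bool(environment_context.security_center_contacts)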

AzureSecurityCenterAutoProvisioning (AzureResource)

Attributes:

Name Type Description
auto_provision_is_on bool

A flag indicating whether auto provisioning is on

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzureSecurityCenterContact (AzureResource)

Attributes:

Name Type Description
alert_notifications bool

A flag indicating whether alert notifications are on

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process