module/ConfigurationProvider/ControlConfigurations/Services/DBForMariaDB.json

{
  "FeatureName": "DBForMariaDB",
  "Reference": "",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_DBForMariaDB_NetSec_Dont_Allow_Public_Network_Access_MCSB",
      "Description": "[MCSB] Public network access should be disabled for MariaDB servers",
      "Id": "DBForMariaDB100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Public network access should be disabled for MariaDB servers",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Disabling the public network access property improves security by ensuring your MariaDB servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside the Azure IP range and denies all logins that match IP- or virtual-network-based firewall rules.",
      "Recommendation": "To restrict public network access, please refer: https://learn.microsoft.com/en-us/azure/mariadb/howto-deny-public-network-access#set-deny-public-network-access",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "ab153e43-2fb5-0670-2117-70340851ea9b"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling the policy or exempting it from evaluation is not recommended. The control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "Automated",
        "Baseline",
        "NetSec",
        "DBForMariaDB"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_DBForMariaDB_NetSec_Enable_Private_Endpoint_MCSB",
      "Description": "[MCSB] Private endpoint should be enabled for MariaDB servers",
      "Id": "DBForMariaDB110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Private endpoint should be enabled for MariaDB servers",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB.",
      "Recommendation": "To enable a private endpoint, please refer: https://learn.microsoft.com/en-us/azure/mariadb/howto-configure-privatelink-portal or, to remediate from the Azure CLI, refer: https://learn.microsoft.com/en-us/azure/mariadb/howto-configure-privatelink-cli",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "ca9b93fe-6f1f-676c-2f31-d20f88fdbe56"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling the policy or exempting it from evaluation is not recommended. The control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "Automated",
        "Baseline",
        "NetSec",
        "DBForMariaDB"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_DBForMariaDB_BCDR_Enable_Geo_Redundant_Backup_MCSB",
      "Description": "[MCSB] Geo-redundant backup should be enabled for Azure Database for MariaDB",
      "Id": "DBForMariaDB120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Geo-redundant backup should be enabled for Azure Database for MariaDB",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to geo-redundant backup storage, in which the data is not only stored within the region in which your server is hosted but is also replicated to a paired region to provide a recovery option in case of a region failure.",
      "Recommendation": "After a server is created, its backup redundancy (geo-redundant vs. locally redundant) can't be changed; please create a new server with geo-redundant backup enabled. Refer: https://learn.microsoft.com/en-us/azure/mariadb/howto-restore-server-portal#set-backup-configuration",
      "ControlScanSource": "MDC",
      "AssessmentProperties": {
        "AssessmentNames": [
          "2ce368b5-7882-89fd-6645-885b071a2409"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling the policy or exempting it from evaluation is not recommended. The control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "Automated",
        "Baseline",
        "BCDR",
        "DBForMariaDB"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_DBForMariaDB_Enable_Diagnostic_Settings",
      "Description": "Diagnostic logs must be enabled for Azure Database for MariaDB",
      "Id": "DBForMariaDB130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostic logs must be enabled for Azure Database for MariaDB",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Diagnostic logs must be enabled as they provide the details needed to investigate threats in case of a security breach.",
      "Recommendation": "To configure 'Diagnostic settings' for Azure Database for MariaDB (refer to https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings?tabs=portal for more details), go to Azure Portal --> your Azure Database for MariaDB server --> Diagnostic settings --> Enable the [MariaDB Audit Logs] category with a minimum retention period of 90 days.",
      "Tags": [
        "Automated",
        "Audit",
        "Diagnostics",
        "DBForMariaDB",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "MySqlAuditLogs"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    }
  ]
}