upd: added comment for all policies

non-compatible-policies/ecc-azure-005-cis_sec_email.yml

@@ -17,3 +17,4 @@ policies:
           - type: value
             key: properties.emails
             value: ""
+    comment: '0216181500'

non-compatible-policies/ecc-azure-006-cis_sec_high_sev_notifications.yml

@@ -14,3 +14,4 @@ policies:
         key: properties.alertNotifications
         value: "Off"
         op: eq
+    comment: '0216181500'

non-compatible-policies/ecc-azure-007-cis_sec_owners_email_notifications.yml

@@ -14,3 +14,4 @@ policies:
         key: properties.alertsToAdmins
         value: "Off"
         op: eq
+    comment: '0216181500'

non-compatible-policies/ecc-azure-011-cis_sa_soft_del.yml

@@ -21,3 +21,4 @@ policies:
           - key: delete_retention_policy.enabled
             op: eq
             value: false
+    comment: '0249041500'

non-compatible-policies/ecc-azure-013-cis_db_auditing_on.yml

@@ -14,3 +14,4 @@ policies:
         key: properties.state
         op: ne
         value: Enabled
+    comment: '0219061500'

non-compatible-policies/ecc-azure-015-cis_db_auditing_90d.yml

@@ -21,3 +21,4 @@ policies:
             op: eq
             value_type: integer
             value: 0
+    comment: '0219061500'

non-compatible-policies/ecc-azure-016-cis_db_sql_ads_atp.yml

@@ -13,3 +13,4 @@ policies:
       - type: sql-server-security-alert-policies
         key: state
         value: Disabled
+    comment: '0232061500'

non-compatible-policies/ecc-azure-020-cis_db_sql_va.yml

@@ -13,3 +13,4 @@ policies:
       - type: vulnerability-assessments
         property: storageContainerPath
         value: null
+    comment: '0216061500'

non-compatible-policies/ecc-azure-021-cis_db_sql_va_periodic_scan.yml

@@ -12,3 +12,4 @@ policies:
       - type: vulnerability-assessments
         property: recurringScans.isEnabled
         value: false
+    comment: '0216061500'

non-compatible-policies/ecc-azure-022-cis_db_sql_va_send_scan_report.yml

@@ -12,3 +12,4 @@ policies:
       - type: vulnerability-assessments
         property: recurringScans.emails
         value: []
+    comment: '0216061500'

non-compatible-policies/ecc-azure-023-cis_db_sql_va_email_notifications.yml

@@ -12,3 +12,4 @@ policies:
       - type: vulnerability-assessments
         property: recurringScans.emailSubscriptionAdmins
         value: false
+    comment: '0216061500'

non-compatible-policies/ecc-azure-025-cis_db_mysql_ssl.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.sslEnforcement
         value: Disabled
+    comment: '0244061500'

non-compatible-policies/ecc-azure-026-cis_db_postgresql_log_checkpoints.yml

@@ -17,3 +17,4 @@ policies:
           - type: server-configuration
             property: log_checkpoints
             value: "OFF"
+    comment: '0219061500'

non-compatible-policies/ecc-azure-027-cis_db_postgresql_log_connections.yml

@@ -17,3 +17,4 @@ policies:
           - type: server-configuration
             property: log_connections
             value: "OFF"
+    comment: '0219061500'

non-compatible-policies/ecc-azure-028-cis_db_postgresql_log_disconnections.yml

@@ -17,3 +17,4 @@ policies:
           - type: server-configuration
             property: log_disconnections
             value: "OFF"
+    comment: '0219061500'

non-compatible-policies/ecc-azure-030-cis_db_postgresql_connection_throttling.yml

@@ -17,3 +17,4 @@ policies:
           - type: server-configuration
             property: connection_throttling
             value: "OFF"
+    comment: '0219061500'

non-compatible-policies/ecc-azure-031-cis_db_postgresql_log_retention_days.yml

@@ -14,3 +14,4 @@ policies:
         property: log_retention_days
         value: 4
         op: lt
+    comment: '0219061500'

non-compatible-policies/ecc-azure-033-cis_db_sql_tde_protector.yml

@@ -23,3 +23,4 @@ policies:
             key: uri
             value: null
             op: eq
+    comment: '0243061500'

non-compatible-policies/ecc-azure-036-cis_log_storage_cont_access.yml

@@ -18,3 +18,4 @@ policies:
             key: properties.publicAccess
             value: Container
       - storage-single-log-profile
+    comment: '0240011500'

non-compatible-policies/ecc-azure-037-cis_log_sa_activ_logs.yml

@@ -19,3 +19,4 @@ policies:
         value: null
       - and:
           - single-log-profile
+    comment: '0243011500'

non-compatible-policies/ecc-azure-038-cis_log_keyvaults.yml

@@ -21,3 +21,4 @@ policies:
               - type: diagnostic-settings
                 key: length(logs[?category == 'AuditEvent' && enabled == `true` && retention_policy.days > `0` && retention_policy.enabled == `true`])
                 value: 0
+    comment: '0219101500'

non-compatible-policies/ecc-azure-039-cis_log_create_policy.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0216011500'

non-compatible-policies/ecc-azure-042-cis_log_create_upd_nsg.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-043-cis_log_del_nsg.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-044-cis_log_create_upd_solutions.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-045-cis_log_del_solutions.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-046-cis_log_create_update_sql.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-048-cis_net_rdp.yml

@@ -16,3 +16,4 @@ policies:
         ports: '3389'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242021500'

non-compatible-policies/ecc-azure-049-cis_net_ssh.yml

@@ -16,3 +16,4 @@ policies:
         ports: '22'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242021500'

non-compatible-policies/ecc-azure-052-cis_net_udp.yml

@@ -15,3 +15,4 @@ policies:
         access: 'Allow'
         ipProtocol: 'UDP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242021500'

non-compatible-policies/ecc-azure-057-cis_key_recoverable.yml

@@ -19,3 +19,4 @@ policies:
             key: properties.enablePurgeProtection
             value: true
             op: ne
+    comment: '0249101500'

non-compatible-policies/ecc-azure-059-cis_app_auth_set.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.enabled
         value: false
+    comment: '0233171500'

non-compatible-policies/ecc-azure-066-cis_log_delete_policy.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-067-cis_log_create_upd_nsg_rule.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0232011500'

non-compatible-policies/ecc-azure-068-cis_log_del_nsg_rule.yml

@@ -24,3 +24,4 @@ policies:
                     key: alerts[].scopes[]
                     value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
                     op: regex
+    comment: '0216011500'

non-compatible-policies/ecc-azure-105-cis_sa_keys_regen.yml

@@ -26,3 +26,4 @@ policies:
                 value: Succeeded
               - key: status.value
                 value: Succeeded
+    comment: '0229041500'

non-compatible-policies/ecc-azure-106-cis_sa_logging_queue.yml

@@ -27,3 +27,4 @@ policies:
           - key: logging.delete
             value: false
             op: eq
+    comment: '0219041400'

non-compatible-policies/ecc-azure-109-cis_sa_logging_blob.yml

@@ -27,3 +27,4 @@ policies:
           - key: logging.delete
             value: false
             op: eq
+    comment: '0219041500'

non-compatible-policies/ecc-azure-110-cis_sa_logging_table.yml

@@ -27,3 +27,4 @@ policies:
           - key: logging.delete
             value: false
             op: eq
+    comment: '0219041500'

non-compatible-policies/ecc-azure-111-cis_db_postgre_access.yml

@@ -18,3 +18,4 @@ policies:
           - type: firewall-rules
             include:
               - '0.0.0.0'
+    comment: '0233061500'

non-compatible-policies/ecc-azure-112-cis_net_netwatcher.yml

@@ -11,3 +11,4 @@ policies:
       Network Watcher is disabled across the subscription
     filters:
       - type: network-watcher-filter
+    comment: '0216021500'

non-compatible-policies/ecc-azure-119-nsg_all.yml

@@ -16,3 +16,4 @@ policies:
         ports: '0-65535'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-120-nsg_dns.yml

@@ -16,3 +16,4 @@ policies:
         ports: '53'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-121-nsg_ftp.yml

@@ -16,3 +16,4 @@ policies:
         ports: '21'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-122-cis_nsg_http.yml

@@ -16,3 +16,4 @@ policies:
         ports: '80'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242021500'

non-compatible-policies/ecc-azure-123-nsg_microsoft_ds.yml

@@ -16,3 +16,4 @@ policies:
         ports: '445'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-124-nsg_mongo_db.yml

@@ -16,3 +16,4 @@ policies:
         ports: '27017'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-125-nsg_mysql.yml

@@ -16,3 +16,4 @@ policies:
         ports: '3306'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-126-nsg_netbios.yml

@@ -16,3 +16,4 @@ policies:
         ports: '139'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-127-nsg_oracle_db.yml

@@ -16,3 +16,4 @@ policies:
         ports: '1521'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-128-nsg_pop3.yml

@@ -16,3 +16,4 @@ policies:
         ports: '110'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-129-nsg_postgresql.yml

@@ -16,3 +16,4 @@ policies:
         ports: '5432'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-130-nsg_smtp.yml

@@ -16,3 +16,4 @@ policies:
         ports: '25'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-131-nsg_telnet.yml

@@ -16,3 +16,4 @@ policies:
         ports: '23'
         ipProtocol: 'TCP'
         sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+    comment: '0242022000'

non-compatible-policies/ecc-azure-139-snapshots.yml

@@ -14,3 +14,4 @@ policies:
           - type: snapshots
             exist: true
             max-age: 14
+    comment: '0249032000'

non-compatible-policies/ecc-azure-141-asb_fw_traffic_route.yml

@@ -23,3 +23,4 @@ policies:
       - type: value
         key: properties.subnets[?name=='AzureFirewallSubnet'].id
         value: empty
+    comment: '0224020000'

non-compatible-policies/ecc-azure-142-asb_vm_net_ports_restrict.yml

@@ -25,3 +25,4 @@ policies:
             key: properties.networkInterfaces[].id
             value: \/subscriptions.+\/networkInterfaces\/.+
             op: regex
+    comment: '0242020000'

non-compatible-policies/ecc-azure-146-asb_keyvault_disable_public_access.yml

@@ -14,3 +14,4 @@ policies:
           - type: value
             key: properties.networkAcls.defaultAction
             value: Deny
+    comment: '0240100000'

non-compatible-policies/ecc-azure-152-asb_vm_jit_port_protection.yml

@@ -11,3 +11,4 @@ policies:
     resource: azure.vm
     filters:
       - type: security-jit-policy
+    comment: '0224030000'

non-compatible-policies/ecc-azure-156-asb_mariadb_public_access_disabled.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.publicNetworkAccess
         value: Enabled
+    comment: '0240060000'

non-compatible-policies/ecc-azure-157-asb_mysql_public_access_disabled.yml

@@ -17,3 +17,4 @@ policies:
           - type: value
             key: properties.publicNetworkAccess
             value: null
+    comment: '0240060000'

non-compatible-policies/ecc-azure-161-asb_appconfig_private_link.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.privateEndpointConnections
         value: absent
+    comment: '0240020000'

non-compatible-policies/ecc-azure-163-asb_eg_domains_private_link.yml

@@ -15,3 +15,4 @@ policies:
             key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
             value: Approved
             op: contains
+    comment: '0240020000'

non-compatible-policies/ecc-azure-164-asb_eg_topics_private_link.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.privateEndpointConnections
         value: absent
+    comment: '0240020000'

non-compatible-policies/ecc-azure-165-asb_ml_workspaces_private_link.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.privateEndpointConnections
         value: absent
+    comment: '0240110000'

non-compatible-policies/ecc-azure-166-asb_signalr_private_link.yml

@@ -15,3 +15,4 @@ policies:
             key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
             value: Approved
             op: contains
+    comment: '0240020000'

non-compatible-policies/ecc-azure-167-asb_spring_cloud_net_injection.yml

@@ -18,3 +18,4 @@ policies:
             key: properties.networkProfile.serviceRuntimeSubnetId
             value: \/.+\/virtualNetworks\/.+\/subnets\/.+
             op: regex
+    comment: '0224020000'

non-compatible-policies/ecc-azure-168-asb_acs_private_link.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: length(properties.privateEndpointConnections)
         value: 0
+    comment: '0240080000'

non-compatible-policies/ecc-azure-170-asb_keyvault_private_endpoint.yml

@@ -13,3 +13,4 @@ policies:
       - type: value
         key: properties.privateEndpointConnections
         value: absent
+    comment: '0240100000'

non-compatible-policies/ecc-azure-171-asb_mariadb_private_endpoint.yml

@@ -22,3 +22,4 @@ policies:
                 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
                 value: Approved
                 op: contains
+    comment: '0240060000'

non-compatible-policies/ecc-azure-172-asb_mysql_private_endpoint.yml

@@ -22,3 +22,4 @@ policies:
                 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
                 value: Approved
                 op: contains
+    comment: '0240060000'

non-compatible-policies/ecc-azure-176-asb_ddos_protection_enabled.yml

@@ -19,3 +19,4 @@ policies:
             key: properties.ddosProtectionPlan.id
             value: \/.+\/ddosProtectionPlans\/.+
             op: regex
+    comment: '0232020000'

non-compatible-policies/ecc-azure-196-asb_sql_managed_instance_atp.yml

@@ -13,3 +13,4 @@ policies:
       - type: managed-server-security-alert-policies
         key: state
         value: Disabled
+    comment: '0232060000'

non-compatible-policies/ecc-azure-200-asb_auto_acc_encrypted.yml

@@ -14,3 +14,4 @@ policies:
         key: is_encrypted
         value: false
         op: eq
+    comment: '0243090000'

non-compatible-policies/ecc-azure-202-asb_AZL_encrypt_cmk.yml

@@ -14,3 +14,4 @@ policies:
           - type: value
             key: properties.encryption.status
             value: Enabled
+    comment: '0243090000'

non-compatible-policies/ecc-azure-207-asb_sql_managed_inst_cmk.yml

@@ -13,3 +13,4 @@ policies:
       - type: encryption-protector
         key: kind
         value: servicemanaged
+    comment: '0243060000'

non-compatible-policies/ecc-azure-217-asb_reslogs_datalakestore.yml

@@ -17,3 +17,4 @@ policies:
           - type: diagnostic-settings
             key: length(logs[?(category == 'Audit' || category == 'Requests') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
             value: 0
+    comment: '0219010000'

non-compatible-policies/ecc-azure-218-asb_reslogs_stream.yml

@@ -17,3 +17,4 @@ policies:
           - type: diagnostic-settings
             key: length(logs[?(category == 'Execution' || category == 'Authoring') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
             value: 0
+    comment: '0219010000'

non-compatible-policies/ecc-azure-219-asb_reslogs_batch.yml

@@ -17,3 +17,4 @@ policies:
           - type: diagnostic-settings
             key: length(logs[?category == 'ServiceLog' && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
             value: 0
+    comment: '0219010000'

non-compatible-policies/ecc-azure-220-asb_reslogs_datalakeanalytics.yml

@@ -17,3 +17,4 @@ policies:
           - type: diagnostic-settings
             key: length(logs[?(category == 'Audit' || category == 'Requests') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
             value: 0
+    comment: '0219010000'