diff --git a/non-compatible-policies/ecc-azure-005-cis_sec_email.yml b/non-compatible-policies/ecc-azure-005-cis_sec_email.yml
index 310ef53b..4b09fd9f 100644
--- a/non-compatible-policies/ecc-azure-005-cis_sec_email.yml
+++ b/non-compatible-policies/ecc-azure-005-cis_sec_email.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.emails
 value: ""
+ comment: '0216181500'
diff --git a/non-compatible-policies/ecc-azure-006-cis_sec_high_sev_notifications.yml b/non-compatible-policies/ecc-azure-006-cis_sec_high_sev_notifications.yml
index 055be18b..b330ad55 100644
--- a/non-compatible-policies/ecc-azure-006-cis_sec_high_sev_notifications.yml
+++ b/non-compatible-policies/ecc-azure-006-cis_sec_high_sev_notifications.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.alertNotifications
 value: "Off"
 op: eq
+ comment: '0216181500'
diff --git a/non-compatible-policies/ecc-azure-007-cis_sec_owners_email_notifications.yml b/non-compatible-policies/ecc-azure-007-cis_sec_owners_email_notifications.yml
index f0ac7203..55af77e9 100644
--- a/non-compatible-policies/ecc-azure-007-cis_sec_owners_email_notifications.yml
+++ b/non-compatible-policies/ecc-azure-007-cis_sec_owners_email_notifications.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.alertsToAdmins
 value: "Off"
 op: eq
+ comment: '0216181500'
diff --git a/non-compatible-policies/ecc-azure-011-cis_sa_soft_del.yml b/non-compatible-policies/ecc-azure-011-cis_sa_soft_del.yml
index a08ef3ec..a7098fd8 100644
--- a/non-compatible-policies/ecc-azure-011-cis_sa_soft_del.yml
+++ b/non-compatible-policies/ecc-azure-011-cis_sa_soft_del.yml
@@ -21,3 +21,4 @@ policies:
 - key: delete_retention_policy.enabled
 op: eq
 value: false
+ comment: '0249041500'
diff --git a/non-compatible-policies/ecc-azure-013-cis_db_auditing_on.yml b/non-compatible-policies/ecc-azure-013-cis_db_auditing_on.yml
index 3322c36a..78387d6d 100644
--- a/non-compatible-policies/ecc-azure-013-cis_db_auditing_on.yml
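Review bot: The added `comment: '0216181500'` is an opaque ten-digit code, and nothing in this hunk or in the matching hunks for 006, 007, 011 and every later file in the diff says what it encodes or which tool resolves it, so a maintainer cannot judge whether any of the values is correct. A README entry for the `non-compatible-policies` directory describing the field layout and source of these codes, or a one-line header comment in each policy such as `# comment: reference code (layout: <TODO document>)`, would make the values reviewable; quoting them is right, since a bare leading-zero number would be read as an integer or octal by most YAML loaders. Because the diff is rendered without indentation, please confirm that `comment` sits at policy level (a sibling of `filters`) and not inside the last filter mapping: this looks like Cloud Custodian policy YAML, whose filter schemas generally reject unknown keys, so running `custodian validate` over the directory before merge would catch a misplaced key. The enclosing `policies` entry begins outside the hunk.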
+++ b/non-compatible-policies/ecc-azure-013-cis_db_auditing_on.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.state
 op: ne
 value: Enabled
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-015-cis_db_auditing_90d.yml b/non-compatible-policies/ecc-azure-015-cis_db_auditing_90d.yml
index 53593afd..03cc7103 100644
--- a/non-compatible-policies/ecc-azure-015-cis_db_auditing_90d.yml
+++ b/non-compatible-policies/ecc-azure-015-cis_db_auditing_90d.yml
@@ -21,3 +21,4 @@ policies:
 op: eq
 value_type: integer
 value: 0
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-016-cis_db_sql_ads_atp.yml b/non-compatible-policies/ecc-azure-016-cis_db_sql_ads_atp.yml
index c9a9ba2c..bacfcc70 100644
--- a/non-compatible-policies/ecc-azure-016-cis_db_sql_ads_atp.yml
+++ b/non-compatible-policies/ecc-azure-016-cis_db_sql_ads_atp.yml
@@ -13,3 +13,4 @@ policies:
 - type: sql-server-security-alert-policies
 key: state
 value: Disabled
+ comment: '0232061500'
diff --git a/non-compatible-policies/ecc-azure-020-cis_db_sql_va.yml b/non-compatible-policies/ecc-azure-020-cis_db_sql_va.yml
index d63351fb..34f9872c 100644
--- a/non-compatible-policies/ecc-azure-020-cis_db_sql_va.yml
+++ b/non-compatible-policies/ecc-azure-020-cis_db_sql_va.yml
@@ -13,3 +13,4 @@ policies:
 - type: vulnerability-assessments
 property: storageContainerPath
 value: null
+ comment: '0216061500'
diff --git a/non-compatible-policies/ecc-azure-021-cis_db_sql_va_periodic_scan.yml b/non-compatible-policies/ecc-azure-021-cis_db_sql_va_periodic_scan.yml
index 8af7af56..0e202068 100644
--- a/non-compatible-policies/ecc-azure-021-cis_db_sql_va_periodic_scan.yml
+++ b/non-compatible-policies/ecc-azure-021-cis_db_sql_va_periodic_scan.yml
@@ -12,3 +12,4 @@ policies:
 - type: vulnerability-assessments
 property: recurringScans.isEnabled
 value: false
+ comment: '0216061500'
diff --git a/non-compatible-policies/ecc-azure-022-cis_db_sql_va_send_scan_report.yml b/non-compatible-policies/ecc-azure-022-cis_db_sql_va_send_scan_report.yml
index 22a41af1..c484652b 100644
--- a/non-compatible-policies/ecc-azure-022-cis_db_sql_va_send_scan_report.yml
+++ b/non-compatible-policies/ecc-azure-022-cis_db_sql_va_send_scan_report.yml
@@ -12,3 +12,4 @@ policies:
 - type: vulnerability-assessments
 property: recurringScans.emails
 value: []
+ comment: '0216061500'
diff --git a/non-compatible-policies/ecc-azure-023-cis_db_sql_va_email_notifications.yml b/non-compatible-policies/ecc-azure-023-cis_db_sql_va_email_notifications.yml
index ecb7fba8..47a23401 100644
--- a/non-compatible-policies/ecc-azure-023-cis_db_sql_va_email_notifications.yml
+++ b/non-compatible-policies/ecc-azure-023-cis_db_sql_va_email_notifications.yml
@@ -12,3 +12,4 @@ policies:
 - type: vulnerability-assessments
 property: recurringScans.emailSubscriptionAdmins
 value: false
+ comment: '0216061500'
diff --git a/non-compatible-policies/ecc-azure-025-cis_db_mysql_ssl.yml b/non-compatible-policies/ecc-azure-025-cis_db_mysql_ssl.yml
index 79d9f6b0..b2b53aab 100644
--- a/non-compatible-policies/ecc-azure-025-cis_db_mysql_ssl.yml
+++ b/non-compatible-policies/ecc-azure-025-cis_db_mysql_ssl.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.sslEnforcement
 value: Disabled
+ comment: '0244061500'
diff --git a/non-compatible-policies/ecc-azure-026-cis_db_postgresql_log_checkpoints.yml b/non-compatible-policies/ecc-azure-026-cis_db_postgresql_log_checkpoints.yml
index b2541640..07d60bf2 100644
--- a/non-compatible-policies/ecc-azure-026-cis_db_postgresql_log_checkpoints.yml
+++ b/non-compatible-policies/ecc-azure-026-cis_db_postgresql_log_checkpoints.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-configuration
 property: log_checkpoints
 value: "OFF"
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-027-cis_db_postgresql_log_connections.yml b/non-compatible-policies/ecc-azure-027-cis_db_postgresql_log_connections.yml
index a997dd3e..ab61f8a2 100644
--- a/non-compatible-policies/ecc-azure-027-cis_db_postgresql_log_connections.yml
+++ b/non-compatible-policies/ecc-azure-027-cis_db_postgresql_log_connections.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-configuration
 property: log_connections
 value: "OFF"
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-028-cis_db_postgresql_log_disconnections.yml b/non-compatible-policies/ecc-azure-028-cis_db_postgresql_log_disconnections.yml
index 15950b78..addac359 100644
--- a/non-compatible-policies/ecc-azure-028-cis_db_postgresql_log_disconnections.yml
+++ b/non-compatible-policies/ecc-azure-028-cis_db_postgresql_log_disconnections.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-configuration
 property: log_disconnections
 value: "OFF"
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-030-cis_db_postgresql_connection_throttling.yml b/non-compatible-policies/ecc-azure-030-cis_db_postgresql_connection_throttling.yml
index 94a1b3f5..f35b5693 100644
--- a/non-compatible-policies/ecc-azure-030-cis_db_postgresql_connection_throttling.yml
+++ b/non-compatible-policies/ecc-azure-030-cis_db_postgresql_connection_throttling.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-configuration
 property: connection_throttling
 value: "OFF"
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-031-cis_db_postgresql_log_retention_days.yml b/non-compatible-policies/ecc-azure-031-cis_db_postgresql_log_retention_days.yml
index 5b370d69..670870dc 100644
--- a/non-compatible-policies/ecc-azure-031-cis_db_postgresql_log_retention_days.yml
+++ b/non-compatible-policies/ecc-azure-031-cis_db_postgresql_log_retention_days.yml
@@ -14,3 +14,4 @@ policies:
 property: log_retention_days
 value: 4
 op: lt
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-033-cis_db_sql_tde_protector.yml b/non-compatible-policies/ecc-azure-033-cis_db_sql_tde_protector.yml
index 2a9a9fef..1abed9dd 100644
--- a/non-compatible-policies/ecc-azure-033-cis_db_sql_tde_protector.yml
+++ b/non-compatible-policies/ecc-azure-033-cis_db_sql_tde_protector.yml
@@ -23,3 +23,4 @@ policies:
 key: uri
 value: null
 op: eq
+ comment: '0243061500'
diff --git a/non-compatible-policies/ecc-azure-036-cis_log_storage_cont_access.yml b/non-compatible-policies/ecc-azure-036-cis_log_storage_cont_access.yml
index 3e24e26e..556bcbab 100644
--- a/non-compatible-policies/ecc-azure-036-cis_log_storage_cont_access.yml
+++ b/non-compatible-policies/ecc-azure-036-cis_log_storage_cont_access.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.publicAccess
 value: Container
 - storage-single-log-profile
+ comment: '0240011500'
diff --git a/non-compatible-policies/ecc-azure-037-cis_log_sa_activ_logs.yml b/non-compatible-policies/ecc-azure-037-cis_log_sa_activ_logs.yml
index cb70c5d7..ed3cd6c7 100644
--- a/non-compatible-policies/ecc-azure-037-cis_log_sa_activ_logs.yml
+++ b/non-compatible-policies/ecc-azure-037-cis_log_sa_activ_logs.yml
@@ -19,3 +19,4 @@ policies:
 value: null
 - and:
 - single-log-profile
+ comment: '0243011500'
diff --git a/non-compatible-policies/ecc-azure-038-cis_log_keyvaults.yml b/non-compatible-policies/ecc-azure-038-cis_log_keyvaults.yml
index 5bdc29c4..64cf4af7 100644
--- a/non-compatible-policies/ecc-azure-038-cis_log_keyvaults.yml
+++ b/non-compatible-policies/ecc-azure-038-cis_log_keyvaults.yml
@@ -21,3 +21,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?category == 'AuditEvent' && enabled == `true` && retention_policy.days > `0` && retention_policy.enabled == `true`])
 value: 0
+ comment: '0219101500'
diff --git a/non-compatible-policies/ecc-azure-039-cis_log_create_policy.yml b/non-compatible-policies/ecc-azure-039-cis_log_create_policy.yml
index 291b4df2..c9e10fd4 100644
--- a/non-compatible-policies/ecc-azure-039-cis_log_create_policy.yml
+++ b/non-compatible-policies/ecc-azure-039-cis_log_create_policy.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0216011500'
diff --git a/non-compatible-policies/ecc-azure-042-cis_log_create_upd_nsg.yml b/non-compatible-policies/ecc-azure-042-cis_log_create_upd_nsg.yml
index aaf58abb..4e23dc77 100644
--- a/non-compatible-policies/ecc-azure-042-cis_log_create_upd_nsg.yml
+++ b/non-compatible-policies/ecc-azure-042-cis_log_create_upd_nsg.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-043-cis_log_del_nsg.yml b/non-compatible-policies/ecc-azure-043-cis_log_del_nsg.yml
index 1a6883a1..967a020f 100644
--- a/non-compatible-policies/ecc-azure-043-cis_log_del_nsg.yml
+++ b/non-compatible-policies/ecc-azure-043-cis_log_del_nsg.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-044-cis_log_create_upd_solutions.yml b/non-compatible-policies/ecc-azure-044-cis_log_create_upd_solutions.yml
index 722c81c2..fd70ee57 100644
--- a/non-compatible-policies/ecc-azure-044-cis_log_create_upd_solutions.yml
+++ b/non-compatible-policies/ecc-azure-044-cis_log_create_upd_solutions.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-045-cis_log_del_solutions.yml b/non-compatible-policies/ecc-azure-045-cis_log_del_solutions.yml
index b9315b72..e912b2f6 100644
--- a/non-compatible-policies/ecc-azure-045-cis_log_del_solutions.yml
+++ b/non-compatible-policies/ecc-azure-045-cis_log_del_solutions.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-046-cis_log_create_update_sql.yml b/non-compatible-policies/ecc-azure-046-cis_log_create_update_sql.yml
index a264c05f..b17cfbee 100644
--- a/non-compatible-policies/ecc-azure-046-cis_log_create_update_sql.yml
+++ b/non-compatible-policies/ecc-azure-046-cis_log_create_update_sql.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-048-cis_net_rdp.yml b/non-compatible-policies/ecc-azure-048-cis_net_rdp.yml
index 8e5a993d..bf39edb9 100644
--- a/non-compatible-policies/ecc-azure-048-cis_net_rdp.yml
+++ b/non-compatible-policies/ecc-azure-048-cis_net_rdp.yml
@@ -16,3 +16,4 @@ policies:
 ports: '3389'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242021500'
diff --git a/non-compatible-policies/ecc-azure-049-cis_net_ssh.yml b/non-compatible-policies/ecc-azure-049-cis_net_ssh.yml
index 2943c473..3e29e4b4 100644
--- a/non-compatible-policies/ecc-azure-049-cis_net_ssh.yml
+++ b/non-compatible-policies/ecc-azure-049-cis_net_ssh.yml
@@ -16,3 +16,4 @@ policies:
 ports: '22'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242021500'
diff --git a/non-compatible-policies/ecc-azure-052-cis_net_udp.yml b/non-compatible-policies/ecc-azure-052-cis_net_udp.yml
index 3404b91d..3ee9b854 100644
--- a/non-compatible-policies/ecc-azure-052-cis_net_udp.yml
+++ b/non-compatible-policies/ecc-azure-052-cis_net_udp.yml
@@ -15,3 +15,4 @@ policies:
 access: 'Allow'
 ipProtocol: 'UDP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242021500'
diff --git a/non-compatible-policies/ecc-azure-057-cis_key_recoverable.yml b/non-compatible-policies/ecc-azure-057-cis_key_recoverable.yml
index fefe16ba..a78b35e6 100644
--- a/non-compatible-policies/ecc-azure-057-cis_key_recoverable.yml
+++ b/non-compatible-policies/ecc-azure-057-cis_key_recoverable.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.enablePurgeProtection
 value: true
 op: ne
+ comment: '0249101500'
diff --git a/non-compatible-policies/ecc-azure-059-cis_app_auth_set.yml b/non-compatible-policies/ecc-azure-059-cis_app_auth_set.yml
index 64268233..4ffb938b 100644
--- a/non-compatible-policies/ecc-azure-059-cis_app_auth_set.yml
+++ b/non-compatible-policies/ecc-azure-059-cis_app_auth_set.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.enabled
 value: false
+ comment: '0233171500'
diff --git a/non-compatible-policies/ecc-azure-066-cis_log_delete_policy.yml b/non-compatible-policies/ecc-azure-066-cis_log_delete_policy.yml
index db6b734f..c2b423d6 100644
--- a/non-compatible-policies/ecc-azure-066-cis_log_delete_policy.yml
+++ b/non-compatible-policies/ecc-azure-066-cis_log_delete_policy.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-067-cis_log_create_upd_nsg_rule.yml b/non-compatible-policies/ecc-azure-067-cis_log_create_upd_nsg_rule.yml
index fde4c4ae..83b653fd 100644
--- a/non-compatible-policies/ecc-azure-067-cis_log_create_upd_nsg_rule.yml
+++ b/non-compatible-policies/ecc-azure-067-cis_log_create_upd_nsg_rule.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-068-cis_log_del_nsg_rule.yml b/non-compatible-policies/ecc-azure-068-cis_log_del_nsg_rule.yml
index b67eeea2..58c0f59e 100644
--- a/non-compatible-policies/ecc-azure-068-cis_log_del_nsg_rule.yml
+++ b/non-compatible-policies/ecc-azure-068-cis_log_del_nsg_rule.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0216011500'
diff --git a/non-compatible-policies/ecc-azure-105-cis_sa_keys_regen.yml b/non-compatible-policies/ecc-azure-105-cis_sa_keys_regen.yml
index 4f23dc7a..e2ca056d 100644
--- a/non-compatible-policies/ecc-azure-105-cis_sa_keys_regen.yml
+++ b/non-compatible-policies/ecc-azure-105-cis_sa_keys_regen.yml
@@ -26,3 +26,4 @@ policies:
 value: Succeeded
 - key: status.value
 value: Succeeded
+ comment: '0229041500'
diff --git a/non-compatible-policies/ecc-azure-106-cis_sa_logging_queue.yml b/non-compatible-policies/ecc-azure-106-cis_sa_logging_queue.yml
index e4fe8e73..15e206d2 100644
--- a/non-compatible-policies/ecc-azure-106-cis_sa_logging_queue.yml
+++ b/non-compatible-policies/ecc-azure-106-cis_sa_logging_queue.yml
@@ -27,3 +27,4 @@ policies:
 - key: logging.delete
 value: false
 op: eq
+ comment: '0219041400'
diff --git a/non-compatible-policies/ecc-azure-109-cis_sa_logging_blob.yml b/non-compatible-policies/ecc-azure-109-cis_sa_logging_blob.yml
index 99f34f71..4fed1562 100644
--- a/non-compatible-policies/ecc-azure-109-cis_sa_logging_blob.yml
+++ b/non-compatible-policies/ecc-azure-109-cis_sa_logging_blob.yml
@@ -27,3 +27,4 @@ policies:
 - key: logging.delete
 value: false
 op: eq
+ comment: '0219041500'
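Review bot: The value added to ecc-azure-106-cis_sa_logging_queue.yml, `comment: '0219041400'`, differs in its last digits from the value given to its siblings ecc-azure-109 (blob) and ecc-azure-110 (table), `'0219041500'`, although the three hunks are otherwise identical; if the code is a lookup key into an external table this may be a typo rather than an intended distinction, so please confirm before merge. A similar second look is worth giving ecc-azure-039 and ecc-azure-068, which carry `'0216011500'` while the other activity-log alert policies 042, 043, 044, 045, 046, 066 and 067 carry `'0232011500'`. The enclosing `policies` entry begins outside each of these hunks.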
diff --git a/non-compatible-policies/ecc-azure-110-cis_sa_logging_table.yml b/non-compatible-policies/ecc-azure-110-cis_sa_logging_table.yml
index bea3309e..7c83f2f2 100644
--- a/non-compatible-policies/ecc-azure-110-cis_sa_logging_table.yml
+++ b/non-compatible-policies/ecc-azure-110-cis_sa_logging_table.yml
@@ -27,3 +27,4 @@ policies:
 - key: logging.delete
 value: false
 op: eq
+ comment: '0219041500'
diff --git a/non-compatible-policies/ecc-azure-111-cis_db_postgre_access.yml b/non-compatible-policies/ecc-azure-111-cis_db_postgre_access.yml
index 21fb9e1c..d1f22373 100644
--- a/non-compatible-policies/ecc-azure-111-cis_db_postgre_access.yml
+++ b/non-compatible-policies/ecc-azure-111-cis_db_postgre_access.yml
@@ -18,3 +18,4 @@ policies:
 - type: firewall-rules
 include:
 - '0.0.0.0'
+ comment: '0233061500'
diff --git a/non-compatible-policies/ecc-azure-112-cis_net_netwatcher.yml b/non-compatible-policies/ecc-azure-112-cis_net_netwatcher.yml
index 9eeb18c9..7c032057 100644
--- a/non-compatible-policies/ecc-azure-112-cis_net_netwatcher.yml
+++ b/non-compatible-policies/ecc-azure-112-cis_net_netwatcher.yml
@@ -11,3 +11,4 @@ policies:
 Network Watcher is disabled across the subscription
 filters:
 - type: network-watcher-filter
+ comment: '0216021500'
diff --git a/non-compatible-policies/ecc-azure-119-nsg_all.yml b/non-compatible-policies/ecc-azure-119-nsg_all.yml
index 14118c68..96cb693e 100644
--- a/non-compatible-policies/ecc-azure-119-nsg_all.yml
+++ b/non-compatible-policies/ecc-azure-119-nsg_all.yml
@@ -16,3 +16,4 @@ policies:
 ports: '0-65535'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-120-nsg_dns.yml b/non-compatible-policies/ecc-azure-120-nsg_dns.yml
index 785c8778..48cd37c4 100644
--- a/non-compatible-policies/ecc-azure-120-nsg_dns.yml
+++ b/non-compatible-policies/ecc-azure-120-nsg_dns.yml
@@ -16,3 +16,4 @@ policies:
 ports: '53'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-121-nsg_ftp.yml b/non-compatible-policies/ecc-azure-121-nsg_ftp.yml
index 83db3ad2..d700d32a 100644
--- a/non-compatible-policies/ecc-azure-121-nsg_ftp.yml
+++ b/non-compatible-policies/ecc-azure-121-nsg_ftp.yml
@@ -16,3 +16,4 @@ policies:
 ports: '21'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-122-cis_nsg_http.yml b/non-compatible-policies/ecc-azure-122-cis_nsg_http.yml
index 1fb677c6..02a4136c 100644
--- a/non-compatible-policies/ecc-azure-122-cis_nsg_http.yml
+++ b/non-compatible-policies/ecc-azure-122-cis_nsg_http.yml
@@ -16,3 +16,4 @@ policies:
 ports: '80'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242021500'
diff --git a/non-compatible-policies/ecc-azure-123-nsg_microsoft_ds.yml b/non-compatible-policies/ecc-azure-123-nsg_microsoft_ds.yml
index 00726300..dbd9e297 100644
--- a/non-compatible-policies/ecc-azure-123-nsg_microsoft_ds.yml
+++ b/non-compatible-policies/ecc-azure-123-nsg_microsoft_ds.yml
@@ -16,3 +16,4 @@ policies:
 ports: '445'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-124-nsg_mongo_db.yml b/non-compatible-policies/ecc-azure-124-nsg_mongo_db.yml
index b7d724f0..6fbfc4e0 100644
--- a/non-compatible-policies/ecc-azure-124-nsg_mongo_db.yml
+++ b/non-compatible-policies/ecc-azure-124-nsg_mongo_db.yml
@@ -16,3 +16,4 @@ policies:
 ports: '27017'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-125-nsg_mysql.yml b/non-compatible-policies/ecc-azure-125-nsg_mysql.yml
index 097fea2f..be854871 100644
--- a/non-compatible-policies/ecc-azure-125-nsg_mysql.yml
+++ b/non-compatible-policies/ecc-azure-125-nsg_mysql.yml
@@ -16,3 +16,4 @@ policies:
 ports: '3306'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-126-nsg_netbios.yml b/non-compatible-policies/ecc-azure-126-nsg_netbios.yml
index 116cf75d..f93c8da6 100644
--- a/non-compatible-policies/ecc-azure-126-nsg_netbios.yml
+++ b/non-compatible-policies/ecc-azure-126-nsg_netbios.yml
@@ -16,3 +16,4 @@ policies:
 ports: '139'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-127-nsg_oracle_db.yml b/non-compatible-policies/ecc-azure-127-nsg_oracle_db.yml
index cd8d4297..e0b2b626 100644
--- a/non-compatible-policies/ecc-azure-127-nsg_oracle_db.yml
+++ b/non-compatible-policies/ecc-azure-127-nsg_oracle_db.yml
@@ -16,3 +16,4 @@ policies:
 ports: '1521'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-128-nsg_pop3.yml b/non-compatible-policies/ecc-azure-128-nsg_pop3.yml
index 3a1f2a41..cccb288b 100644
--- a/non-compatible-policies/ecc-azure-128-nsg_pop3.yml
+++ b/non-compatible-policies/ecc-azure-128-nsg_pop3.yml
@@ -16,3 +16,4 @@ policies:
 ports: '110'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-129-nsg_postgresql.yml b/non-compatible-policies/ecc-azure-129-nsg_postgresql.yml
index e7216479..8cf80364 100644
--- a/non-compatible-policies/ecc-azure-129-nsg_postgresql.yml
+++ b/non-compatible-policies/ecc-azure-129-nsg_postgresql.yml
@@ -16,3 +16,4 @@ policies:
 ports: '5432'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-130-nsg_smtp.yml b/non-compatible-policies/ecc-azure-130-nsg_smtp.yml
index c860516f..2d903c5c 100644
--- a/non-compatible-policies/ecc-azure-130-nsg_smtp.yml
+++ b/non-compatible-policies/ecc-azure-130-nsg_smtp.yml
@@ -16,3 +16,4 @@ policies:
 ports: '25'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-131-nsg_telnet.yml b/non-compatible-policies/ecc-azure-131-nsg_telnet.yml
index 3c8dd740..b5e79cc0 100644
--- a/non-compatible-policies/ecc-azure-131-nsg_telnet.yml
+++ b/non-compatible-policies/ecc-azure-131-nsg_telnet.yml
@@ -16,3 +16,4 @@ policies:
 ports: '23'
 ipProtocol: 'TCP'
 sourceAddress: ['*', 'Internet', '0.0.0.0/0']
+ comment: '0242022000'
diff --git a/non-compatible-policies/ecc-azure-139-snapshots.yml b/non-compatible-policies/ecc-azure-139-snapshots.yml
index e0342270..7ad78dff 100644
--- a/non-compatible-policies/ecc-azure-139-snapshots.yml
+++ b/non-compatible-policies/ecc-azure-139-snapshots.yml
@@ -14,3 +14,4 @@ policies:
 - type: snapshots
 exist: true
 max-age: 14
+ comment: '0249032000'
diff --git a/non-compatible-policies/ecc-azure-141-asb_fw_traffic_route.yml b/non-compatible-policies/ecc-azure-141-asb_fw_traffic_route.yml
index 6f8087ef..a8136da3 100644
--- a/non-compatible-policies/ecc-azure-141-asb_fw_traffic_route.yml
+++ b/non-compatible-policies/ecc-azure-141-asb_fw_traffic_route.yml
@@ -23,3 +23,4 @@ policies:
 - type: value
 key: properties.subnets[?name=='AzureFirewallSubnet'].id
 value: empty
+ comment: '0224020000'
diff --git a/non-compatible-policies/ecc-azure-142-asb_vm_net_ports_restrict.yml b/non-compatible-policies/ecc-azure-142-asb_vm_net_ports_restrict.yml
index 3e5555ad..f52d6d49 100644
--- a/non-compatible-policies/ecc-azure-142-asb_vm_net_ports_restrict.yml
+++ b/non-compatible-policies/ecc-azure-142-asb_vm_net_ports_restrict.yml
@@ -25,3 +25,4 @@ policies:
 key: properties.networkInterfaces[].id
 value: \/subscriptions.+\/networkInterfaces\/.+
 op: regex
+ comment: '0242020000'
diff --git a/non-compatible-policies/ecc-azure-146-asb_keyvault_disable_public_access.yml b/non-compatible-policies/ecc-azure-146-asb_keyvault_disable_public_access.yml
index 38a40dfb..88e3580f 100644
--- a/non-compatible-policies/ecc-azure-146-asb_keyvault_disable_public_access.yml
+++ b/non-compatible-policies/ecc-azure-146-asb_keyvault_disable_public_access.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.networkAcls.defaultAction
 value: Deny
+ comment: '0240100000'
diff --git a/non-compatible-policies/ecc-azure-152-asb_vm_jit_port_protection.yml b/non-compatible-policies/ecc-azure-152-asb_vm_jit_port_protection.yml
index fa07254f..b7d6b3fc 100644
--- a/non-compatible-policies/ecc-azure-152-asb_vm_jit_port_protection.yml
+++ b/non-compatible-policies/ecc-azure-152-asb_vm_jit_port_protection.yml
@@ -11,3 +11,4 @@ policies:
 resource: azure.vm
 filters:
 - type: security-jit-policy
+ comment: '0224030000'
diff --git a/non-compatible-policies/ecc-azure-156-asb_mariadb_public_access_disabled.yml b/non-compatible-policies/ecc-azure-156-asb_mariadb_public_access_disabled.yml
index 397a44b4..6137f539 100644
--- a/non-compatible-policies/ecc-azure-156-asb_mariadb_public_access_disabled.yml
+++ b/non-compatible-policies/ecc-azure-156-asb_mariadb_public_access_disabled.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.publicNetworkAccess
 value: Enabled
+ comment: '0240060000'
diff --git a/non-compatible-policies/ecc-azure-157-asb_mysql_public_access_disabled.yml b/non-compatible-policies/ecc-azure-157-asb_mysql_public_access_disabled.yml
index 5dae6872..160882aa 100644
--- a/non-compatible-policies/ecc-azure-157-asb_mysql_public_access_disabled.yml
+++ b/non-compatible-policies/ecc-azure-157-asb_mysql_public_access_disabled.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.publicNetworkAccess
 value: null
+ comment: '0240060000'
diff --git a/non-compatible-policies/ecc-azure-161-asb_appconfig_private_link.yml b/non-compatible-policies/ecc-azure-161-asb_appconfig_private_link.yml
index 3d9cff58..9e59a1a7 100644
--- a/non-compatible-policies/ecc-azure-161-asb_appconfig_private_link.yml
+++ b/non-compatible-policies/ecc-azure-161-asb_appconfig_private_link.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.privateEndpointConnections
 value: absent
+ comment: '0240020000'
diff --git a/non-compatible-policies/ecc-azure-163-asb_eg_domains_private_link.yml b/non-compatible-policies/ecc-azure-163-asb_eg_domains_private_link.yml
index e17b9b8b..d40637b6 100644
--- a/non-compatible-policies/ecc-azure-163-asb_eg_domains_private_link.yml
+++ b/non-compatible-policies/ecc-azure-163-asb_eg_domains_private_link.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0240020000'
diff --git a/non-compatible-policies/ecc-azure-164-asb_eg_topics_private_link.yml b/non-compatible-policies/ecc-azure-164-asb_eg_topics_private_link.yml
index f1c59760..bb1c1df9 100644
--- a/non-compatible-policies/ecc-azure-164-asb_eg_topics_private_link.yml
+++ b/non-compatible-policies/ecc-azure-164-asb_eg_topics_private_link.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.privateEndpointConnections
 value: absent
+ comment: '0240020000'
diff --git a/non-compatible-policies/ecc-azure-165-asb_ml_workspaces_private_link.yml b/non-compatible-policies/ecc-azure-165-asb_ml_workspaces_private_link.yml
index 855c481e..a2d277f2 100644
--- a/non-compatible-policies/ecc-azure-165-asb_ml_workspaces_private_link.yml
+++ b/non-compatible-policies/ecc-azure-165-asb_ml_workspaces_private_link.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.privateEndpointConnections
 value: absent
+ comment: '0240110000'
diff --git a/non-compatible-policies/ecc-azure-166-asb_signalr_private_link.yml b/non-compatible-policies/ecc-azure-166-asb_signalr_private_link.yml
index f9bc3f67..7063e6bf 100644
--- a/non-compatible-policies/ecc-azure-166-asb_signalr_private_link.yml
+++ b/non-compatible-policies/ecc-azure-166-asb_signalr_private_link.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0240020000'
diff --git a/non-compatible-policies/ecc-azure-167-asb_spring_cloud_net_injection.yml b/non-compatible-policies/ecc-azure-167-asb_spring_cloud_net_injection.yml
index 6c303df2..0801eb99 100644
--- a/non-compatible-policies/ecc-azure-167-asb_spring_cloud_net_injection.yml
+++ b/non-compatible-policies/ecc-azure-167-asb_spring_cloud_net_injection.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.networkProfile.serviceRuntimeSubnetId
 value: \/.+\/virtualNetworks\/.+\/subnets\/.+
 op: regex
+ comment: '0224020000'
diff --git a/non-compatible-policies/ecc-azure-168-asb_acs_private_link.yml b/non-compatible-policies/ecc-azure-168-asb_acs_private_link.yml
index b4d92b61..a77da0e9 100644
--- a/non-compatible-policies/ecc-azure-168-asb_acs_private_link.yml
+++ b/non-compatible-policies/ecc-azure-168-asb_acs_private_link.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: length(properties.privateEndpointConnections)
 value: 0
+ comment: '0240080000'
diff --git a/non-compatible-policies/ecc-azure-170-asb_keyvault_private_endpoint.yml b/non-compatible-policies/ecc-azure-170-asb_keyvault_private_endpoint.yml
index 155db8c1..0acbb082 100644
--- a/non-compatible-policies/ecc-azure-170-asb_keyvault_private_endpoint.yml
+++ b/non-compatible-policies/ecc-azure-170-asb_keyvault_private_endpoint.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.privateEndpointConnections
 value: absent
+ comment: '0240100000'
diff --git a/non-compatible-policies/ecc-azure-171-asb_mariadb_private_endpoint.yml b/non-compatible-policies/ecc-azure-171-asb_mariadb_private_endpoint.yml
index 3fd3c144..3fdc230e 100644
--- a/non-compatible-policies/ecc-azure-171-asb_mariadb_private_endpoint.yml
+++ b/non-compatible-policies/ecc-azure-171-asb_mariadb_private_endpoint.yml
@@ -22,3 +22,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0240060000'
diff --git a/non-compatible-policies/ecc-azure-172-asb_mysql_private_endpoint.yml b/non-compatible-policies/ecc-azure-172-asb_mysql_private_endpoint.yml
index 99cec5f0..e46d8753 100644
--- a/non-compatible-policies/ecc-azure-172-asb_mysql_private_endpoint.yml
+++ b/non-compatible-policies/ecc-azure-172-asb_mysql_private_endpoint.yml
@@ -22,3 +22,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0240060000'
diff --git a/non-compatible-policies/ecc-azure-176-asb_ddos_protection_enabled.yml b/non-compatible-policies/ecc-azure-176-asb_ddos_protection_enabled.yml
index 1d31bab6..227a65c3 100644
--- a/non-compatible-policies/ecc-azure-176-asb_ddos_protection_enabled.yml
+++ b/non-compatible-policies/ecc-azure-176-asb_ddos_protection_enabled.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.ddosProtectionPlan.id
 value: \/.+\/ddosProtectionPlans\/.+
 op: regex
+ comment: '0232020000'
diff --git a/non-compatible-policies/ecc-azure-196-asb_sql_managed_instance_atp.yml b/non-compatible-policies/ecc-azure-196-asb_sql_managed_instance_atp.yml
index 99dfaf8a..c3e847ab 100644
--- a/non-compatible-policies/ecc-azure-196-asb_sql_managed_instance_atp.yml
+++ b/non-compatible-policies/ecc-azure-196-asb_sql_managed_instance_atp.yml
@@ -13,3 +13,4 @@ policies:
 - type: managed-server-security-alert-policies
 key: state
 value: Disabled
+ comment: '0232060000'
diff --git a/non-compatible-policies/ecc-azure-200-asb_auto_acc_encrypted.yml b/non-compatible-policies/ecc-azure-200-asb_auto_acc_encrypted.yml
index 5d089393..76d87ad6 100644
--- a/non-compatible-policies/ecc-azure-200-asb_auto_acc_encrypted.yml
+++ b/non-compatible-policies/ecc-azure-200-asb_auto_acc_encrypted.yml
@@ -14,3 +14,4 @@ policies:
 key: is_encrypted
 value: false
 op: eq
+ comment: '0243090000'
diff --git a/non-compatible-policies/ecc-azure-202-asb_AZL_encrypt_cmk.yml b/non-compatible-policies/ecc-azure-202-asb_AZL_encrypt_cmk.yml
index d0f2e7bb..00a053e5 100644
--- a/non-compatible-policies/ecc-azure-202-asb_AZL_encrypt_cmk.yml
+++ b/non-compatible-policies/ecc-azure-202-asb_AZL_encrypt_cmk.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.encryption.status
 value: Enabled
+ comment: '0243090000'
diff --git a/non-compatible-policies/ecc-azure-207-asb_sql_managed_inst_cmk.yml b/non-compatible-policies/ecc-azure-207-asb_sql_managed_inst_cmk.yml
index d249192d..fd1c667d 100644
--- a/non-compatible-policies/ecc-azure-207-asb_sql_managed_inst_cmk.yml
+++ b/non-compatible-policies/ecc-azure-207-asb_sql_managed_inst_cmk.yml
@@ -13,3 +13,4 @@ policies:
 - type: encryption-protector
 key: kind
 value: servicemanaged
+ comment: '0243060000'
diff --git a/non-compatible-policies/ecc-azure-217-asb_reslogs_datalakestore.yml b/non-compatible-policies/ecc-azure-217-asb_reslogs_datalakestore.yml
index 1ee2079e..fa2de732 100644
--- a/non-compatible-policies/ecc-azure-217-asb_reslogs_datalakestore.yml
+++ b/non-compatible-policies/ecc-azure-217-asb_reslogs_datalakestore.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?(category == 'Audit' || category == 'Requests') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-218-asb_reslogs_stream.yml b/non-compatible-policies/ecc-azure-218-asb_reslogs_stream.yml
index ec1f9ffd..b81843a9 100644
--- a/non-compatible-policies/ecc-azure-218-asb_reslogs_stream.yml
+++ b/non-compatible-policies/ecc-azure-218-asb_reslogs_stream.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?(category == 'Execution' || category == 'Authoring') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-219-asb_reslogs_batch.yml b/non-compatible-policies/ecc-azure-219-asb_reslogs_batch.yml
index 59e0ce73..4ae5c648 100644
--- a/non-compatible-policies/ecc-azure-219-asb_reslogs_batch.yml
+++ b/non-compatible-policies/ecc-azure-219-asb_reslogs_batch.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?category == 'ServiceLog' && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-220-asb_reslogs_datalakeanalytics.yml b/non-compatible-policies/ecc-azure-220-asb_reslogs_datalakeanalytics.yml
index f757e655..6a438b7b 100644
--- a/non-compatible-policies/ecc-azure-220-asb_reslogs_datalakeanalytics.yml
+++ b/non-compatible-policies/ecc-azure-220-asb_reslogs_datalakeanalytics.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?(category == 'Audit' || category == 'Requests') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-222-asb_reslogs_iot.yml b/non-compatible-policies/ecc-azure-222-asb_reslogs_iot.yml
index 4fa219a4..a6ccba67 100644
--- a/non-compatible-policies/ecc-azure-222-asb_reslogs_iot.yml
+++ b/non-compatible-policies/ecc-azure-222-asb_reslogs_iot.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?(category == 'Connections' || category == 'DeviceTelemetry' || category == 'C2DCommands' || category == 'DeviceIdentityOperations' || category == 'FileUploadOperations' || category == 'Routes' || category == 'D2CTwinOperations' || category == 'C2DTwinOperations' || category == 'TwinQueries' || category == 'JobsOperations' || category == 'DirectMethods' || category == 'DistributedTracing' || category == 'Configurations' || category == 'DeviceStreams') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-224-asb_reslogs_logicapps.yml b/non-compatible-policies/ecc-azure-224-asb_reslogs_logicapps.yml
index 78493653..8705db8e 100644
--- a/non-compatible-policies/ecc-azure-224-asb_reslogs_logicapps.yml
+++ b/non-compatible-policies/ecc-azure-224-asb_reslogs_logicapps.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?category == 'WorkflowRuntime' && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-225-asb_reslogs_search.yml b/non-compatible-policies/ecc-azure-225-asb_reslogs_search.yml
index 71dd25e7..9dea7beb 100644
--- a/non-compatible-policies/ecc-azure-225-asb_reslogs_search.yml
+++ b/non-compatible-policies/ecc-azure-225-asb_reslogs_search.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?category == 'OperationLogs' && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-226-asb_reslogs_servicebus.yml b/non-compatible-policies/ecc-azure-226-asb_reslogs_servicebus.yml
index adfd4643..82e89eeb 100644
--- a/non-compatible-policies/ecc-azure-226-asb_reslogs_servicebus.yml
+++ b/non-compatible-policies/ecc-azure-226-asb_reslogs_servicebus.yml
@@ -17,3 +17,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?(category == 'OperationalLogs' || category == 'VNetAndIPFilteringLogs') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219010000'
diff --git a/non-compatible-policies/ecc-azure-265-asb_sqlmi.yml b/non-compatible-policies/ecc-azure-265-asb_sqlmi.yml
index bfcdf61a..84b4a01c 100644
--- a/non-compatible-policies/ecc-azure-265-asb_sqlmi.yml
+++ b/non-compatible-policies/ecc-azure-265-asb_sqlmi.yml
@@ -13,3 +13,4 @@ policies:
 - type: vulnerability-assessments
 key: recurring_scans.is_enabled
 value: false
+ comment: '0221060000'
diff --git a/non-compatible-policies/ecc-azure-275-asb_vm_backup.yml b/non-compatible-policies/ecc-azure-275-asb_vm_backup.yml
index c77aee88..6566cbc7 100644
--- a/non-compatible-policies/ecc-azure-275-asb_vm_backup.yml
+++ b/non-compatible-policies/ecc-azure-275-asb_vm_backup.yml
@@ -13,3 +13,4 @@ policies:
 - not:
 - type: backup-status
 protection-status: Protected
+ comment: '0249030000'
diff --git a/non-compatible-policies/ecc-azure-276-asb_geo_mariadb.yml b/non-compatible-policies/ecc-azure-276-asb_geo_mariadb.yml
index 62e9c1ee..e2ae3b1b 100644
--- a/non-compatible-policies/ecc-azure-276-asb_geo_mariadb.yml
+++ b/non-compatible-policies/ecc-azure-276-asb_geo_mariadb.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.storageProfile.geoRedundantBackup
 value: Disabled
+ comment: '0249060000'
diff --git a/non-compatible-policies/ecc-azure-277-asb_geo_mysql.yml b/non-compatible-policies/ecc-azure-277-asb_geo_mysql.yml
index 5cf4fab8..8e9f94cf 100644
--- a/non-compatible-policies/ecc-azure-277-asb_geo_mysql.yml
+++ b/non-compatible-policies/ecc-azure-277-asb_geo_mysql.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.storageProfile.geoRedundantBackup
 value: Disabled
+ comment: '0249060000'
diff --git a/non-compatible-policies/ecc-azure-283-aks_reslogs_aks.yml b/non-compatible-policies/ecc-azure-283-aks_reslogs_aks.yml
index 40aef0ae..46ce8d65 100644
--- a/non-compatible-policies/ecc-azure-283-aks_reslogs_aks.yml
+++ b/non-compatible-policies/ecc-azure-283-aks_reslogs_aks.yml
@@ -16,3 +16,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?(category == 'kube-apiserver' || category == 'kube-audit' || category == 'kube-audit-admin' || category == 'kube-controller-manager' || category == 'kube-scheduler' || category == 'cluster-autoscaler' || category == 'cloud-controller-manager' || category == 'guard') && enabled == `true` && retention_policy.enabled == `true` && retention_policy.days > `0`])
 value: 0
+ comment: '0219072000'
diff --git a/non-compatible-policies/ecc-azure-293-sql_data_replication_failover_groups.yml b/non-compatible-policies/ecc-azure-293-sql_data_replication_failover_groups.yml
index 47fc8ccf..7e7b1f90 100644
--- a/non-compatible-policies/ecc-azure-293-sql_data_replication_failover_groups.yml
+++ b/non-compatible-policies/ecc-azure-293-sql_data_replication_failover_groups.yml
@@ -14,3 +14,4 @@ policies:
 key: length(failover_groups)
 op: eq
 value: 0
+ comment: '0249062000'
diff --git a/non-compatible-policies/ecc-azure-301-redis_cache_fw_rules.yml b/non-compatible-policies/ecc-azure-301-redis_cache_fw_rules.yml
index c79bf347..61945654 100644
--- a/non-compatible-policies/ecc-azure-301-redis_cache_fw_rules.yml
+++ b/non-compatible-policies/ecc-azure-301-redis_cache_fw_rules.yml
@@ -18,3 +18,4 @@ policies:
 key: 'end_ip'
 op: eq
 value: 0.0.0.0
+ comment: '0239062000'
diff --git a/non-compatible-policies/ecc-azure-311-cis_postgresql_logging_collector.yml b/non-compatible-policies/ecc-azure-311-cis_postgresql_logging_collector.yml
index 7281c3d1..62468c63 100644
--- a/non-compatible-policies/ecc-azure-311-cis_postgresql_logging_collector.yml
+++ b/non-compatible-policies/ecc-azure-311-cis_postgresql_logging_collector.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-configuration
 property: logging_collector
 value: "OFF"
+ comment: '0219061900'
diff --git a/non-compatible-policies/ecc-azure-313-cis_postgresql_log_min_messages.yml b/non-compatible-policies/ecc-azure-313-cis_postgresql_log_min_messages.yml
index 525a5942..078368fc 100644
--- a/non-compatible-policies/ecc-azure-313-cis_postgresql_log_min_messages.yml
+++ b/non-compatible-policies/ecc-azure-313-cis_postgresql_log_min_messages.yml
@@ -14,3 +14,4 @@ policies:
 - type: server-configuration
 property: log_min_messages
 value: warning
+ comment: '0219061910'
diff --git a/non-compatible-policies/ecc-azure-314-cis_postgresql_debug_print_plan_disabled.yml b/non-compatible-policies/ecc-azure-314-cis_postgresql_debug_print_plan_disabled.yml
index 1580d266..4f6c4695 100644
--- a/non-compatible-policies/ecc-azure-314-cis_postgresql_debug_print_plan_disabled.yml
+++ b/non-compatible-policies/ecc-azure-314-cis_postgresql_debug_print_plan_disabled.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-configuration
 property: debug_print_plan
 value: "ON"
+ comment: '0219061900'
diff --git a/non-compatible-policies/ecc-azure-317-cis_postgresql_log_error_verbosity_set_correctly.yml b/non-compatible-policies/ecc-azure-317-cis_postgresql_log_error_verbosity_set_correctly.yml
index 33ce0948..c3566c4c 100644
--- a/non-compatible-policies/ecc-azure-317-cis_postgresql_log_error_verbosity_set_correctly.yml
+++ b/non-compatible-policies/ecc-azure-317-cis_postgresql_log_error_verbosity_set_correctly.yml
@@ -14,3 +14,4 @@ policies:
 - type: server-configuration
 property: log_error_verbosity
 value: "verbose"
+ comment: '0219061910'
diff --git a/non-compatible-policies/ecc-azure-318-cis_postgresql_log_line_prefix_set_correctly.yml b/non-compatible-policies/ecc-azure-318-cis_postgresql_log_line_prefix_set_correctly.yml
index 959bc9a7..d1d06a28 100644
--- a/non-compatible-policies/ecc-azure-318-cis_postgresql_log_line_prefix_set_correctly.yml
+++ b/non-compatible-policies/ecc-azure-318-cis_postgresql_log_line_prefix_set_correctly.yml
@@ -14,3 +14,4 @@ policies:
 - type: server-configuration
 property: log_line_prefix
 value: "%m [%p]: [%l-1], db=%d,user=%u,app=%a,client=%h,"
+ comment: '0219061900'
diff --git a/non-compatible-policies/ecc-azure-319-cis_postgresql_log_min_error_statement.yml b/non-compatible-policies/ecc-azure-319-cis_postgresql_log_min_error_statement.yml
index a3cfd8cd..5facd6a1 100644
--- a/non-compatible-policies/ecc-azure-319-cis_postgresql_log_min_error_statement.yml
+++ b/non-compatible-policies/ecc-azure-319-cis_postgresql_log_min_error_statement.yml
@@ -14,3 +14,4 @@ policies:
 - type: server-configuration
 property: log_min_error_statement
 value: "error"
+ comment: '0219061910'
diff --git a/non-compatible-policies/ecc-azure-321-cis_postgresql_log_statement_set_correctly.yml b/non-compatible-policies/ecc-azure-321-cis_postgresql_log_statement_set_correctly.yml
index 251e4f85..321f4e11 100644
--- a/non-compatible-policies/ecc-azure-321-cis_postgresql_log_statement_set_correctly.yml
+++ b/non-compatible-policies/ecc-azure-321-cis_postgresql_log_statement_set_correctly.yml
@@ -14,3 +14,4 @@ policies:
 - type: server-configuration
 property: log_statement
 value: "ddl"
+ comment: '0219061910'
diff --git a/non-compatible-policies/ecc-azure-324-data_explorer_double_encryption.yml b/non-compatible-policies/ecc-azure-324-data_explorer_double_encryption.yml
index 83eb3979..fbd68dc4 100644
--- a/non-compatible-policies/ecc-azure-324-data_explorer_double_encryption.yml
+++ b/non-compatible-policies/ecc-azure-324-data_explorer_double_encryption.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.enableDoubleEncryption
 value: true
+ comment: '0243052000'
diff --git a/non-compatible-policies/ecc-azure-325-data_explorer_disc_encryption.yml b/non-compatible-policies/ecc-azure-325-data_explorer_disc_encryption.yml
index ae1ea023..b57bfebb 100644
--- a/non-compatible-policies/ecc-azure-325-data_explorer_disc_encryption.yml
+++ b/non-compatible-policies/ecc-azure-325-data_explorer_disc_encryption.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.enableDiskEncryption
 value: true
+ comment: '0243052000'
diff --git a/non-compatible-policies/ecc-azure-326-data_explorer_cmk.yml b/non-compatible-policies/ecc-azure-326-data_explorer_cmk.yml
index ebab3fd4..f20fa64b 100644
--- a/non-compatible-policies/ecc-azure-326-data_explorer_cmk.yml
+++ b/non-compatible-policies/ecc-azure-326-data_explorer_cmk.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.keyVaultProperties.keyName
 value: .+
 op: regex
+ comment: '0243052000'
diff --git a/non-compatible-policies/ecc-azure-341-front_door_waf_log4j.yml b/non-compatible-policies/ecc-azure-341-front_door_waf_log4j.yml
index 2cc3749a..caf3d761 100644
--- a/non-compatible-policies/ecc-azure-341-front_door_waf_log4j.yml
+++ b/non-compatible-policies/ecc-azure-341-front_door_waf_log4j.yml
@@ -18,3 +18,4 @@ policies:
 key: managed_rules.managed_rule_sets[0].rule_group_overrides[0].rules[0].enabled_state
 value: 'Disabled'
 op: eq
+ comment: '0223022000'
diff --git a/non-compatible-policies/ecc-azure-343-postgresql_threat_detection_policy.yml b/non-compatible-policies/ecc-azure-343-postgresql_threat_detection_policy.yml
index 55abf76c..82085a56 100644
--- a/non-compatible-policies/ecc-azure-343-postgresql_threat_detection_policy.yml
+++ b/non-compatible-policies/ecc-azure-343-postgresql_threat_detection_policy.yml
@@ -13,3 +13,4 @@ policies:
 - type: server-security-alert-policies-filter
 key: state
 value: Disabled
+ comment: '0232062000'
diff --git a/non-compatible-policies/ecc-azure-344-mysql_threat_detection_policy.yml b/non-compatible-policies/ecc-azure-344-mysql_threat_detection_policy.yml
index 7f55eecf..4711df82 100644
--- a/non-compatible-policies/ecc-azure-344-mysql_threat_detection_policy.yml
+++ b/non-compatible-policies/ecc-azure-344-mysql_threat_detection_policy.yml
@@ -13,3 +13,4 @@ policies:
 - type: mysql-server-security-alert-policies-filter
 key: state
 value: Disabled
+ comment: '0232062000'
diff --git a/non-compatible-policies/ecc-azure-345-mysql_infrastructure_encryption.yml b/non-compatible-policies/ecc-azure-345-mysql_infrastructure_encryption.yml
index 1b23b68a..92673e36 100644
--- a/non-compatible-policies/ecc-azure-345-mysql_infrastructure_encryption.yml
+++ b/non-compatible-policies/ecc-azure-345-mysql_infrastructure_encryption.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.infrastructureEncryption
 value: Disabled
+ comment: '0243062000'
diff --git a/non-compatible-policies/ecc-azure-346-mysql_latest_tls.yml b/non-compatible-policies/ecc-azure-346-mysql_latest_tls.yml
index d58d843f..16177dbe 100644
--- a/non-compatible-policies/ecc-azure-346-mysql_latest_tls.yml
+++ b/non-compatible-policies/ecc-azure-346-mysql_latest_tls.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.minimalTlsVersion
 value: TLS1_2
+ comment: '0221062000'
diff --git a/non-compatible-policies/ecc-azure-347-mysql_cmk.yml b/non-compatible-policies/ecc-azure-347-mysql_cmk.yml
index 43151992..7d87d38a 100644
--- a/non-compatible-policies/ecc-azure-347-mysql_cmk.yml
+++ b/non-compatible-policies/ecc-azure-347-mysql_cmk.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.byokEnforcement
 value: Disabled
+ comment: '0243062000'
diff --git a/non-compatible-policies/ecc-azure-348-mysql_harden_usage_for_local_infile.yml b/non-compatible-policies/ecc-azure-348-mysql_harden_usage_for_local_infile.yml
index 0bc2511d..717579ff 100644
--- a/non-compatible-policies/ecc-azure-348-mysql_harden_usage_for_local_infile.yml
+++ b/non-compatible-policies/ecc-azure-348-mysql_harden_usage_for_local_infile.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-parameters
 property: local_infile
 value: "ON"
+ comment: '0220061800'
diff --git a/non-compatible-policies/ecc-azure-349-mysql_max_user_connections.yml b/non-compatible-policies/ecc-azure-349-mysql_max_user_connections.yml
index 1ce0b252..020c3832 100644
--- a/non-compatible-policies/ecc-azure-349-mysql_max_user_connections.yml
+++ b/non-compatible-policies/ecc-azure-349-mysql_max_user_connections.yml
@@ -13,3 +13,4 @@ policies:
 - type: server-parameters
 property: max_user_connections
 value: 0
+ comment: '0220061810'
diff --git a/non-compatible-policies/ecc-azure-350-mysql_slow_query_log_permissions.yml b/non-compatible-policies/ecc-azure-350-mysql_slow_query_log_permissions.yml
index ec82bf81..42c0aa4a 100644
--- a/non-compatible-policies/ecc-azure-350-mysql_slow_query_log_permissions.yml
+++ b/non-compatible-policies/ecc-azure-350-mysql_slow_query_log_permissions.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-parameters
 property: slow_query_log
 value: "OFF"
+ comment: '0219061800'
diff --git a/non-compatible-policies/ecc-azure-351-sql_mode.yml b/non-compatible-policies/ecc-azure-351-sql_mode.yml
index 5c0829f3..8aa5b69a 100644
--- a/non-compatible-policies/ecc-azure-351-sql_mode.yml
+++ b/non-compatible-policies/ecc-azure-351-sql_mode.yml
@@ -14,3 +14,4 @@ policies:
 - type: server-parameters
 property: sql_mode
 value: "STRICT_ALL_TABLES,ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
+ comment: '0220061800'
diff --git a/non-compatible-policies/ecc-azure-355-ml_min_cluster_nodes.yml b/non-compatible-policies/ecc-azure-355-ml_min_cluster_nodes.yml
index 261c9bfa..2f3d87f0 100644
--- a/non-compatible-policies/ecc-azure-355-ml_min_cluster_nodes.yml
+++ b/non-compatible-policies/ecc-azure-355-ml_min_cluster_nodes.yml
@@ -15,3 +15,4 @@ policies:
 key: min_node_count
 value: 0
 op: eq
+ comment: '0203090000'
diff --git a/non-compatible-policies/ecc-azure-356-api_mgmt_client_cert.yml b/non-compatible-policies/ecc-azure-356-api_mgmt_client_cert.yml
index 4b419507..a8dac2c8 100644
--- a/non-compatible-policies/ecc-azure-356-api_mgmt_client_cert.yml
+++ b/non-compatible-policies/ecc-azure-356-api_mgmt_client_cert.yml
@@ -15,3 +15,4 @@ policies:
 key: count
 value: 1
 op: gte
+ comment: '0229090000'
diff --git a/non-compatible-policies/ecc-azure-358-synapse_workspace_managed_vnet.yml b/non-compatible-policies/ecc-azure-358-synapse_workspace_managed_vnet.yml
index 2970abfc..c1ea383f 100644
--- a/non-compatible-policies/ecc-azure-358-synapse_workspace_managed_vnet.yml
+++ b/non-compatible-policies/ecc-azure-358-synapse_workspace_managed_vnet.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.managedVirtualNetwork
 value: default
+ comment: '0241052000'
diff --git a/non-compatible-policies/ecc-azure-359-synapse_workspace_data_exfiltration_protection.yml b/non-compatible-policies/ecc-azure-359-synapse_workspace_data_exfiltration_protection.yml
index 288a4069..9b415c33 100644
--- a/non-compatible-policies/ecc-azure-359-synapse_workspace_data_exfiltration_protection.yml
+++ b/non-compatible-policies/ecc-azure-359-synapse_workspace_data_exfiltration_protection.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.managedVirtualNetworkSettings.preventDataExfiltration
 value: true
+ comment: '0223052000'
diff --git a/non-compatible-policies/ecc-azure-362-vm_without_va_extension.yml b/non-compatible-policies/ecc-azure-362-vm_without_va_extension.yml
index 51d08749..8714b761 100644
--- a/non-compatible-policies/ecc-azure-362-vm_without_va_extension.yml
+++ b/non-compatible-policies/ecc-azure-362-vm_without_va_extension.yml
@@ -15,3 +15,4 @@ policies:
 - type: value
 key: properties.status.cause
 value: VaScannerNotInstalled
+ comment: '0223032000'
diff --git a/non-compatible-policies/ecc-azure-364-resource_tag_activity_log_alert.yml b/non-compatible-policies/ecc-azure-364-resource_tag_activity_log_alert.yml
index 7e322c54..8a0c461f 100644
--- a/non-compatible-policies/ecc-azure-364-resource_tag_activity_log_alert.yml
+++ b/non-compatible-policies/ecc-azure-364-resource_tag_activity_log_alert.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: tags
 value: empty
+ comment: '0210092000'
diff --git a/non-compatible-policies/ecc-azure-371-cis_mysql_audit_log_enabled.yml b/non-compatible-policies/ecc-azure-371-cis_mysql_audit_log_enabled.yml
index 859feaee..a09bfd77 100644
--- a/non-compatible-policies/ecc-azure-371-cis_mysql_audit_log_enabled.yml
+++ b/non-compatible-policies/ecc-azure-371-cis_mysql_audit_log_enabled.yml
@@ -17,3 +17,4 @@ policies:
 - type: server-parameters
 property: audit_log_enabled
 value: "off"
+ comment: '0219061500'
diff --git a/non-compatible-policies/ecc-azure-372-cis_mysql_audit_log_events.yml b/non-compatible-policies/ecc-azure-372-cis_mysql_audit_log_events.yml
index 56f11c0a..6dbdea64 100644
--- a/non-compatible-policies/ecc-azure-372-cis_mysql_audit_log_events.yml
+++ b/non-compatible-policies/ecc-azure-372-cis_mysql_audit_log_events.yml
@@ -18,3 +18,4 @@ policies:
 - type: server-parameters
 property: audit_log_events
 value: "CONNECTION"
+ comment: '0219061400'
diff --git a/non-compatible-policies/ecc-azure-373-cis_activity_log_alert_create_or_update_pip.yml b/non-compatible-policies/ecc-azure-373-cis_activity_log_alert_create_or_update_pip.yml
index a2abdc99..52a70bf9 100644
--- a/non-compatible-policies/ecc-azure-373-cis_activity_log_alert_create_or_update_pip.yml
+++ b/non-compatible-policies/ecc-azure-373-cis_activity_log_alert_create_or_update_pip.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-374-cis_activity_log_alert_delete_pip.yml b/non-compatible-policies/ecc-azure-374-cis_activity_log_alert_delete_pip.yml
index 1744ba87..6ddb0abb 100644
--- a/non-compatible-policies/ecc-azure-374-cis_activity_log_alert_delete_pip.yml
+++ b/non-compatible-policies/ecc-azure-374-cis_activity_log_alert_delete_pip.yml
@@ -24,3 +24,4 @@ policies:
 key: alerts[].scopes[]
 value: ^\/[a-z]{13}\/[a-z0-9A-Z]{8}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{4}\-[a-z0-9A-Z]{12}$
 op: regex
+ comment: '0232011500'
diff --git a/non-compatible-policies/ecc-azure-378-cis_nsg_flow_log_analytics.yml b/non-compatible-policies/ecc-azure-378-cis_nsg_flow_log_analytics.yml
index 8b5902bd..8e3e249e 100644
--- a/non-compatible-policies/ecc-azure-378-cis_nsg_flow_log_analytics.yml
+++ b/non-compatible-policies/ecc-azure-378-cis_nsg_flow_log_analytics.yml
@@ -14,3 +14,4 @@ policies:
 - type: flow-analytics-logging
 key: enabled
 value: true
+ comment: '0232021500'
diff --git a/non-compatible-policies/ecc-azure-379-cis_appservice_http_logs.yml b/non-compatible-policies/ecc-azure-379-cis_appservice_http_logs.yml
index f245dcdf..ac44253b 100644
--- a/non-compatible-policies/ecc-azure-379-cis_appservice_http_logs.yml
+++ b/non-compatible-policies/ecc-azure-379-cis_appservice_http_logs.yml
@@ -16,3 +16,4 @@ policies:
 - type: diagnostic-settings
 key: length(logs[?category == 'AppServiceHTTPLogs' && enabled == `true`])
 value: 0
+ comment: '0219011500'
diff --git a/policies/ecc-azure-002-cis_iam_owner_roles.yml b/policies/ecc-azure-002-cis_iam_owner_roles.yml
index 6de66d1f..0a740623 100644
--- a/policies/ecc-azure-002-cis_iam_owner_roles.yml
+++ b/policies/ecc-azure-002-cis_iam_owner_roles.yml
@@ -33,3 +33,4 @@ policies:
 key: properties.assignableScopes[]
 value: \/subscriptions\/.+?\/.+
 op: regex
+ comment: '0233001500'
diff --git a/policies/ecc-azure-004-cis_sec_auto_provisioning.yml b/policies/ecc-azure-004-cis_sec_auto_provisioning.yml
index 74423f5c..e433c1d9 100644
--- a/policies/ecc-azure-004-cis_sec_auto_provisioning.yml
+++ b/policies/ecc-azure-004-cis_sec_auto_provisioning.yml
@@ -16,3 +16,4 @@ policies:
 - type: value
 key: properties.autoProvision
 value: "Off"
+ comment: '0216181500'
diff --git a/policies/ecc-azure-008-cis_sa_sec_transfer_req.yml b/policies/ecc-azure-008-cis_sa_sec_transfer_req.yml
index a9d2ef81..8efe3753 100644
--- a/policies/ecc-azure-008-cis_sa_sec_transfer_req.yml
+++ b/policies/ecc-azure-008-cis_sa_sec_transfer_req.yml
@@ -17,3 +17,4 @@ policies:
 key: tags."ms-resource-usage"
 value: azure-cloud-shell
 op: ne
+ comment: '0244041500'
diff --git a/policies/ecc-azure-009-cis_sa_private.yml b/policies/ecc-azure-009-cis_sa_private.yml
index 1cf68398..0764b5e0 100644
--- a/policies/ecc-azure-009-cis_sa_private.yml
+++ b/policies/ecc-azure-009-cis_sa_private.yml
@@ -17,3 +17,4 @@ policies:
 key: tags."ms-resource-usage"
 value: azure-cloud-shell
 op: ne
+ comment: '0240041500'
diff --git a/policies/ecc-azure-010-cis_sa_net_defaultAction.yml b/policies/ecc-azure-010-cis_sa_net_defaultAction.yml
index ac8e1d92..f0ff9897 100644
--- a/policies/ecc-azure-010-cis_sa_net_defaultAction.yml
+++ b/policies/ecc-azure-010-cis_sa_net_defaultAction.yml
@@ -17,3 +17,4 @@ policies:
 key: tags."ms-resource-usage"
 value: azure-cloud-shell
 op: ne
+ comment: '0240041500'
diff --git a/policies/ecc-azure-012-cis_sa_enc.yml b/policies/ecc-azure-012-cis_sa_enc.yml
index 3ae47590..9f32a08e 100644
--- a/policies/ecc-azure-012-cis_sa_enc.yml
+++ b/policies/ecc-azure-012-cis_sa_enc.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.encryption.keySource
 op: eq
 value: Microsoft.Storage
+ comment: '0243041500'
diff --git a/policies/ecc-azure-014-cis_db_sql_db_encryption_on.yml b/policies/ecc-azure-014-cis_db_sql_db_encryption_on.yml
index 501a6d50..66b46e11 100644
--- a/policies/ecc-azure-014-cis_db_sql_db_encryption_on.yml
+++ b/policies/ecc-azure-014-cis_db_sql_db_encryption_on.yml
@@ -12,3 +12,4 @@ policies:
 filters:
 - type: transparent-data-encryption
 enabled: false
+ comment: '0243061500'
diff --git a/policies/ecc-azure-024-cis_db_postgresql_ssl.yml b/policies/ecc-azure-024-cis_db_postgresql_ssl.yml
index 8ecbaa56..9fc20f1b 100644
--- a/policies/ecc-azure-024-cis_db_postgresql_ssl.yml
+++ b/policies/ecc-azure-024-cis_db_postgresql_ssl.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.sslEnforcement
 value: Disabled
 op: eq
+ comment: '0244061500'
diff --git a/policies/ecc-azure-032-cis_db_aad_admin.yml b/policies/ecc-azure-032-cis_db_aad_admin.yml
index 1b2e5c25..92d87bc9 100644
--- a/policies/ecc-azure-032-cis_db_aad_admin.yml
+++ b/policies/ecc-azure-032-cis_db_aad_admin.yml
@@ -14,3 +14,4 @@ policies:
 - type: azure-ad-administrators
 key: azureADOnlyAuthentication
 value: true
+ comment: '0234061500'
diff --git a/policies/ecc-azure-050-cis_net_db_firewall.yml b/policies/ecc-azure-050-cis_net_db_firewall.yml
index dbc7a545..62c7b6c9 100644
--- a/policies/ecc-azure-050-cis_net_db_firewall.yml
+++ b/policies/ecc-azure-050-cis_net_db_firewall.yml
@@ -17,3 +17,4 @@ policies:
 mode: equal
 list:
 - AzureServices
+ comment: '0240021500'
diff --git a/policies/ecc-azure-053-cis_vm_attached_disks.yml b/policies/ecc-azure-053-cis_vm_attached_disks.yml
index ca98203a..11bd46e7 100644
--- a/policies/ecc-azure-053-cis_vm_attached_disks.yml
+++ b/policies/ecc-azure-053-cis_vm_attached_disks.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.encryption.type
 op: in
 value: [EncryptionAtRestWithPlatformKey, EncryptionAtRestWithPlatformAndCustomerKeys]
+ comment: '0243031500'
diff --git a/policies/ecc-azure-054-cis_vm_unattached_disks.yml b/policies/ecc-azure-054-cis_vm_unattached_disks.yml
index 34b57f0d..7b2264d7 100644
--- a/policies/ecc-azure-054-cis_vm_unattached_disks.yml
+++ b/policies/ecc-azure-054-cis_vm_unattached_disks.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.encryption.type
 op: in
 value: [EncryptionAtRestWithPlatformKey, EncryptionAtRestWithPlatformAndCustomerKeys]
+ comment: '0243031500'
diff --git a/policies/ecc-azure-055-cis_key_exp_on.yml b/policies/ecc-azure-055-cis_key_exp_on.yml
index 03007619..b3e134a2 100644
--- a/policies/ecc-azure-055-cis_key_exp_on.yml
+++ b/policies/ecc-azure-055-cis_key_exp_on.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: attributes.expires
 value: null
+ comment: '0229101500'
diff --git a/policies/ecc-azure-056-cis_secret_exp.yml b/policies/ecc-azure-056-cis_secret_exp.yml
index fc0bd42a..82dcd076 100644
--- a/policies/ecc-azure-056-cis_secret_exp.yml
+++ b/policies/ecc-azure-056-cis_secret_exp.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: attributes.expires
 value: null
+ comment: '0229101500'
diff --git a/policies/ecc-azure-058-cis_aks_rbac.yml b/policies/ecc-azure-058-cis_aks_rbac.yml
index e84b0ca7..5f696404 100644
--- a/policies/ecc-azure-058-cis_aks_rbac.yml
+++ b/policies/ecc-azure-058-cis_aks_rbac.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.enableRBAC
 op: ne
 value: true
+ comment: '0233071300'
diff --git a/policies/ecc-azure-060-cis_app_https.yml b/policies/ecc-azure-060-cis_app_https.yml
index b9ca06e2..d7826426 100644
--- a/policies/ecc-azure-060-cis_app_https.yml
+++ b/policies/ecc-azure-060-cis_app_https.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.httpsOnly
 value: false
+ comment: '0244171500'
diff --git a/policies/ecc-azure-061-cis_app_last_tls.yml b/policies/ecc-azure-061-cis_app_last_tls.yml
index 0a05b254..f5c84fc7 100644
--- a/policies/ecc-azure-061-cis_app_last_tls.yml
+++ b/policies/ecc-azure-061-cis_app_last_tls.yml
@@ -14,3 +14,4 @@ policies:
 key: minTlsVersion
 value: '1.2'
 op: ne
+ comment: '0221171500'
diff --git a/policies/ecc-azure-064-cis_app_ftp_disabled.yml b/policies/ecc-azure-064-cis_app_ftp_disabled.yml
index 9403fd45..f5d66924 100644
--- a/policies/ecc-azure-064-cis_app_ftp_disabled.yml
+++ b/policies/ecc-azure-064-cis_app_ftp_disabled.yml
@@ -13,3 +13,4 @@ policies:
 - type: configuration
 key: ftpsState
 value: AllAllowed
+ comment: '0223171500'
diff --git a/policies/ecc-azure-065-cis_app_last_http.yml b/policies/ecc-azure-065-cis_app_last_http.yml
index 504dc6e6..bf81a11a 100644
--- a/policies/ecc-azure-065-cis_app_last_http.yml
+++ b/policies/ecc-azure-065-cis_app_last_http.yml
@@ -17,3 +17,4 @@ policies:
 - type: configuration
 key: http20Enabled
 value: false
+ comment: '0221171500'
diff --git a/policies/ecc-azure-069-cis_app_last_java.yml b/policies/ecc-azure-069-cis_app_last_java.yml
index 00970e11..852cd065 100644
--- a/policies/ecc-azure-069-cis_app_last_java.yml
+++ b/policies/ecc-azure-069-cis_app_last_java.yml
@@ -26,3 +26,4 @@ policies:
 - type: configuration
 key: javaVersion
 value: "1.8"
+ comment: '0221171500'
diff --git a/policies/ecc-azure-070-cis_app_last_python.yml b/policies/ecc-azure-070-cis_app_last_python.yml
index d26d115c..efc64267 100644
--- a/policies/ecc-azure-070-cis_app_last_python.yml
+++ b/policies/ecc-azure-070-cis_app_last_python.yml
@@ -22,3 +22,4 @@ policies:
 - type: configuration
 key: linuxFxVersion
 value: PYTHON|3.9
+ comment: '0221171500'
diff --git a/policies/ecc-azure-071-cis_app_last_php.yml b/policies/ecc-azure-071-cis_app_last_php.yml
index ffb7191e..e64ca902 100644
--- a/policies/ecc-azure-071-cis_app_last_php.yml
+++ b/policies/ecc-azure-071-cis_app_last_php.yml
@@ -18,3 +18,4 @@ policies:
 - type: configuration
 key: linuxFxVersion
 value: PHP|8.0
+ comment: '0221171500'
diff --git a/policies/ecc-azure-072-cis-app-keyvaults.yml b/policies/ecc-azure-072-cis-app-keyvaults.yml
index a75a4687..f7f945f5 100644
--- a/policies/ecc-azure-072-cis-app-keyvaults.yml
+++ b/policies/ecc-azure-072-cis-app-keyvaults.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.keyVaultReferenceIdentity
 value: .+\/Microsoft.ManagedIdentity\/userAssignedIdentities\/.+
 op: regex
+ comment: '0248171500'
diff --git a/policies/ecc-azure-094-cis_sec_defender_servers.yml b/policies/ecc-azure-094-cis_sec_defender_servers.yml
index e07da045..3776b9c9 100644
--- a/policies/ecc-azure-094-cis_sec_defender_servers.yml
+++ b/policies/ecc-azure-094-cis_sec_defender_servers.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0216181500'
diff --git a/policies/ecc-azure-095-cis_sec_defender_app.yml b/policies/ecc-azure-095-cis_sec_defender_app.yml
index ae34599d..cabf85c8 100644
--- a/policies/ecc-azure-095-cis_sec_defender_app.yml
+++ b/policies/ecc-azure-095-cis_sec_defender_app.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'
diff --git a/policies/ecc-azure-096-cis_sec_defender_azure_sql.yml b/policies/ecc-azure-096-cis_sec_defender_azure_sql.yml
index 7659560e..7d455584 100644
--- a/policies/ecc-azure-096-cis_sec_defender_azure_sql.yml
+++ b/policies/ecc-azure-096-cis_sec_defender_azure_sql.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'
diff --git a/policies/ecc-azure-097-cis_sec_defender_sql_machines.yml b/policies/ecc-azure-097-cis_sec_defender_sql_machines.yml
index a3e3d5a2..949d7f43 100644
--- a/policies/ecc-azure-097-cis_sec_defender_sql_machines.yml
+++ b/policies/ecc-azure-097-cis_sec_defender_sql_machines.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'
diff --git a/policies/ecc-azure-098-cis_sec_defender_storages.yml b/policies/ecc-azure-098-cis_sec_defender_storages.yml
index 459bd7b6..7da130ea 100644
--- a/policies/ecc-azure-098-cis_sec_defender_storages.yml
+++ b/policies/ecc-azure-098-cis_sec_defender_storages.yml
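Review bot: ecc-azure-094 receives `comment: '0216181500'` while the sibling Defender pricing-tier policies 095 through 100 on this and the next line receive `comment: '0232181500'`, and ecc-azure-101 on the next line goes back to `'0216181500'`; the same pattern appears later where ecc-azure-256 gets `'0239170000'` while 257 and 258 get `'0223170000'`. If the code encodes a category shared by sibling policies, these look like either deliberate distinctions or copy-paste slips, and nothing in the change says which. A one-line rationale in the commit message, or a reference to the encoding, would let a reviewer verify them.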
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'
diff --git a/policies/ecc-azure-099-cis_sec_defender_aks.yml b/policies/ecc-azure-099-cis_sec_defender_aks.yml
index f67a597a..472b26e8 100644
--- a/policies/ecc-azure-099-cis_sec_defender_aks.yml
+++ b/policies/ecc-azure-099-cis_sec_defender_aks.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'
diff --git a/policies/ecc-azure-100-cis_sec_defender_acr.yml b/policies/ecc-azure-100-cis_sec_defender_acr.yml
index be4ffa74..7491313e 100644
--- a/policies/ecc-azure-100-cis_sec_defender_acr.yml
+++ b/policies/ecc-azure-100-cis_sec_defender_acr.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'
diff --git a/policies/ecc-azure-101-cis_sec_defender_keyvaults.yml b/policies/ecc-azure-101-cis_sec_defender_keyvaults.yml
index bcfab335..08e7d2f1 100644
--- a/policies/ecc-azure-101-cis_sec_defender_keyvaults.yml
+++ b/policies/ecc-azure-101-cis_sec_defender_keyvaults.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0216181500'
diff --git a/policies/ecc-azure-102-cis_sec_defender_wdatp.yml b/policies/ecc-azure-102-cis_sec_defender_wdatp.yml
index 4839c0c0..f430d272 100644
--- a/policies/ecc-azure-102-cis_sec_defender_wdatp.yml
+++ b/policies/ecc-azure-102-cis_sec_defender_wdatp.yml
@@ -16,3 +16,4 @@ policies:
 - type: value
 key: properties.enabled
 value: false
+ comment: '0216181500'
diff --git a/policies/ecc-azure-103-cis_sec_mcas.yml b/policies/ecc-azure-103-cis_sec_mcas.yml
index 3eb1568a..a3adae63 100644
--- a/policies/ecc-azure-103-cis_sec_mcas.yml
+++ b/policies/ecc-azure-103-cis_sec_mcas.yml
@@ -16,3 +16,4 @@ policies:
 - type: value
 key: properties.enabled
 value: false
+ comment: '0223181500'
diff --git a/policies/ecc-azure-108-cis_sa_tms.yml b/policies/ecc-azure-108-cis_sa_tms.yml
index f4685cd2..cace471e 100644
--- a/policies/ecc-azure-108-cis_sa_tms.yml
+++ b/policies/ecc-azure-108-cis_sa_tms.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.networkAcls.bypass
 op: ne
 value: AzureServices
+ comment: '0233041500'
diff --git a/policies/ecc-azure-113-cis_vm_utilizing_managed_disks.yml b/policies/ecc-azure-113-cis_vm_utilizing_managed_disks.yml
index 4e475c5f..e1cc9116 100644
--- a/policies/ecc-azure-113-cis_vm_utilizing_managed_disks.yml
+++ b/policies/ecc-azure-113-cis_vm_utilizing_managed_disks.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.storageProfile.dataDisk.vhd.uri
 value: .+
 op: regex
+ comment: '0243031500'
diff --git a/policies/ecc-azure-116-cis_vm_endpoint_protection.yml b/policies/ecc-azure-116-cis_vm_endpoint_protection.yml
index 8c913ae2..99d889b8 100644
--- a/policies/ecc-azure-116-cis_vm_endpoint_protection.yml
+++ b/policies/ecc-azure-116-cis_vm_endpoint_protection.yml
@@ -13,3 +13,4 @@ policies:
 - type: vm-extensions
 key: length([?(properties.type == 'IaaSAntimalware' || properties.type == 'McAfeeEndpointSecurity' || properties.type == 'TrendMicroDSA' || properties.type == 'TrendMicroDSALinux' || properties.type == 'SymantecEndpointProtection' || properties.type == 'SCWPAgentForLinux' || properties.type == 'SCWPAgentForWindows' || properties.type == 'PortalProtectExtension' || properties.type == 'FileSecurity') && properties.provisioningState == 'Succeeded'])
 value: 0
+ comment: '0224031400'
diff --git a/policies/ecc-azure-117-cis_vm_vhd_encrypted.yml b/policies/ecc-azure-117-cis_vm_vhd_encrypted.yml
index a5f52d57..4cebe36c 100644
--- a/policies/ecc-azure-117-cis_vm_vhd_encrypted.yml
+++ b/policies/ecc-azure-117-cis_vm_vhd_encrypted.yml
@@ -31,3 +31,4 @@ policies:
 key: resources[].id
 value: ".+AzureDiskEncryption"
 op: regex
+ comment: '0243031500'
diff --git a/policies/ecc-azure-132-vm_wo_del_lock.yml b/policies/ecc-azure-132-vm_wo_del_lock.yml
index 9c4de9c7..50f045b1 100644
--- a/policies/ecc-azure-132-vm_wo_del_lock.yml
+++ b/policies/ecc-azure-132-vm_wo_del_lock.yml
@@ -13,3 +13,4 @@ policies:
 - not:
 - type: resource-lock
 lock-type: CanNotDelete
+ comment: '0247092000'
diff --git a/policies/ecc-azure-133-vm_wo_tags.yml b/policies/ecc-azure-133-vm_wo_tags.yml
index 437848a9..1a2e51e1 100644
--- a/policies/ecc-azure-133-vm_wo_tags.yml
+++ b/policies/ecc-azure-133-vm_wo_tags.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: tags
 value: empty
+ comment: '0210092000'
diff --git a/policies/ecc-azure-137-storage_replication.yml b/policies/ecc-azure-137-storage_replication.yml
index 905d0fef..8e528b6e 100644
--- a/policies/ecc-azure-137-storage_replication.yml
+++ b/policies/ecc-azure-137-storage_replication.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.statusOfSecondary
 value: available
+ comment: '0250042000'
diff --git a/policies/ecc-azure-143-asb_api_mgmt_vnet.yml b/policies/ecc-azure-143-asb_api_mgmt_vnet.yml
index d367ecc5..a0d4aaa5 100644
--- a/policies/ecc-azure-143-asb_api_mgmt_vnet.yml
+++ b/policies/ecc-azure-143-asb_api_mgmt_vnet.yml
@@ -24,3 +24,4 @@ policies:
 key: properties.virtualNetworkType
 value: 'External'
 op: eq
+ comment: '0240020000'
diff --git a/policies/ecc-azure-144-asb_aks_auth_ip_ranges.yml b/policies/ecc-azure-144-asb_aks_auth_ip_ranges.yml
index e2eb5388..557f7e3b 100644
--- a/policies/ecc-azure-144-asb_aks_auth_ip_ranges.yml
+++ b/policies/ecc-azure-144-asb_aks_auth_ip_ranges.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.apiServerAccessProfile.authorizedIPRanges[]
 value: .+
 op: regex
+ comment: '0239070000'
diff --git a/policies/ecc-azure-145-asb_cosmosdb_fw_rules.yml b/policies/ecc-azure-145-asb_cosmosdb_fw_rules.yml
index 9ffd6e62..f1258c12 100644
--- a/policies/ecc-azure-145-asb_cosmosdb_fw_rules.yml
+++ b/policies/ecc-azure-145-asb_cosmosdb_fw_rules.yml
@@ -16,3 +16,4 @@ policies:
 - type: value
 key: properties.ipRules
 value: []
+ comment: '0224060000'
diff --git a/policies/ecc-azure-147-asb_cognitive_disable_public_access.yml b/policies/ecc-azure-147-asb_cognitive_disable_public_access.yml
index e7295385..4ff768db 100644
--- a/policies/ecc-azure-147-asb_cognitive_disable_public_access.yml
+++ b/policies/ecc-azure-147-asb_cognitive_disable_public_access.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.publicNetworkAccess
 value: Disabled
 op: ne
+ comment: '0240020000'
diff --git a/policies/ecc-azure-148-asb_cognitive_disable_net_access.yml b/policies/ecc-azure-148-asb_cognitive_disable_net_access.yml
index 029923b0..958618d1 100644
--- a/policies/ecc-azure-148-asb_cognitive_disable_net_access.yml
+++ b/policies/ecc-azure-148-asb_cognitive_disable_net_access.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.networkAcls.defaultAction
 value: Deny
 op: ne
+ comment: '0224020000'
diff --git a/policies/ecc-azure-149-asb_acs_not_allow_unrestr_access.yml b/policies/ecc-azure-149-asb_acs_not_allow_unrestr_access.yml
index ffdd2ef1..9a78e21a 100644
--- a/policies/ecc-azure-149-asb_acs_not_allow_unrestr_access.yml
+++ b/policies/ecc-azure-149-asb_acs_not_allow_unrestr_access.yml
@@ -21,3 +21,4 @@ policies:
 - type: value
 key: properties.networkRuleSet.defaultAction
 value: ""
+ comment: '0224080000'
diff --git a/policies/ecc-azure-150-asb_vm_net_access_protected_by_nsg.yml b/policies/ecc-azure-150-asb_vm_net_access_protected_by_nsg.yml
index 85d42e78..d923cd0c 100644
--- a/policies/ecc-azure-150-asb_vm_net_access_protected_by_nsg.yml
+++ b/policies/ecc-azure-150-asb_vm_net_access_protected_by_nsg.yml
@@ -22,3 +22,4 @@ policies:
 key: properties.networkSecurityGroup.id
 value: \/.+\/networkSecurityGroups\/.+
 op: regex
+ comment: '0240030000'
diff --git a/policies/ecc-azure-151-asb_vm_disable_ip_forward.yml b/policies/ecc-azure-151-asb_vm_disable_ip_forward.yml
index 8e616dc5..18b87ec8 100644
--- a/policies/ecc-azure-151-asb_vm_disable_ip_forward.yml
+++ b/policies/ecc-azure-151-asb_vm_disable_ip_forward.yml
@@ -18,3 +18,4 @@ policies:
 - type: value
 key: properties.enableIPForwarding
 value: true
+ comment: '0224030000'
diff --git a/policies/ecc-azure-155-asb_mssql_public_access_disabled.yml b/policies/ecc-azure-155-asb_mssql_public_access_disabled.yml
index 5d792058..d9205549 100644
--- a/policies/ecc-azure-155-asb_mssql_public_access_disabled.yml
+++ b/policies/ecc-azure-155-asb_mssql_public_access_disabled.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.publicNetworkAccess
 value: null
+ comment: '0240060000'
diff --git a/policies/ecc-azure-158-asb_postgresql_public_access_disabled.yml b/policies/ecc-azure-158-asb_postgresql_public_access_disabled.yml
index 7a7e3b53..7d633ffe 100644
--- a/policies/ecc-azure-158-asb_postgresql_public_access_disabled.yml
+++ b/policies/ecc-azure-158-asb_postgresql_public_access_disabled.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.publicNetworkAccess
 value: null
+ comment: '0240060000'
diff --git a/policies/ecc-azure-159-asb_sa_restrict_net_access_vnet_rules.yml b/policies/ecc-azure-159-asb_sa_restrict_net_access_vnet_rules.yml
index 361b5845..2fe40200 100644
--- a/policies/ecc-azure-159-asb_sa_restrict_net_access_vnet_rules.yml
+++ b/policies/ecc-azure-159-asb_sa_restrict_net_access_vnet_rules.yml
@@ -19,3 +19,4 @@ policies:
 key: length(properties.networkAcls.ipRules[?contains(keys(@), 'action')])
 value: 0
 op: gt
+ comment: '0240040000'
diff --git a/policies/ecc-azure-160-asb_nsg_assoc_subnet.yml b/policies/ecc-azure-160-asb_nsg_assoc_subnet.yml
index 126f5f12..40f80cba 100644
--- a/policies/ecc-azure-160-asb_nsg_assoc_subnet.yml
+++ b/policies/ecc-azure-160-asb_nsg_assoc_subnet.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.subnets[].properties.networkSecurityGroup.id
 value: \/.+\/networkSecurityGroups\/.+
 op: regex
+ comment: '0242020000'
diff --git a/policies/ecc-azure-162-asb_redis_cache_reside_vnet.yml b/policies/ecc-azure-162-asb_redis_cache_reside_vnet.yml
index 3c7ed636..c6aa8bbf 100644
--- a/policies/ecc-azure-162-asb_redis_cache_reside_vnet.yml
+++ b/policies/ecc-azure-162-asb_redis_cache_reside_vnet.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.subnetId
 value: \/.+\/virtualNetworks\/.+\/subnets\/.+
 op: regex
+ comment: '0241060000'
diff --git a/policies/ecc-azure-173-asb_postgresql_private_endpoint.yml b/policies/ecc-azure-173-asb_postgresql_private_endpoint.yml
index 8347826d..18f543be 100644
--- a/policies/ecc-azure-173-asb_postgresql_private_endpoint.yml
+++ b/policies/ecc-azure-173-asb_postgresql_private_endpoint.yml
@@ -22,3 +22,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0240060000'
diff --git a/policies/ecc-azure-174-asb_sa_private_link.yml b/policies/ecc-azure-174-asb_sa_private_link.yml
index 10e3d6f8..f7589a39 100644
--- a/policies/ecc-azure-174-asb_sa_private_link.yml
+++ b/policies/ecc-azure-174-asb_sa_private_link.yml
@@ -26,3 +26,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0240040000'
diff --git a/policies/ecc-azure-177-asb_waf_enabled_for_app_gateway.yml b/policies/ecc-azure-177-asb_waf_enabled_for_app_gateway.yml
index 12739a40..67f2ba3f 100644
--- a/policies/ecc-azure-177-asb_waf_enabled_for_app_gateway.yml
+++ b/policies/ecc-azure-177-asb_waf_enabled_for_app_gateway.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.webApplicationFirewallConfiguration.enabled
 value: true
+ comment: '0224020000'
diff --git a/policies/ecc-azure-178-asb_waf_enabled_for_front_door.yml b/policies/ecc-azure-178-asb_waf_enabled_for_front_door.yml
index 160d346c..e62260a1 100644
--- a/policies/ecc-azure-178-asb_waf_enabled_for_front_door.yml
+++ b/policies/ecc-azure-178-asb_waf_enabled_for_front_door.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.frontendEndpoints[].properties.webApplicationFirewallPolicyLink.id
 value: \/.+\/frontdoorwebapplicationfirewallpolicies\/.+
 op: regex
+ comment: '0224020000'
diff --git a/policies/ecc-azure-179-asb_app_service_managed_identity.yml b/policies/ecc-azure-179-asb_app_service_managed_identity.yml
index 22604c1f..577051e9 100644
--- a/policies/ecc-azure-179-asb_app_service_managed_identity.yml
+++ b/policies/ecc-azure-179-asb_app_service_managed_identity.yml
@@ -21,3 +21,4 @@ policies:
 - type: value
 key: identity
 value: absent
+ comment: '0223170000'
diff --git a/policies/ecc-azure-180-asb_func_app_managed_identity.yml b/policies/ecc-azure-180-asb_func_app_managed_identity.yml
index dd421321..f59b2371 100644
--- a/policies/ecc-azure-180-asb_func_app_managed_identity.yml
+++ b/policies/ecc-azure-180-asb_func_app_managed_identity.yml
@@ -21,3 +21,4 @@ policies:
 - type: value
 key: identity
 value: absent
+ comment: '0223170000'
diff --git a/policies/ecc-azure-181-asb_web_app_managed_identity.yml b/policies/ecc-azure-181-asb_web_app_managed_identity.yml
index c136f4e2..e84cf78f 100644
--- a/policies/ecc-azure-181-asb_web_app_managed_identity.yml
+++ b/policies/ecc-azure-181-asb_web_app_managed_identity.yml
@@ -21,3 +21,4 @@ policies:
 - type: value
 key: identity
 value: absent
+ comment: '0223170000'
diff --git a/policies/ecc-azure-182-asb_service_fabric_aad_auth.yml b/policies/ecc-azure-182-asb_service_fabric_aad_auth.yml
index 7f0463f0..6252c73d 100644
--- a/policies/ecc-azure-182-asb_service_fabric_aad_auth.yml
+++ b/policies/ecc-azure-182-asb_service_fabric_aad_auth.yml
@@ -19,3 +19,4 @@ policies:
 - type: value
 key: properties.azureActiveDirectory.clientApplication
 value: absent
+ comment: '0223000000'
diff --git a/policies/ecc-azure-184-asb_vm_linux_ssh_auth_req.yml b/policies/ecc-azure-184-asb_vm_linux_ssh_auth_req.yml
index a6d00374..e8f9d9e9 100644
--- a/policies/ecc-azure-184-asb_vm_linux_ssh_auth_req.yml
+++ b/policies/ecc-azure-184-asb_vm_linux_ssh_auth_req.yml
@@ -48,3 +48,4 @@ policies:
 - type: value
 key: properties.storageProfile.imageReference.publisher
 value: Oracle
+ comment: '0234030000'
diff --git a/policies/ecc-azure-197-asb_vm_disk_encryption_on.yml b/policies/ecc-azure-197-asb_vm_disk_encryption_on.yml
index c82f2e0d..3c127b1a 100644
--- a/policies/ecc-azure-197-asb_vm_disk_encryption_on.yml
+++ b/policies/ecc-azure-197-asb_vm_disk_encryption_on.yml
@@ -21,3 +21,4 @@ policies:
 key: resources[].id
 value: \/.+\/virtualMachines\/.+\/extensions\/AzureDiskEncryptionForLinux
 op: regex
+ comment: '0243030000'
diff --git a/policies/ecc-azure-199-asb_redis_ssl.yml b/policies/ecc-azure-199-asb_redis_ssl.yml
index 5d13f8e8..a81b8c69 100644
--- a/policies/ecc-azure-199-asb_redis_ssl.yml
+++ b/policies/ecc-azure-199-asb_redis_ssl.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.enableNonSslPort
 value: true
+ comment: '0244060000'
diff --git a/policies/ecc-azure-201-asb_cosmosdb_encrypt_cmk.yml b/policies/ecc-azure-201-asb_cosmosdb_encrypt_cmk.yml
index 4e71909b..36313415 100644
--- a/policies/ecc-azure-201-asb_cosmosdb_encrypt_cmk.yml
+++ b/policies/ecc-azure-201-asb_cosmosdb_encrypt_cmk.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.keyVaultKeyUri
 value: .+\/keys\/.+
 op: regex
+ comment: '0243060000'
diff --git a/policies/ecc-azure-203-asb_postgresql_encrypt_cmk.yml b/policies/ecc-azure-203-asb_postgresql_encrypt_cmk.yml
index a94d3840..c6131cc6 100644
--- a/policies/ecc-azure-203-asb_postgresql_encrypt_cmk.yml
+++ b/policies/ecc-azure-203-asb_postgresql_encrypt_cmk.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.byokEnforcement
 value: Disabled
+ comment: '0243060000'
diff --git a/policies/ecc-azure-204-asb_cognitive_sa_encrypt_cmk.yml b/policies/ecc-azure-204-asb_cognitive_sa_encrypt_cmk.yml
index 7e619d28..e8c5f90e 100644
--- a/policies/ecc-azure-204-asb_cognitive_sa_encrypt_cmk.yml
+++ b/policies/ecc-azure-204-asb_cognitive_sa_encrypt_cmk.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.encryption.keySource
 value: Microsoft.KeyVault
+ comment: '0243090000'
diff --git a/policies/ecc-azure-205-asb_acs_ecnrypted_cmk.yml b/policies/ecc-azure-205-asb_acs_ecnrypted_cmk.yml
index 16c6b6ce..32728510 100644
--- a/policies/ecc-azure-205-asb_acs_ecnrypted_cmk.yml
+++ b/policies/ecc-azure-205-asb_acs_ecnrypted_cmk.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.encryption.status
 value: disabled
+ comment: '0243080000'
diff --git a/policies/ecc-azure-206-asb_service_fabric_property.yml b/policies/ecc-azure-206-asb_service_fabric_property.yml
index 93ee81b7..8d737092 100644
--- a/policies/ecc-azure-206-asb_service_fabric_property.yml
+++ b/policies/ecc-azure-206-asb_service_fabric_property.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.fabricSettings[?name=='Security'].parameters[].value
 value: EncryptAndSign
 op: contains
+ comment: '0243090000'
diff --git a/policies/ecc-azure-213-asb_lt_defender_dns.yml b/policies/ecc-azure-213-asb_lt_defender_dns.yml
index 432825de..a0523d1f 100644
--- a/policies/ecc-azure-213-asb_lt_defender_dns.yml
+++ b/policies/ecc-azure-213-asb_lt_defender_dns.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.pricingTier
 value: "Standard"
 op: eq
+ comment: '0232180000'
diff --git a/policies/ecc-azure-214-asb_defender_arm.yml b/policies/ecc-azure-214-asb_defender_arm.yml
index cbd8938f..1c6874cd 100644
--- a/policies/ecc-azure-214-asb_defender_arm.yml
+++ b/policies/ecc-azure-214-asb_defender_arm.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.pricingTier
 value: "Standard"
 op: ne
+ comment: '0232180000'
diff --git a/policies/ecc-azure-215-asb_networktraffic_linuxvm.yml b/policies/ecc-azure-215-asb_networktraffic_linuxvm.yml
index bd8096d7..76fd5fa1 100644
--- a/policies/ecc-azure-215-asb_networktraffic_linuxvm.yml
+++ b/policies/ecc-azure-215-asb_networktraffic_linuxvm.yml
@@ -25,3 +25,4 @@ policies:
 key: "[].properties.provisioningState"
 value: Succeeded
 value_type: swap
+ comment: '0216030000'
diff --git a/policies/ecc-azure-216-asb_networktraffic_winvm.yml b/policies/ecc-azure-216-asb_networktraffic_winvm.yml
index 87b2b9a1..cbc655db 100644
--- a/policies/ecc-azure-216-asb_networktraffic_winvm.yml
+++ b/policies/ecc-azure-216-asb_networktraffic_winvm.yml
@@ -25,3 +25,4 @@ policies:
 key: "[].properties.provisioningState"
 value: Succeeded
 value_type: swap
+ comment: '0219030000'
diff --git a/policies/ecc-azure-227-asb_reslogs_vmss.yml b/policies/ecc-azure-227-asb_reslogs_vmss.yml
index 9d11571e..c5e850c0 100644
--- a/policies/ecc-azure-227-asb_reslogs_vmss.yml
+++ b/policies/ecc-azure-227-asb_reslogs_vmss.yml
@@ -24,3 +24,4 @@ policies:
 key: properties.virtualMachineProfile.extensionProfile.extensions[].properties.type
 value: IaaSDiagnostics
 op: regex
+ comment: '0219030000'
diff --git a/policies/ecc-azure-228-asb_guest_extension.yml b/policies/ecc-azure-228-asb_guest_extension.yml
index fd66daf4..df98ec5c 100644
--- a/policies/ecc-azure-228-asb_guest_extension.yml
+++ b/policies/ecc-azure-228-asb_guest_extension.yml
@@ -40,3 +40,4 @@ policies:
 key: "[].properties.provisioningState"
 value: Succeeded
 value_type: swap
+ comment: '0223030000'
diff --git a/policies/ecc-azure-231-asb_vm_wo_mma.yml b/policies/ecc-azure-231-asb_vm_wo_mma.yml
index 12db37eb..08251af9 100644
--- a/policies/ecc-azure-231-asb_vm_wo_mma.yml
+++ b/policies/ecc-azure-231-asb_vm_wo_mma.yml
@@ -40,3 +40,4 @@ policies:
 key: "[].properties.provisioningState"
 value: Succeeded
 value_type: swap
+ comment: '0232030000'
diff --git a/policies/ecc-azure-232-asb_vmss_wo_mma.yml b/policies/ecc-azure-232-asb_vmss_wo_mma.yml
index b1f89989..cdaa5f31 100644
--- a/policies/ecc-azure-232-asb_vmss_wo_mma.yml
+++ b/policies/ecc-azure-232-asb_vmss_wo_mma.yml
@@ -20,3 +20,4 @@ policies:
 key: properties.virtualMachineProfile.extensionProfile.extensions[].properties.type
 value: OmsAgentForLinux
 op: contains
+ comment: '0232030000'
diff --git a/policies/ecc-azure-234-asb_guest_extension_mi.yml b/policies/ecc-azure-234-asb_guest_extension_mi.yml
index 066e4bb4..f55db243 100644
--- a/policies/ecc-azure-234-asb_guest_extension_mi.yml
+++ b/policies/ecc-azure-234-asb_guest_extension_mi.yml
@@ -48,3 +48,4 @@ policies:
 - type: value
 key: identity.type
 value: SystemAssigned, UserAssigned
+ comment: '0223030000'
diff --git a/policies/ecc-azure-235-asb_k8s_policy.yml b/policies/ecc-azure-235-asb_k8s_policy.yml
index a531b09f..2de160d7 100644
--- a/policies/ecc-azure-235-asb_k8s_policy.yml
+++ b/policies/ecc-azure-235-asb_k8s_policy.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.addonProfiles.azurepolicy.enabled
 value: false
+ comment: '0223070000'
diff --git a/policies/ecc-azure-236-asb_cors_api.yml b/policies/ecc-azure-236-asb_cors_api.yml
index e85cb49c..33ece69e 100644
--- a/policies/ecc-azure-236-asb_cors_api.yml
+++ b/policies/ecc-azure-236-asb_cors_api.yml
@@ -18,3 +18,4 @@ policies:
 key: cors.allowedOrigins
 value: '*'
 op: contains
+ comment: '0222170000'
diff --git a/policies/ecc-azure-237-asb_cors_func.yml b/policies/ecc-azure-237-asb_cors_func.yml
index 7e5e10bf..c460af7f 100644
--- a/policies/ecc-azure-237-asb_cors_func.yml
+++ b/policies/ecc-azure-237-asb_cors_func.yml
@@ -18,3 +18,4 @@ policies:
 key: cors.allowedOrigins
 value: '*'
 op: contains
+ comment: '0222170000'
diff --git a/policies/ecc-azure-238-asb_cors_web.yml b/policies/ecc-azure-238-asb_cors_web.yml
index 5bbcaa42..a713dca7 100644
--- a/policies/ecc-azure-238-asb_cors_web.yml
+++ b/policies/ecc-azure-238-asb_cors_web.yml
@@ -18,3 +18,4 @@ policies:
 key: cors.allowedOrigins
 value: '*'
 op: contains
+ comment: '0222170000'
diff --git a/policies/ecc-azure-239-asb_certif_api.yml b/policies/ecc-azure-239-asb_certif_api.yml
index b2e66a08..fba5ed7c 100644
--- a/policies/ecc-azure-239-asb_certif_api.yml
+++ b/policies/ecc-azure-239-asb_certif_api.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.clientCertEnabled
 value: false
+ comment: '0223170000'
diff --git a/policies/ecc-azure-240-asb_certif_web.yml b/policies/ecc-azure-240-asb_certif_web.yml
index 1650ce6a..6c7c6568 100644
--- a/policies/ecc-azure-240-asb_certif_web.yml
+++ b/policies/ecc-azure-240-asb_certif_web.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.clientCertEnabled
 value: false
+ comment: '0223170000'
diff --git a/policies/ecc-azure-241-asb_certif_func.yml b/policies/ecc-azure-241-asb_certif_func.yml
index 76a68619..e9c89ec4 100644
--- a/policies/ecc-azure-241-asb_certif_func.yml
+++ b/policies/ecc-azure-241-asb_certif_func.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.clientCertEnabled
 value: false
+ comment: '0223170000'
diff --git a/policies/ecc-azure-256-asb_remotedebug_api.yml b/policies/ecc-azure-256-asb_remotedebug_api.yml
index 362d7ecb..8ed2e6e5 100644
--- a/policies/ecc-azure-256-asb_remotedebug_api.yml
+++ b/policies/ecc-azure-256-asb_remotedebug_api.yml
@@ -17,3 +17,4 @@ policies:
 - type: configuration
 key: remoteDebuggingEnabled
 value: true
+ comment: '0239170000'
diff --git a/policies/ecc-azure-257-asb_remotedebug_func.yml b/policies/ecc-azure-257-asb_remotedebug_func.yml
index 96f9a1ce..0c7d8a13 100644
--- a/policies/ecc-azure-257-asb_remotedebug_func.yml
+++ b/policies/ecc-azure-257-asb_remotedebug_func.yml
@@ -17,3 +17,4 @@ policies:
 - type: configuration
 key: remoteDebuggingEnabled
 value: true
+ comment: '0223170000'
diff --git a/policies/ecc-azure-258-asb_remotedebug_web.yml b/policies/ecc-azure-258-asb_remotedebug_web.yml
index c655682d..3a5fd5c0 100644
--- a/policies/ecc-azure-258-asb_remotedebug_web.yml
+++ b/policies/ecc-azure-258-asb_remotedebug_web.yml
@@ -17,3 +17,4 @@ policies:
 - type: configuration
 key: remoteDebuggingEnabled
 value: true
+ comment: '0223170000'
diff --git a/policies/ecc-azure-267-asb_java_funcapp.yml b/policies/ecc-azure-267-asb_java_funcapp.yml
index 29464b88..04fb665a 100644
--- a/policies/ecc-azure-267-asb_java_funcapp.yml
+++ b/policies/ecc-azure-267-asb_java_funcapp.yml
@@ -21,3 +21,4 @@ policies:
 - type: configuration
 key: windowsFxVersion
 value: "Java|8"
+ comment: '0221170000'
diff --git a/policies/ecc-azure-270-asb_python_funcapp.yml b/policies/ecc-azure-270-asb_python_funcapp.yml
index 33909127..122cdfe4 100644
--- a/policies/ecc-azure-270-asb_python_funcapp.yml
+++ b/policies/ecc-azure-270-asb_python_funcapp.yml
@@ -28,3 +28,4 @@ policies:
 - type: configuration
 key: linuxFxVersion
 value: PYTHON|3.11
+ comment: '0221170000'
diff --git a/policies/ecc-azure-272-asb_scaleset.yml b/policies/ecc-azure-272-asb_scaleset.yml
index c55ebbdd..9a3e690b 100644
--- a/policies/ecc-azure-272-asb_scaleset.yml
+++ b/policies/ecc-azure-272-asb_scaleset.yml
@@ -44,3 +44,4 @@ policies:
 key: properties.virtualMachineProfile.extensionProfile.extensions[].properties.type
 value: "KSWS"
 op: regex
+ comment: '0223030000'
diff --git a/policies/ecc-azure-278-asb_geo_postgresql.yml b/policies/ecc-azure-278-asb_geo_postgresql.yml
index db4e44d0..c5b418a0 100644
--- a/policies/ecc-azure-278-asb_geo_postgresql.yml
+++ b/policies/ecc-azure-278-asb_geo_postgresql.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.storageProfile.geoRedundantBackup
 value: Disabled
+ comment: '0249060000'
diff --git a/policies/ecc-azure-279-aks_local_auth_disabled.yml b/policies/ecc-azure-279-aks_local_auth_disabled.yml
index 0f4e3edf..787b8dbb 100644
--- a/policies/ecc-azure-279-aks_local_auth_disabled.yml
+++ b/policies/ecc-azure-279-aks_local_auth_disabled.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.disableLocalAccounts
 value: false
+ comment: '0233072000'
diff --git a/policies/ecc-azure-280-aks_private_clusters.yml b/policies/ecc-azure-280-aks_private_clusters.yml
index f059fdf4..c93d5233 100644
--- a/policies/ecc-azure-280-aks_private_clusters.yml
+++ b/policies/ecc-azure-280-aks_private_clusters.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.apiServerAccessProfile.enablePrivateCluster
 value: false
+ comment: '0239072000'
diff --git a/policies/ecc-azure-281-aks_non_vulnerable_version.yml b/policies/ecc-azure-281-aks_non_vulnerable_version.yml
index 2bd5096c..861a3e00 100644
--- a/policies/ecc-azure-281-aks_non_vulnerable_version.yml
+++ b/policies/ecc-azure-281-aks_non_vulnerable_version.yml
@@ -80,3 +80,4 @@ policies:
 - 1.13.2
 - 1.13.1
 - 1.13.0
+ comment: '0221072000'
diff --git a/policies/ecc-azure-282-aks_temp_disks_and_cache_encryptedathost.yml b/policies/ecc-azure-282-aks_temp_disks_and_cache_encryptedathost.yml
index 55cc609e..30c686c6 100644
--- a/policies/ecc-azure-282-aks_temp_disks_and_cache_encryptedathost.yml
+++ b/policies/ecc-azure-282-aks_temp_disks_and_cache_encryptedathost.yml
@@ -22,3 +22,4 @@ policies:
 - type: value
 key: properties.agentPoolProfiles[].enableEncryptionAtHost
 value: absent
+ comment: '0244072000'
diff --git a/policies/ecc-azure-284-aks_disks_encrypted.yml b/policies/ecc-azure-284-aks_disks_encrypted.yml
index 9e0233c3..dd5960de 100644
--- a/policies/ecc-azure-284-aks_disks_encrypted.yml
+++ b/policies/ecc-azure-284-aks_disks_encrypted.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.diskEncryptionSetID
 value: ""
+ comment: '0244072000'
diff --git a/policies/ecc-azure-286-aks_network_policy.yml b/policies/ecc-azure-286-aks_network_policy.yml
index dd793a9c..8f5f1b96 100644
--- a/policies/ecc-azure-286-aks_network_policy.yml
+++ b/policies/ecc-azure-286-aks_network_policy.yml
@@ -18,3 +18,4 @@ policies:
 - type: value
 key: properties.networkProfile.networkPolicy
 value: absent
+ comment: '0223072000'
diff --git a/policies/ecc-azure-287-aks_azure_cni_networking.yml b/policies/ecc-azure-287-aks_azure_cni_networking.yml
index bd2f1ef3..6ac03b8e 100644
--- a/policies/ecc-azure-287-aks_azure_cni_networking.yml
+++ b/policies/ecc-azure-287-aks_azure_cni_networking.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.networkProfile.networkPlugin
 value: azure
+ comment: '0220072000'
diff --git a/policies/ecc-azure-288-aks_cluster_pool_contains_nodes.yml b/policies/ecc-azure-288-aks_cluster_pool_contains_nodes.yml
index d6997e26..6aecf82b 100644
--- a/policies/ecc-azure-288-aks_cluster_pool_contains_nodes.yml
+++ b/policies/ecc-azure-288-aks_cluster_pool_contains_nodes.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: length(properties.agentPoolProfiles[?count < `3`])
 value: 1
+ comment: '0250072000'
diff --git a/policies/ecc-azure-289-acr_admin_user_disabled.yml b/policies/ecc-azure-289-acr_admin_user_disabled.yml
index bcbabd79..d6074efd 100644
--- a/policies/ecc-azure-289-acr_admin_user_disabled.yml
+++ b/policies/ecc-azure-289-acr_admin_user_disabled.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.adminUserEnabled
 value: true
+ comment: '0223082000'
diff --git a/policies/ecc-azure-290-acr_resource_locks.yml b/policies/ecc-azure-290-acr_resource_locks.yml
index 23723de2..b6d6c00d 100644
--- a/policies/ecc-azure-290-acr_resource_locks.yml
+++ b/policies/ecc-azure-290-acr_resource_locks.yml
@@ -12,3 +12,4 @@ policies:
 filters:
 - type: resource-lock
 lock-type: Absent
+ comment: '0247082000'
diff --git a/policies/ecc-azure-291-storage_accounts_regions.yml b/policies/ecc-azure-291-storage_accounts_regions.yml
index 4ecf5dc8..11ac0f3f 100644
--- a/policies/ecc-azure-291-storage_accounts_regions.yml
+++ b/policies/ecc-azure-291-storage_accounts_regions.yml
@@ -33,3 +33,4 @@ policies:
 - type: value
 key: secondaryLocation
 value: empty
+ comment: '0220042000'
diff --git a/policies/ecc-azure-294-vm_availability_set.yml b/policies/ecc-azure-294-vm_availability_set.yml
index d885be46..c404800c 100644
--- a/policies/ecc-azure-294-vm_availability_set.yml
+++ b/policies/ecc-azure-294-vm_availability_set.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.availabilitySet.id
 value: .+
 op: regex
+ comment: '0250032000'
diff --git a/policies/ecc-azure-295-sql_avoid_ad_admin_name.yml b/policies/ecc-azure-295-sql_avoid_ad_admin_name.yml
index 2c770777..a99d35c8 100644
--- a/policies/ecc-azure-295-sql_avoid_ad_admin_name.yml
+++ b/policies/ecc-azure-295-sql_avoid_ad_admin_name.yml
@@ -18,3 +18,4 @@ policies:
 key: login
 value: ^[Aa][Dd][Mm][Ii][Nn]$|^[Aa][Dd][Mm][Ii][Nn][Ii][Ss][Tt][Rr][Aa][Tt][Oo][Rr]$
 op: regex
+ comment: '0223062000'
diff --git a/policies/ecc-azure-296-sql_avoid_local_admin_name.yml b/policies/ecc-azure-296-sql_avoid_local_admin_name.yml
index e9b88963..8df682e4 100644
--- a/policies/ecc-azure-296-sql_avoid_local_admin_name.yml
+++ b/policies/ecc-azure-296-sql_avoid_local_admin_name.yml
@@ -14,3 +14,4 @@ policies:
 key: properties.administratorLogin
 value: .+\W*admin\W*|\W*admin\W*.+|^[Aa][Dd][Mm][Ii][Nn]$|^[Aa][Dd][Mm][Ii][Nn][Ii][Ss][Tt][Rr][Aa][Tt][Oo][Rr]$
 op: regex
+ comment: '0223062000'
diff --git a/policies/ecc-azure-298-function_app_service_logging.yml b/policies/ecc-azure-298-function_app_service_logging.yml
index 26bc920f..4284e5e3 100644
--- a/policies/ecc-azure-298-function_app_service_logging.yml
+++ b/policies/ecc-azure-298-function_app_service_logging.yml
@@ -21,3 +21,4 @@ policies:
 - type: configuration
 key: httpLoggingEnabled
 value: false
+ comment: '0219172000'
diff --git a/policies/ecc-azure-299-function_app_health_check.yml b/policies/ecc-azure-299-function_app_health_check.yml
index 17ac1514..9c643bd5 100644
--- a/policies/ecc-azure-299-function_app_health_check.yml
+++ b/policies/ecc-azure-299-function_app_health_check.yml
@@ -19,3 +19,4 @@ policies:
 key: healthCheckPath
 value: .+
 op: regex
+ comment: '0218172000'
diff --git a/policies/ecc-azure-300-app_gateway_tls_version.yml b/policies/ecc-azure-300-app_gateway_tls_version.yml
index 5b0f6076..716825d1 100644
--- a/policies/ecc-azure-300-app_gateway_tls_version.yml
+++ b/policies/ecc-azure-300-app_gateway_tls_version.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.sslPolicy.minProtocolVersion
 value: TLSv1_2
+ comment: '0223022000'
diff --git a/policies/ecc-azure-302-redis_cache_disabled_public_access.yml b/policies/ecc-azure-302-redis_cache_disabled_public_access.yml
index 27094219..d35a4522 100644
--- a/policies/ecc-azure-302-redis_cache_disabled_public_access.yml
+++ b/policies/ecc-azure-302-redis_cache_disabled_public_access.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.publicNetworkAccess
 value: Enabled
+ comment: '0239062000'
diff --git a/policies/ecc-azure-304-app_gateway_https.yml b/policies/ecc-azure-304-app_gateway_https.yml
index ad596951..bc6dc43f 100644
--- a/policies/ecc-azure-304-app_gateway_https.yml
+++ b/policies/ecc-azure-304-app_gateway_https.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.httpListeners[].properties.protocol
 value: https
 op: regex
+ comment: '0244022000'
diff --git a/policies/ecc-azure-305-cis_storage_account_minimum_tls.yml b/policies/ecc-azure-305-cis_storage_account_minimum_tls.yml
index cceb9404..ef87d7e8 100644
--- a/policies/ecc-azure-305-cis_storage_account_minimum_tls.yml
+++ b/policies/ecc-azure-305-cis_storage_account_minimum_tls.yml
@@ -18,3 +18,4 @@ policies:
 - type: value
 key: properties.minimumTlsVersion
 value: TLS1_2
+ comment: '0223041500'
diff --git a/policies/ecc-azure-306-cis_postgresql_infrastructure_double_enc.yml b/policies/ecc-azure-306-cis_postgresql_infrastructure_double_enc.yml
index 4e90f2ff..a487c8ff 100644
--- a/policies/ecc-azure-306-cis_postgresql_infrastructure_double_enc.yml
+++ b/policies/ecc-azure-306-cis_postgresql_infrastructure_double_enc.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.infrastructureEncryption
 value: Disabled
+ comment: '0243061500'
diff --git a/policies/ecc-azure-310-asb_defender_open_source_rds.yml b/policies/ecc-azure-310-asb_defender_open_source_rds.yml
index a876653b..7af7736a 100644
--- a/policies/ecc-azure-310-asb_defender_open_source_rds.yml
+++ b/policies/ecc-azure-310-asb_defender_open_source_rds.yml
@@ -18,3 +18,4 @@ policies:
 key: properties.pricingTier
 value: Standard
 op: ne
+ comment: '0232180000'
diff --git a/policies/ecc-azure-323-linux_vmss_ssh.yml b/policies/ecc-azure-323-linux_vmss_ssh.yml
index 18dc6a58..170a989b 100644
--- a/policies/ecc-azure-323-linux_vmss_ssh.yml
+++ b/policies/ecc-azure-323-linux_vmss_ssh.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication
 value: false
+ comment: '0223032000'
diff --git a/policies/ecc-azure-327-data_factory_git_repo.yml b/policies/ecc-azure-327-data_factory_git_repo.yml
index 115debfc..c4727c4d 100644
--- a/policies/ecc-azure-327-data_factory_git_repo.yml
+++ b/policies/ecc-azure-327-data_factory_git_repo.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.repoConfiguration
 value: absent
+ comment: '0220052000'
diff --git a/policies/ecc-azure-328-data_factory_cmk.yml b/policies/ecc-azure-328-data_factory_cmk.yml
index f5dcd12f..5f16cacc 100644
--- a/policies/ecc-azure-328-data_factory_cmk.yml
+++ b/policies/ecc-azure-328-data_factory_cmk.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.encryption
 value: absent
+ comment: '0243052000'
diff --git a/policies/ecc-azure-329-batch_cmk.yml b/policies/ecc-azure-329-batch_cmk.yml
index 726fda9c..7d3c41d9 100644
--- a/policies/ecc-azure-329-batch_cmk.yml
+++ b/policies/ecc-azure-329-batch_cmk.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.encryption.keySource
 value: Microsoft.Batch
+ comment: '0243092000'
diff --git a/policies/ecc-azure-331-app_service_detailed_error_messages.yml b/policies/ecc-azure-331-app_service_detailed_error_messages.yml
index bc9dd566..89d21644 100644
--- a/policies/ecc-azure-331-app_service_detailed_error_messages.yml
+++ b/policies/ecc-azure-331-app_service_detailed_error_messages.yml
@@ -17,3 +17,4 @@ policies:
 - type: configuration
 key: detailedErrorLoggingEnabled
 value: false
+ comment: '0219172000'
diff --git a/policies/ecc-azure-332-app_service_request_tracing.yml b/policies/ecc-azure-332-app_service_request_tracing.yml
index b8dd95ac..bb0d36c5 100644
--- a/policies/ecc-azure-332-app_service_request_tracing.yml
+++ b/policies/ecc-azure-332-app_service_request_tracing.yml
@@ -17,3 +17,4 @@ policies:
 - type: configuration
 key: requestTracingEnabled
 value: false
+ comment: '0219172000'
diff --git a/policies/ecc-azure-333-iot_hub_public_access.yml b/policies/ecc-azure-333-iot_hub_public_access.yml
index df73907a..efc70425 100644
--- a/policies/ecc-azure-333-iot_hub_public_access.yml
+++ b/policies/ecc-azure-333-iot_hub_public_access.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.publicNetworkAccess
 value: Enabled
+ comment: '0240022000'
diff --git a/policies/ecc-azure-334-cosmosdb_priveleged_escalation.yml b/policies/ecc-azure-334-cosmosdb_priveleged_escalation.yml
index 7bbb7280..271c7c3c 100644
--- a/policies/ecc-azure-334-cosmosdb_priveleged_escalation.yml
+++ b/policies/ecc-azure-334-cosmosdb_priveleged_escalation.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.disableKeyBasedMetadataWriteAccess
 value: true
+ comment: '0233062000'
diff --git a/policies/ecc-azure-336-vmss_encryption_at_host.yml b/policies/ecc-azure-336-vmss_encryption_at_host.yml
index 9fb72019..ea5d59e5 100644
--- a/policies/ecc-azure-336-vmss_encryption_at_host.yml
+++ b/policies/ecc-azure-336-vmss_encryption_at_host.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.virtualMachineProfile.securityProfile.encryptionAtHost
 value: true
+ comment: '0243032000'
diff --git a/policies/ecc-azure-337-vm_antimalware_auto_updates.yml b/policies/ecc-azure-337-vm_antimalware_auto_updates.yml
index 0a87f59f..14128324 100644
--- a/policies/ecc-azure-337-vm_antimalware_auto_updates.yml
+++ b/policies/ecc-azure-337-vm_antimalware_auto_updates.yml
@@ -13,3 +13,4 @@ policies:
 - type: vm-extensions
 key: length([?properties.type == 'IaaSAntimalware' && properties.provisioningState == 'Succeeded' && properties.autoUpgradeMinorVersion == `true`])
 value: 0
+ comment: '0221032000'
diff --git a/policies/ecc-azure-339-kv_secrets_content_type.yml b/policies/ecc-azure-339-kv_secrets_content_type.yml
index 7d335da4..33ac878a 100644
--- a/policies/ecc-azure-339-kv_secrets_content_type.yml
+++ b/policies/ecc-azure-339-kv_secrets_content_type.yml
@@ -15,3 +15,4 @@ policies:
 key: content_type
 value: .+
 op: regex
+ comment: '0210102000'
diff --git a/policies/ecc-azure-340-appgw_waf_log4j.yml b/policies/ecc-azure-340-appgw_waf_log4j.yml
index 5e67e9c3..7a117b96 100644
--- a/policies/ecc-azure-340-appgw_waf_log4j.yml
+++ b/policies/ecc-azure-340-appgw_waf_log4j.yml
@@ -23,3 +23,4 @@ policies:
 key: properties.webApplicationFirewallConfiguration.disabledRuleGroups[?ruleGroupName == 'Known-CVEs'].rules[]
 op: contains
 value: 800100
+ comment: '0223022000'
diff --git a/policies/ecc-azure-342-mssql_latest_tls.yml b/policies/ecc-azure-342-mssql_latest_tls.yml
index fce5f27c..197c32ec 100644
--- a/policies/ecc-azure-342-mssql_latest_tls.yml
+++ b/policies/ecc-azure-342-mssql_latest_tls.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.minimalTlsVersion
 value: '1.2'
+ comment: '0221062000'
diff --git a/policies/ecc-azure-353-vmss_auto_image_patching.yml b/policies/ecc-azure-353-vmss_auto_image_patching.yml
index 634c2c86..039690ef 100644
--- a/policies/ecc-azure-353-vmss_auto_image_patching.yml
+++ b/policies/ecc-azure-353-vmss_auto_image_patching.yml
@@ -14,3 +14,4 @@ policies:
 - type: value
 key: properties.upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade
 value: true
+ comment: '0221032000'
diff --git a/policies/ecc-azure-354-acr_anonymous_pull.yml b/policies/ecc-azure-354-acr_anonymous_pull.yml
index dea296f5..4a2c5af0 100644
--- a/policies/ecc-azure-354-acr_anonymous_pull.yml
+++ b/policies/ecc-azure-354-acr_anonymous_pull.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.anonymousPullEnabled
 value: true
+ comment: '0233082000'
diff --git a/policies/ecc-azure-357-databricks_public_access.yml b/policies/ecc-azure-357-databricks_public_access.yml
index 7ade46fc..b4481715 100644
--- a/policies/ecc-azure-357-databricks_public_access.yml
+++ b/policies/ecc-azure-357-databricks_public_access.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: properties.parameters.enableNoPublicIp.value
 value: false
+ comment: '0240052000'
diff --git a/policies/ecc-azure-365-resource_tag_api_management.yml b/policies/ecc-azure-365-resource_tag_api_management.yml
index 45783b6e..f8ab227e 100644
--- a/policies/ecc-azure-365-resource_tag_api_management.yml
+++ b/policies/ecc-azure-365-resource_tag_api_management.yml
@@ -13,3 +13,4 @@ policies:
 - type: value
 key: tags
 value: empty
+ comment: '0210092000'
diff --git a/policies/ecc-azure-367-vm_omi_vulnerability.yml b/policies/ecc-azure-367-vm_omi_vulnerability.yml
index 2f23fc8d..37dc0d70 100644
--- a/policies/ecc-azure-367-vm_omi_vulnerability.yml
+++ b/policies/ecc-azure-367-vm_omi_vulnerability.yml
@@ -29,3 +29,4 @@ policies:
 key: "[].properties.typeHandlerVersion"
 value: "1.14"
 value_type: swap
+ comment: '0221032000'
diff --git a/policies/ecc-azure-368-vmss_omi_vulnerability.yml b/policies/ecc-azure-368-vmss_omi_vulnerability.yml
index 5daa4f4a..664be925 100644
--- a/policies/ecc-azure-368-vmss_omi_vulnerability.yml
+++ b/policies/ecc-azure-368-vmss_omi_vulnerability.yml
@@ -19,3 +19,4 @@ policies:
 key: properties.virtualMachineProfile.extensionProfile.extensions[].properties.typeHandlerVersion
 value: "1.14"
 op: regex
+ comment: '0221032000'
diff --git a/policies/ecc-azure-369-cis_sa_infrastructure_encryption.yml b/policies/ecc-azure-369-cis_sa_infrastructure_encryption.yml
index 2297ba14..c3f76f62 100644
--- a/policies/ecc-azure-369-cis_sa_infrastructure_encryption.yml
+++ b/policies/ecc-azure-369-cis_sa_infrastructure_encryption.yml
@@ -18,3 +18,4 @@ policies:
 - type: value
 key: properties.encryption.requireInfrastructureEncryption
 value: true
+ comment: '0243041500'
diff --git a/policies/ecc-azure-370-cis_cosmosdb_private_endpoint.yml b/policies/ecc-azure-370-cis_cosmosdb_private_endpoint.yml
index b0a264de..539e43e6 100644
--- a/policies/ecc-azure-370-cis_cosmosdb_private_endpoint.yml
+++ b/policies/ecc-azure-370-cis_cosmosdb_private_endpoint.yml
@@ -15,3 +15,4 @@ policies:
 key: properties.privateEndpointConnections[].properties.privateLinkServiceConnectionState.status
 value: Approved
 op: contains
+ comment: '0239021500'
diff --git a/policies/ecc-azure-376-cis_defender_cosmodb.yml b/policies/ecc-azure-376-cis_defender_cosmodb.yml
index 589d9ff0..6daf7401 100644
--- a/policies/ecc-azure-376-cis_defender_cosmodb.yml
+++ b/policies/ecc-azure-376-cis_defender_cosmodb.yml
@@ -17,3 +17,4 @@ policies:
 - type: value
 key: properties.pricingTier
 value: Standard
+ comment: '0232181500'