
Azure CIS 1.3.1 Benchmark Report

The Azure CIS 1.3.1 benchmark report was added as of the v4.32 platform release. This report will continue to co-exist with the CIS 1.0 benchmark report for Azure. The CIS 1.0 benchmark will eventually be deprecated once all Lacework customers have had time to migrate to the latest report.

Prerequisites

The following articles describe how to integrate your Azure environment with the Lacework Compliance platform. Completing these will prepare your environment for the Azure CIS 1.3.1 benchmark.

Choose one of the following options:

  1. Azure Compliance Integration - Manually using the Azure Portal
    • This guide includes links to existing articles for creating the Azure App and gathering the required information. Previous methods are now deprecated.
  2. Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell
    • This guide has been updated for the new 1.0 Terraform module.
  3. Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host
    • This guide has been updated for the new 1.0 Terraform module.
Note: For Terraform, the new Azure CIS 1.3.1 benchmark will run under your existing integration, but will require an upgrade by 2022.

Enable the Azure CIS 1.3.1 Benchmark

The Azure CIS 1.3.1 benchmark is released with all policies/recommendations disabled. Enabling the new benchmark will depend on your current setup.

The Automatically enable Lacework default policies option in the Lacework Console (Settings > General > Lacework Policy subscriptions) overrides the shipped settings.

[Screenshot: the Lacework Policy subscriptions setting in the Console (console_lw_policy_subscriptions_enabled.png)]

For example, the following scenarios could exist in your environment:

  • If you have subscribed to only Critical and High severity policies, the Azure CIS 1.3.1 report honors that setting, so only its policies with severity Critical and High default to ON.
  • If you have subscribed to all policy severities, all of the Azure CIS 1.3.1 benchmark rules are set to ON.
Note: This behavior is affected by a known issue when the Automatically enable Lacework default policies option is switched on. See Known Issue with Lacework Policy subscriptions Setting below for the additional steps needed to enable the benchmark correctly.

We encourage you to review your global policy settings as and when new reports and benchmarks are released.

Enable or Disable Specific Policies

Once access is granted, the CIS 1.3.1 benchmarks are suppressed by default (see the known issue below if you have Lacework Policy subscriptions enabled in General Settings).

Switch them on by going to the Azure Compliance Reports page (Compliance > Azure > Reports) and selecting Actions > Advanced Suppression on any of the benchmark rules. The Azure CIS 1.3.1 benchmark rules are listed in the format Azure_CIS131_*; switch on the ones that you require.

In a future release, the option to enable or disable all rules in a Suppressions list will be available.

Known Issue with Lacework Policy subscriptions Setting

Check if your Lacework Policy subscriptions (Settings > General) are automatically enabled (or enabled for any severity).
[Screenshot: the Lacework Policy subscriptions setting in the Console (console_lw_policy_subscriptions_enabled.png)]

If they are enabled, the Advanced Suppression modal window will display the status as ON for some or all of the Azure_CIS131_* rules.
[Screenshot: the Advanced Suppression modal window (console_azure_compliance_adv_suppression_modal.png)]

This is a known issue in the Lacework Console when first running an Azure CIS 1.3.1 compliance report: the rules are shown as ON but remain disabled internally.

Manual Workaround

To resolve this:

  1. Go to the Azure Compliance Reports page (Compliance > Azure > Reports) and select Actions > Advanced Suppression on any of the benchmark rules.
    [Screenshot: the Actions > Advanced Suppression option (console_azure_compliance_adv_suppression_opt.png)]

  2. Manually disable all of the Azure_CIS131_* rules that are ON and click SAVE. Once this is done, the Azure CIS 1.3.1 rules can be enabled in the normal way.

CLI Workaround

Alternatively, use the Lacework CLI to disable and re-enable all CIS 1.3.1 report checks:

lacework configure show
# If the CLI is not installed, install and configure it first:
# curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
# lacework configure

# Disable all CIS 1.3.1 rules
lacework compliance azure disable CIS_1_3_1
# Enable all CIS 1.3.1 rules
lacework compliance azure enable CIS_1_3_1

Once the new rules have been activated, either wait 24h or manually run a new Compliance Report.

lacework compliance azure run-assessment $(lacework compliance azure list-tenants --json | jq -r ".azure_tenants[0]")

The same CLI commands can also be used to disable and enable Lacework custom rules, or all rules. Run them with the -h flag to see the options available:

lacework compliance azure enable -h
lacework compliance azure disable -h
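The CLI workaround above, wrapped in a small Python script as an added example (this is not Lacework's own code): it reads the tenant list, disables and re-enables the CIS 1.3.1 checks, and then runs an assessment for every integrated tenant rather than only the first one, which is what the `jq -r ".azure_tenants[0]"` filter above selects. It assumes the `lacework` CLI is installed and configured, and that `lacework compliance azure list-tenants --json` prints an object with an `azure_tenants` array of tenant ID strings, the shape implied by that filter. The function names (`parse_tenants`, `workaround_commands`, `apply_workaround`) and the sample tenant listing are constructed for this example.

```python
"""Re-enable the Azure CIS 1.3.1 report checks and assess every tenant.

Added example wrapping the Lacework CLI commands from the docs page; it is not
Lacework's own code. Assumes `lacework` is installed and configured, and that
`lacework compliance azure list-tenants --json` returns
{"azure_tenants": ["<tenant-id>", ...]} (the shape implied by the page's jq filter).
"""
import json
import subprocess
import sys
from typing import Callable, List, Sequence

Argv = List[str]
Runner = Callable[[Argv], str]  # runs one command, returns its stdout

BENCHMARK = "CIS_1_3_1"

# Constructed sample listing used only for --dry-run and for tests.
SAMPLE_LISTING = json.dumps({
    "azure_tenants": [
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    ]
})


def parse_tenants(list_tenants_json: str) -> List[str]:
    """Extract tenant IDs from the list-tenants JSON, rejecting unexpected shapes."""
    data = json.loads(list_tenants_json)
    tenants = data.get("azure_tenants") if isinstance(data, dict) else None
    if not isinstance(tenants, list):
        raise ValueError("expected an 'azure_tenants' array in list-tenants output")
    ids = [t for t in tenants if isinstance(t, str) and t.strip()]
    if len(ids) != len(tenants):
        raise ValueError("tenant list contains non-string or empty entries")
    return ids


def workaround_commands(tenants: Sequence[str]) -> List[Argv]:
    """The page's workaround as argv lists: disable, re-enable, then assess each tenant."""
    cmds = [
        ["lacework", "compliance", "azure", "disable", BENCHMARK],
        ["lacework", "compliance", "azure", "enable", BENCHMARK],
    ]
    for tenant in tenants:
        cmds.append(["lacework", "compliance", "azure", "run-assessment", tenant])
    return cmds


def subprocess_runner(argv: Argv) -> str:
    """Default runner: argv list with no shell, so tenant IDs are never shell-interpreted."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def dry_run_runner(argv: Argv) -> str:
    """Prints what would run and feeds the constructed listing instead of calling the CLI."""
    print("would run:", " ".join(argv))
    return SAMPLE_LISTING if "list-tenants" in argv else ""


def apply_workaround(runner: Runner = subprocess_runner) -> List[Argv]:
    """Run the full workaround; returns the commands executed so callers can log them."""
    listing = runner(["lacework", "compliance", "azure", "list-tenants", "--json"])
    tenants = parse_tenants(listing)
    if not tenants:
        raise RuntimeError("no Azure tenants integrated; nothing to assess")
    executed = workaround_commands(tenants)
    for argv in executed:
        runner(argv)
    return executed


if __name__ == "__main__":
    chosen = dry_run_runner if "--dry-run" in sys.argv[1:] else subprocess_runner
    for argv in apply_workaround(chosen):
        print("ran:", " ".join(argv))
```

Run it with `--dry-run` first to see the command sequence without touching the account; the real run still needs the 24h wait or the manual report refresh described above before the new results appear.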

Automated vs Manual Rules

Lacework uses the CIS Workbench Benchmarks to automate your Compliance rules where it is possible to do so.

Automated rules that were deemed "manual"

In some cases, Lacework is able to automate some of the Azure CIS 1.3.1 benchmark rules that were deemed as "manual" by CIS. The following table outlines these rules:

Automated Rules: Azure_CIS131_3_3, Azure_CIS131_3_7, Azure_CIS131_3_10, Azure_CIS131_3_11
Action: Lacework has automated these rules, which are described as Manual in the Azure CIS 1.3.1 benchmark.
Rationale: Lacework has submitted corrections to CIS for these rules and their auditing procedure, in place for the upcoming 1.4.0 benchmark. More details can be found at the CIS Workbench.

Manual rules that were deemed "automated"

For some of the benchmark rules, it is not possible to automate the checks in an Azure environment. As such, manual auditing of these rules in your Azure environment is required.

The table below outlines the Azure CIS 1.3.1 benchmark rules that require manual checks:

Manual Rules: Azure_CIS131_1_3, Azure_CIS131_1_22, Azure_CIS131_3_9, Azure_CIS131_5_1_1, Azure_CIS131_5_3, Azure_CIS131_8_1, Azure_CIS131_8_3
Action: Lacework has marked these rules as manual processing only. They cannot be fully automated for one of the following reasons:
  • The scope is defined by the user.
  • The check requires configuring other products or API permissions that are out of scope.
  • There are known issues with the audit procedure described by the CIS control rule.
Rationale: Lacework has submitted corrections to CIS for these rules, in place for the upcoming 1.4.0 benchmark. More details can be found at the CIS Workbench.

Lacework Custom Rules

The following custom rules are used to automate certain "manual" CIS 1.3.1 benchmark rules as closely as possible to their original intent:

Lacework Custom Rule    CIS Rule
LW_Azure_IAM_1          Azure_CIS131_1_1
LW_Azure_IAM_2          Azure_CIS131_1_2
LW_Azure_IAM_3          Azure_CIS131_1_3

These CIS rules were originally considered at the Tenant-level, but the custom versions are implemented at the Subscription-level.

Important: These rules can only be enabled and automated if you have enabled Azure Security Center (free). See Azure FAQs for further information.