Monitoring log profile without all activities

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Monitoring log profile without all activities

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 89f84a1e-75f8-47c5-83b5-bee8e2de4168

Cloud Provider: Azure

Platform: Ansible

Severity: Medium

Category: Observability

Learn More

Provider Reference

Description

Monitor log profiles must include the Write, Action, and Delete categories so Azure records operations, configuration changes, and deletions. These records support detection, auditing, and forensic investigations.

In Ansible tasks using azure.azcollection.azure_rm_monitorlogprofile (or azure_rm_monitorlogprofile), the categories property must be defined as a list and include the values Write, Action, and Delete (case-insensitive). Tasks missing the categories property or omitting any of these categories are flagged.

Secure configuration example:

- name: Create monitor log profile
  azure_rm_monitorlogprofile:
    name: myLogProfile
    categories:
      - Write
      - Action
      - Delete
    locations:
      - eastus
    retention_policy:
      enabled: false

Compliant Code Examples

- name: Create a log profile
  azure_rm_monitorlogprofile:
    name: myProfile
    location: eastus
    locations:
    - eastus
    - westus
    categories:
    - Write
    - Action
    - Delete
    retention_policy:
      enabled: false
      days: 1
    storage_account:
      resource_group: myResourceGroup
      name: myStorageAccount
  register: output

Non-Compliant Code Examples

---
- name: Create a log profile
  azure_rm_monitorlogprofile:
    name: myProfile
    location: eastus
    locations:
      - eastus
      - westus
    categories:
      - Write
      - Action
    retention_policy:
      enabled: False
      days: 1
    storage_account:
      resource_group: myResourceGroup
      name: myStorageAccount
  register: output

- name: Create a log profile2
  azure_rm_monitorlogprofile:
    name: myProfile
    location: eastus
    locations:
      - eastus
      - westus
    retention_policy:
      enabled: False
      days: 1
    storage_account:
      resource_group: myResourceGroup
      name: myStorageAccount
  register: output