cnspec-policies
Azure core policies fail to compile
Describe the bug
cnspec scan azure fails to compile the official Azure policies with a strange "cannot find resource for identifier 'microsoft'" error.
To Reproduce
- download cnspec from GitHub releases
- login to Azure CLI as Global Reader
- run cnspec scan azure
Expected behavior
cnspec should test the mondoo-azure-security.mql.yaml policy against my Azure tenant.
Screenshots or CLI Output
❯ az login --use-device-code
❯ ./cnspec shell azure
→ no Mondoo configuration file provided, using defaults
→ selected asset asset="Azure subscription Pay per Use (XXXXXX)" selection=0
→ connected to Azure Subscription
...
cnspec> azure.subscription.name
azure.subscription.name: "Pay per Use (XXXXXX)"
cnspec> exit
❯ ./cnspec scan azure
→ no Mondoo configuration file provided, using defaults
! No credentials provided. Switching to --incognito mode.
→ discover related assets for 1 asset(s)
...
0/3 scanned 3/3 errored
...
error: failed to compile fetched bundle: failed to validate query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-azure-security-ensure-multifactor-authentication-is-enabled-for-all-users-in-administrative-roles': failed to compile query 'microsoft.security.latestSecureScores.controlScores.one( _['controlName'] == 'AdminMFAV2' && _['score'] == 10 )': cannot find resource for identifier 'microsoft'
failed to validate query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-azure-security-ensure-that-between-two-and-four-global-admins-are-designated': failed to compile query 'microsoft.rolemanagement.roleDefinitions.where(displayName == "Global Administrator").all(assignments.length > 1 && assignments.length <= 4)': cannot find resource for identifier 'microsoft'
failed to validate query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-azure-security-ensure-multifactor-authentication-is-enabled-for-all-users-in-all-roles': failed to compile query 'microsoft.security.latestSecureScores.controlScores.one( _['controlName'] == 'MFARegistrationV2' && _['score'] == 9)': cannot find resource for identifier 'microsoft'
failed to validate query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-azure-security-enable-azure-ad-identity-protection-user-risk-policies': failed to compile query 'microsoft.security.latestSecureScores.controlScores.one( _['controlName'] == 'UserRiskPolicy' && _['score'] == 7 )': cannot find resource for identifier 'microsoft'
failed to validate query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-azure-security-enable-azure-ad-identity-protection-sign-in-risk-policies': failed to compile query 'microsoft.security.latestSecureScores.controlScores.one( _['controlName'] == 'SigninRiskPolicy' && _['score'] == 7 )': cannot find resource for identifier 'microsoft'
failed to validate query '//registry.mondoo.com/namespace/mondoohq/queries/mondoo-azure-security-ensure-security-defaults-is-enabled-on-azure-active-directory': failed to compile query 'microsoft.policies.identitySecurityDefaultsEnforcementPolicy["isEnabled"] == true': failed to compile: cannot find resource for identifier 'microsoft'
...
Desktop (please complete the following information):
- OS: Arch Linux
- OS Version: na
- Browser if applicable: na
- Browser Version: na
Additional context
Tested with cnspec 9.4.0, 9.5.0 and 9.5.1.