CIS 2.1.0 output has missing checks [Bug]: #3907

Closed
littlestewart opened this issue Apr 30, 2024 · 4 comments

@littlestewart

Steps to Reproduce

  1. prowler azure --tenant-id --browser-auth --compliance cis_2.1_azure

Expected behavior

I expect all the checks from the CIS Azure V2.1.0 to be included in the CSV/XLSX output.

Actual Result with Screenshots or Logs

In the image, you can see that in the Excel file, the first check in the list is 1.1.4, but it should actually be 1.1.1, 1.1.2, and 1.1.3. Additionally, many other checks from the official CIS Microsoft Azure Foundation Benchmark v2.1.0 are missing in the output.

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Workstation

OS used

Kali Linux

Prowler version

Prowler 4.1.0

Pip version

pip 23.3.2

Context

No response

@littlestewart littlestewart added bug status/needs-triage Issue pending triage labels Apr 30, 2024
@pedrooot pedrooot self-assigned this May 2, 2024
@pedrooot
Member

pedrooot commented May 2, 2024

Hi @littlestewart, we are investigating this issue to fine-tune CIS on Prowler. I'll reach out to you with a solution soon. Thanks for using Prowler! 🚀

@pedrooot
Member

pedrooot commented May 2, 2024

Hi! @littlestewart I've been investigating this issue:

  • When a compliance is executed, Prowler starts writing in the output the requirements that have no checks mapped or associated with Prowler. I think that's the reason why you can't see the requirement IDs before 1.1.4 (for example). If you go down in the file, you will find the requirements 1.1.1... This takes me to the second point.
  • If a requirement has a check mapped in Prowler and this check has no findings, it won't appear in the output. For example: Requirement 4.4.1 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server won't appear in the output unless you have at least one mysql flexible server in your subscription.

Also, by executing prowler azure --list-compliance-requirements cis_2.1_azure you will get all the requirements mapped in Prowler and the related checks for CIS 2.1 on Azure.
I hope everything is clear. If you still have any questions or comments, don't hesitate to reopen this issue. Thanks for using Prowler!! 🚀

@pedrooot pedrooot closed this as completed May 2, 2024
@pedrooot pedrooot added status/awaiting-reponse Waiting response from Issue owner and removed status/needs-triage Issue pending triage labels May 2, 2024
@jfagoagas jfagoagas removed the bug label May 3, 2024
@littlestewart
Author

The issue is that I need all the checks of the CIS in the Excel reports file to show the client what we are auditing. The advantage of using Prowler is to automate most of the checks and to automate the generation of Excel reports. I already know that I can view the list of CIS controls using the --list-compliance-requirements option. So, why not simply add all the controls to the generated Excel report and mark them as "N/A" in the status field when a control hasn't been validated for various reasons? I need to have the entire list in the Excel file... I don't want to manually add them to the Excel file every time for the client... For example, if there are 80 controls in the CIS, could you add them all to the Excel file and mark them as "N/A" if it could not be verified? Thank you for your help.

@littlestewart
Author

littlestewart commented May 10, 2024

Also, this will help to know what checks still need to be validated "Manually".
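
A post-processing sketch for the gap discussed in this thread, added here as an example and not code from Prowler or from either participant: it merges a requirement listing with the compliance CSV, appends an "N/A" row for every requirement the report omits, and restores ID order. The column names (`Requirements_Id`, `Status`, `CheckId`), the `;` delimiter, the check names, requirement 10.1 and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed inputs. Column names and check names are assumptions for this
# sketch, not Prowler's confirmed output schema.
REQUIREMENTS = {            # requirement id -> checks mapped to it
    "1.1.1": ["hypothetical_mfa_check"],
    "1.1.2": [],            # no automated check mapped (manual requirement)
    "1.1.4": [],
    "4.4.1": ["hypothetical_mysql_ssl_check"],
    "10.1": ["hypothetical_lock_check"],
}
REPORT_CSV = """Requirements_Id;Status;CheckId
1.1.4;MANUAL;manual
1.1.2;MANUAL;manual
1.1.1;FAIL;hypothetical_mfa_check
1.1.1;PASS;hypothetical_mfa_check
"""

def req_key(req_id):
    """Sort '1.1.10' after '1.1.2' by comparing numeric components."""
    return tuple(int(part) for part in req_id.split("."))

def complete_report(requirements, report_csv):
    """Return every report row plus an N/A row for each requirement the
    report omits, ordered by requirement id."""
    rows = list(csv.DictReader(io.StringIO(report_csv), delimiter=";"))
    seen = {row["Requirements_Id"] for row in rows}
    for req_id, checks in requirements.items():
        if req_id in seen:
            continue
        reason = ("mapped checks produced no findings" if checks
                  else "no check mapped")
        rows.append({"Requirements_Id": req_id, "Status": "N/A",
                     "CheckId": ",".join(checks) or "manual",
                     "Reason": reason})
    # sorted() is stable, so multiple findings per requirement keep their order
    return sorted(rows, key=lambda r: req_key(r["Requirements_Id"]))

if __name__ == "__main__":
    for row in complete_report(REQUIREMENTS, REPORT_CSV):
        print(row["Requirements_Id"], row["Status"], row.get("Reason", ""))
```

The `Reason` value separates requirements whose mapped checks found no resources to evaluate from requirements with no automated check at all, which is the list that still needs manual validation.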
