PSRule.Rules.Azure
Reference to Azure Security Benchmark
Discussed in https://github.com/Azure/PSRule.Rules.Azure/discussions/1244
Originally posted by BernieWhite, February 8, 2022

Some rules specifically check security controls defined in Azure Security Benchmark.
ASB provides a reference point to map Azure controls to other security standards, for example:
| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
|---|---|---|
| 5.4, 6.8 | AC-2, AC-6 | 7.1, 7.2, 8.1 |
This enhancement aims to map rules from the Security pillar to Azure Security Benchmark.
Rules will be tagged with two key/value pairs:

- `Azure.WAF/pillar`, which will be set to `Security`
- `Azure.ASB.v3/control`, which will be set to the control ID from ASB.
Syntax:

```yaml
Azure.WAF/pillar: 'Security'
Azure.ASB.v3/control: 'XX-N'
```
For example, in YAML:

```yaml
---
# Synopsis: Internet accessible Application Gateways should protect endpoints with WAF.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.AppGw.UseWAF
  ref: AZR-000063
  tags:
    release: 'GA'
    ruleSet: '2020_06'
    Azure.WAF/pillar: 'Security'
    Azure.ASB.v3/control: 'NS-6'
spec:
  with:
  - Azure.IsAppGwPublic
  condition:
    field: properties.sku.tier
    in:
    - WAF
    - WAF_v2
```
For example, in PowerShell:

```powershell
# Synopsis: App Service should reject TLS versions older than 1.2.
Rule 'Azure.AppService.MinTLS' -Ref 'AZR-000073' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; 'Azure.ASB.v3/control' = 'DP-3' } {
    $siteConfigs = @(GetWebSiteConfig);
    if ($siteConfigs.Length -eq 0) {
        # No site config sub-resources: check the minimum TLS version on the site itself.
        return $Assert.
            HasFieldValue($TargetObject, 'properties.siteConfig.minTlsVersion', '1.2').
            ReasonFrom('properties.siteConfig.minTlsVersion', $LocalizedData.MinTLSVersion, $TargetObject.properties.siteConfig.minTlsVersion);
    }
    foreach ($siteConfig in $siteConfigs) {
        # Check each site config sub-resource, prefixing the reason with its path.
        $path = $siteConfig._PSRule.path;
        $Assert.
            HasFieldValue($siteConfig, 'properties.minTlsVersion', '1.2').
            ReasonFrom('properties.minTlsVersion', $LocalizedData.MinTLSVersion, $siteConfig.properties.minTlsVersion).PathPrefix($path);
    }
}
```
Rules that are already mapped include:

- Azure.AppService.MinTLS
- Azure.CDN.MinTLS
- Azure.FrontDoor.MinTLS
- Azure.FrontDoor.UseWAF
- Azure.KeyVault.AutoRotationPolicy
- Azure.VNET.UseNSGs
- Azure.AppGw.UseWAF
- Azure.AppGw.SSLPolicy
- Azure.AppGw.WAFEnabled
- Azure.EventGrid.DisableLocalAuth
- Azure.FrontDoor.WAF.Enabled
- Azure.MySQL.MinTLS
- Azure.PostgreSQL.MinTLS
- Azure.SQL.MinTLS
- Azure.Storage.MinTLS
- Azure.Storage.SecureTransfer
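The point of the tags above is that they are filterable. The following PowerShell is an added example, not code from the discussion or from the PSRule.Rules.Azure project, showing how the `Azure.WAF/pillar` and `Azure.ASB.v3/control` tags can be used to list the mapped rules per control and to run only the rules for a single control. It assumes the PSRule and PSRule.Rules.Azure modules are installed, that a resource export named `resources.json` exists in the current directory (a placeholder), and that the `Tag` property of a rule object exposes `ToHashtable()` (an assumption about the object shape; the `-Tag` filters on `Get-PSRule` and `Invoke-PSRule` are the documented part).

```powershell
# Added example: use the ASB tags to select rules. Not from the original post.
# Assumes: PSRule and PSRule.Rules.Azure are installed; .\resources.json is a
# placeholder path to an exported set of Azure resources.

# List every Security-pillar rule that has been mapped to an ASB v3 control,
# grouped by control ID so gaps in the mapping are easy to spot.
Get-PSRule -Module PSRule.Rules.Azure -Tag @{ 'Azure.WAF/pillar' = 'Security' } |
    ForEach-Object {
        # Assumption: the Tag property can be converted to a hashtable.
        $tags = $_.Tag.ToHashtable()
        [PSCustomObject]@{
            RuleName = $_.RuleName
            Control  = $tags['Azure.ASB.v3/control']
        }
    } |
    Where-Object { $_.Control } |
    Group-Object Control |
    Sort-Object Name |
    Select-Object Name, Count, @{ n = 'Rules'; e = { $_.Group.RuleName -join ', ' } }

# Run only the rules mapped to one control, here DP-3 (encrypt data in transit),
# and show the failures. Rules without a matching tag are skipped entirely.
Invoke-PSRule -Module PSRule.Rules.Azure -InputPath .\resources.json `
    -Tag @{ 'Azure.ASB.v3/control' = 'DP-3' } -Outcome Fail
```

Filtering on the control tag is also how a baseline can scope a run to a subset of ASB controls, which is what makes the mapping useful beyond documentation.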
I am working on mapping the rules to the ASB alphabetically starting with ACR.
I have finished mapping the rules and will have them all included in a PR with the baseline for #1634
These are the common controls across most Azure Resources:

- NS-1 Establish network segmentation boundaries (VNet integration)
- AM-1 Track asset inventory and their risks (Tags)
- AM-2 Use only approved services (Azure Policy Enforcement)
- LT-1 Enable Threat detection capabilities (defender enabled)
- LT-2 Threat detection for identity and access management (defender enabled)
- LT-3 Enable Logging for Security investigation (logging enabled)
- IM-1 Use centralized identity and authentication system (AAD in use for example SQL and service fabric)
- IM-3 Manage application identities securely and automatically (private endpoints where applicable)
- PV-2 Audit and ensure secure configuration (see xlsx)
- PV-6 Rapidly and automatically remediate vulnerabilities (see xlsx)
- DP-3 Encrypt sensitive data in transit (TLS)
@jagoodwin Ok awesome. We can focus on adding rules for these. Then we can look at others as they come up.