
Azure plugins to cover CIS Benchmark

Open abernalsec opened this issue 4 years ago • 6 comments

I noticed that there are a lot of plugins that assess Azure environments for CIS Benchmark but they don't generate any output regarding it. So I modified about 74 Azure plugins to ensure that there is more CIS coverage. The list of plugins is as follows:

  • ensureNoGuestUser.js
  • noCustomOwnerRoles.js
  • standardPricingEnabled.js
  • autoProvisioningEnabled.js
  • monitorSystemUpdates.js
  • monitorEndpointProtection.js
  • monitorDiskEncryption.js
  • monitorNsgEnabled.js
  • monitorVMVulnerability.js
  • monitorBlobEncryption.js
  • monitorJitNetworkAccess.js
  • appWhitelistingEnabled.js
  • monitorSqlAuditing.js
  • monitorSqlEncryption.js
  • securityContactsEnabled.js
  • securityContactsEnabledPhone.js
  • highSeverityAlertsEnabled.js
  • adminSecurityAlertsEnabled.js
  • storageAccountsHttps.js
  • networkAccessDefaultAction.js
  • trustedMsAccessEnabled.js
  • serverAuditingEnabled.js
  • auditActionGroupsEnabled.js
  • auditRetentionPolicy.js
  • advancedDataSecurityEnabled.js
  • sendAlertsEnabled.js
  • emailAccountAdminsEnabled.js
  • azureADAdminEnabled.js
  • tdeProtectorEncrypted.js
  • enforceMySQLSSLConnection.js
  • logCheckpointsEnabled.js
  • enforcePostgresSSLConnection.js
  • logConnectionsEnabled.js
  • logDisconnectionsEnabled.js
  • logDurationEnabled.js
  • connectionThrottlingEnabled.js
  • logRetentionDays.js
  • azureADAdminEnabled.js
  • logProfileRetentionPolicy.js
  • logProfileArchiveData.js
  • logContainerPublicAccess.js
  • logStorageEncryption.js
  • kvLogAnalyticsEnabled.js
  • policyAssignmentLogging.js
  • nsgLoggingEnabled.js
  • nsgLoggingEnabled.js
  • nsgRuleLoggingEnabled.js
  • nsgRuleLoggingEnabled.js
  • securitySolutionLogging.js
  • securitySolutionLogging.js
  • sqlServerFirewallRuleEnabled.js
  • securityPolicyAlertsEnabled.js
  • openRDP.js
  • openSSH.js
  • noPublicAccess.js
  • networkWatcherEnabled.js
  • vmDiskOSEncryption.js
  • vmDiskDataEncryption.js
  • vmEndpointProtection.js
  • keyExpirationEnabled.js
  • secretExpirationEnabled.js
  • managementLockEnabled.js
  • kvRecoveryEnabled.js
  • rbacEnabled.js
  • authEnabled.js
  • httpsOnlyEnabled.js
  • tlsVersionCheck.js
  • clientCertEnabled.js
  • identityEnabled.js
  • netFrameworkVersion.js
  • phpVersion.js
  • pythonVersion.js
  • javaVersion.js
  • http20Enabled.js

There is one new plugin called securityContactsEnabledPhone.js, which is separated from securityContactsEnabled.js because the two cover different CIS controls (2.16 and 2.17). I would like to suggest those modifications as an enhancement. This is a quick look at the new CIS controls added (a little bit dislodged), so please let me know how to proceed.

image

abernalsec avatar Jan 20 '21 15:01 abernalsec

Well done @abernalneo !!

danilocasabona avatar Jan 26 '21 16:01 danilocasabona

@abernalneo are you able to submit a PR for this?

tomweston avatar Jul 22 '21 12:07 tomweston

@tomweston I am not quite sure. If someone could guide me I would submit it.

abernalsec avatar Jul 22 '21 14:07 abernalsec

@tomweston I am not quite sure. If someone could guide me I would submit it.

@abernalneo Are you able to bundle your commits related to the issue from your fork (https://github.com/abernalneo/neocloudsploit) into a PR?

@matthewdfuller any chance you can help?

tomweston avatar Jul 22 '21 22:07 tomweston

@tomweston If I could I would, I am truly a newbie with this GitHub stuff so any kind of help would be appreciated. Thanks,

abernalsec avatar Aug 24 '21 15:08 abernalsec

@tomweston If I could I would, I am truly a newbie with this GitHub stuff so any kind of help would be appreciated. Thanks,

@abernalsec if you can attach a zip file here, I can submit the pull request for you. Thanks for doing this, there is definitely a need for it!

D00gs avatar Mar 28 '22 04:03 D00gs