azure_cis_scanner 0.3.5


.. role:: raw-html-m2r(raw)
   :format: html

azure_cis_scanner
=================

Security Compliance Scanning tool for CIS Azure Benchmark 1.0

The purpose of this scanner is to assist organizations in locking down their Azure environments following the best practices in the Center for Internet Security (CIS) Azure Benchmark 1.0, released Feb 20, 2018. This repo was inspired by Scout2, a similar scanner for AWS.

This project is not yet production ready and should only be run from a local machine that is not exposed to untrusted networks.

The scanner can generate reports that mirror the CIS sections.
--------------------------------------------------------------

.. image:: images/cis_test_vm_section.png?raw=true
   :target: images/cis_test_vm_section.png?raw=true
   :alt: azure cis scanner home

This scanner also allows tracking progress over time
----------------------------------------------------

.. image:: images/cis_test_secure_transfer_graph.png?raw=true
   :target: images/cis_test_secure_transfer_graph.png?raw=true
   :alt: Azure Storage: Secure Transfer not Enabled

Raw data is stored as JSON in the format returned by the Azure API, in one file per major CIS section, named after the section:

.. code-block::

   Identity and Access Management
   Logging and Monitoring
   Security Center
   Networking
   Storage
   Virtual Machines
   SQL Services
   Other Miscellaneous Items

Filtered data is stored in files named by the finding and has the following format. Note that ``items`` are Python tuples and the quoting is Python-style, so this is not strict JSON (see Constraints below):

.. code-block::

   {
     "threat_detection_should_be_turned_on": {
       "metadata": {
         "columns": ['region', 'server', 'database'],
         "finding": 'threat_detection_should_be_turned_on'
       },
       "stats": {"items_checked": 10, "items_flagged": 4},
       "items": [
         ('us-west-1', 'server01', 'db011'),
         ('us-west-2', 'server02', 'db021'),
         ('us-west-2', 'server02', 'db023'),
         ('us-west-2', 'server02', 'db024')
       ]
     },
     "another_finding_in_this_section": ...
   }
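The following Python is an added example, not the scanner's own code. It shows how a raw, Azure-API-shaped record set is reduced to the filtered finding layout above (``metadata``/``stats``/``items`` with tuple items), how that tuple-bearing structure can still be written as JSON (the problem the Constraints section describes), and how dated snapshots of a finding become the points for a progress-over-time graph. The raw records are constructed, and their field names (``region``, ``server``, ``database``, ``threatDetectionPolicy.state``) are assumptions, not the Azure API's exact schema.

```python
"""Build a per-finding "filtered" record from raw Azure-API-shaped data.

Added example, not the scanner's own code.  The raw records are constructed
to resemble what the Azure API returns for SQL databases; the field names
(region, server, database, threatDetectionPolicy.state) are assumptions.
"""
import json
from typing import Any, Callable, Dict, Iterable, List, Sequence, Tuple

# Constructed sample of raw data for the "SQL Services" section.
RAW_SQL_DATABASES: List[Dict[str, Any]] = [
    {"region": "us-west-1", "server": "server01", "database": "db010",
     "threatDetectionPolicy": {"state": "Enabled"}},
    {"region": "us-west-1", "server": "server01", "database": "db011",
     "threatDetectionPolicy": {"state": "Disabled"}},
    {"region": "us-west-2", "server": "server02", "database": "db021",
     "threatDetectionPolicy": {"state": "Disabled"}},
    {"region": "us-west-2", "server": "server02", "database": "db022",
     "threatDetectionPolicy": {"state": "Enabled"}},
    # No policy object at all: treated as a finding, not as a pass.
    {"region": "us-west-2", "server": "server02", "database": "db023"},
]

COLUMNS: Tuple[str, ...] = ("region", "server", "database")
FINDING = "threat_detection_should_be_turned_on"


def threat_detection_enabled(db: Dict[str, Any]) -> bool:
    """Fail closed: only an explicit 'Enabled' state counts as compliant."""
    return db.get("threatDetectionPolicy", {}).get("state") == "Enabled"


def build_finding(name: str, columns: Sequence[str],
                  records: Iterable[Dict[str, Any]],
                  passes: Callable[[Dict[str, Any]], bool]) -> Dict[str, Any]:
    """Return {name: {metadata, stats, items}} in the filtered layout.

    Items are tuples in column order, matching the README's example.
    """
    records = list(records)
    items = [tuple(rec[c] for c in columns) for rec in records if not passes(rec)]
    return {
        name: {
            "metadata": {"columns": list(columns), "finding": name},
            "stats": {"items_checked": len(records), "items_flagged": len(items)},
            "items": items,
        }
    }


def json_safe(obj: Any) -> Any:
    """Recursively make the structure JSON-serialisable.

    Tuples become lists, and tuple dict keys such as
    (resource_group, server, database) become '/'-joined strings,
    since json.dumps rejects both.
    """
    if isinstance(obj, dict):
        return {(k if isinstance(k, str) else "/".join(map(str, k))): json_safe(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [json_safe(v) for v in obj]
    return obj


def dump_finding(finding: Dict[str, Any]) -> str:
    """Serialise a finding as one line of JSON (sorted keys give stable diffs)."""
    return json.dumps(json_safe(finding), sort_keys=True)


def flagged_over_time(snapshots: Iterable[Tuple[str, Dict[str, Any]]],
                      name: str) -> List[Tuple[str, int]]:
    """Turn dated snapshots of a finding into (date, items_flagged) points."""
    return [(date, snap[name]["stats"]["items_flagged"])
            for date, snap in sorted(snapshots, key=lambda s: s[0])]


if __name__ == "__main__":
    finding = build_finding(FINDING, COLUMNS, RAW_SQL_DATABASES, threat_detection_enabled)
    print(dump_finding(finding))
```

The check fails closed: a database with no threat-detection policy object at all is flagged rather than silently passed, which is the behaviour you want from a compliance scanner when the API omits a field.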
Getting Started
---------------

Best practice is to work inside a Docker container to avoid any issues that would arise from a multi-tenant environment. If running from the native command line, take care that multi-subscription calls like ``permissions.sh`` only see the intended target subscriptions in the ``~/.azure/`` directory.

The container is currently based on pshchelo/alpine-jupyter-sci-py3 with the microsoft/azure-cli Dockerfile layered on top. We will replace the pshchelo base with a more official (nbgallery or jupyter) Docker image and tune the image in the future.

We assume you have already created an Azure account or have been granted credentials with privileges sufficient to run the scanner.

We log in once outside of the container (which merges credentials with anything already in ``~/.azure``) to get the correct subscription id, and then again inside the container to restrict ourselves to the correct credentials only.

Configure
^^^^^^^^^

Get the repo (until it is public):

.. code-block::

   $ git clone https://github.com/praetorian-inc/azure_cis_scanner.git && cd azure_cis_scanner

Copy ``azure_cis_scanner/.env-sample`` to ``.env``. This is a special filename that controls docker-compose and is listed in ``.gitignore``, so the values you put in it are not committed.

.. code-block::

   azure_cis_scanner$ docker-compose up

In another terminal, get the container id and exec into it:

.. code-block::

   azure_cis_scanner$ docker ps
   azure_cis_scanner$ docker exec -it <container-id> /bin/bash

Login inside the container
^^^^^^^^^^^^^^^^^^^^^^^^^^

docker-compose creates (on first run) a ``.azure`` folder to hold the credentials and maps it to ``/root/.azure`` in the container. This allows you to stop and start the container without having to log in again for the lifetime of your tokens. Treat that folder as a secret: it holds the tokens the CLI obtained at login.

.. code-block::

   bash-4.4$ az login
   bash-4.4$ az account list
   bash-4.4$ cd /praetorian-tools/azure_cis_scanner/scanner
   scanner$ cd ../report
   report$

To run with the official Microsoft container instead of docker-compose, clone the repo and pull the image:

.. code-block::

   $ git clone https://github.com/praetorian-inc/azure_cis_scanner.git
   $ docker pull microsoft/azure-cli

If you are going to be working over many days and shutting down the container between runs, you may want to create a project-directory ``.azure`` folder which you will mount into the container. Persisting credentials with a local mount (``-v "$(pwd)/.azure:/root/.azure"``) is optional. Docker requires absolute paths on both sides of ``-v`` and does not expand ``~`` for the container side, so mount to ``/root/.azure`` (where the CLI in the container looks), not ``~/.azure``.

.. code-block::

   $ cd /path/to/working-project
   $ cp /path/to/azure_cis_scanner/{permissions.sh,minimal_tester_role.json} .
   working-project$ docker run -it -v "$(pwd)/.azure:/root/.azure" -v "$(pwd):/workdir" microsoft/azure-cli
   bash-4.3#

We are now inside the container at the ``bash-4.3#`` prompt. Time to log in:

.. code-block::

   bash-4.3# az login

Complete sign-in via the web UI login.

Modify ``minimal_tester_role.json`` with the correct subscription(s).

Modify ``permissions.sh`` with the positional variables ``$1=start_date``, ``$2=end_date`` and ``$3=ip_whitelist`` for the generated storage keys, then run it:

.. code-block::

   bash-4.3# /workdir/permissions.sh

The script creates an AzureSecurityScanner role definition. The Owner then assigns that role to the users and can copy the generated (resource_group, account, SAS key) tuples and send them securely to the pen-tester. Keep the SAS validity window (start and end dates) short and the IP whitelist narrow: a SAS key is a bearer credential, and anyone who obtains it can use the storage account with whatever permissions the SAS grants until it expires.

Constraints
-----------

An attempt was made to convert to JSON everywhere, but the current raw/filtered data uses key tuples, e.g. (resource_group, server, database), which are only supported in YAML. An attempt to use safe_yaml was made, but the tuples caused errors (PyYAML's safe loader rejects the ``!!python/tuple`` tag that tuples serialise to). The intention is to have ``raw`` data pulled as infrequently as possible from the cloud API and stored as close as possible to the delivered format.\ :raw-html-m2r:`<br>`
We may switch from tuples to nested dicts in the future.

Roadmap
-------

* Further development of automation for deployment of an insecure test environment.
* Add to the remediation scripts in the ``remediations`` folder to automatically resolve many simple "switch on" issues.
* Use the Python SDK instead of bash.
* Wrap the Flask project with praetorian-flask for security. Only run on a local network until this is complete.
* Remove manual steps by generating ``minimal_tester_role.json`` with the correct subscription/resource_group paths.
* Replace the pshchelo/alpine-jupyter-sci-py3 base (which currently has the microsoft/azure-cli Dockerfile layered on top) with a more official (nbgallery or jupyter) Docker image and tune the image.
* Add git hooks to automatically remove cell output of ``azure_cis_scanner.ipynb`` to avoid checking in sensitive info.

Digging Deeper
--------------

A scanner is a good first tool for securing a cloud environment, ensuring that best practices and secure configuration settings are employed. However, this scanner does not assess the health of your IAM policies and roles or network security groups beyond some basic known-bad settings. Azure is constantly evolving, and part of the challenge for a SecOps team is keeping up with best practices in an environment where new tools are released on a monthly basis. More advanced SecOps teams should consider leveraging automation tools, policy configurations, Azure Quickstart Templates, Event Grid and many other advanced features.

Need manual penetration testing? Praetorian has expertise in the Cloud, IoT, NetSec and more.
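The roadmap item about stripping notebook output before commit is worth doing now rather than later: a notebook that has just listed storage keys or SAS tokens carries them in its ``outputs`` blocks. The following Python is an added example of such a hook, not the project's own; the notebook content is constructed, and the hook path and notebook filename in the usage comment are assumptions.

```python
"""Strip code-cell outputs from a Jupyter notebook before it is committed.

Added example for the git-hook roadmap item; it is not the project's own
hook.  The notebook below is constructed, and the hook installation shown in
the usage comment assumes the notebook lives at the repo root.
"""
import json
import sys


def strip_outputs(notebook_text: str) -> str:
    """Return the notebook with every code cell's outputs and execution count cleared.

    Markdown cells and cell sources are left untouched, so the notebook still
    runs; only the captured results (which may contain subscription ids,
    storage keys or SAS tokens) are removed.
    """
    nb = json.loads(notebook_text)
    for cell in nb.get("cells", []):
        if cell.get("cell_type") == "code":
            cell["outputs"] = []
            cell["execution_count"] = None
    # Stable key order keeps diffs small after the hook rewrites the file.
    return json.dumps(nb, indent=1, sort_keys=True) + "\n"


def has_outputs(notebook_text: str) -> bool:
    """True if any code cell still carries outputs or an execution count."""
    nb = json.loads(notebook_text)
    return any(cell.get("outputs") or cell.get("execution_count") is not None
               for cell in nb.get("cells", []) if cell.get("cell_type") == "code")


# Constructed notebook: one code cell whose output leaked a storage key.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 2, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Storage keys"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 3,
         "source": ["!az storage account keys list -n acct -g rg"],
         "outputs": [{"output_type": "stream", "name": "stdout",
                      "text": ["key1  REDACTED-LOOKING-BASE64-KEY==\n"]}]},
    ],
})


if __name__ == "__main__":
    # Usage from .git/hooks/pre-commit (paths assumed):
    #   python strip_outputs.py azure_cis_scanner.ipynb && git add azure_cis_scanner.ipynb
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            cleaned = strip_outputs(fh.read())
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
```

Because the hook rewrites the file and re-stages it, the committed notebook never contains output; the ``has_outputs`` check is the same test a CI job can run to reject a push that bypassed the local hook.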

License:

For personal and professional use. You cannot resell or redistribute these repositories in their original state.
