monitor and keyvault templates

patch-11
Prince Chaddha 2024-07-18 18:55:33 +05:30
parent e6cb93289d
commit b273a19930
18 changed files with 1018 additions and 0 deletions

View File

@ -0,0 +1,70 @@
id: azure-app-tier-cmk-untagged
info:
name: Customer-Managed Key Not Tagged in Azure App Tier
author: princechaddha
severity: high
description: |
Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure application tier to meet cloud security and compliance requirements. The conformity rule assumes all Azure cloud resources in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>. The tag set for your Azure application tier must be pre-configured in the Cloud Conformity console.
impact: |
Not using properly tagged CMKs may lead to non-compliance with security standards and make cloud resources difficult to manage and audit.
remediation: |
Ensure all Customer-Managed Keys used in the application tier are properly tagged according to organizational policies. Update the key's metadata through the Azure portal or Azure CLI.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys-details
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let vaultName of iterate(template.vaultNames)) {
set("vaultName", vaultName)
code(2);
for (let keyId of iterate(template.keyIds)) {
set("keyId", keyId)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault key list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].kid' --output json
extractors:
- type: json
name: keyIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault key show --id $keyId --query 'tags' --output json
matchers:
- type: word
words:
- '{}'
extractors:
- type: dsl
dsl:
- 'vaultName + " CMK " + keyId + " is not properly tagged as part of the app-tier resource"'
# digest: 4a0a0047304502201069ec122172a352a16ab66759b7b29178ccda441512cd221b2976c1c670fa71022100f5c02106774b47d028ad2b398d6c08376f4f5f9bdc0acc89dbe92f286c589b51:366f2a24c8eb519f6968bd8801c08ebe
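Review bot: the word matcher on the third code block (`words: - '{}'`) only tests whether the key's tag map is empty, while the description says the rule expects the key to carry the configured `<app_tier_tag>:<app_tier_tag_value>` pair; a key tagged with anything else passes. If the target tag cannot be parameterised, a `dsl` matcher that checks the response for the configured tag name would be closer to the intent than the `{}` word, and it is worth confirming what `az keyvault key show --query 'tags'` prints for a key that has never been tagged (a `null` output would not match `{}`). Style: the `set(...)` and `code(3)` calls in `flow` lack the trailing semicolons that the sibling templates in this commit use.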

View File

@ -0,0 +1,70 @@
id: azure-database-tier-cmk-absent
info:
name: Customer-Managed Key Not Configured for Azure Database Tier
author: princechaddha
severity: high
description: |
Ensure that a Customer-Managed Key (CMK), also known as Bring Your Own Key (BYOK), is created and configured for your Microsoft Azure database tier to meet cloud security and compliance requirements within your organization. This check verifies if Azure database resources tagged with specific values use a CMK.
impact: |
Not using a Customer-Managed Key for your database tier can lead to non-compliance with security standards and regulations, potentially increasing security risks.
remediation: |
Configure a Customer-Managed Key for your Azure database tier by setting the appropriate policies through Azure portal or using Azure CLI.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys
tags: cloud,devops,azure,microsoft,azure-key-vault,azure-cloud-config
flow: |
code(1);
for (let vaultName of iterate(template.vaultNames)) {
set("vaultName", vaultName);
code(2);
for (let keyId of iterate(template.keyIds)) {
set("keyId", keyId);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault key list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].kid' --output json
extractors:
- type: json
name: keyIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault key show --id $keyId --query 'tags' --output json
matchers:
- type: word
words:
- '{}'
extractors:
- type: dsl
dsl:
- 'vaultName + " key " + keyId + " does not have required database-tier tags"'
# digest: 490a0046304402203f9c3ca9e063842a3518681d86e5e5476218474f82e509c817a253913876ec2a02203368b465511d69282c97106b2d763a8f97dbec3cb763492046034d8aa7435120:366f2a24c8eb519f6968bd8801c08ebe
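Review bot: the check never touches a database resource: all three code blocks enumerate Key Vaults and their keys and flag keys whose `tags` query returns `{}`, so the template is a copy of the app-tier tag check rather than the "Customer-Managed Key Not Configured for Azure Database Tier" that `name` and `description` promise. Either rename and describe it as a database-tier key tagging check, or have the first block list the database resources (the description says they are identified by tag) and verify that their encryption configuration references a Key Vault key. As with the app-tier template, `'{}'` also misses keys whose `tags` prints as `null`.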

View File

@ -0,0 +1,53 @@
id: azure-keyvault-audit-not-enabled
info:
name: Enable AuditEvent Logging for Azure Key Vaults
author: princechaddha
severity: medium
description: |
Ensure that AuditEvent logging is enabled for all Azure Key Vault instances in order to record any interactions with your vaults for enhancing data protection and compliance within your Azure cloud account. With Azure Key Vault, you can safeguard encryption keys and application secrets like passwords using keys stored in Hardware Security Modules (HSMs).
impact: |
Lack of AuditEvent logging can hinder incident detection and increase the risk of unauthorized access without traceability.
remediation: |
Enable the AuditEvent logging for Azure Key Vaults to ensure all access and operations are logged, enhancing security and compliance.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let VaultData of iterate(template.vaultNames)) {
set("vaultName", VaultData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].id' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings list --resource $vaultName --query '[*].logs | []' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'vaultName + " does not have AuditEvent logging enabled"'
# digest: 4b0a0048304602210089a9e87197dc95ccdaacebb668e0a21a7bb222d92c76ccd1e235736a4b43d29a022100ec6fbecd92345c5cbfc35a3091e1de6b06539895b1693f82da81b3bf3be0ed98:366f2a24c8eb519f6968bd8801c08ebe
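Review bot: the matcher only detects the complete absence of log settings: `'[*].logs | []'` concatenates every `logs` entry across all diagnostic settings and `words: - '[]'` fires only when that flattened list is empty, so a vault whose diagnostic setting lists `AuditEvent` with `enabled: false`, or only enables a different category, passes. A `dsl` matcher that requires `"category": "AuditEvent"` together with `"enabled": true` in the output would implement what the description asks for. Also, the extractor named `vaultNames` holds resource IDs from `--query '[*].id'` (correct for `--resource`, but the name and the `vaultName` variable are misleading).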

View File

@ -0,0 +1,70 @@
id: azure-keyvault-cert-keytype-unapproved
info:
name: Unapproved Certificate Key Type in Azure Key Vaults
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure Key Vault SSL certificates are using the allowed key type(s) for security and compliance purposes. Prior to running this rule by the Cloud Conformity engine, the allowed certificate key type(s) must be configured within the rule settings, on the Cloud Conformity account dashboard.
impact: |
Using unapproved key types can violate compliance requirements and security policies, potentially exposing sensitive data.
remediation: |
Review and update the certificate key types for your Azure Key Vault SSL/TLS certificates to align with approved key types through the Azure portal or Azure CLI.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let KeyVaultName of iterate(template.keyVaultNames)) {
set("vaultName", KeyVaultName)
code(2);
for (let CertificateId of iterate(template.certificateIds)) {
set("certificateId", CertificateId)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: keyVaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].id' --output json
extractors:
- type: json
name: certificateIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate show --id $certificateId --query 'policy.keyProperties.keyType' --output json
matchers:
- type: word
words:
- 'EC'
extractors:
- type: dsl
dsl:
- 'vaultName + " SSL/TLS certificate " + certificateId + " uses an unapproved key type"'
# digest: 490a00463044022047ebf845080e13691a12c001932c07b97a020c84758131c7d251a7ea2210924502201ff323f0da42acc4229635086facc444918eb6a982a39a761cb8e5e1f8b21eb7:366f2a24c8eb519f6968bd8801c08ebe
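Review bot: the third code block hard-codes `'EC'` as the unapproved key type, while the description says the allowed key type(s) are configured per account; elliptic-curve keys are not unapproved in general, so this belongs in a template variable (or the matcher should be `negative: true` against the organisation's approved list). A `word` matcher is a substring match, so `EC` also triggers on `EC-HSM`, and it can never flag `RSA` where that is the type an organisation wants to phase out. A `type: dsl` matcher with an explicit comparison of the quoted key type would state the rule precisely.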

View File

@ -0,0 +1,70 @@
id: azure-keyvault-cert-transparency-missing
info:
name: Missing Certificate Transparency in Azure Key Vaults
author: princechaddha
severity: medium
description: |
Ensure that Certificate Transparency feature is enabled for all Azure Key Vault SSL/TLS certificates to adhere to web security best practices. Certificate Transparency (CT) is a new Internet standard that helps to make the Transport Layer Security (TLS) ecosystem publicly auditable.
impact: |
Without Certificate Transparency, domain owners are unaware of certificates issued to their domain unless directly requested, compromising transparency and security.
remediation: |
Enable Certificate Transparency for all Azure Key Vault SSL/TLS certificates through the Azure portal or Azure CLI to meet the standards enforced by the Certification Authority Browser Forum (CA/Browser Forum).
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/certificates/how-to-enable-certificate-transparency
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let KeyVaultName of iterate(template.keyVaultNames)) {
set("vaultName", KeyVaultName)
code(2);
for (let CertificateId of iterate(template.certificateIds)) {
set("certificateId", CertificateId)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: keyVaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].id' --output json
extractors:
- type: json
name: certificateIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate show --id $certificateId --query 'policy.issuerParameters.certificateTransparency' --output json
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'vaultName + " SSL/TLS certificate " + certificateId + " does not have Certificate Transparency enabled"'
# digest: 4a0a0047304502201259b718e330f5abf0999f3571ebcb7407acd833bae01ccc4be74f56a3eaa0a1022100ad3072283715089f1d8d8883c06a5bd92e71deb38f1ac3ee62a855da6f4c72c8:366f2a24c8eb519f6968bd8801c08ebe
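Review bot: `words: - 'false'` on the third code block catches only a certificate policy that explicitly sets `certificateTransparency: false`; when the property is not set at all the query prints `null`, and such certificates pass even though Certificate Transparency is not enabled for them. Add `null` to `words`, or switch to a `dsl` matcher that fails unless the output contains `true`, if the rule is meant to flag every certificate without CT. Since the property lives under `policy.issuerParameters`, certificates from non-integrated issuers are likely to report `null` as well, so the finding text should say that CT is "not enabled" rather than "disabled".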

View File

@ -0,0 +1,76 @@
id: azure-keyvault-certificate-insufficient-autorenew
info:
name: Check for Sufficient Certificate Auto-Renewal Period
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure Key Vault SSL certificates have a sufficient auto-renewal period configured for security and compliance purposes. This period indicates the amount of time (number of days) before SSL certificate expiration, when the renewal process is automatically triggered.
impact: |
If the auto-renewal period is too short, there might not be enough time to address issues if the renewal process fails, leading to potential service disruption or security vulnerabilities.
remediation: |
Configure SSL certificates within Azure Key Vaults to have an auto-renewal period that aligns with your organization's security and compliance requirements to ensure timely and effective renewal.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let VaultData of iterate(template.vaultNames)) {
set("vaultName", VaultData);
code(2);
for (let CertificateData of iterate(template.certificateIDs)) {
set("certificateID", CertificateData);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].id' --output json
extractors:
- type: json
name: certificateIDs
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate show --id $certificateID --query 'policy.lifetimeActions[*].trigger.daysBeforeExpiry' --output json
matchers:
- type: dsl
dsl:
- compare_versions(certificateIDnum, concat("< ", 30))
extractors:
- type: json
name: certificateIDnum
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'vaultName + " certificate ID " + certificateID + " has insufficient auto-renewal period"'
# digest: 4b0a00483046022100b60fe709ea083ab59a557f1945d938df0ef125857f6cdd8048e73275cdb871a0022100bb276f37fd7c47ed8f6f3a0771fdc80ec578adc79aad7c9f2b6ae88abdd49997:366f2a24c8eb519f6968bd8801c08ebe
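Review bot: the `dsl` matcher `compare_versions(certificateIDnum, concat("< ", 30))` has nothing to compare when a certificate's lifetime action is triggered by `lifetimePercentage` instead of `daysBeforeExpiry`: the query then yields no number (the projection drops the null value), the `.[]` extractor produces nothing, and the certificate is silently skipped rather than reported. Handle that case explicitly (report the missing day trigger as its own finding, or also query `trigger.lifetimePercentage`). The `30` is also hard-coded while the description says the period must match the organisation's requirements, so it should be a template variable, and `certificateIDnum` is a misleading name for a day count (`daysBeforeExpiry` reads better); `compare_versions` works on an integer, but a plain numeric comparison in the DSL would make the intent obvious.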

View File

@ -0,0 +1,54 @@
id: azure-keyvault-network-unrestricted
info:
name: Unrestricted Network Access to Azure Key Vaults
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure Key Vaults are configured to deny access to traffic from all networks (including the public Internet). By restricting the public access to your Azure Key Vaults, you add an important layer of security, since the default action is to accept connections from clients on any network. To limit access to trusted networks and/or IP addresses, you must change the Key Vault firewall default action from "Allow" to "Deny" and configure the appropriate access.
impact: |
Allowing unrestricted access from all networks to Azure Key Vaults can expose sensitive data and increase the risk of unauthorized access.
remediation: |
Modify Key Vault network settings to deny access from all networks by default. Configure network rules to allow access only from specific trusted IPs or networks.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let VaultData of iterate(template.vaultNames)) {
set("vaultName", VaultData)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault show --name $vaultName --query 'properties.networkAcls.defaultAction' --output json
matchers:
- type: word
words:
- '"Allow"'
- ''
extractors:
- type: dsl
dsl:
- 'vaultName + " is configured to allow unrestricted Key Vault network access"'
# digest: 4b0a00483046022100a16fa07147ee1dad302af8b7d27c4e69902560035190dd955dfffccfcb7c128a022100e8d380532799c45e68fb32fd249c6689d3ebecb63c5401ea8d3d9b0bd8b2aa4f:366f2a24c8eb519f6968bd8801c08ebe
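Review bot: the second word in the matcher, `- ''`, is an empty string; a substring match against an empty string succeeds on any output, so every vault would be reported as allowing unrestricted access regardless of its `defaultAction`. If the intent is to also catch vaults with no `networkAcls` block (the query prints `null` for those, and the description notes the service default is to accept connections from any network), match `null` explicitly instead of `''`.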

View File

@ -0,0 +1,55 @@
id: azure-keyvault-recoverability-unconfigured
info:
name: Key Vault Recoverability Not Configured
author: princechaddha
severity: high
description: |
Ensure that production Azure Key Vaults are recoverable to prevent permanent deletion/purging of encryption keys, secrets, and certificates stored within these vaults. To make your Azure Key Vault instances recoverable, you need to enable both "Soft Delete" and "Do Not Purge" features. "Soft Delete" ensures recoverability for 90 days post-deletion, whereas "Do Not Purge" prevents any purging of the vault and its contents.
impact: |
Failure to configure recoverability settings can lead to irreversible loss of critical data stored in Azure Key Vaults due to permanent deletion.
remediation: |
Enable "Soft Delete" and "Do Not Purge" on all Azure Key Vaults to ensure they are recoverable and protected against permanent deletion.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let VaultName of iterate(template.vaultNames)) {
set("name", VaultName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault show --name $name --query 'properties.{"enableSoftDelete":enableSoftDelete,"enablePurgeProtection":enablePurgeProtection}' --output json
matchers:
- type: word
words:
- 'enablePurgeProtection": null'
- 'enableSoftDelete": null'
condition: and
extractors:
- type: dsl
dsl:
- 'name + " is not configured for recoverability with both Soft Delete and Do Not Purge enabled"'
# digest: 4a0a0047304502201ef90f430d6f4ff9415d6801c138a3a8c98b7be826d73776d5651860605d4d6a022100a38a7862f32fe7b566218bab35176f254d55b91eeacc38ff38291285bd2dd271:366f2a24c8eb519f6968bd8801c08ebe
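Review bot: `condition: and` on the matcher means a vault is reported only when both `enablePurgeProtection` and `enableSoftDelete` print as `null`; a vault that has soft delete on but purge protection unset, which is exactly the state the description says must be fixed, passes. Change the condition to `or`, and add an `enableSoftDelete": false` word, since that property can also print as an explicit `false` rather than `null`.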

View File

@ -0,0 +1,70 @@
id: azure-keyvault-ssl-autorenewal-missing
info:
name: Missing SSL Certificate Auto-Renewal in Azure Key Vaults
author: princechaddha
severity: high
description: |
Microsoft Azure Key Vault service can renew your SSL certificates automatically to prevent application or service outages, credential leaks, or process violations that can disrupt your business. Ensure that your SSL certificates in Azure Key Vaults are set to auto-renew.
impact: |
Not enabling auto-renewal for SSL certificates can lead to expired certificates, potentially causing outages and security risks.
remediation: |
Configure SSL certificates in Azure Key Vaults to automatically renew by setting the correct policies in the Azure portal or through Azure CLI.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/certificates/how-to-renew-certificate
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let KeyVaultName of iterate(template.keyVaultNames)) {
set("vaultName", KeyVaultName)
code(2);
for (let CertificateId of iterate(template.certificateIds)) {
set("certificateId", CertificateId)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: keyVaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].id' --output json
extractors:
- type: json
name: certificateIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault certificate show --id $certificateId --query 'policy.lifetimeActions[*].action.actionType' --output json
matchers:
- type: word
words:
- '"EmailContacts"'
extractors:
- type: dsl
dsl:
- 'vaultName + " SSL certificate " + certificateId + " does not have auto-renewal enabled"'
# digest: 490a0046304402207bf7ab2b7509f9e23890f0e5a28b9ecc82bba6262cd939960c0548a20ecec691022039d4d2db66a5af65165df8a878c8b404c01421eb7b0cddd5a42386167dd85cd7:366f2a24c8eb519f6968bd8801c08ebe
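Review bot: matching `'"EmailContacts"'` on `policy.lifetimeActions[*].action.actionType` flags only certificates configured to e-mail instead of renew; a certificate whose policy has no lifetime action at all prints `[]` and is not reported, although it does not auto-renew either. Invert the check: a `word` matcher for `"AutoRenew"` with `negative: true` catches both cases with one rule.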

View File

@ -0,0 +1,53 @@
id: azure-keyvault-trusted-ms-unrestricted
info:
name: Key Vault Trusted Microsoft Services Access Not Configured
author: princechaddha
severity: medium
description: |
Ensure that "Allow trusted Microsoft services to bypass this firewall" exception is enabled within your Azure Key Vault network firewall configuration settings in order to grant vault access to trusted Azure cloud services. The trusted Microsoft services must also be given explicit permissions within the access policies associated with the Key Vault.
impact: |
If trusted Microsoft services cannot bypass the firewall, it could prevent essential services from accessing Key Vault, impacting functionality and integration within Azure.
remediation: |
Enable the "Allow trusted Microsoft services to bypass this firewall" setting in your Key Vault network configuration to allow trusted services access.
reference:
- https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let VaultData of iterate(template.vaultNames)) {
set("vaultName", VaultData)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].name' --output json
extractors:
- type: json
name: vaultNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az keyvault show --name $vaultName --query 'properties.networkAcls.bypass' --output json
matchers:
- type: word
words:
- '"None"'
extractors:
- type: dsl
dsl:
- 'vaultName + " does not allow trusted Microsoft services to bypass the firewall"'
# digest: 490a004630440220231bfbfe6df594e214004268b8e157ee2b484e13943793c072ebac43304ec6460220620fae5a69e8b886f864c157b81cda20354dc1523bd4f11f0b03e70dbb764ade:366f2a24c8eb519f6968bd8801c08ebe
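Review bot: the id `azure-keyvault-trusted-ms-unrestricted` states the opposite of what the template detects: the matcher fires when `bypass` equals `"None"`, i.e. trusted Microsoft services are not allowed through the firewall, which is the restricted state. Rename it to something like `azure-keyvault-trusted-ms-bypass-disabled` so triage does not read the finding backwards. A vault without a `networkAcls` block prints `null` and is skipped, which is acceptable for this rule (there is no firewall to bypass) but deserves a comment in the description.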

View File

@ -0,0 +1,59 @@
id: azure-keyvault-resource-lock-check
info:
name: Azure KeyVault Resource Lock Not Enabled
author: princechaddha
severity: high
description: |
Ensure that all your mission critical Azure cloud resources have resource locks enabled so that certain users are not able to delete or modify these resources in order to help prevent accidental and malicious changes or deletion.
impact: |
Not having resource locks on mission-critical resources can lead to accidental or malicious modifications and deletions, potentially compromising the security and stability of the application.
remediation: |
Apply resource locks to all critical Azure resources, particularly Key Vaults. Use either the "ReadOnly" or "CanNotDelete" lock levels to prevent unwanted changes or deletions.
reference:
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources
tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config
flow: |
code(1);
for (let keyVaultData of iterate(template.keyvaultdata)) {
keyVaultData = JSON.parse(keyVaultData)
set("resource", keyVaultData.id)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az keyvault list --query '[*].id' --output json
extractors:
- type: json
name: keyvaultdata
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az lock list --resource $resource --query '[*].{"name":name,"level":level}'
matchers:
- type: word
words:
- '"CanNotDelete"'
- '"ReadOnly"'
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'resource + " does not have the required resource lock level"'
# digest: 4b0a00483046022100a39d074a49c0bff50b6e7418cc1c3beb45d5c369520f796eb63a40903e83f380022100dd5bf33d26d5d481249525a6393c65b07847e4c978996371eae223dfb905487f:366f2a24c8eb519f6968bd8801c08ebe
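Review bot: the two `word` matchers are combined with the default `matchers-condition: or`, and the first one (`'"CanNotDelete"'` / `'"ReadOnly"'`) matches precisely the vaults that do have an acceptable lock, so every locked vault is reported as missing its lock alongside the genuinely unlocked ones that match `'[]'`. Drop the first matcher, or mark it `negative: true` and set `matchers-condition: and`, so only vaults with no lock at the required level are flagged. The second code block also omits the `--output json` that the other templates pass explicitly; it works with the default output format but breaks for users whose CLI default is `table`.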

View File

@ -0,0 +1,53 @@
id: azure-diag-logs-not-enabled
info:
name: Diagnostic Logs Not Enabled for Azure Resources
author: princechaddha
severity: medium
description: |
Ensure that Diagnostic Logs are enabled for all the supported Azure resources to log interactions within your cloud resources. Logging every access request and operation to your cloud resources is a security best practice.
impact: |
Failure to enable Diagnostic Logs can lead to a lack of insight into operations performed within resources, such as Azure Key Vault, which could potentially hinder the ability to perform security and compliance auditing.
remediation: |
Enable Diagnostic Logs for all Azure resources and ensure logs are sent to a storage account and Log Analytics Workspace or an equivalent system. Logs should be kept in accessible storage for at least one year, then moved to cold storage.
reference:
- https://docs.microsoft.com/en-us/azure/azure-monitor/logs/diagnostic-logs-overview
tags: cloud,devops,azure,microsoft,diagnostic-logs,azure-cloud-config
flow: |
code(1);
for (let ResourceId of iterate(template.resourceIds)) {
set("resource", ResourceId)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az resource list --output json --query '[*].id'
extractors:
- type: json
name: resourceIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings list --resource $resource --query 'value'
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'resource + " does not have Diagnostic Logs enabled"'
# digest: 4b0a00483046022100bc24147fb58356ae6a00602dfddcd7a62392eafbe0053c686bd9bcca4447c44e022100bbea7e2b8f9f9a8f03bb7ba2b8db91aafc96a3b0954592a6235070d7b5d2a676:366f2a24c8eb519f6968bd8801c08ebe
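Review bot: `--query 'value'` on `az monitor diagnostic-settings list` assumes the command returns an object with a `value` wrapper, while the Key Vault audit template in this same commit queries the same command as a bare list (`'[*].logs | []'`); only one of the two shapes is right for a given CLI version, and with the bare-list shape `value` prints `null`, so the `'[]'` matcher never fires and nothing is ever reported. Pick one shape (or use a `dsl` matcher tolerant of both) and align the two templates. Separately, `az resource list` returns every resource in the subscription, including types that do not support diagnostic settings, so the second block will error on many resource IDs; filtering by resource type in the first query would cut the noise.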

View File

@ -0,0 +1,33 @@
id: azure-diagnostic-categories-misconfigured
info:
name: Diagnostic Settings Categories on Azure Resources not configured
author: princechaddha
severity: medium
description: |
Ensure that diagnostic settings are configured to log the appropriate activities from the Azure Monitor control/management plane. Proper configuration of diagnostic settings is crucial for effective monitoring and capturing essential management activities performed by resources on the Azure platform.
impact: |
Misconfigured diagnostic settings can lead to inadequate logging of control and management activities, increasing the risk of unnoticed malicious activities or misconfigurations.
remediation: |
Configure diagnostic settings for each Azure resource to log necessary activities from the control/management plane, ensuring that all important events are captured and reviewed regularly for anomalies.
reference:
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings
tags: cloud,devops,azure,microsoft,diagnostic,azure-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings subscription list --query 'value[*].{"name": name, "logs": logs}' --output json
matchers:
- type: word
words:
- '"enabled": false'
extractors:
- type: dsl
dsl:
- '"The configuration of the verified diagnostic setting for “Administrative”, “Security”, “Alert”, and “Policy” is not compliant."'
# digest: 490a004630440220059a759dbf42fb50ab1eb56402bc79439852e2334c8dbac96d5a42e2364209bf022069c2c7b29a54f138e830ccee08d355bb2777d91fe121bb086f809901df0364be:366f2a24c8eb519f6968bd8801c08ebe
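Review bot: the matcher `'"enabled": false'` fires whenever any category in any subscription diagnostic setting is disabled, not only the Administrative, Security, Alert and Policy categories the extractor message names, and the opposite gap exists too: a subscription with no diagnostic setting at all prints `[]` or `null` and passes. A `dsl` matcher that checks each of the four required categories appears with `"enabled": true` covers both cases. The curly quotes (“Administrative”) in the extractor string should be plain ASCII quotes, consistent with the other templates.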

View File

@ -0,0 +1,56 @@
id: azure-log-profile-all-activities
info:
name: Azure Log Profile Missing Critical Activity Categories
author: princechaddha
severity: medium
description: |
Ensure that the Log Profile created for your Azure cloud activity log is configured to collect logs for all the control and management activity categories, i.e. "Write", "Delete", and "Action", for security and compliance purposes. A Log Profile controls how the activity log is exported and retained within your Microsoft Azure cloud account.
impact: |
Failing to capture all activity categories can lead to incomplete logging information, which might hinder security audits and compliance checks, reducing the visibility into operations within the cloud environment.
remediation: |
Configure the Azure Log Profile to include all necessary activity categories such as "Write", "Delete", and "Action" to ensure comprehensive logging and compliance with security policies.
reference:
- https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect
tags: cloud,devops,azure,microsoft,log-profile,azure-cloud-config
flow: |
code(1);
for (let logProfileName of iterate(template.logProfileNames)) {
set("profileName", logProfileName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az monitor log-profiles list --query '[*].name' --output json
extractors:
- type: json
name: logProfileNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az monitor log-profiles show --name $profileName --query 'categories[]'
matchers:
- type: word
words:
- '"Write"'
- '"Delete"'
- '"Action"'
condition: and
extractors:
- type: dsl
dsl:
- 'profileName + " missing critical activity categories in log-profile configuration"'
# digest: 490a00463044022065f890b76f0c32e8ec7a9ff0481b5ab5837b13387d4df8a2567e01fd44ae808302204636c3fcd24973ca8ec1d06cb136a052883c3b20955665cf392e0eba29a8a5c7:366f2a24c8eb519f6968bd8801c08ebe
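Review bot: the matcher logic is inverted: `"Write"`, `"Delete"` and `"Action"` with `condition: and` match when the profile contains all three categories, so compliant log profiles are the ones reported as "missing critical activity categories", and a profile missing one of them never matches. Add `negative: true` to the matcher (keeping `condition: and`) so it fires only when at least one category is absent.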

View File

@ -0,0 +1,33 @@
id: azure-monitor-diagnostic-unrestricted
info:
name: Azure Monitor Diagnostic Settings for Subscription Activity Log Export Check
author: princechaddha
severity: medium
description: |
Ensure that Azure Monitor Diagnostic Settings are configured to export activity logs for the selected Microsoft Azure subscription. This helps in maintaining a record of all operational actions which are crucial for security and operational auditing.
impact: |
Not having diagnostic settings configured to export activity logs can lead to a lack of visibility into operational actions within the subscription, increasing the risk of undetected malicious activities or misconfigurations.
remediation: |
Configure Azure Monitor Diagnostic Settings to export activity logs. Refer to the Azure documentation on how to set up diagnostic settings for activity log export.
reference:
- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
tags: cloud,devops,azure,microsoft,monitor,azure-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings subscription list --query 'value[*].id' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- '"Azure Monitor Diagnostic Settings for Subscription Activity Log Export are not configured."'
# digest: 4a0a00473045022100f9cf3d17755a10abbb4a5229e4d4b8b21b377bd97e9d0f2ba251a6fb03f77501022022e0dfa61ebf1c29f7f5f04a3a8259539dfdee2e8fc3ec503870e7250558288f:366f2a24c8eb519f6968bd8801c08ebe
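Review bot: the id `azure-monitor-diagnostic-unrestricted` does not describe this check, which reports a subscription with no diagnostic setting exporting the activity log; something like `azure-monitor-activity-log-export-missing` would match the `name` and the extractor message. Also, `'[]'` only fires if `--query 'value[*].id'` evaluates to an empty list; if the command returns a bare list rather than a `value` wrapper, the query prints `null` and the finding is never raised, so verify the output shape against the CLI version the templates target.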

View File

@ -0,0 +1,33 @@
id: azure-network-watcher
info:
name: Azure Network Watcher Service Not Enabled
author: princechaddha
severity: high
description: |
Ensure that Azure Network Watcher service is enabled for all regions in your Microsoft Azure subscription to help monitor and diagnose conditions at the network level.
impact: |
Not having Azure Network Watcher enabled can prevent effective monitoring and diagnosing of network conditions, increasing the risk of network failures going undetected.
remediation: |
Enable Azure Network Watcher in all regions of your Microsoft Azure subscription. Refer to Azure documentation on how to enable and manage Azure Network Watcher.
reference:
- https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview
tags: cloud,devops,azure,microsoft,network-watcher,azure-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
az network watcher list --query '[*].{"location":location,"provisioningState":provisioningState,"resourceGroup":resourceGroup}' --output json
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- '"Azure Network Watcher is not enabled in all locations."'
# digest: 4a0a00473045022100a90a2c79d3f62ae9846f8dc99c8352e4982cd2656ee66b9ed7c0dee0769beb65022064e5dd780b716071fc520646fe4f6e35bcdd5ef35197373bab758accdfca5273:366f2a24c8eb519f6968bd8801c08ebe
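Review bot: the matcher only fires when `az network watcher list` returns an empty list, so a subscription with Network Watcher enabled in some regions but not others passes even though the description requires it "for all regions", and the extractor message ("not enabled in all locations") overstates what was verified. Compare the listed `location` values against the regions actually in use (the locations from `az account list-locations`, or the regions of the subscription's VNets) and report the difference, or reword the finding to "Network Watcher is not enabled in any region".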

View File

@ -0,0 +1,55 @@
id: azure-nic-ip-forwarding-check
info:
name: Review Network Interfaces with IP Forwarding Enabled
author: princechaddha
severity: medium
description: |
Ensure that all Microsoft Azure network interfaces (NICs) with IP forwarding enabled are regularly reviewed for security and compliance reasons. IP forwarding allows a virtual machine (VM) to receive and send network traffic not intended for its own IP, used primarily by network virtual appliances.
impact: |
If improperly managed, IP forwarding can expose Azure environments to security risks, potentially allowing traffic redirection or eavesdropping.
remediation: |
Regularly review and validate the necessity of IP forwarding settings on Azure NICs. Ensure that only authorized and secure virtual appliances use this feature.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-network/ip-forwarding
tags: cloud,devops,azure,microsoft,nic,azure-cloud-config
flow: |
code(1);
for (let NicData of iterate(template.nicdata)) {
NicData = JSON.parse(NicData)
set("name", NicData.name)
set("resourcegroup", NicData.resourceGroup)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az network nic list --output json --query '[*].{name:name, resourceGroup:resourceGroup}'
extractors:
- type: json
name: nicdata
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network nic show --name $name --resource-group $resourcegroup --query 'enableIpForwarding'
matchers:
- type: word
words:
- "true"
extractors:
- type: dsl
dsl:
- 'nsg + " has IP forwarding enabled"'
# digest: 4a0a00473045022100fa8942cfcd4b173abd29f461ddce9023d2f9a27a246d514a9ee91d7c023b2c6c02205e83994f2ffa3b8653ed43c26ccfbd304ff9b3bd6c5ae873989c651f4d8555e0:366f2a24c8eb519f6968bd8801c08ebe
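Review bot: the extractor `'nsg + " has IP forwarding enabled"'` references `nsg`, which is never set; `flow` only sets `name` and `resourcegroup`, so the finding text is built from an undefined variable. Use `name` (and ideally `resourcegroup`) in the message. The second code block also omits the `--output json` that the first block passes, so the `"true"` word match depends on the user's default output format.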

View File

@ -0,0 +1,55 @@
id: azure-vnet-ddos-protection
info:
name: Azure VNet DDoS Unprotected Check
author: princechaddha
severity: medium
description: |
Ensure that DDoS Standard Protection feature is enabled for all your security-critical Microsoft Azure virtual networks (VNETs). DDoS Protection Standard is a premium paid cloud feature that offers enhanced Distributed Denial-of-Service (DDoS) mitigation capabilities via adaptive tuning, attack alert notifications, and telemetry to protect against the impacts of large DDoS attacks for all the protected resources available within your Azure virtual networks.
impact: |
Not enabling DDoS Standard Protection can leave your virtual networks vulnerable to distributed denial-of-service attacks, potentially leading to significant disruptions and loss of service.
remediation: |
Enable DDoS Standard Protection for all security-critical virtual networks in your Microsoft Azure subscription to mitigate the risks associated with DDoS attacks.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
tags: cloud,devops,azure,microsoft,ddos,azure-cloud-config
flow: |
code(1);
for (let VnetData of iterate(template.vnetdata)) {
VnetData = JSON.parse(VnetData)
set("vnet", VnetData.name)
set("resourcegroup", VnetData.resourceGroup)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az network vnet list --query '[*].{name:name, resourceGroup:resourceGroup}' --output json
extractors:
- type: json
name: vnetdata
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network vnet show --resource-group $resourcegroup --name $vnet --query "provisioningState" --output json
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"DDoS Protection is not enabled for " + vnet + " virtual network"'
# digest: 490a0046304402200bce9c9140a58484ea45fe0de42a29d94170399f24fcaff0094e3387f87edcfd02202ef191fc8c24f5641247f1b5feda829bf83b31dfb76794916e1aa8614fdf74a0:366f2a24c8eb519f6968bd8801c08ebe
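Review bot: the second code block queries `provisioningState`, which prints values such as `"Succeeded"` and never `false`, so the `'false'` matcher can never fire and no VNet is ever reported. The DDoS setting is the `enableDdosProtection` boolean in the `az network vnet show` output; query that property instead, and the existing `false` word then flags VNets with the feature off.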