vm checks

Prince Chaddha 2024-09-02 12:21:57 +07:00
parent aa7528aa96
commit d7f4895c4c
20 changed files with 1133 additions and 0 deletions


@ -0,0 +1,54 @@
id: azure-app-tier-vm-disk-unencrypted
info:
name: Azure App-Tier VM Disk Encryption Not Enabled
author: princechaddha
severity: high
description: |
Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) provisioned within the application tier are encrypted to meet security and compliance requirements. The Azure cloud resources in the app tier should be tagged with `<app_tier_tag>:<app_tier_tag_value>`.
impact: |
Unencrypted disk volumes can expose sensitive data and potentially lead to data breaches and non-compliance with regulatory requirements.
remediation: |
Enable disk encryption on all Azure virtual machine disk volumes within the application tier by using Azure Disk Encryption.
reference:
- https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
tags: cloud,devops,azure,microsoft,vm-disk,azure-cloud-config
flow: |
code(1);
for (let vmData of iterate(template.vmList)) {
set("ids", vmData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[?(tags==`{"app_tier_tag":"app_tier_tag_value"}`)].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm encryption show --ids "$ids" --query 'disks'
matchers-condition: and
matchers:
- type: word
words:
- 'Disk is not encrypted'
extractors:
- type: dsl
dsl:
- 'ids + " disk volume is not encrypted"'
# digest: 4a0a00473045022100e8a2e274bb127537cf4734fd429ae6b4b4d4cf7f14a550365d2d9d751748229c022004e3a6a5a6524364dcda5911891e63c42bb83021f536c268b4afc7208ac432a7:366f2a24c8eb519f6968bd8801c08ebe
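Review bot: `set("ids", vmData)` in the flow stores the whole `{"id": ...}` object that the `.[]` extractor yields from the `{"id":id}` projection, so `az vm encryption show --ids "$ids"` receives a JSON fragment instead of a resource id; the sibling azure-vm-boot-disk-unencrypted parses it first with `VMData = JSON.parse(VMData); set("ids", VMData.id);`. The same unparsed-object pattern is in azure-disk-encryption-unattached-volumes (`set("ids", DiskData)`) and azure-vm-accelerated-networking-not-enabled (`set("id", VM)`). The filter on the `az vm list` line compares the whole `tags` object against a literal, so a VM carrying any additional tag is excluded; the per-key form used by azure-vm-web-tier-disk-unencrypted, `tags.web_tier_tag == "web_tier_tag_value"`, is the one that matches a single tag. Detection also differs from that web-tier template, which matches `Azure Disk Encryption is not enabled` on stderr for the same condition; if the CLI reports a VM without ADE only on stderr, this stdout word matcher misses it, which is worth confirming against real output.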


@ -0,0 +1,53 @@
id: azure-disk-encryption-unattached-volumes
info:
name: Azure Disk Encryption Not Enabled for Unattached Disk Volumes
author: princechaddha
severity: medium
description: |
Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The unattached disk volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application.
impact: |
Unencrypted detached disk volumes can expose sensitive data and violate compliance and security policies.
remediation: |
Encrypt all unattached disk volumes using Azure Disk Encryption integrated with Azure Key Vault to ensure data is protected even when disks are detached.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-cli
tags: cloud,devops,azure,microsoft,disk-encryption,azure-cloud-config
flow: |
code(1);
for (let DiskData of iterate(template.diskList)) {
set("ids", DiskData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az disk list --query '[?diskState == `Unattached`].{"id":id}'
extractors:
- type: json
name: diskList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az disk show --ids "$ids" --query '{encryptionSettingsCollection: encryptionSettingsCollection}'
matchers:
- type: word
words:
- '"encryptionSettingsCollection": null'
extractors:
- type: dsl
dsl:
- 'ids + " disk volume is not encrypted"'
# digest: 4a0a00473045022027871450172dcf545b8db234294ff4eb8b8271fc2d2bdb15b93685840ff86232022100abcea3d8976999523efae5ef9ca710124a8ed8668ebb75226832bc4c9523227c:366f2a24c8eb519f6968bd8801c08ebe
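Review bot: Matching `"encryptionSettingsCollection": null` only shows that Azure Disk Encryption settings are absent, yet the extractor reports `disk volume is not encrypted` and the reference points at the host-based encryption CLI page, which is a different mechanism. A managed disk with that collection null is presumably still encrypted at rest with platform- or customer-managed keys, so the finding overstates the condition; if ADE is the intent, say so in the description and the extractor text, and if the at-rest encryption type is the intent, query the disk's `encryption` block instead (field name to be confirmed against `az disk show` output). A one-line comment above the matcher stating which of the two the check is meant to detect would prevent the next reader from re-deriving this.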


@ -0,0 +1,56 @@
id: azure-lb-unused
info:
name: Azure Unused Load Balancer Check
author: princechaddha
severity: low
description: |
Identify any unused load balancers available within your Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to cloud resource management. A Microsoft Azure load balancer is considered unused when it doesn't have any associated backend pool instances. The backend pool instances can be individual virtual machines or instances running within a virtual machine scale set.
impact: |
Unused load balancers incur unnecessary costs and complicate compliance and resource management.
remediation: |
Review and remove unused load balancers that do not have any backend pool instances.
reference:
- https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
tags: cloud,devops,azure,microsoft,load-balancer,azure-cloud-config
flow: |
code(1);
for (let BalancerData of iterate(template.balancerList)) {
BalancerData = JSON.parse(BalancerData);
set("name", BalancerData.Name);
set("resourceGroup", BalancerData.ResourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az network lb list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: balancerList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network lb show --name "$name" --resource-group "$resourceGroup" --query 'backendAddressPools[*].backendIpConfigurations[*].id | []'
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " is unused with no backend instances"'
# digest: 490a00463044022015e1d6ee4d3bbaef184c333044eab6fb66279dc7a54bdbaf0dd279d04c7bfebf02205f95fb236d77ca37f1896ebda483443d5be2ef01d386402132aba59932e944c3:366f2a24c8eb519f6968bd8801c08ebe
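Review bot: The `az network lb show` query counts only `backendIpConfigurations`, so a load balancer whose pool is populated with IP-based backend addresses (the pool's `loadBalancerBackendAddresses` list rather than NIC ip configurations) returns `[]` here and is reported as unused; confirm against the CLI output for such a pool and, if so, include that collection in the same projection or add a second matcher on it. The `[]` word matcher is a substring test, and it is only safe because the `| []` flatten keeps the output to a single array; a comment above `matchers:` noting that dependency would stop someone from widening the query later and getting false matches.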


@ -0,0 +1,70 @@
id: azure-vm-accelerated-networking-disabled
info:
name: Azure VM Accelerated Networking Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving its networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter and CPU utilization, so it can be used with the most demanding network workloads that can be installed on the supported VM types.
impact: |
Disabling Accelerated Networking may result in higher latency and lower throughput on network interfaces attached to VMs, leading to potential performance bottlenecks.
remediation: |
Enable Accelerated Networking on all compatible Azure VMs to ensure optimal network performance. This can be done through the Azure portal or using Azure CLI commands.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-accelerated-networking-cli
tags: cloud,devops,azure,microsoft,virtual-machines,azure-cloud-config
flow: |
code(1);
for(let InstanceDetails of iterate(template.vmIDs)) {
set("vmId", InstanceDetails);
code(2);
for(let NicId of iterate(template.nicIDs)) {
set("nicId", NicId);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].id'
extractors:
- type: json
name: vmIDs
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm show --ids "$vmId" --query 'networkProfile.networkInterfaces[*].id'
extractors:
- type: json
name: nicIDs
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network nic show --ids "$nicId" --query 'enableAcceleratedNetworking'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'vmId + " with NIC " + nicId + " has Accelerated Networking disabled"'
# digest: 4a0a0047304502204a3a14875173b105b0f5b31df6d573bd24e46a7628f6b7cda75e4e93ddca90fb022100f02a40f72b5e100c390738ccd4f2c21babb4f6dff310435bef43bfc032d8f08d:366f2a24c8eb519f6968bd8801c08ebe
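Review bot: Every NIC whose `enableAcceleratedNetworking` is `false` is reported, including NICs on VM sizes that do not support the feature, while the description scopes the recommendation to "supported VM types"; either a size check or a sentence in the description stating that unsupported sizes are expected findings is missing. The inner loop reads `template.nicIDs` after each `code(2)`; if the flow engine accumulates extractor values across iterations rather than replacing them, NICs of earlier VMs would be re-checked under later `vmId` values — worth confirming. A short comment above `flow:` describing the two-level iteration (VM → its NICs) would help the next reader.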


@ -0,0 +1,54 @@
id: azure-vm-accelerated-networking-not-enabled
info:
name: Azure VM Accelerated Networking Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving its networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, so it can be used with the most demanding network workloads that can be installed on the supported VM types.
impact: |
If Accelerated Networking is not enabled, the VM may experience higher latency and lower throughput, leading to suboptimal performance, especially in demanding network scenarios.
remediation: |
Enable Accelerated Networking on all Azure VMs that support this feature to ensure optimal networking performance.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli
tags: cloud,devops,azure,microsoft,vm,azure-cloud-config
flow: |
code(1);
for (let VM of iterate(template.vmList)) {
set("id", VM);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az network nic show --ids "$id" --query 'enableAcceleratedNetworking'
matchers-condition: and
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'enabled: "false"'
# digest: 4b0a00483046022100e830ad0c0823a66131da171a9f1f36ea510d9dca81f20b3f378a420306ed07f8022100ef0bc518ee83acac59e10abd887174fb5b3994957ff7ec023f45ebfe9dfbfe62:366f2a24c8eb519f6968bd8801c08ebe
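Review bot: `az network nic show --ids "$id"` is handed a virtual machine id from `az vm list`, not a NIC id, so the second step cannot succeed as written; the sibling azure-vm-accelerated-networking-disabled in this commit resolves NICs through `az vm show ... networkProfile.networkInterfaces[*].id` first and carries the identical `info.name`. The extractor `'enabled: "false"'` is a constant string and does not identify the affected VM, unlike every other template here. Since the -disabled template already covers this check, dropping this file is cleaner than repairing it.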


@ -0,0 +1,56 @@
id: azure-vm-boot-disk-unencrypted
info:
name: Azure VM Boot Disk Not Encrypted
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure virtual machine (VM) boot volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The boot (OS) volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your cloud application.
impact: |
Unencrypted VM boot volumes may expose sensitive data to unauthorized access, violating security and compliance mandates.
remediation: |
Enable Azure Disk Encryption for VM boot volumes using Azure Key Vault to manage encryption keys and ensure data security.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks
tags: cloud,devops,azure,microsoft,vm-disk-encryption,azure-cloud-config
flow: |
code(1);
for (let VMData of iterate(template.vmList)) {
VMData = JSON.parse(VMData);
set("ids", VMData.id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm encryption show --ids "$ids" --query 'osDisk'
matchers-condition: and
matchers:
- type: word
part: stderr
words:
- 'Azure Disk Encryption is not enabled'
extractors:
- type: dsl
dsl:
- 'ids + " VM Boot Disk is not encrypted"'
# digest: 4a0a0047304502201e58f5ce4509df353866b76d6209727e4300cff4f70df57c0f85f5c9f477b5be022100870c8ea3d98d131bd729b4bb541f05fe8ab22c523bda6a45388c34087e8b955f:366f2a24c8eb519f6968bd8801c08ebe
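Review bot: The stderr matcher `Azure Disk Encryption is not enabled` fires only when the CLI rejects the VM outright; a VM that has ADE configured but whose OS disk still reports an unencrypted status is returned on stdout under `--query 'osDisk'` and is not matched, while the app-tier template in this commit matches the stdout message `Disk is not encrypted` for that case. A second stdout word matcher combined with `matchers-condition: or` would cover both paths; the exact stdout field depends on the CLI version, so confirm it against `az vm encryption show` output. Because managed disks are encrypted at rest with platform keys regardless of ADE, the extractor text would be more accurate as `ids + " does not have Azure Disk Encryption enabled on the OS disk"`.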


@ -0,0 +1,55 @@
id: azure-vm-guest-diagnostics-unenabled
info:
name: Azure VM Guest-Level Diagnostics Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Guest-Level Diagnostics feature is enabled for your Azure virtual machines (VMs) in order to gather diagnostic data useful to create notification alerts and get vital information about the state of your VM applications using advanced metrics.
impact: |
Not having Guest-Level Diagnostics enabled may lead to insufficient data collection for troubleshooting and lack of visibility into application performance and operational health.
remediation: |
Enable Guest-Level Diagnostics on your Azure virtual machines to ensure comprehensive data collection and enhance monitoring capabilities.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/diagnostics
tags: cloud,devops,azure,microsoft,virtual-machines,azure-cloud-config
flow: |
code(1);
for (let VMData of iterate(template.vmList)) {
VMData = JSON.parse(VMData);
set("ids", VMData.id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm show --ids "$ids" --query '{"GuestLevelDiagnosticsConfig": resources[*].settings.ladCfg.diagnosticMonitorConfiguration}'
matchers-condition: and
matchers:
- type: word
words:
- '"GuestLevelDiagnosticsConfig": null'
extractors:
- type: dsl
dsl:
- 'ids + " does not have Guest-Level Diagnostics enabled"'
# digest: 4b0a00483046022100ff0ac529bdade69a122f8be1543b5ac0e42f87c465f85bfe848a3636cb9a3a9d022100c68a9b2cdd58ae666efcb50ed78230a408f9c73435fb6dd3bb4cbeed48030c14:366f2a24c8eb519f6968bd8801c08ebe
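Review bot: The query `resources[*].settings.ladCfg.diagnosticMonitorConfiguration` is a JMESPath projection, which drops null results, so a VM that has extensions but no Linux Diagnostic extension prints `"GuestLevelDiagnosticsConfig": []` rather than `null` and is not matched; only a VM with no extensions at all reaches the `null` matcher. Adding `- '"GuestLevelDiagnosticsConfig": []'` under `words` closes that gap. `ladCfg` is the Linux Diagnostic extension's settings key, so a Windows VM configured through the IaaS Diagnostics extension would presumably still be reported; either state that limitation in the description or add a second query for the Windows settings shape once confirmed.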


@ -0,0 +1,55 @@
id: azure-vm-jit-access-not-enabled
info:
name: Azure VM Just-In-Time Access Not Enabled
author: princechaddha
severity: high
description: |
Ensure that Just-in-Time (JIT) access is enabled for your Azure virtual machines (VMs) in order to allow you to lock down inbound traffic to your VMs and reduce exposure to attacks while providing easy SSH/RDP access when needed.
impact: |
Not having JIT access enabled on Azure VMs can lead to increased exposure to attacks due to unrestricted inbound traffic.
remediation: |
Enable Just-in-Time access for your Azure VMs to control inbound traffic and improve security.
reference:
- https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
tags: cloud,devops,azure,microsoft,security-center,azure-cloud-config
flow: |
code(1);
for (let VMData of iterate(template.vmList)) {
VMData = JSON.parse(VMData);
set("vmId", VMData.id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az security jit-policy list --query '[*].virtualMachines[*].{"id":id} | []'
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'vmId + " does not have Just-in-Time access enabled."'
# digest: 490a0046304402204e1eff5939f96025b5c40b4839b6e60b1096dfc308110a08b693739c20ed3cb302206c994b1f0d18904b5b9a5dadc8849d5f1b6f758533ce24361d329b5367d8bf22:366f2a24c8eb519f6968bd8801c08ebe
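Review bot: The `az security jit-policy list` call in the second step never references `$vmId`, so the `[]` matcher reports every VM when the subscription has no JIT policy and none when any policy exists, regardless of which VMs that policy covers. Filtering the projection by the current id, `az security jit-policy list --query "[*].virtualMachines[?id=='$vmId'].id | []"`, makes the result per-VM (double quotes so the shell expands `$vmId`). JMESPath string comparison is case-sensitive and policy ids may differ in case from `az vm list` output, so confirm on real data or compare lower-cased; listing the policies once in step 1 and iterating them in the flow would also avoid repeating the list call for every VM.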


@ -0,0 +1,63 @@
id: azure-vm-performance-diagnostics-unenabled
info:
name: Azure VM Performance Diagnostics Feature Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Performance Diagnostics feature is enabled for your Microsoft Azure virtual machine instances to help mitigate VM performance issues. Performance Diagnostics installs a VM extension that runs PerfInsights, available for both Windows and Linux operating systems. PerfInsights collects and analyzes diagnostic information to provide findings and recommendations for performance issues.
impact: |
Not enabling Performance Diagnostics may lead to unresolved VM performance issues due to lack of insights into VM's operational state.
remediation: |
Enable the Performance Diagnostics feature by installing the AzurePerformanceDiagnostics extension through Azure Portal or Azure CLI commands to mitigate performance issues and ensure optimal VM operation.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/performance-diagnostics
tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
flow: |
code(1);
for (let vmData of iterate(template.vmList)) {
vmData = JSON.parse(vmData);
set("name", vmData.Name);
set("resourceGroup", vmData.ResourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm extension list --vm-name "$name" --resource-group "$resourceGroup" --output json --query '[*].{"ExtensionName": name, "ProvisioningState": provisioningState}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'AzurePerformanceDiagnosticsLinux'
- type: word
part: body
words:
- 'Succeeded'
negative: true
extractors:
- type: dsl
dsl:
- '"Performance Diagnostics is not enabled for " + name + " in " + resourceGroup'
# digest: 490a0046304402206da53c860985c0c8ffc37d5e5ab9e923565eaa6e40edc684fc8a5f4d4add838902207a3ae1db421bbce53296dbe5c7791fdaae6348c91ab49edc28228afc16a2fb6e:366f2a24c8eb519f6968bd8801c08ebe
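Review bot: With `matchers-condition: and`, the first word matcher requires `AzurePerformanceDiagnosticsLinux` to be present in the extension list, so a VM with no Performance Diagnostics extension at all — the case the check is named for — is never reported; only a VM where the extension exists and no extension in the output reads `Succeeded` matches. The Windows extension name `AzurePerformanceDiagnostics` is not considered either. Narrowing the query to that extension's provisioning state and keeping just the negative matcher makes the absent, failed and succeeded cases behave as intended; the existing query keys on the extension `name`, so if deployments rename the extension the publisher/type fields would be the stabler key.
```yaml
source: |
  az vm extension list --vm-name "$name" --resource-group "$resourceGroup" --output json --query "[?contains(name, 'AzurePerformanceDiagnostics')].provisioningState"
matchers:
  - type: word
    part: body
    words:
      - 'Succeeded'
    negative: true
# … unchanged: extractors …
```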


@ -0,0 +1,53 @@
id: azure-vm-ssh-auth-type
info:
name: Azure VM SSH Authentication Type Not Using Keys
author: princechaddha
severity: high
description: |
Ensure that your production Microsoft Azure virtual machines are configured to use SSH keys instead of username/password credentials for SSH authentication. Using SSH keys enhances security by eliminating the risks associated with password-based authentication.
impact: |
Using password-based SSH authentication can expose virtual machines to unauthorized access if the passwords are weak or compromised.
remediation: |
Configure all Azure virtual machines to use SSH keys for authentication. Disable password authentication to enhance the security of your virtual machines.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/ssh-from-windows
tags: cloud,devops,azure,microsoft,vm,azure-cloud-config
flow: |
code(1);
for (let vmData of iterate(template.vmList)) {
set("ids", vmData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].id'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm show --ids "$ids" --query 'osProfile.linuxConfiguration.disablePasswordAuthentication'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'ids + " is configured with password-based SSH authentication, which is insecure"'
# digest: 4a0a00473045022100abb56aca0db2f579068288117d27c396428bdf8a89c72857ddc69158bbc928f602206519277589624b64e1448ab9184fa83e39d5381a24b740db1b2a4781edcf7828:366f2a24c8eb519f6968bd8801c08ebe


@ -0,0 +1,55 @@
id: azure-vm-standard-ssd-required
info:
name: Azure VM Premium SSD Not Required
author: princechaddha
severity: high
description: |
Ensure that your Microsoft Azure virtual machines (VMs) are using Standard SSD disk volumes instead of Premium SSD volumes for cost-effective storage that fits a broad range of workloads from web servers to enterprise applications that need consistent performance at lower IOPS levels. Unless you are running mission-critical applications or performance sensitive workloads that need more than 6000 IOPS or 750 MiB/s of throughput per VM disk volume, Cloud Conformity recommends converting your Premium SSD volumes to Standard SSD in order to lower the cost of your Azure monthly bill.
impact: |
Using Premium SSD volumes when not required can significantly increase the cost without providing necessary benefits for non-critical workloads, leading to inefficient resource utilization and budget overruns.
remediation: |
Convert any Premium SSD volumes to Standard SSD unless the workload requires high performance disk specifications. This can be achieved through Azure's portal or via CLI commands.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types
tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
flow: |
code(1);
for (let VMData of iterate(template.vmList)) {
VMData = JSON.parse(VMData);
set("ids", VMData.id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[*].{"id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm show --ids "$ids" --query 'storageProfile.{"osDiskStorageType":osDisk.managedDisk.storageAccountType,"dataDiskStorageType":dataDisks[*].managedDisk.storageAccountType}'
matchers-condition: and
matchers:
- type: word
words:
- 'Premium_LRS'
extractors:
- type: dsl
dsl:
- 'ids + " is using Premium SSD volumes for OS or data disks which is not recommended for its current workload"'
# digest: 4b0a0048304602210081810b11a5eb9a9a212274f2c75acebae3895a452809bada26ee083b0eeede04022100c9b7d24d67e10c6691bef71d730c53c4edfdc2c6f5c9df072bc37c2129a5e8bc:366f2a24c8eb519f6968bd8801c08ebe
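Review bot: The matcher lists only `Premium_LRS`, so VMs on `Premium_ZRS` or `PremiumV2_LRS` disks pass the check although they are the same cost class; adding those two values to `words` (word matchers OR by default) covers them. `severity: high` for a cost-only recommendation is out of step with the other cost checks in this commit (azure-lb-unused and azure-vmss-empty-unattached are `low`), and the `info.name` `Azure VM Premium SSD Not Required` does not agree with the id `azure-vm-standard-ssd-required`. The description's `Cloud Conformity recommends` is vendor text that should be dropped or attributed.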


@ -0,0 +1,56 @@
id: azure-vm-unapproved-image
info:
name: Azure VM Not Using Approved Image
author: princechaddha
severity: medium
description: |
Ensure that all the Azure virtual machine (VM) instances necessary for your application stack are launched from an approved base Azure machine image, known as golden machine image, in order to enforce application security best practices, consistency, and save time when scaling your application.
impact: |
Using unapproved machine images can lead to inconsistencies and potential security vulnerabilities in your application stack.
remediation: |
Ensure all Azure VM instances are launched from approved machine images. Update any instances that are not using the approved images.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview
tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
flow: |
code(1);
for (let VMData of iterate(template.vmList)) {
VMData = JSON.parse(VMData);
set("name", VMData.Name);
set("resourceGroup", VMData.ResourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm show --name "$name" --resource-group "$resourceGroup" --query '{"ImageId": storageProfile.imageReference.id}'
matchers-condition: and
matchers:
- type: word
words:
- '"ImageId": null'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " is using an unapproved Azure machine image"'
# digest: 490a00463044022050a761d6b7c0d9d6fe78958b9cb5477db2aebee81bd4556c3bc067e00141cce102204694f059ec7e4450542a52fed8d2e706dde2247eb4f436ce0a4fd967ec3bcd33:366f2a24c8eb519f6968bd8801c08ebe
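Review bot: Matching `"ImageId": null` flags every VM built from a marketplace image, where `imageReference.id` is null, and accepts any VM with a non-null id whatever image that is; nothing in the template encodes which images are approved, so the name and the `is using an unapproved Azure machine image` finding are not established by the check. To make them true the matcher needs an allow-list, e.g. `words: ['<approved_image_id>']` with `negative: true` (one entry per approved gallery/image id, placeholder to be filled per tenant), or the description and extractor should be reworded to "not launched from a custom image".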


@ -0,0 +1,56 @@
id: azure-vm-web-tier-disk-unencrypted
info:
name: Azure VM Web-Tier Disk Volumes Not Encrypted
author: princechaddha
severity: high
description: |
Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.
impact: |
Unencrypted disk volumes can lead to data breaches and non-compliance with security standards, exposing sensitive information.
remediation: |
Enable encryption for all disk volumes attached to VMs within the Azure web tier to enhance data security and comply with regulatory requirements.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks
tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config
flow: |
code(1);
for (let VmData of iterate(template.vmList)) {
VmData = JSON.parse(VmData);
set("ids", VmData.Id);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vm list --query '[?(tags.web_tier_tag == "web_tier_tag_value")].{"Id":id}'
extractors:
- type: json
name: vmList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vm encryption show --ids "$ids" --query 'disks'
matchers-condition: and
matchers:
- type: word
part: stderr
words:
- 'Azure Disk Encryption is not enabled'
extractors:
- type: dsl
dsl:
- 'ids + " in " + " is not encrypted"'
# digest: 4a0a00473045022079060ef72f3349de321e9f17c0b937347a1ce1d40225c2739175b51a47efd714022100865908f8227c1b917cbe8db3d5d3b7ad890305396c4d8e1236682290b65a845c:366f2a24c8eb519f6968bd8801c08ebe
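Review bot: The extractor `'ids + " in " + " is not encrypted"'` concatenates a dangling `" in "` with nothing after it, so the finding reads `<id> in  is not encrypted`; use `'ids + " is not encrypted"'` or include the resource group as the sibling templates do. The description's `Tags must be configured on the Cloud Conformity dashboard` is vendor text that does not apply here — the tag key and value are the literal placeholders in the `az vm list` filter and should be called out as values to edit before use. The stderr-based detection also differs from azure-app-tier-vm-disk-unencrypted, which checks stdout for the same condition; the two tier templates should share one approach.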


@ -0,0 +1,55 @@
id: azure-vmss-auto-os-upgrade-missing
info:
name: Azure VMSS Automatic OS Upgrade Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers. Automatic OS Upgrades feature supports both Windows and Linux images, and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created using the latest image version available. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained. To minimize the application downtime, the upgrades take place in multiple batches, with a maximum of 20% of the scale set upgrading at any time.
impact: |
Failure to enable automatic OS upgrades can lead to outdated OS versions in use, which may lack critical security updates and features, increasing the risk of security vulnerabilities and operational inefficiencies.
remediation: |
Enable automatic OS upgrades in Azure VMSS settings to ensure all instances are updated automatically with the latest OS image version, thereby improving security and reducing manual maintenance overhead.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let VmssData of iterate(template.vmssList)) {
VmssData = JSON.parse(VmssData);
set("name", VmssData.Name);
set("resourceGroup", VmssData.ResourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: vmssList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticOsUpgrades": upgradePolicy.automaticOsUpgradePolicy.enableAutomaticOsUpgrade}'
matchers:
- type: word
words:
- '"AutomaticOsUpgrades": null'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " does not have automatic OS upgrades enabled"'
# digest: 4a0a0047304502205a186c2011703103169ba7d37bbddf0427812e0a42a89b9cee842f4abeee42de022100aeb11286bd19e1018aafd78d25644447b1f2725f7024d2f39ec8ad3133cb6f2d:366f2a24c8eb519f6968bd8801c08ebe
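Review bot: The matcher `"AutomaticOsUpgrades": null` only catches scale sets where the policy object is absent; a scale set with the policy present but `enableAutomaticOsUpgrade` set to `false` prints `"AutomaticOsUpgrades": false` and is not reported. Adding `- '"AutomaticOsUpgrades": false'` under `words` covers it (word matchers OR by default). The same null-only matcher is in azure-vmss-auto-repairs-disabled (`"AutomaticRepairsPolicyEnabled": null`), which needs the matching `false` entry.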


@ -0,0 +1,56 @@
id: azure-vmss-auto-repairs-disabled
info:
name: Azure VMSS Automatic Instance Repairs Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.
impact: |
Not having Automatic Instance Repairs enabled can lead to prolonged downtime and potential service disruption as unhealthy instances may not be promptly replaced.
remediation: |
Enable the Automatic Instance Repairs feature for Azure VMSS to ensure high availability and resilience of your applications.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let ScaleSetData of iterate(template.scaleSetList)) {
ScaleSetData = JSON.parse(ScaleSetData);
set("name", ScaleSetData.name);
set("resourceGroup", ScaleSetData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: scaleSetList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}'
matchers-condition: and
matchers:
- type: word
words:
- '"AutomaticRepairsPolicyEnabled": null'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " does not have automatic instance repairs enabled"'
# digest: 490a00463044022007e684eead738a34e1ce2675bddf07e08c822f3e76922cd80d5befe9391ee724022038ea234d154189fe4bb1d182c6417ad16d953b58b2875ca1e6d8d5ab5b7ff1c4:366f2a24c8eb519f6968bd8801c08ebe


@ -0,0 +1,56 @@
id: azure-vmss-empty-unattached
info:
name: Azure Virtual Machine Scale Sets Empty and Unattached
author: princechaddha
severity: low
description: |
Identify any empty virtual machine scale sets available within your Microsoft Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to unused resources. A Microsoft Azure virtual machine scale set is considered empty when it doesn't have any VM instances attached anymore and is no longer associated with a load balancer.
impact: |
Maintaining empty VM scale sets can incur unnecessary costs and occupy valuable resources that could be utilized elsewhere.
remediation: |
Regularly check and remove any VM scale sets that do not contain any VM instances and are not associated with any load balancers.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let ScaleSetData of iterate(template.scaleSetList)) {
ScaleSetData = JSON.parse(ScaleSetData);
set("name", ScaleSetData.Name);
set("resourceGroup", ScaleSetData.ResourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: scaleSetList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss list-instances --name "$name" --resource-group "$resourceGroup" --query '[*].id'
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " is empty and unattached"'
# digest: 490a00463044022058363fdaf7c7ff8476d3bfe2e0bb04963013776b29a1460cf04b46318a89a2ff022002177f197a83f05c24603c8b467bad648457201766f4addf03f2a76b579ce469:366f2a24c8eb519f6968bd8801c08ebe
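Review bot: The finding `is empty and unattached` and the description's "no longer associated with a load balancer" are not established by the check, which only tests `az vmss list-instances` for `[]`; a scale set scaled to zero but still wired to a load balancer is reported as unattached. Either add a second step on `loadBalancerBackendAddressPools` (the query used by azure-vmss-load-balancer-unassociated in this commit) under `matchers-condition: and`, or reword the extractor to `name + " in " + resourceGroup + " has no VM instances"`.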


@ -0,0 +1,56 @@
id: azure-vmss-load-balancer-unassociated
info:
name: Azure VMSS Load Balancer Unassociated
author: princechaddha
severity: medium
description: |
Ensure that each Microsoft Azure virtual machine scale set is integrated with a load balancer in order to distribute incoming traffic among healthy virtual machine instances running within the scale set. Azure load balancer is a layer 4 load balancer that provides low latency, high throughput, and scales up to millions of flows for all TCP and UDP web applications.
impact: |
Virtual machine scale sets without associated load balancers may experience uneven traffic distribution and potential bottlenecks, affecting performance and reliability.
remediation: |
Ensure each Azure virtual machine scale set is integrated with a load balancer to distribute incoming traffic effectively among instances.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-load-balancer
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let VmssData of iterate(template.vmssList)) {
VmssData = JSON.parse(VmssData);
set("name", VmssData.Name);
set("resourceGroup", VmssData.ResourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: vmssList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].loadBalancerBackendAddressPools[*].id | []'
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " is not associated with a load balancer"'
# digest: 4b0a00483046022100a87a44d5219422b4078004b749fc81104c0c86c171d328cff2976ad99ccb5f41022100a5214007f585143fb1189673612a487c75f62b48b88be78cb1e57c1e5c863e2e:366f2a24c8eb519f6968bd8801c08ebe
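Review bot: The query at L919 inspects only `loadBalancerBackendAddressPools`, so a scale set whose NIC configuration is attached to an Application Gateway backend pool (`applicationGatewayBackendAddressPools`) yields `[]` and is reported as unassociated even though its traffic is being distributed; either project both pool lists before treating an empty result as a finding, or state in the description that only Azure Load Balancer is recognised. If `virtualMachineProfile` is absent for a scale set (possible in Flexible orchestration mode, to be confirmed) the projection returns null rather than `[]`, so such sets are neither flagged nor reported.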


@ -0,0 +1,56 @@
id: azure-vmss-public-ip-disabled
info:
name: Azure VMSS Public IP Not Assigned
author: princechaddha
severity: high
description: |
Ensure that instances running within your Microsoft Azure virtual machine scale set (VMSS) are not configured with public IP addresses. Assigning public IP addresses to individual VMSS instances increases attack surface, making it harder to manage and secure the environment.
impact: |
Instances with public IP addresses are more exposed to potential external attacks, increasing the security risks for the Azure environment.
remediation: |
Configure your VMSS to disable public IP address assignments to its instances. Ensure that all networking is handled through internal networking resources.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let InstanceData of iterate(template.vmssList)) {
InstanceData = JSON.parse(InstanceData);
set("name", InstanceData.name);
set("resourceGroup", InstanceData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: vmssList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss list-instance-public-ips --name "$name" --resource-group "$resourceGroup" --query '[*].ipAddress'
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " has no public IP addresses assigned."'
# digest: 4a0a00473045022100bccaeecd1bc7d38fcfcb801f89dc43967acb91d8a3c7c277609f8e0503de541302201876ee95889d563e09985d15311c427df2cc1aa543ce1d91e1e98311f64dd273:366f2a24c8eb519f6968bd8801c08ebe
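Review bot: The matcher at L976–L978 inverts the control: `[]` is the output when no public IP is assigned, which is the compliant state the description asks for, so the template fires on compliant scale sets (the message at L982 even says so) and never on those that do expose public IPs. The smallest fix is `negative: true` on the word matcher together with a message of `name + " in " + resourceGroup + " has public IP addresses assigned"`, but a negative match also fires whenever az prints an error instead of a list, so a positive match on an address literal is safer; the regex below covers IPv4 only and would need extending if IPv6 public addresses are in scope.
```yaml
# … unchanged: id, info, flow, code(1) …
        matchers:
          - type: regex
            regex:
              - '"[0-9]{1,3}(\.[0-9]{1,3}){3}"'
        extractors:
          - type: dsl
            dsl:
              - 'name + " in " + resourceGroup + " has public IP addresses assigned"'
```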


@ -0,0 +1,56 @@
id: azure-vmss-termination-notif-disabled
info:
name: Azure VMSS Instance Termination Notifications Disabled
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Metadata service and have a predefined delay timeout configured for the "Terminate" operation (event). The termination notifications are delivered through Scheduled Events, an Azure Metadata feature which sends termination notifications, and can also be used to delay impactful operations such as reboots and redeployments. The delay associated with the "Terminate" event will depend on the delay limit specified in the VM scale set model configuration.
impact: |
Failing to enable instance termination notifications can lead to insufficient preparation time for termination events, potentially disrupting operations and leading to data loss.
remediation: |
Configure the termination notification feature for all your Azure VM scale sets to receive proper alerts and set a reasonable delay for the termination events.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-terminate-notification
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let ScaleSetData of iterate(template.scaleSetList)) {
ScaleSetData = JSON.parse(ScaleSetData);
set("name", ScaleSetData.name);
set("resourceGroup", ScaleSetData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: scaleSetList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"TerminateNotificationProfileStatus": virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile.enable}'
matchers-condition: and
matchers:
- type: word
words:
- '"TerminateNotificationProfileStatus": null'
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " does not have termination notifications enabled."'
# digest: 4b0a00483046022100fc7e344e021eb8ecfaa86f2561b79711dca92107c9dbaf372fcf6d781cc344c1022100e3d4685520a75f5f1fc06cf83cd2308be07c738e030eb6b38f1e6bd4c978bed4:366f2a24c8eb519f6968bd8801c08ebe
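Review bot: The word matcher at L1032 only recognises `"TerminateNotificationProfileStatus": null`, so a scale set whose terminate notification profile exists but has `enable` set to `false` — also "disabled" per the title — produces `false` and is never reported. Adding `- '"TerminateNotificationProfileStatus": false'` beneath the existing entry in `words` covers it, since the entries of one word matcher are OR-ed by default. The delay timeout the description mentions (`notBeforeTimeout` on the same profile) is not checked at all; if it is part of the control, a second query on that field would be needed.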


@ -0,0 +1,62 @@
id: azure-vmss-zone-redundancy-missing
info:
name: Azure VMSS Zone-Redundant Configuration Not Enabled
author: princechaddha
severity: high
description: |
Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect the scale sets from datacenter-level failures.
impact: |
Using single-zone configurations can lead to potential datacenter-level outages affecting your services' availability and reliability.
remediation: |
Configure your VMSS to use zone-redundant availability configurations to ensure high availability and fault tolerance across multiple data centers.
reference:
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-design-overview
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
flow: |
code(1);
for (let ScaleSetData of iterate(template.scaleSetList)) {
ScaleSetData = JSON.parse(ScaleSetData);
set("name", ScaleSetData.name);
set("resourceGroup", ScaleSetData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
extractors:
- type: json
name: scaleSetList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az vmss show --name "$name" --resource-group "$resourceGroup" --query 'zones' --output json
matchers-condition: and
matchers:
- type: word
part: body
words:
- '[]'
- type: word
negative: true
words:
- "1"
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " is not using a zone-redundant configuration"'
# digest: 4b0a00483046022100aa67333d18d97c02ad8b20780c2e3f43fb9c3561d62b6639ffab58afd7daf7eb0221009f2e1dd29e3f49922a15bda6124f0e8b2162c17e4d0085e128c471e2d2a4c5dd:366f2a24c8eb519f6968bd8801c08ebe
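Review bot: The matchers at L1084–L1091 only fire on the literal `[]`, so a scale set pinned to a single zone (for example `zones` of `["2"]`) is never reported even though the description targets exactly those single-zone configurations, and the negative match on `"1"` at L1091 cannot add anything when the positive match already requires `[]`, which contains no digit. A single regex matcher covering both the empty and the one-element case expresses the intent: `- type: regex` / `regex:` / `- '^\s*\[\s*("[0-9]+"\s*)?\]\s*$'`, replacing both word matchers. If `zones` is unset the CLI may print nothing rather than `[]` (to be confirmed), in which case regional scale sets would also be missed and the regex should be relaxed to accept empty output.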