vm checks
parent
aa7528aa96
commit
d7f4895c4c
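--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-app-tier-vm-disk-unencrypted.yaml
@@ -0,0 +1,54 @@
+id: azure-app-tier-vm-disk-unencrypted
+info:
+  name: Azure App-Tier VM Disk Encryption Not Enabled
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) provisioned within the application tier are encrypted to meet security and compliance requirements. The Azure cloud resources in the app tier should be tagged with `<app_tier_tag>:<app_tier_tag_value>`.
+  impact: |
+    Unencrypted disk volumes can expose sensitive data and potentially lead to data breaches and non-compliance with regulatory requirements.
+  remediation: |
+    Enable disk encryption on all Azure virtual machine disk volumes within the application tier by using Azure Disk Encryption.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
+  tags: cloud,devops,azure,microsoft,vm-disk,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let vmData of iterate(template.vmList)) {
+    set("ids", vmData);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[?(tags==`{"app_tier_tag":"app_tier_tag_value"}`)].{"id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm encryption show --ids "$ids" --query 'disks'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Disk is not encrypted'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " disk volume is not encrypted"'
+# digest: 4a0a00473045022100e8a2e274bb127537cf4734fd429ae6b4b4d4cf7f14a550365d2d9d751748229c022004e3a6a5a6524364dcda5911891e63c42bb83021f536c268b4afc7208ac432a7:366f2a24c8eb519f6968bd8801c08ebe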
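Review bot: The `flow` loop does `set("ids", vmData)` on the raw element of `vmList`, but code(1) projects objects (`{"id":id}`) and the `.[]` extractor yields those objects, so `--ids "$ids"` in code(2) receives a JSON object string rather than a resource id; the smallest fix is to project the id directly, `az vm list --query "[?tags.app_tier_tag == 'app_tier_tag_value'].id"`, which also replaces the current filter that compares the whole `tags` map against a one-key literal and therefore skips any app-tier VM carrying additional tags. azure-disk-encryption-unattached-volumes (`set("ids", DiskData)`) and azure-vm-accelerated-networking-not-enabled (`set("id", VM)`) have the same unparsed-object mismatch; the sibling templates that call `JSON.parse` and read `.id` show the alternative. The matcher word `Disk is not encrypted` differs from what the boot-disk and web-tier templates match for the same command (`Azure Disk Encryption is not enabled` on `part: stderr`), so at least one of them is keyed to a string the CLI does not print — worth confirming against real output before merge.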
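--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-disk-encryption-unattached-volumes.yaml
@@ -0,0 +1,53 @@
+id: azure-disk-encryption-unattached-volumes
+info:
+  name: Azure Disk Encryption Not Enabled for Unattached Disk Volumes
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that your detached Microsoft Azure virtual machine (VM) disk volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) inside your VMs using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The unattached disk volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your application.
+  impact: |
+    Unencrypted detached disk volumes can expose sensitive data and violate compliance and security policies.
+  remediation: |
+    Encrypt all unattached disk volumes using Azure Disk Encryption integrated with Azure Key Vault to ensure data is protected even when disks are detached.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-cli
+  tags: cloud,devops,azure,microsoft,disk-encryption,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let DiskData of iterate(template.diskList)) {
+    set("ids", DiskData);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az disk list --query '[?diskState == `Unattached`].{"id":id}'
+
+    extractors:
+      - type: json
+        name: diskList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az disk show --ids "$ids" --query '{encryptionSettingsCollection: encryptionSettingsCollection}'
+
+    matchers:
+      - type: word
+        words:
+          - '"encryptionSettingsCollection": null'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " disk volume is not encrypted"'
+# digest: 4a0a00473045022027871450172dcf545b8db234294ff4eb8b8271fc2d2bdb15b93685840ff86232022100abcea3d8976999523efae5ef9ca710124a8ed8668ebb75226832bc4c9523227c:366f2a24c8eb519f6968bd8801c08ebe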
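Review bot: `encryptionSettingsCollection` only carries Azure Disk Encryption settings, while every managed disk is already encrypted at rest by server-side encryption, so a `null` here identifies a detached disk without ADE metadata, not an unencrypted disk, and the DSL message `disk volume is not encrypted` overstates the finding. If the control being enforced is customer-managed keys, the property to test is `encryption.type` (`EncryptionAtRestWithCustomerKey` or `EncryptionAtRestWithPlatformAndCustomerKeys`); if it really is ADE, the name, impact and extractor text should say "Azure Disk Encryption not configured". The description's sentences about encryption "inside your VMs using the CPU" were written for attached disks and do not describe what this check inspects; a one-line description stating which property is read would be clearer. The reference link points at host-based encryption, which is a third mechanism the template does not check.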
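--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-lb-unused.yaml
@@ -0,0 +1,56 @@
+id: azure-lb-unused
+info:
+  name: Azure Unused Load Balancer Check
+  author: princechaddha
+  severity: low
+  description: |
+    Identify any unused load balancers available within your Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to cloud resource management. A Microsoft Azure load balancer is considered unused when it doesn't have any associated backend pool instances. The backend pool instances can be individual virtual machines or instances running within a virtual machine scale set.
+  impact: |
+    Unused load balancers incur unnecessary costs and complicate compliance and resource management.
+  remediation: |
+    Review and remove unused load balancers that do not have any backend pool instances.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview
+  tags: cloud,devops,azure,microsoft,load-balancer,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let BalancerData of iterate(template.balancerList)) {
+    BalancerData = JSON.parse(BalancerData);
+    set("name", BalancerData.Name);
+    set("resourceGroup", BalancerData.ResourceGroup);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az network lb list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
+
+    extractors:
+      - type: json
+        name: balancerList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az network lb show --name "$name" --resource-group "$resourceGroup" --query 'backendAddressPools[*].backendIpConfigurations[*].id | []'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '[]'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'name + " in " + resourceGroup + " is unused with no backend instances"'
+# digest: 490a00463044022015e1d6ee4d3bbaef184c333044eab6fb66279dc7a54bdbaf0dd279d04c7bfebf02205f95fb236d77ca37f1896ebda483443d5be2ef01d386402132aba59932e944c3:366f2a24c8eb519f6968bd8801c08ebe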
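Review bot: The code(2) query walks only `backendIpConfigurations`, so a load balancer whose pools are IP-based (members under `loadBalancerBackendAddresses`, if I read the current schema right) returns `[]` and is reported as unused although it is serving traffic, and the remediation text then tells the operator to delete it. The query should consider both collections, for example `--query 'backendAddressPools[*].[backendIpConfigurations[*].id, loadBalancerBackendAddresses[*].name] | [] | []'`. The word match on `[]` works only because the CLI prints an empty array as exactly `[]` while a non-empty one spans several lines; a comment above the matcher such as `# an empty JMESPath result prints as "[]" on one line; a populated array never contains that substring` would keep someone from "tightening" it later.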
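--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-accelerated-networking-disabled.yaml
@@ -0,0 +1,70 @@
+id: azure-vm-accelerated-networking-disabled
+info:
+  name: Azure VM Accelerated Networking Not Enabled
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving its networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter and CPU utilization, so it can be used with the most demanding network workloads that can be installed on the supported VM types.
+  impact: |
+    Disabling Accelerated Networking may result in higher latency and lower throughput on network interfaces attached to VMs, leading to potential performance bottlenecks.
+  remediation: |
+    Enable Accelerated Networking on all compatible Azure VMs to ensure optimal network performance. This can be done through the Azure portal or using Azure CLI commands.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-accelerated-networking-cli
+  tags: cloud,devops,azure,microsoft,virtual-machines,azure-cloud-config
+
+flow: |
+  code(1);
+  for(let InstanceDetails of iterate(template.vmIDs)) {
+    set("vmId", InstanceDetails);
+    code(2);
+    for(let NicId of iterate(template.nicIDs)) {
+      set("nicId", NicId);
+      code(3);
+    }
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].id'
+
+    extractors:
+      - type: json
+        name: vmIDs
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm show --ids "$vmId" --query 'networkProfile.networkInterfaces[*].id'
+
+    extractors:
+      - type: json
+        name: nicIDs
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az network nic show --ids "$nicId" --query 'enableAcceleratedNetworking'
+
+    matchers:
+      - type: word
+        words:
+          - 'false'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'vmId + " with NIC " + nicId + " has Accelerated Networking disabled"'
+# digest: 4a0a0047304502204a3a14875173b105b0f5b31df6d573bd24e46a7628f6b7cda75e4e93ddca90fb022100f02a40f72b5e100c390738ccd4f2c21babb4f6dff310435bef43bfc032d8f08d:366f2a24c8eb519f6968bd8801c08ebe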
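Review bot: This template and azure-vm-accelerated-networking-not-enabled (later in the same commit) declare the identical `info.name`, so a report shows two findings with the same title for one condition; this one is the working implementation, so the other should be removed or renamed. In the `flow`, the inner loop reads `template.nicIDs` after each `code(2)`; whether `iterate` then sees only the current VM's NICs or the values accumulated from earlier iterations depends on how the flow engine scopes extractor results, and a VM without NICs following one with several would show which — worth a test and a comment, e.g. `// nicIDs is refilled by code(2) for the current vmId`. The bare `false` matcher is adequate because the query selects a single boolean, but `az network nic show` can also print `null` for a NIC without that property, which this template silently treats as enabled; say so in a comment or add `null` to the words list if the stricter reading is intended.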
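--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-accelerated-networking-not-enabled.yaml
@@ -0,0 +1,54 @@
+id: azure-vm-accelerated-networking-not-enabled
+info:
+  name: Azure VM Accelerated Networking Not Enabled
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that Accelerated Networking feature is enabled for your Azure virtual machines (VMs) in order to provide low latency and high throughput for the network interfaces (NICs) attached to the VMs. Accelerated networking enables single root input/output virtualization (SR-IOV) for virtual machines, vastly improving its networking performance. This high-performance pathway bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, so it can be used with the most demanding network workloads that can be installed on the supported VM types.
+  impact: |
+    If Accelerated Networking is not enabled, the VM may experience higher latency and lower throughput, leading to suboptimal performance, especially in demanding network scenarios.
+  remediation: |
+    Enable Accelerated Networking on all Azure VMs that support this feature to ensure optimal networking performance.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli
+  tags: cloud,devops,azure,microsoft,vm,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VM of iterate(template.vmList)) {
+    set("id", VM);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].{"id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az network nic show --ids "$id" --query 'enableAcceleratedNetworking'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'false'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'enabled: "false"'
+# digest: 4b0a00483046022100e830ad0c0823a66131da171a9f1f36ea510d9dca81f20b3f378a420306ed07f8022100ef0bc518ee83acac59e10abd887174fb5b3994957ff7ec023f45ebfe9dfbfe62:366f2a24c8eb519f6968bd8801c08ebe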
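Review bot: code(2) passes a virtual-machine id to `az network nic show --ids "$id"`; the id names a `Microsoft.Compute/virtualMachines` resource, not a network interface, so the command errors for every VM and the `false` matcher cannot fire on real data. The NIC ids have to be read first from the VM's `networkProfile.networkInterfaces[*].id`, which is exactly what azure-vm-accelerated-networking-disabled already does, so the simplest resolution is to delete this file rather than repair it. If it is kept, the DSL extractor `'enabled: "false"'` is a constant that identifies neither VM nor NIC; `'id + " has Accelerated Networking disabled"'` preserves the resource in the finding.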
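--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-boot-disk-unencrypted.yaml
@@ -0,0 +1,56 @@
+id: azure-vm-boot-disk-unencrypted
+info:
+  name: Azure VM Boot Disk Not Encrypted
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that your Microsoft Azure virtual machine (VM) boot volumes are encrypted using Azure Disk Encryption in order to meet security and compliance requirements. ADE encrypts the OS and data disks of Azure virtual machines (VMs) using the CPU via the DM-Crypt feature for Linux or the BitLocker feature for Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets. The boot (OS) volumes encryption and decryption is handled transparently and does not require any additional action from you, your Azure virtual machine, or your cloud application.
+  impact: |
+    Unencrypted VM boot volumes may expose sensitive data to unauthorized access, violating security and compliance mandates.
+  remediation: |
+    Enable Azure Disk Encryption for VM boot volumes using Azure Key Vault to manage encryption keys and ensure data security.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks
+  tags: cloud,devops,azure,microsoft,vm-disk-encryption,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VMData of iterate(template.vmList)) {
+    VMData = JSON.parse(VMData);
+    set("ids", VMData.id);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].{"id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm encryption show --ids "$ids" --query 'osDisk'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: stderr
+        words:
+          - 'Azure Disk Encryption is not enabled'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " VM Boot Disk is not encrypted"'
+# digest: 4a0a0047304502201e58f5ce4509df353866b76d6209727e4300cff4f70df57c0f85f5c9f477b5be022100870c8ea3d98d131bd729b4bb541f05fe8ab22c523bda6a45388c34087e8b955f:366f2a24c8eb519f6968bd8801c08ebe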
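Review bot: The matcher keys on the human-readable stderr text `Azure Disk Encryption is not enabled`, which ties the check to one CLI message and silently stops firing when the wording changes; the `osDisk` value that `--query` already selects is the stable thing to match on stdout (as far as I recall it reports `Encrypted` or `NotEncrypted`, confirm on the installed CLI), and the same applies to azure-vm-web-tier-disk-unencrypted. The check also treats every VM without the ADE extension as having an unencrypted boot disk, although a VM using encryption at host or a disk encryption set has its OS disk encrypted with customer-managed keys; either state in the description that ADE specifically is required or also test `securityProfile.encryptionAtHost` and `storageProfile.osDisk.managedDisk.diskEncryptionSet` before reporting. The `matchers-condition: and` line is redundant with a single matcher; harmless, but it invites the reader to look for a second one.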
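--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-guest-diagnostics-unenabled.yaml
@@ -0,0 +1,55 @@
+id: azure-vm-guest-diagnostics-unenabled
+info:
+  name: Azure VM Guest-Level Diagnostics Not Enabled
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that Guest-Level Diagnostics feature is enabled for your Azure virtual machines (VMs) in order to gather diagnostic data useful to create notification alerts and get vital information about the state of your VM applications using advanced metrics.
+  impact: |
+    Not having Guest-Level Diagnostics enabled may lead to insufficient data collection for troubleshooting and lack of visibility into application performance and operational health.
+  remediation: |
+    Enable Guest-Level Diagnostics on your Azure virtual machines to ensure comprehensive data collection and enhance monitoring capabilities.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/diagnostics
+  tags: cloud,devops,azure,microsoft,virtual-machines,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VMData of iterate(template.vmList)) {
+    VMData = JSON.parse(VMData);
+    set("ids", VMData.id);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].{"id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm show --ids "$ids" --query '{"GuestLevelDiagnosticsConfig": resources[*].settings.ladCfg.diagnosticMonitorConfiguration}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"GuestLevelDiagnosticsConfig": null'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " does not have Guest-Level Diagnostics enabled"'
+# digest: 4b0a00483046022100ff0ac529bdade69a122f8be1543b5ac0e42f87c465f85bfe848a3636cb9a3a9d022100c68a9b2cdd58ae666efcb50ed78230a408f9c73435fb6dd3bb4cbeed48030c14:366f2a24c8eb519f6968bd8801c08ebe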
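Review bot: The matcher expects `"GuestLevelDiagnosticsConfig": null`, but `resources[*].settings.ladCfg.diagnosticMonitorConfiguration` is a JMESPath projection, and projections drop null elements, so a VM that has any other extension but no diagnostics extension yields `[]` and is never reported; only VMs with no extensions at all (where `resources` itself is null) produce the `null` the matcher wants. Selecting the matching extensions instead, `--query 'resources[?settings.ladCfg.diagnosticMonitorConfiguration].name'`, prints `[]` for the first case and `null` for the second, so a words list of `'[]'` and `'null'` covers both (assuming `az vm show` exposes extension `settings` under `resources`, which the current query already relies on). `ladCfg` is also the Linux Diagnostics (LAD) schema; Windows VMs running IaaSDiagnostics keep their configuration under `WadCfg`/`xmlCfg`, so every Windows VM would be reported unless that key is checked too, and the reference link is the Windows page, which makes the omission more surprising.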
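--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-jit-access-not-enabled.yaml
@@ -0,0 +1,55 @@
+id: azure-vm-jit-access-not-enabled
+info:
+  name: Azure VM Just-In-Time Access Not Enabled
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that Just-in-Time (JIT) access is enabled for your Azure virtual machines (VMs) in order to allow you to lock down inbound traffic to your VMs and reduce exposure to attacks while providing easy SSH/RDP access when needed.
+  impact: |
+    Not having JIT access enabled on Azure VMs can lead to increased exposure to attacks due to unrestricted inbound traffic.
+  remediation: |
+    Enable Just-in-Time access for your Azure VMs to control inbound traffic and improve security.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
+  tags: cloud,devops,azure,microsoft,security-center,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VMData of iterate(template.vmList)) {
+    VMData = JSON.parse(VMData);
+    set("vmId", VMData.id);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].{"id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az security jit-policy list --query '[*].virtualMachines[*].{"id":id} | []'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '[]'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'vmId + " does not have Just-in-Time access enabled."'
+# digest: 490a0046304402204e1eff5939f96025b5c40b4839b6e60b1096dfc308110a08b693739c20ed3cb302206c994b1f0d18904b5b9a5dadc8849d5f1b6f758533ce24361d329b5367d8bf22:366f2a24c8eb519f6968bd8801c08ebe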
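Review bot: code(2) never uses `$vmId`; it lists the VMs of every JIT policy in the subscription, so the `[]` matcher fires for all VMs when no policy exists and for none otherwise, and the per-VM finding text is not backed by a per-VM check. The query needs the VM filtered in, e.g. `az security jit-policy list --query "[*].virtualMachines[?id == '$vmId'].id | []"`, which prints `[]` exactly when the current VM appears in no policy. Azure resource ids are compared case-insensitively by the platform but JMESPath `==` is case-sensitive, so if policies store the id with different casing than `az vm list` returns, the comparison will miss — worth a comment and a test against a real policy. The command is also executed once per VM although the policy list does not change; listing once in code(1) and testing membership in the flow would be cheaper, but that is an optimisation rather than a correctness issue.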
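--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-performance-diagnostics-unenabled.yaml
@@ -0,0 +1,63 @@
+id: azure-vm-performance-diagnostics-unenabled
+info:
+  name: Azure VM Performance Diagnostics Feature Not Enabled
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that Performance Diagnostics feature is enabled for your Microsoft Azure virtual machine instances to help mitigate VM performance issues. Performance Diagnostics installs a VM extension that runs PerfInsights, available for both Windows and Linux operating systems. PerfInsights collects and analyzes diagnostic information to provide findings and recommendations for performance issues.
+  impact: |
+    Not enabling Performance Diagnostics may lead to unresolved VM performance issues due to lack of insights into VM's operational state.
+  remediation: |
+    Enable the Performance Diagnostics feature by installing the AzurePerformanceDiagnostics extension through Azure Portal or Azure CLI commands to mitigate performance issues and ensure optimal VM operation.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/performance-diagnostics
+  tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let vmData of iterate(template.vmList)) {
+    vmData = JSON.parse(vmData);
+    set("name", vmData.Name);
+    set("resourceGroup", vmData.ResourceGroup);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm extension list --vm-name "$name" --resource-group "$resourceGroup" --output json --query '[*].{"ExtensionName": name, "ProvisioningState": provisioningState}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'AzurePerformanceDiagnosticsLinux'
+
+      - type: word
+        part: body
+        words:
+          - 'Succeeded'
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Performance Diagnostics is not enabled for " + name + " in " + resourceGroup'
+# digest: 490a0046304402206da53c860985c0c8ffc37d5e5ab9e923565eaa6e40edc684fc8a5f4d4add838902207a3ae1db421bbce53296dbe5c7791fdaae6348c91ab49edc28228afc16a2fb6e:366f2a24c8eb519f6968bd8801c08ebe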
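Review bot: With `matchers-condition: and`, a finding requires the extension list to contain `AzurePerformanceDiagnosticsLinux` and to contain no `Succeeded` anywhere, so a VM with no performance-diagnostics extension at all — the case the template exists to catch — is never reported, and a VM that has it but also any other successfully provisioned extension is not reported either; the Windows variant, `AzurePerformanceDiagnostics`, is not recognised in any case. The description implies a single negative match on the extension type, which also covers the Linux name as a substring, and the type should be read from the extension's type field rather than `name`, because `name` is the instance name chosen at install time (the field is `typePropertiesType` in recent CLI output as far as I know — confirm on the installed version). The rewrite below drops the `Succeeded` test; if a failed installation should also count as "not enabled", that needs a dsl matcher over both fields rather than a second word matcher.
```yaml
    source: |
      az vm extension list --vm-name "$name" --resource-group "$resourceGroup" --output json --query '[*].{"ExtensionType": typePropertiesType, "ProvisioningState": provisioningState}'

    # reported when no extension of the AzurePerformanceDiagnostics{,Linux} type is installed
    matchers:
      - type: word
        part: body
        words:
          - 'AzurePerformanceDiagnostics'
        negative: true
    # … unchanged: dsl extractor …
```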
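--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-ssh-auth-type.yaml
@@ -0,0 +1,53 @@
+id: azure-vm-ssh-auth-type
+info:
+  name: Azure VM SSH Authentication Type Not Using Keys
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that your production Microsoft Azure virtual machines are configured to use SSH keys instead of username/password credentials for SSH authentication. Using SSH keys enhances security by eliminating the risks associated with password-based authentication.
+  impact: |
+    Using password-based SSH authentication can expose virtual machines to unauthorized access if the passwords are weak or compromised.
+  remediation: |
+    Configure all Azure virtual machines to use SSH keys for authentication. Disable password authentication to enhance the security of your virtual machines.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/ssh-from-windows
+  tags: cloud,devops,azure,microsoft,vm,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let vmData of iterate(template.vmList)) {
+    set("ids", vmData);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].id'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm show --ids "$ids" --query 'osProfile.linuxConfiguration.disablePasswordAuthentication'
+
+    matchers:
+      - type: word
+        words:
+          - 'false'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " is configured with password-based SSH authentication, which is insecure"'
+# digest: 4a0a00473045022100abb56aca0db2f579068288117d27c396428bdf8a89c72857ddc69158bbc928f602206519277589624b64e1448ab9184fa83e39d5381a24b740db1b2a4781edcf7828:366f2a24c8eb519f6968bd8801c08ebe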
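Review bot: `osProfile.linuxConfiguration.disablePasswordAuthentication` is the value recorded at provisioning time and cannot see an `sshd_config` changed later inside the guest, and for Windows VMs the path resolves to `null`, which the `false` matcher correctly skips; neither fact is visible to a reader of the template. A comment on code(2) such as `# provisioning-time setting only; sshd_config edits inside the guest are not visible here. null for Windows VMs (no linuxConfiguration).` would document both. The description limits the intent to production VMs, but code(1) lists every VM in the subscription; either filter by tag as the tier templates do or drop the word. This is the one template in the set that passes plain id strings straight into `set("ids", vmData)`, which is correct here because code(1) queries `[*].id`; a short comment in the flow would stop someone from "fixing" it to match the object-projecting siblings.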
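--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-standard-ssd-required.yaml
@@ -0,0 +1,55 @@
+id: azure-vm-standard-ssd-required
+info:
+  name: Azure VM Premium SSD Not Required
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that your Microsoft Azure virtual machines (VMs) are using Standard SSD disk volumes instead of Premium SSD volumes for cost-effective storage that fits a broad range of workloads from web servers to enterprise applications that need consistent performance at lower IOPS levels. Unless you are running mission-critical applications or performance sensitive workloads that need more than 6000 IOPS or 750 MiB/s of throughput per VM disk volume, Cloud Conformity recommends converting your Premium SSD volumes to Standard SSD in order to lower the cost of your Azure monthly bill.
+  impact: |
+    Using Premium SSD volumes when not required can significantly increase the cost without providing necessary benefits for non-critical workloads, leading to inefficient resource utilization and budget overruns.
+  remediation: |
+    Convert any Premium SSD volumes to Standard SSD unless the workload requires high performance disk specifications. This can be achieved through Azure's portal or via CLI commands.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types
+  tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VMData of iterate(template.vmList)) {
+    VMData = JSON.parse(VMData);
+    set("ids", VMData.id);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[*].{"id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm show --ids "$ids" --query 'storageProfile.{"osDiskStorageType":osDisk.managedDisk.storageAccountType,"dataDiskStorageType":dataDisks[*].managedDisk.storageAccountType}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Premium_LRS'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " is using Premium SSD volumes for OS or data disks which is not recommended for its current workload"'
+# digest: 4b0a0048304602210081810b11a5eb9a9a212274f2c75acebae3895a452809bada26ee083b0eeede04022100c9b7d24d67e10c6691bef71d730c53c4edfdc2c6f5c9df072bc37c2129a5e8bc:366f2a24c8eb519f6968bd8801c08ebe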
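Review bot: The matcher only recognises `Premium_LRS`, so VMs on `Premium_ZRS` or `PremiumV2_LRS` disks pass although they are exactly the premium tier the description targets; adding `- 'Premium_ZRS'` and `- 'PremiumV2_LRS'` under `words` (the default word condition is OR) closes that gap, and the Ultra tier is a further case to decide on. `severity: high` for a cost-optimisation finding with no security impact will sit beside the disk-encryption and SSH findings in triage; `info` or `low` matches the rest of the file's own framing. The description's "Cloud Conformity recommends" is copied vendor text and should name the intent of this template instead; the `info.name` ("Premium SSD Not Required") and the id ("standard-ssd-required") also read as opposites and would be easier to search for if aligned.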
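--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-unapproved-image.yaml
@@ -0,0 +1,56 @@
+id: azure-vm-unapproved-image
+info:
+  name: Azure VM Not Using Approved Image
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure that all the Azure virtual machine (VM) instances necessary for your application stack are launched from an approved base Azure machine image, known as golden machine image, in order to enforce application security best practices, consistency, and save time when scaling your application.
+  impact: |
+    Using unapproved machine images can lead to inconsistencies and potential security vulnerabilities in your application stack.
+  remediation: |
+    Ensure all Azure VM instances are launched from approved machine images. Update any instances that are not using the approved images.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview
+  tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VMData of iterate(template.vmList)) {
+    VMData = JSON.parse(VMData);
+    set("name", VMData.Name);
+    set("resourceGroup", VMData.ResourceGroup);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm show --name "$name" --resource-group "$resourceGroup" --query '{"ImageId": storageProfile.imageReference.id}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"ImageId": null'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'name + " in " + resourceGroup + " is using an unapproved Azure machine image"'
+# digest: 490a00463044022050a761d6b7c0d9d6fe78958b9cb5477db2aebee81bd4556c3bc067e00141cce102204694f059ec7e4450542a52fed8d2e706dde2247eb4f436ce0a4fd967ec3bcd33:366f2a24c8eb519f6968bd8801c08ebe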
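Review bot: `storageProfile.imageReference.id` is null whenever the VM was built from a marketplace image (publisher/offer/sku) and set for any custom or gallery image, so the `"ImageId": null` matcher reports every marketplace VM as unapproved and accepts every custom image, approved or not — there is no allow-list anywhere in the template, which is what "approved image" requires. The usable form is to select `storageProfile.imageReference.id` and match with `negative: true` against the organisation's golden image or gallery id (`<APPROVED-IMAGE-ID placeholder>`), documented as a value the user must fill in, and to decide explicitly whether marketplace images count as approved. A comment in code(2) stating that a null id means "marketplace image" would keep the current behaviour from being misread as "no image". The reference link is the generic Windows VM overview rather than anything about image governance.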
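--- /dev/null
+++ b/PATH-NOT-ON-PAGE/azure-vm-web-tier-disk-unencrypted.yaml
@@ -0,0 +1,56 @@
+id: azure-vm-web-tier-disk-unencrypted
+info:
+  name: Azure VM Web-Tier Disk Volumes Not Encrypted
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.
+  impact: |
+    Unencrypted disk volumes can lead to data breaches and non-compliance with security standards, exposing sensitive information.
+  remediation: |
+    Enable encryption for all disk volumes attached to VMs within the Azure web tier to enhance data security and comply with regulatory requirements.
+  reference:
+    - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks
+  tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config
+
+flow: |
+  code(1);
+  for (let VmData of iterate(template.vmList)) {
+    VmData = JSON.parse(VmData);
+    set("ids", VmData.Id);
+    code(2);
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm list --query '[?(tags.web_tier_tag == "web_tier_tag_value")].{"Id":id}'
+
+    extractors:
+      - type: json
+        name: vmList
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      az vm encryption show --ids "$ids" --query 'disks'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: stderr
+        words:
+          - 'Azure Disk Encryption is not enabled'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ids + " in " + " is not encrypted"'
+# digest: 4a0a00473045022079060ef72f3349de321e9f17c0b937347a1ce1d40225c2739175b51a47efd714022100865908f8227c1b917cbe8db3d5d3b7ad890305396c4d8e1236682290b65a845c:366f2a24c8eb519f6968bd8801c08ebe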
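Review bot: In JMESPath a double-quoted token is a quoted identifier, not a string literal, so `tags.web_tier_tag == "web_tier_tag_value"` compares the tag with a field named `web_tier_tag_value` on each VM, which does not exist and evaluates to null; untagged VMs therefore satisfy `null == null` and are selected, while correctly tagged web-tier VMs are excluded — the filter is inverted. String literals need single quotes or backticks, e.g. `az vm list --query "[?tags.web_tier_tag == 'web_tier_tag_value'].{\"Id\":id}"`; a comment noting that `"..."` means identifier in JMESPath would prevent a repeat. The DSL message `ids + " in " + " is not encrypted"` has a dangling `" in "` with nothing after it, presumably a resource group that was dropped when the template was copied, and the description's sentence about configuring tags "on the Cloud Conformity dashboard" describes another product, not this template's `web_tier_tag` placeholder. The stderr-string matcher has the same brittleness noted on azure-vm-boot-disk-unencrypted.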
@ -0,0 +1,55 @@
|
||||||
|
id: azure-vmss-auto-os-upgrade-missing
|
||||||
|
info:
|
||||||
|
name: Azure VMSS Automatic OS Upgrade Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure that operating system (OS) upgrades are automatically applied to your Microsoft Azure virtual machine scale sets when a newer version of the OS image is released by the image publishers. Automatic OS Upgrades feature supports both Windows and Linux images, and can be enabled for all virtual machine sizes. An automatic OS upgrade works by replacing the boot (OS) disk of a virtual machine instance running within a scale set with a new disk created using the latest image version available. Any configured extensions and custom data scripts are run on the OS disk, while persisted data disks are retained. To minimize the application downtime, the upgrades take place in multiple batches, with a maximum of 20% of the scale set upgrading at any time.
|
||||||
|
impact: |
|
||||||
|
Failure to enable automatic OS upgrades can lead to outdated OS versions in use, which may lack critical security updates and features, increasing the risk of security vulnerabilities and operational inefficiencies.
|
||||||
|
remediation: |
|
||||||
|
Enable automatic OS upgrades in Azure VMSS settings to ensure all instances are updated automatically with the latest OS image version, thereby improving security and reducing manual maintenance overhead.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let VmssData of iterate(template.vmssList)) {
|
||||||
|
VmssData = JSON.parse(VmssData);
|
||||||
|
set("name", VmssData.Name);
|
||||||
|
set("resourceGroup", VmssData.ResourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: vmssList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticOsUpgrades": upgradePolicy.automaticOsUpgradePolicy.enableAutomaticOsUpgrade}'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"AutomaticOsUpgrades": null'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " does not have automatic OS upgrades enabled"'
|
||||||
|
# digest: 4a0a0047304502205a186c2011703103169ba7d37bbddf0427812e0a42a89b9cee842f4abeee42de022100aeb11286bd19e1018aafd78d25644447b1f2725f7024d2f39ec8ad3133cb6f2d:366f2a24c8eb519f6968bd8801c08ebe
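Review bot: The matcher at `'"AutomaticOsUpgrades": null'` only catches scale sets where `enableAutomaticOsUpgrade` is unset; a scale set where it has been explicitly set to `false` prints `"AutomaticOsUpgrades": false` and is silently reported as compliant. Add a second word so either state is flagged: `- '"AutomaticOsUpgrades": false'` (the word matcher's default condition is OR, so no other change is needed). The `az vmss show` call also relies on the CLI's default output format, unlike the zone-redundancy template in this commit which passes `--output json`; if a user's CLI defaults to `table`, the string match never fires, so `--output json` is worth adding here too.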
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: azure-vmss-auto-repairs-disabled
|
||||||
|
info:
|
||||||
|
name: Azure VMSS Automatic Instance Repairs Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure that unhealthy virtual machine instances are automatically deleted from the scale sets and new ones are created, using the latest instance model settings. Automatic Instance Repairs feature relies on health checks performed for individual instances running in a scale set. These virtual machine instances can be configured to emit an application health status using the Azure Application Health extension or a load balancer health probe. If a VM instance is found to be unhealthy, as reported by the Application Health extension or by the associated load balancer health probe, then the scale set performs the repair action by deleting the unhealthy instance and creating a new one to replace it.
|
||||||
|
impact: |
|
||||||
|
Not having Automatic Instance Repairs enabled can lead to prolonged downtime and potential service disruption as unhealthy instances may not be promptly replaced.
|
||||||
|
remediation: |
|
||||||
|
Enable the Automatic Instance Repairs feature for Azure VMSS to ensure high availability and resilience of your applications.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-instance-repairs
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let ScaleSetData of iterate(template.scaleSetList)) {
|
||||||
|
ScaleSetData = JSON.parse(ScaleSetData);
|
||||||
|
set("name", ScaleSetData.name);
|
||||||
|
set("resourceGroup", ScaleSetData.resourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: scaleSetList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"AutomaticRepairsPolicyEnabled": automaticRepairsPolicy.enabled}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"AutomaticRepairsPolicyEnabled": null'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " does not have automatic instance repairs enabled"'
|
||||||
|
# digest: 490a00463044022007e684eead738a34e1ce2675bddf07e08c822f3e76922cd80d5befe9391ee724022038ea234d154189fe4bb1d182c6417ad16d953b58b2875ca1e6d8d5ab5b7ff1c4:366f2a24c8eb519f6968bd8801c08ebe
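Review bot: Matching only `'"AutomaticRepairsPolicyEnabled": null'` misses scale sets where `automaticRepairsPolicy.enabled` has been set to `false`, which `az vmss show` prints as `"AutomaticRepairsPolicyEnabled": false`; that is exactly the "someone turned it off" case this check exists for. Add `- '"AutomaticRepairsPolicyEnabled": false'` under `words:` so both the unset and the disabled state are reported. `matchers-condition: and` with a single matcher is harmless but redundant and can be dropped.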
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: azure-vmss-empty-unattached
|
||||||
|
info:
|
||||||
|
name: Azure Virtual Machine Scale Sets Empty and Unattached
|
||||||
|
author: princechaddha
|
||||||
|
severity: low
|
||||||
|
description: |
|
||||||
|
Identify any empty virtual machine scale sets available within your Microsoft Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to unused resources. A Microsoft Azure virtual machine scale set is considered empty when it doesn't have any VM instances attached anymore and is no longer associated with a load balancer.
|
||||||
|
impact: |
|
||||||
|
Maintaining empty VM scale sets can incur unnecessary costs and occupy valuable resources that could be utilized elsewhere.
|
||||||
|
remediation: |
|
||||||
|
Regularly check and remove any VM scale sets that do not contain any VM instances and are not associated with any load balancers.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let ScaleSetData of iterate(template.scaleSetList)) {
|
||||||
|
ScaleSetData = JSON.parse(ScaleSetData);
|
||||||
|
set("name", ScaleSetData.Name);
|
||||||
|
set("resourceGroup", ScaleSetData.ResourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: scaleSetList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list-instances --name "$name" --resource-group "$resourceGroup" --query '[*].id'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " is empty and unattached"'
|
||||||
|
# digest: 490a00463044022058363fdaf7c7ff8476d3bfe2e0bb04963013776b29a1460cf04b46318a89a2ff022002177f197a83f05c24603c8b467bad648457201766f4addf03f2a76b579ce469:366f2a24c8eb519f6968bd8801c08ebe
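Review bot: The description defines "empty" as no VM instances and no load balancer association, but the second step only runs `az vmss list-instances` and matches an empty array, so the load balancer condition is never evaluated and a scale set that autoscaled to zero while still wired to a backend pool will be reported as "empty and unattached". Either add the backend-pool check or make the finding honest about what was verified, e.g. change the extractor to `'name + " in " + resourceGroup + " has no VM instances"'` and trim the "is no longer associated with a load balancer" clause from the description. Note also that `az vmss list-instances` failing (permissions, transient error) yields empty stdout rather than `[]`, so the `[]` match correctly does not fire in that case, but the scale set is then silently skipped rather than surfaced.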
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: azure-vmss-load-balancer-unassociated
|
||||||
|
info:
|
||||||
|
name: Azure VMSS Load Balancer Unassociated
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure that each Microsoft Azure virtual machine scale set is integrated with a load balancer in order to distribute incoming traffic among healthy virtual machine instances running within the scale set. Azure load balancer is a layer 4 load balancer that provides low latency, high throughput, and scales up to millions of flows for all TCP and UDP web applications.
|
||||||
|
impact: |
|
||||||
|
Virtual machine scale sets without associated load balancers may experience uneven traffic distribution and potential bottlenecks, affecting performance and reliability.
|
||||||
|
remediation: |
|
||||||
|
Ensure each Azure virtual machine scale set is integrated with a load balancer to distribute incoming traffic effectively among instances.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-load-balancer
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let VmssData of iterate(template.vmssList)) {
|
||||||
|
VmssData = JSON.parse(VmssData);
|
||||||
|
set("name", VmssData.Name);
|
||||||
|
set("resourceGroup", VmssData.ResourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: vmssList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss show --name "$name" --resource-group "$resourceGroup" --query 'virtualMachineProfile.networkProfile.networkInterfaceConfigurations[*].ipConfigurations[*].loadBalancerBackendAddressPools[*].id | []'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " is not associated with a load balancer"'
|
||||||
|
# digest: 4b0a00483046022100a87a44d5219422b4078004b749fc81104c0c86c171d328cff2976ad99ccb5f41022100a5214007f585143fb1189673612a487c75f62b48b88be78cb1e57c1e5c863e2e:366f2a24c8eb519f6968bd8801c08ebe
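Review bot: The JMESPath query only inspects `loadBalancerBackendAddressPools`, so a scale set whose instances sit behind an Application Gateway (`applicationGatewayBackendAddressPools`) is flagged as "not associated with a load balancer" even though it is load balanced; if that is intended, the description and name should say "Azure Load Balancer" specifically rather than "a load balancer", otherwise extend the projection to cover both pool types. The query also presumably returns `null` rather than `[]` for a Flexible-orchestration scale set without a `virtualMachineProfile`, in which case the `[]` word match never fires and the resource is silently skipped — worth confirming against a Flexible VMSS. As with the sibling templates, consider `--output json` on the `az vmss show` call so the match does not depend on the user's configured default output format.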
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: azure-vmss-public-ip-disabled
|
||||||
|
info:
|
||||||
|
name: Azure VMSS Public IP Not Assigned
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure that instances running within your Microsoft Azure virtual machine scale set (VMSS) are not configured with public IP addresses. Assigning public IP addresses to individual VMSS instances increases attack surface, making it harder to manage and secure the environment.
|
||||||
|
impact: |
|
||||||
|
Instances with public IP addresses are more exposed to potential external attacks, increasing the security risks for the Azure environment.
|
||||||
|
remediation: |
|
||||||
|
Configure your VMSS to disable public IP address assignments to its instances. Ensure that all networking is handled through internal networking resources.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let InstanceData of iterate(template.vmssList)) {
|
||||||
|
InstanceData = JSON.parse(InstanceData);
|
||||||
|
set("name", InstanceData.name);
|
||||||
|
set("resourceGroup", InstanceData.resourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: vmssList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list-instance-public-ips --name "$name" --resource-group "$resourceGroup" --query '[*].ipAddress'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " has no public IP addresses assigned."'
|
||||||
|
# digest: 4a0a00473045022100bccaeecd1bc7d38fcfcb801f89dc43967acb91d8a3c7c277609f8e0503de541302201876ee95889d563e09985d15311c427df2cc1aa543ce1d91e1e98311f64dd273:366f2a24c8eb519f6968bd8801c08ebe
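Review bot: The matcher logic is inverted relative to the description: the check is meant to flag instances that do have public IPs, but the word matcher fires on `[]`, i.e. when `az vmss list-instance-public-ips` returns no addresses, and the extractor then reports "has no public IP addresses assigned" at `severity: high`. As written it alerts on every compliant scale set and stays silent on the non-compliant ones. Negate the `[]` match and require at least one quoted address in the output so an error with empty stdout is not reported as a finding, and fix the message to describe the actual exposure.

```yaml
matchers-condition: and
matchers:
  - type: word
    negative: true
    words:
      - '[]'
  - type: regex
    regex:
      - '"[^"]+"'

# … unchanged: extractors type/dsl header …
      - 'name + " in " + resourceGroup + " has public IP addresses assigned to its instances"'
```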
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: azure-vmss-termination-notif-disabled
|
||||||
|
info:
|
||||||
|
name: Azure VMSS Instance Termination Notifications Disabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure that your Microsoft Azure virtual machine scale sets are configured to receive instance termination notifications through the Azure Metadata service and have a predefined delay timeout configured for the "Terminate" operation (event). The termination notifications are delivered through Scheduled Events, an Azure Metadata feature which sends termination notifications, and can also be used to delay impactful operations such as reboots and redeployments. The delay associated with the "Terminate" event will depend on the delay limit specified in the VM scale set model configuration.
|
||||||
|
impact: |
|
||||||
|
Failing to enable instance termination notifications can lead to insufficient preparation time for termination events, potentially disrupting operations and leading to data loss.
|
||||||
|
remediation: |
|
||||||
|
Configure the termination notification feature for all your Azure VM scale sets to receive proper alerts and set a reasonable delay for the termination events.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-terminate-notification
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let ScaleSetData of iterate(template.scaleSetList)) {
|
||||||
|
ScaleSetData = JSON.parse(ScaleSetData);
|
||||||
|
set("name", ScaleSetData.name);
|
||||||
|
set("resourceGroup", ScaleSetData.resourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: scaleSetList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss show --name "$name" --resource-group "$resourceGroup" --query '{"TerminateNotificationProfileStatus": virtualMachineProfile.scheduledEventsProfile.terminateNotificationProfile.enable}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"TerminateNotificationProfileStatus": null'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " does not have termination notifications enabled."'
|
||||||
|
# digest: 4b0a00483046022100fc7e344e021eb8ecfaa86f2561b79711dca92107c9dbaf372fcf6d781cc344c1022100e3d4685520a75f5f1fc06cf83cd2308be07c738e030eb6b38f1e6bd4c978bed4:366f2a24c8eb519f6968bd8801c08ebe
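Review bot: Matching only `'"TerminateNotificationProfileStatus": null'` misses the case where `terminateNotificationProfile.enable` is explicitly `false`, which `az vmss show` prints as `"TerminateNotificationProfileStatus": false` and which this template then treats as compliant. Add `- '"TerminateNotificationProfileStatus": false'` under `words:`. The description also promises a check of the "predefined delay timeout", but the query never reads `notBeforeTimeout`; either drop that sentence or extend the query and matcher to cover it so the finding text does not overstate what was verified.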
|
|
@ -0,0 +1,62 @@
|
||||||
|
id: azure-vmss-zone-redundancy-missing
|
||||||
|
info:
|
||||||
|
name: Azure VMSS Zone-Redundant Configuration Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure that all your Microsoft Azure virtual machine scale sets are using zone-redundant availability configurations instead of single-zone (zonal) configurations, to deploy and load balance virtual machines (VMs) across multiple Availability Zones (AZs) in order to protect the scale sets from datacenter-level failures.
|
||||||
|
impact: |
|
||||||
|
Using single-zone configurations can lead to potential datacenter-level outages affecting your services' availability and reliability.
|
||||||
|
remediation: |
|
||||||
|
Configure your VMSS to use zone-redundant availability configurations to ensure high availability and fault tolerance across multiple data centers.
|
||||||
|
reference:
|
||||||
|
- https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-design-overview
|
||||||
|
tags: cloud,devops,azure,microsoft,vmss,azure-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1);
|
||||||
|
for (let ScaleSetData of iterate(template.scaleSetList)) {
|
||||||
|
ScaleSetData = JSON.parse(ScaleSetData);
|
||||||
|
set("name", ScaleSetData.name);
|
||||||
|
set("resourceGroup", ScaleSetData.resourceGroup);
|
||||||
|
code(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss list --output json --query '[*].{"name":name,"resourceGroup":resourceGroup}'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: scaleSetList
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
az vmss show --name "$name" --resource-group "$resourceGroup" --query 'zones' --output json
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
negative: true
|
||||||
|
words:
|
||||||
|
- "1"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'name + " in " + resourceGroup + " is not using a zone-redundant configuration"'
|
||||||
|
# digest: 4b0a00483046022100aa67333d18d97c02ad8b20780c2e3f43fb9c3561d62b6639ffab58afd7daf7eb0221009f2e1dd29e3f49922a15bda6124f0e8b2162c17e4d0085e128c471e2d2a4c5dd:366f2a24c8eb519f6968bd8801c08ebe
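Review bot: The matcher pair cannot detect the two non-compliant states it targets: a regional scale set has `zones` unset, so `az vmss show --query 'zones'` prints `null` (or nothing) and the `[]` word never matches, and a zonal scale set prints `["1"]`, which also contains no `[]` substring; the only output that satisfies both matchers is a literal empty list, which Azure does not normally emit. The `negative: true` match on `"1"` additionally does nothing useful once the first matcher has already failed. Querying the zone count instead gives a single integer that can be matched directly: 0 or 1 zone is not zone-redundant, 2 or more is. I am also not certain `part: body` is a recognised part for the code protocol (the sibling template in this commit uses `stderr`); dropping `part` avoids the question.

```yaml
source: |
  az vmss show --name "$name" --resource-group "$resourceGroup" --query 'length(zones || `[]`)' --output json

matchers:
  - type: regex
    regex:
      - '^\s*[01]\s*$'

# … unchanged: extractors …
```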
|