synapse + storageaccount templates

patch-11
Prince Chaddha 2024-09-05 14:53:01 +07:00
parent 99de784ee7
commit e2c00a57c3
23 changed files with 1305 additions and 0 deletions


@ -0,0 +1,54 @@
id: azure-blob-anonymous-access-disabled
info:
name: Azure Blob Anonymous Access Disabled
author: princechaddha
severity: medium
description: |
Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.
impact: |
If the storage account show command output returns true, the container and blob data can be read by anonymous users, therefore, the public access to the blob containers in the selected Azure storage account is not disabled.
remediation: |
Disable public (anonymous) access to all blob containers in Azure storage accounts to protect your data against unauthorized access.
reference:
- https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let StorageAccount of iterate(template.storageAccountIds)) {
set("ids", StorageAccount);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].id'
extractors:
- type: json
name: storageAccountIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --ids "$ids" --query allowBlobPublicAccess
matchers-condition: and
matchers:
- type: word
words:
- 'true'
extractors:
- type: dsl
dsl:
- 'ids + " is not disabling anonymous blob access"'
# digest: 4a0a00473045022100d1b17b7d03bce8cd732ce2f64f2f28d64a11b8abefad6687663896e5f45750a402206e5cb0f7bd4bfe3a91b6c3a427a7e951b1f29881caee0d7a71daad3e9c65bf9c:366f2a24c8eb519f6968bd8801c08ebe
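Review bot: the single matcher words: 'true' in the second code block misses accounts where allowBlobPublicAccess comes back as null, which az storage account show returns when the setting was never written explicitly and the platform default applies; add null as a second word with condition: or, or report it as an undetermined state, so those accounts are not silently skipped. Two smaller points: the template name "Azure Blob Anonymous Access Disabled" describes the compliant state while the finding fires when access is enabled, and matchers-condition: and is redundant with a single matcher.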


@ -0,0 +1,62 @@
id: azure-blob-immutable-not-enabled
info:
name: Azure Blob Immutable Storage Not Enabled
author: princechaddha
severity: high
description: |
Ensure that Immutable Blob Storage feature is enabled for Microsoft Azure Storage blob containers that hold sensitive and business-critical information. Immutable Blob Storage enables you to store critical, production data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified time interval. Azure blob objects can be created and read, but not modified or deleted, for the duration of the retention interval configured. The feature supports two types of policies that you can apply to a container for retaining the data within the specified container in a non-modifiable and delete-protected state.
impact: |
Failure to enable Immutable Blob Storage can result in critical data being modified or deleted, which could lead to regulatory compliance issues and potential data loss.
remediation: |
Apply an appropriate time-based immutability policy or a legal hold policy to your Azure Storage blob containers to protect sensitive and business-critical data from being modified or deleted.
reference:
- https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-storage
tags: cloud,devops,azure,microsoft,azure-blob-storage,azure-cloud-config
flow: |
code(1);
for (let AccountData of iterate(template.accountList)) {
AccountData = JSON.parse(AccountData);
set("name", AccountData.Name);
code(2);
let containerList = template.code_2_response;
let ContainerData = JSON.parse(containerList);
ContainerData.forEach(container => {
set("currentContainer", JSON.stringify(container));
javascript(1);
});
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage container list --account-name "$name" --query '[*].{"ContainerName":name, "TimeBasedRetentionPolicy":properties.hasImmutabilityPolicy, "LegalHoldPolicy": properties.hasLegalHold}'
javascript:
- code: |
let container = JSON.parse(template.currentContainer);
if (!container.TimeBasedRetentionPolicy && !container.LegalHoldPolicy) {
let result = `Blob container '${container.ContainerName}' in account '${template.name}' does not have Immutable Blob Storage enabled.`;
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a0047304502210094938785463d42a7832ad940a47275bf11685b94981e6ba1ecc2838530329a4c022038ef9199b91d5a98108b15f5741af33227af45928ea1134340e1e2c648196bd5:366f2a24c8eb519f6968bd8801c08ebe
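Review bot: az storage container list --account-name "$name" in the second code block carries no --auth-mode login, so the CLI resolves the account key to authorize the request and the listing fails (no finding and no visible error) on accounts that have shared key access disabled; pass --auth-mode login so the check works under an RBAC-only identity. Separately, the description scopes the control to containers that hold sensitive or business-critical data, but the javascript block reports every container without an immutability policy or legal hold at severity: high, which will be noisy on general-purpose accounts; an allow-list variable for in-scope containers, or a lower default severity, would fit the description better.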


@ -0,0 +1,57 @@
id: azure-blob-lifecycle-not-enabled
info:
name: Azure Blob Storage Lifecycle Management Not Enabled
author: princechaddha
severity: medium
description: |
Ensure there is a lifecycle management policy configured for your Microsoft Azure Blob Storage data in order to meet compliance requirements when it comes to security and cost optimization. Azure Storage lifecycle management offers a rich, rule-based policy for general purpose and blob storage accounts. Use the lifecycle management policy to transition your Azure cloud data to the appropriate access tiers or expire it at the end of the data's lifecycle.
impact: |
Not having a lifecycle management policy in place can lead to non-compliance with security and cost management policies, potentially resulting in unnecessary costs and data exposure.
remediation: |
Configure a lifecycle management policy for your Azure Blob Storage accounts to enable automatic transitioning or expiration of data as appropriate.
reference:
- https://docs.microsoft.com/en-us/azure/storage/blobs/storage-lifecycle-management-concepts
tags: cloud,devops,azure,microsoft,blob-storage,azure-cloud-config
flow: |
code(1);
for (let AccountData of iterate(template.accountList)) {
AccountData = JSON.parse(AccountData);
set("name", AccountData.name);
set("resourceGroup", AccountData.resourceGroup);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[?kind!=`Storage`].{"Name":name,"ResourceGroup":resourceGroup}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account management-policy show --account-name "$name" --resource-group "$resourceGroup" --output json
matchers-condition: and
matchers:
- type: word
part: stderr
words:
- "No ManagementPolicy found for account"
extractors:
- type: dsl
dsl:
- 'name + " in " + resourceGroup + " has no lifecycle management policy enabled"'
# digest: 4a0a004730450221008fa8e3ef4accfabf484f098bb85d86490211446b0e8d8939fe065a9239fec0b002206a420d96f1f5aa2edbff7fceb8cf43995a162cdceaee34da7decdd74bc77a764:366f2a24c8eb519f6968bd8801c08ebe
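Review bot: the flow reads AccountData.name and AccountData.resourceGroup, but the first code block projects the fields as {"Name":name,"ResourceGroup":resourceGroup}, so both lookups are undefined, $name and $resourceGroup expand to nothing, and az storage account management-policy show in the second block never runs against a real account; use AccountData.Name and AccountData.ResourceGroup, or lowercase the JMESPath keys. The stderr match on "No ManagementPolicy found for account" is also tied to the exact CLI error wording and will stop firing silently if that message changes; pairing it with a negative word matcher on "rules" in stdout would make the finding less dependent on that one string.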


@ -0,0 +1,58 @@
id: azure-blob-service-logging-disabled
info:
name: Azure Storage Blob Service Logging Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Azure Storage Blob service logging is enabled for read, write, and delete requests. The Storage Blob service provides scalable, cost-efficient objective storage in the Azure cloud. Storage logging is performed server-side and allows details for both successful and failed requests to be recorded in the associated storage account. These logs contain the following information about the individual requests: timing information such as start time, end-to-end latency, server latency, authentication details, concurrency information, and the size of the request/response.
impact: |
Not enabling logging for read, write, and delete operations on Azure Storage Blob can prevent tracking of data access and manipulation, thus reducing the ability to diagnose issues or detect breaches.
remediation: |
Enable logging for the Azure Storage Blob service by setting the 'read', 'write', and 'delete' attributes to true in the storage account settings.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let AccountData of iterate(template.accountList)) {
AccountData = JSON.parse(AccountData);
set("name", AccountData.name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage logging show --services b --account-name "$name" --output json
matchers-condition: and
matchers:
- type: word
words:
- '"delete": false'
- '"read": false'
- '"write": false'
condition: and
extractors:
- type: dsl
dsl:
- 'name + " has logging disabled for read, write, and delete operations."'
# digest: 490a00463044022039d404de07e345846aca1ef8d63beb8bd79d56b349fd414e73cabebe73c05007022072bb5420cd284e2397ed81261d62f2a0ba112fc4d205c3379d7b3047e08e91dd:366f2a24c8eb519f6968bd8801c08ebe
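Review bot: the three words under condition: and only match when read, write and delete logging are all false, so an account with, say, only read logging enabled passes even though the name and remediation call for all three; use condition: or (or one matcher per operation) if each missing operation should be reported. Two caveats belong in the template: az storage logging show reflects classic Storage Analytics logging only, so accounts that send blob logs through Azure Monitor diagnostic settings will be flagged as unlogged, and the command authorizes with the account key, so it produces no finding (rather than an error) where shared key access is disabled.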


@ -0,0 +1,55 @@
id: azure-blob-soft-delete-disabled
info:
name: Azure Blob Storage Soft Delete Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Soft Delete feature is enabled for all your Microsoft Azure Storage blob objects (blobs and snapshots). Soft Delete enables you to save and recover blob data in case your Azure Storage blobs or blob snapshots are deleted. This extra layer of protection also extends to the Microsoft Azure blob data that is erased as the result of an overwrite operation. With Soft Delete feature enabled, when blob objects are deleted, they are transitioned to a soft deleted state instead of being permanently erased. When blob objects are overwritten, soft deleted snapshots are created to save the state of the overwritten blob data.
impact: |
Not having Soft Delete enabled can lead to permanent loss of blob data which cannot be recovered, leading to potential data breaches and compliance issues.
remediation: |
Enable the Soft Delete feature for all blob storage accounts via the Azure Portal or using Azure CLI commands to ensure data is recoverable even after deletion or overwriting.
reference:
- https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-overview
tags: cloud,devops,azure,microsoft,blob-storage,azure-cloud-config
flow: |
code(1);
for (let storageAccount of iterate(template.storageAccountNames)) {
storageAccount = JSON.parse(storageAccount);
set("name", storageAccount.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageAccountNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage blob service-properties delete-policy show --account-name "$name" --output json --query 'enabled'
matchers-condition: and
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'name + " blob storage does not have Soft Delete enabled"'
# digest: 4a0a00473045022100e9e4d710fc07a04e667fe505d985a5ad527c0a0684a94d133f5da1bc93290fc902201cb519fa752e2ceec8d43cd7e944b8c92560b379c9572181e3e24891c8ca9f5e:366f2a24c8eb519f6968bd8801c08ebe
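Review bot: the second code block checks only the enabled flag of the blob delete policy, so a policy that is enabled with a one-day retention passes, and container soft delete, which is a separate setting, is not examined at all; if the goal is recoverability, also extract days and report a retention below the team's baseline. The command authorizes with the account key by default, so accounts with shared key access disabled return an error and no finding; those should be tracked rather than assumed compliant.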


@ -0,0 +1,54 @@
id: azure-storage-blob-public-access
info:
name: Azure Storage Blob Public Access Not Disabled
author: princechaddha
severity: medium
description: |
Ensure that public (anonymous) access is disabled for all the blob containers available within your Microsoft Azure storage accounts in order to protect your data against unauthorized access. Disabling public access at the storage account level overrides the public access setting configured for the individual blob containers in that storage account.
impact: |
If public access is not disabled, blob containers can be accessed by anyone, potentially exposing sensitive data to unauthorized users.
remediation: |
Disable public access to all storage accounts containing blob containers to prevent unauthorized data access.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-disallow-access
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let AccountData of iterate(template.accountList)) {
set("ids", AccountData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].id'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --ids "$ids" --query 'allowBlobPublicAccess'
matchers-condition: and
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'ids + " has public access enabled"'
# digest: 4a0a004730450221008f69d4ea80ab5430d1924cec6063d28b846feea66c806c7d2016401e69e6705002200892f6fd2201a0c1f6035b8d2626b8ab557c94e14a12fe43375510bb3920ad53:366f2a24c8eb519f6968bd8801c08ebe
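Review bot: the matcher in the second code block is inverted: az storage account show --query 'allowBlobPublicAccess' prints false when anonymous blob access is disabled, which is the compliant state, so words: 'false' reports every hardened account as "has public access enabled" and stays silent on accounts where the value is true; match on true instead. This template also duplicates azure-blob-anonymous-access-disabled from the same commit (same description text, same property, same --ids loop); keep one of the two.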


@ -0,0 +1,54 @@
id: azure-storage-byok-not-used
info:
name: Azure Storage Account Not Using BYOK
author: princechaddha
severity: high
description: |
Ensure that your Azure Storage accounts are using customer-managed keys (also known as Bring Your Own Keys - BYOKs) instead of service-managed keys (default keys used by Microsoft Azure for data encryption), in order to have a more granular control over your Azure Storage data encryption and decryption process.
impact: |
Not using BYOK for data encryption in Azure Storage accounts can limit your control over the encryption keys and may not comply with certain regulatory requirements.
remediation: |
Configure your Azure Storage accounts to use customer-managed keys (BYOK) for data encryption to ensure compliance and enhanced security.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-manage
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let StorageData of iterate(template.storageList)) {
StorageData = JSON.parse(StorageData);
set("name", StorageData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'encryption.keyVaultProperties.keyName' --output json
matchers:
- type: word
words:
- ''
extractors:
- type: dsl
dsl:
- 'name + " Storage Account is not using BYOK"'
# digest: 4a0a00473045022026d2ac9b97c8bf6f9a78419ec04ad084d09a9f1833554f2660d62aad646de1d8022100ddafaf816fdd5685b901dd454eb2e6a54da08916b8020977b6adf5097131adec:366f2a24c8eb519f6968bd8801c08ebe
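Review bot: words: '' in the second code block matches every response, because every string contains the empty string, so each storage account is reported as "not using BYOK" whether or not encryption.keyVaultProperties.keyName is set; with --output json the CLI prints null when no customer-managed key is configured, so match the literal null and treat any other response as compliant. This template also tests the same property with the same logic as azure-storage-cmk-not-used in this commit; one of the two should go.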


@ -0,0 +1,54 @@
id: azure-storage-cmk-not-used
info:
name: Azure Storage Account Not Using CMK
author: princechaddha
severity: high
description: |
Ensure that your Microsoft Azure Storage accounts are using Customer Managed Keys (CMKs) instead of Microsoft Managed Keys (i.e., default keys used by Microsoft Azure for data encryption), in order to have more granular control over your Azure Storage data encryption and decryption process.
impact: |
Not using Customer Managed Keys can limit your control over data encryption and decryption processes, potentially leading to security vulnerabilities.
remediation: |
Configure your Azure Storage accounts to use Customer Managed Keys for data encryption to enhance security and control.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-manage?tabs=portal
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let accountData of iterate(template.accountList)) {
accountData = JSON.parse(accountData);
set("name", accountData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'encryption.keyVaultProperties.keyName'
matchers:
- type: word
words:
- ''
extractors:
- type: dsl
dsl:
- '"Storage account " + name + " is not using CMKs for encryption"'
# digest: 490a0046304402207a61db8a1965b3ac1554ed5e3e881c0da47af3e529e7d0b9687339e8c65accd90220751412a6eed56042cf17dfa792c8c91cde97c50fd40088e69e7107717ae3fa67:366f2a24c8eb519f6968bd8801c08ebe
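Review bot: words: '' has the same defect here as in azure-storage-byok-not-used: it is satisfied by any output, so the check fires for every account; match on null, which is what the keyName query prints when no customer-managed key is configured. Since both templates test encryption.keyVaultProperties.keyName, consolidate them into one.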


@ -0,0 +1,55 @@
id: azure-storage-cross-tenant-replication-disabled
info:
name: Azure Storage Cross-Tenant Replication Disabled
author: princechaddha
severity: high
description: |
Ensure that the Cross-Tenant Replication feature is disabled for your Azure Storage accounts in order to prevent object replication across Microsoft Entra tenants. Cross-Tenant Replication enables replication of data across different Microsoft Entra tenants, allowing for redundancy and disaster recovery across organizational boundaries. Although advantageous for data accessibility and sharing, this feature also poses a significant security risk if not properly managed. Potential risks include unauthorized data access, data leakage, and compliance breaches.
impact: |
Enabled Cross-Tenant Replication can lead to unauthorized data access and data leakage, posing significant security and compliance risks.
remediation: |
Disable the Cross-Tenant Replication feature for Azure Storage accounts to ensure data is not replicated across different Microsoft Entra tenants without authorization.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let StorageAccount of iterate(template.storageAccountList)) {
StorageAccount = JSON.parse(StorageAccount);
set("name", StorageAccount.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageAccountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'allowCrossTenantReplication'
matchers-condition: and
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"Cross-Tenant Replication is enabled for " + name + ", posing a security risk"'
# digest: 490a00463044022062f556736f7c49d8b42e055bd65848948d2720c1ef7d01457bdadf7ed3510b270220779dd9634cdbc6d9d94bb6b0dd69ad10526e4b03398e62fed29b8505ede7955d:366f2a24c8eb519f6968bd8801c08ebe
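Review bot: the matcher in the second code block is inverted: allowCrossTenantReplication is false when replication across tenants is disabled, which is the state the description asks for, so words: 'false' flags compliant accounts as "Cross-Tenant Replication is enabled" and misses accounts where it is true; match on true. The property can also be null on accounts where it was never set explicitly, which this matcher would not report either; decide whether that default should count as enabled. The reference link points at the storage redundancy page rather than the object replication or cross-tenant settings documentation.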


@ -0,0 +1,54 @@
id: azure-storage-encryption-missing
info:
name: Azure Storage Infrastructure Encryption Not Enabled
author: princechaddha
severity: high
description: |
Ensure that Infrastructure Encryption feature is enabled for your Azure Storage accounts in order to use encryption at the hardware level on top of the default software encryption provided by Microsoft Azure cloud.
impact: |
Without Infrastructure Encryption, your data may be exposed to higher risks, as it lacks the additional hardware level security layer which complements the default software-based encryption.
remediation: |
Enable Infrastructure Encryption on your Azure Storage accounts to ensure data is encrypted at both software and hardware levels, enhancing the security posture.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let StorageData of iterate(template.storageList)) {
set("name", StorageData);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].name'
extractors:
- type: json
name: storageList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query '{"requireInfrastructureEncryption":encryption.requireInfrastructureEncryption}'
matchers-condition: and
matchers:
- type: word
words:
- '"requireInfrastructureEncryption": null'
extractors:
- type: dsl
dsl:
- 'name + " does not have Infrastructure Encryption enabled"'
# digest: 4b0a00483046022100d3fcbb6b3770292d451637d309166ebfd80ba7715ffc9d1a607708107738eabb022100e449465418532a39623984b0679ddfea62bb1662bd5b0aca0433f59f8f9a62ec:366f2a24c8eb519f6968bd8801c08ebe
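Review bot: the matcher only catches "requireInfrastructureEncryption": null; an account where the property is explicitly false prints "requireInfrastructureEncryption": false and is not reported even though infrastructure encryption is just as absent. Add a second word for false with condition: or, or query the value directly and use a negative matcher on true. Because infrastructure encryption can only be chosen when the account is created, the remediation text should say the account must be recreated (or its data migrated) rather than "Enable Infrastructure Encryption on your Azure Storage accounts".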


@ -0,0 +1,60 @@
id: azure-storage-min-tls-version
info:
name: Azure Storage Minimum TLS Version Not Set to TLS1_2
author: princechaddha
severity: medium
description: |
Ensure that all your Microsoft Azure Storage accounts are using the latest available version of the TLS protocol in order to enhance the security of the connection between your storage accounts and their clients/applications, and comply with the industry standards.
impact: |
Not using the latest version of the TLS protocol may expose data transfers to or from Azure Storage accounts to higher security risks.
remediation: |
Configure all Azure Storage accounts to use TLS version 1.2 as the minimum required version for connections to ensure compliance with industry standards and enhanced security.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let AccountData of iterate(template.accountList)) {
AccountData = JSON.parse(AccountData);
set("name", AccountData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'minimumTlsVersion'
matchers-condition: and
matchers:
- type: word
words:
- 'TLS'
- type: word
words:
- 'TLS1_2'
negative: true
extractors:
- type: dsl
dsl:
- 'name + " is not using TLS version 1.2"'
# digest: 4a0a0047304502207de5ffbd22b8130c0e8162da25c26bee5c19c6ea57d51509afe8d300c80e14a00221009048f184f11b6b3c54fc276f4c906f554da22d21124903e2259d1676ecafc719:366f2a24c8eb519f6968bd8801c08ebe
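Review bot: the TLS-present / TLS1_2-absent matcher pair has two gaps: accounts where minimumTlsVersion is null (never set, so the platform default applies) produce no "TLS" token and are never reported, and a stricter value such as TLS1_3, where the platform offers it, is reported as non-compliant. A single regex matcher for TLS1_0|TLS1_1|null states the intent directly. The reference is the general storage security guide; the minimum TLS version documentation would be a more useful link in a finding.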


@ -0,0 +1,55 @@
id: azure-storage-network-unrestricted
info:
name: Azure Storage Default Network Access Not Restricted
author: princechaddha
severity: medium
description: |
Ensure that your Microsoft Azure Storage account is configured to deny access to traffic from all networks (including Internet traffic). By restricting access to your storage account default network, you add a new layer of security, since the default action is to accept connections from clients on any network. To limit access to selected networks or IP addresses, you must first change the default action from "Allow" to "Deny".
impact: |
If the default network access is set to "Allow", all networks, including the Internet, can access the selected Azure Storage account, potentially exposing sensitive data or resources.
remediation: |
Configure the network access rule for Azure Storage accounts to "Deny" to restrict access to selected networks only, enhancing security by preventing unwanted or unauthorized access.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let StorageData of iterate(template.storageList)) {
StorageData = JSON.parse(StorageData);
set("name", StorageData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'networkRuleSet.defaultAction'
matchers-condition: and
matchers:
- type: word
words:
- '"Allow"'
extractors:
- type: dsl
dsl:
- 'name + " storage account network access is not restricted (default action is Allow)"'
# digest: 4b0a00483046022100c27c74baa0fd1b8606ec62ad918a8cf98742e10ca7e485823fb748f86ffeedc6022100cc87d623e248796f750aee288dc6812a75048629d0fbdc5c21d5f72fee5b9ab9:366f2a24c8eb519f6968bd8801c08ebe
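Review bot: a defaultAction of "Allow" is reported even when the account has publicNetworkAccess set to Disabled, in which case no public traffic reaches it regardless of the rule set, so the check produces false positives on the most locked-down accounts; extend the query to return both networkRuleSet.defaultAction and publicNetworkAccess and only report Allow when public network access is enabled.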


@ -0,0 +1,70 @@
id: azure-storage-overly-permissive-sap
info:
name: Azure Storage Overly Permissive Stored Access Policies
author: princechaddha
severity: high
description: |
Ensure that your Microsoft Azure Storage shared access signatures don't have full access to your storage account resources (i.e. blob objects, files, tables, and queues) via stored access policies. A stored access policy provides an additional level of control over service-level shared access signatures, enhancing security by managing constraints for one or more shared access signatures.
impact: |
Having overly permissive stored access policies can expose your storage resources to unnecessary risks, violating the principle of least privilege.
remediation: |
Review and restrict the permissions in your stored access policies to ensure they align with the principle of least privilege.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let accountName of iterate(template.accountNames)) {
set("accountName", accountName);
code(2);
for (let containerName of iterate(template.containerNames)) {
set("containerName", containerName);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].name'
extractors:
- type: json
name: accountNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage container list --account-name "$accountName" --query '[*].name'
extractors:
- type: json
name: containerNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage container policy list --account-name "$accountName" --container-name "$containerName"
matchers:
- type: word
words:
- '{}'
extractors:
- type: dsl
dsl:
- 'accountName + " with container " + containerName + " has overly permissive stored access policies"'
# digest: 4a0a004730450220507a4c4ed1d354038c889b47b3def0fad31d72810fc59e105d86895a6cc518ad022100ca2a8dd0802cb016567715889bf9ec0bfb07359c2f22fc24dca22b8706857ed5:366f2a24c8eb519f6968bd8801c08ebe
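Review bot: the third code block's logic is inverted: az storage container policy list prints {} when a container has no stored access policies, so words: '{}' reports exactly the containers that cannot be over-permissive and ignores every container that has policies. The template never examines the permission string of the policies that do exist, which is what the description ("don't have full access") calls for; parse the output in a javascript block and report policies whose permission grants the full read/write/delete/list set or that lack an expiry. The container listing in the second block also relies on key-based authorization; add --auth-mode login so accounts with shared key access disabled are still scanned.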


@ -0,0 +1,55 @@
id: azure-storage-private-endpoint-unconfigured
info:
name: Azure Storage Private Endpoint Not Configured
author: princechaddha
severity: high
description: |
Ensure that private endpoints are configured for Microsoft Azure Storage accounts in order to allow clients and services to securely access data located over a network via an encrypted Private Link connection.
impact: |
Not using private endpoints for Azure Storage accounts can expose sensitive data to potential breaches by allowing data transmission over less secure networks.
remediation: |
Configure private endpoints for your Azure Storage accounts to ensure secure access via Private Link.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let StorageAccount of iterate(template.storageAccounts)) {
StorageAccount = JSON.parse(StorageAccount);
set("name", StorageAccount.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageAccounts
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'privateEndpointConnections' --output json
matchers-condition: and
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- 'name + " does not have any configured private endpoints."'
# digest: 4a0a0047304502206a52edb1651c67b51d220db8414500ba1ae0c0e48f3eccf99cf57a5681bc1e77022100bb1af7ca2af738a606f03704089e39c48f09fc7aa321c8c7e5481845be446d46:366f2a24c8eb519f6968bd8801c08ebe
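Review bot: matching [] on privateEndpointConnections treats any connection as sufficient, but the list also includes connections whose privateLinkServiceConnectionState.status is Pending or Rejected, which carry no traffic; filter the JMESPath query to connections whose status is Approved (using backtick string literals as the lifecycle template does) so an account whose only connection was rejected is still reported.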


@ -0,0 +1,70 @@
id: azure-storage-public-access
info:
name: Azure Storage Publicly Accessible Web Containers
author: princechaddha
severity: high
description: |
Ensure that the Microsoft Azure storage container where the exported activity log files are saved is not publicly accessible from the Internet, in order to avoid exposing sensitive data and minimize security risks.
impact: |
If the storage container is publicly accessible, sensitive data contained within the activity log files can be accessed by anyone, thus increasing the risk of data breaches and unauthorized access.
remediation: |
Ensure that the Azure storage containers storing activity log files are configured to deny public access. Review and modify the public access settings of your storage accounts to protect sensitive data.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let subName of iterate(template.subscriptionNames)) {
set("subName", subName);
code(2);
for (let containerDetails of iterate(template.containerDetails)) {
set("containerDetails", containerDetails);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings subscription list --query 'value[*].name'
extractors:
- type: json
name: subscriptionNames
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az monitor diagnostic-settings subscription show --name "$subName" --query 'storageAccountId'
extractors:
- type: json
name: containerDetails
internal: true
json:
- '.'
- engine:
- sh
- bash
source: |
az storage container show --account-name $containerDetails --name insights-operational-logs --query 'properties.publicAccess'
matchers:
- type: word
words:
- 'container'
extractors:
- type: dsl
dsl:
- 'subName + " storage container insights-operational-logs is publicly accessible"'
# digest: 4a0a00473045022100c4b716407c29f8e7dfdf830aaf1b95cbf6a2de0cce18b9717a91d48df9e9df40022003c7fc9974650dc89fb771a04a1b5aedf665d9164063aa4fb9cc905627d60663:366f2a24c8eb519f6968bd8801c08ebe
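Review bot: the third code block passes $containerDetails to --account-name, but the value extracted in the second block is storageAccountId, the full ARM resource id (/subscriptions/.../storageAccounts/<name>), so az storage container show fails for every subscription; reduce it to the last path segment (in bash, "${containerDetails##*/}") and quote the expansion. The matcher also recognises only the 'container' public access level; 'blob' (anonymous read of individual blobs, which includes the exported log files) is public as well and should be matched. Finally, the name "Azure Storage Publicly Accessible Web Containers" does not describe what is checked, which is the insights-operational-logs container that receives exported activity logs.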


@ -0,0 +1,57 @@
id: azure-storage-queue-logging-disabled
info:
name: Azure Storage Queue Logging Not Enabled
author: princechaddha
severity: high
description: |
Ensure that Microsoft Azure Storage Queue service logging is enabled for read, write, and delete requests. The Storage Queue service records details of both successful and failed requests, including end-to-end latency, server latency, and authentication information, which is crucial for security and compliance.
impact: |
Not enabling logging for Azure Storage Queue can result in insufficient data for auditing and lack of visibility into access patterns, potentially leading to unauthorized access and data breaches.
remediation: |
Enable logging for read, write, and delete requests in Azure Storage Queue service to ensure compliance and improve security monitoring.
reference:
- https://docs.microsoft.com/en-us/azure/storage/queues/storage-queues-introduction
tags: cloud,devops,azure,microsoft,storage-queue,azure-cloud-config
flow: |
code(1);
for (let StorageAccount of iterate(template.storageAccounts)) {
StorageAccount = JSON.parse(StorageAccount);
set("name", StorageAccount.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageAccounts
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage logging show --services q --account-name "$name" --output json
matchers:
- type: word
words:
- '"delete": false'
- '"read": false'
- '"write": false'
condition: and
extractors:
- type: dsl
dsl:
- 'name + " does not have logging enabled for delete, read, or write actions."'
# digest: 4a0a00473045022100fe27994bea8b635ed95eb05ff31e986ac186b453d8ae7a0f26f5211dea1c092202203c53084e31275d85ed659753b0996a17379a1257380d5011033b6dd83eec5fe4:366f2a24c8eb519f6968bd8801c08ebe
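Review bot: as in the blob logging template, condition: and across the three words only fires when read, write and delete logging are all false, so partially enabled logging is not reported; use condition: or if each missing operation is a finding. The same two caveats apply: az storage logging show reflects classic Storage Analytics logging only (accounts relying on diagnostic settings will be flagged), and the command authorizes with the account key, so it yields no finding where shared key access is disabled. The reference link is the general queue introduction rather than the logging documentation.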


@ -0,0 +1,55 @@
id: azure-storage-secure-transfer
info:
name: Azure Storage Secure Transfer Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that all data transferred between clients and your Azure Storage account is encrypted using the HTTPS protocol. A Microsoft Azure Storage account contains data objects such as files, blobs, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP/HTTPS. All data stored within your Azure Storage account is secure, scalable, durable, and highly available.
impact: |
If HTTPS is not enforced, data in transit between clients and Azure Storage resources (files, blobs, queues, tables, and disks) may be transmitted unencrypted, exposing it to potential interception and tampering.
remediation: |
Enable "Secure transfer required" in your Azure Storage account settings to enforce HTTPS traffic only, ensuring all data in transit is encrypted.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let StorageAccount of iterate(template.storageAccounts)) {
StorageAccount = JSON.parse(StorageAccount);
set("name", StorageAccount.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageAccounts
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'enableHttpsTrafficOnly'
matchers-condition: and
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- 'name + " storage account does not have secure transfer enabled"'
# digest: 4a0a0047304502204205b864a1c3abea62733d689581f0ddcc428dec4e1df17dea9a1a73968bac0402210083a5f5993a2fe63946699d4763f721d09836242adf8aadfcd94409b8865d334e:366f2a24c8eb519f6968bd8801c08ebe
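Review bot: the `source:` line `az storage account show --name "$name" --query 'enableHttpsTrafficOnly'` omits `--output json`, unlike the logging and `networkRuleSet.bypass` templates in this commit, so the bare `false` word matcher depends on whatever default output format the operator has configured; add `--output json` for consistency. `matchers-condition: and` above a single matcher is redundant and can be dropped.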

View File

@ -0,0 +1,55 @@
id: azure-storage-static-website-review
info:
name: Azure Storage Static Website Configuration Review
author: princechaddha
severity: medium
description: |
Ensure that all the Microsoft Azure Storage accounts configured to host static websites are regularly reviewed for security and compliance purposes. Upon enabling this rule on your Cloud Conformity console, you must specify the storage account or the list of storage accounts that are expected to host static content (HTML, CSS, JavaScript, and image files).
impact: |
Failing to review storage accounts hosting static websites can lead to potential security risks and non-compliance with data handling standards.
remediation: |
Regularly review your Azure Storage accounts that host static websites and ensure they comply with security and data protection standards.
reference:
- https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website
tags: cloud,devops,azure,microsoft,storage-account,azure-cloud-config
flow: |
code(1);
for (let accountData of iterate(template.accountList)) {
accountData = JSON.parse(accountData);
set("name", accountData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage blob service-properties show --account-name "$name" --query 'staticWebsite.enabled'
matchers-condition: and
matchers:
- type: word
words:
- 'true'
extractors:
- type: dsl
dsl:
- 'name + " is configured to host static websites"'
# digest: 490a00463044022061abb5c6e02f25bd531671d9ab62f225e2fab3d93381ca59bf90a8686dce30c20220301d702d147907e4383821d519a221f2b47281783afe69428e39c21da0394328:366f2a24c8eb519f6968bd8801c08ebe
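Review bot: the second sentence of `description:` ("Upon enabling this rule on your Cloud Conformity console, you must specify the storage account or the list of storage accounts ...") describes another product's workflow and does not apply to this template, which has no allow-list and simply reports every account where `staticWebsite.enabled` is `true`; rewrite the description to say what this template actually does, and reconsider `severity: medium` for a check that surfaces a configuration to review rather than a misconfiguration.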

View File

@ -0,0 +1,57 @@
id: azure-storage-table-logging-disabled
info:
name: Azure Storage Table Logging Not Enabled
author: princechaddha
severity: medium
description: |
Ensure that Azure Storage Table service logging is enabled for read, write, and delete requests. The Azure Storage Table service stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage logging is performed server-side and allows details for both successful and failed requests to be recorded in the associated storage account.
impact: |
Failing to enable logging for the Azure Storage Table service can prevent tracking of successful and failed requests, impacting auditing and troubleshooting capabilities.
remediation: |
Enable logging for read, write, and delete requests in the Azure Storage Table service through the Azure portal or using the Azure CLI.
reference:
- https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-overview
tags: cloud,devops,azure,microsoft,azure-storage,azure-cloud-config
flow: |
code(1);
for (let AccountData of iterate(template.accountList)) {
AccountData = JSON.parse(AccountData);
set("name", AccountData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: accountList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage logging show --services t --account-name "$name" --output json
matchers:
- type: word
words:
- '"delete": false'
- '"read": false'
- '"write": false'
condition: and
extractors:
- type: dsl
dsl:
- 'name + " has logging for read, write, delete not enabled"'
# digest: 4b0a00483046022100ed951594f079cd64e542bc7819b2d674ab1ec265fab22c6c65fcf63b2db6bcf2022100ded50fcd7446a8e4f0baba0a4a79e6f9841721816c44de9a3c111ca03f9542ba:366f2a24c8eb519f6968bd8801c08ebe
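Review bot: same matcher logic issue as the queue logging template: with `condition: and` the three `false` words must all be present, so table logging that is enabled for only one or two of read, write and delete is never reported even though the `remediation` text requires all three; switch to `condition: or`. The `dsl` message "has logging for read, write, delete not enabled" reads awkwardly; the phrasing used in the queue template ("does not have logging enabled for delete, read, or write actions") is clearer.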

View File

@ -0,0 +1,54 @@
id: azure-storage-trusted-access-disabled
info:
name: Azure Storage Trusted Microsoft Services Access Disabled
author: princechaddha
severity: medium
description: |
Ensure that "Allow trusted Microsoft services to access this storage account" exception is enabled within your Azure Storage account configuration settings to grant access to trusted cloud services.
impact: |
Not allowing trusted Microsoft services to access the storage account can restrict functionality and impact service continuity.
remediation: |
Enable the "Allow trusted Microsoft services to access this storage account" exception in the Azure portal under Storage account settings.
reference:
- https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security
tags: cloud,devops,azure,microsoft,storage,azure-cloud-config
flow: |
code(1);
for (let StorageAccountData of iterate(template.storageAccounts)) {
StorageAccountData = JSON.parse(StorageAccountData);
set("name", StorageAccountData.Name);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az storage account list --query '[*].{"Name":name}'
extractors:
- type: json
name: storageAccounts
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az storage account show --name "$name" --query 'networkRuleSet.bypass' --output json
matchers:
- type: word
words:
- 'None'
extractors:
- type: dsl
dsl:
- 'name + " does not have trusted Microsoft services access enabled"'
# digest: 4b0a00483046022100ca0c5727d1150e083b16cb351fee142d1c242e798bf642c810a7a2b8dee93af6022100e966c8f1b674c9256e14afae827e11b352b2bd30fca007a81d33eee78688b3fe:366f2a24c8eb519f6968bd8801c08ebe
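Review bot: `networkRuleSet.bypass` is a comma-separated list (`Logging`, `Metrics`, `AzureServices`, or `None`), so matching on the word `None` misses accounts whose bypass is, for example, `Logging, Metrics` without `AzureServices`, which is exactly the state the template name describes. Match on the absence of `AzureServices` instead, e.g. `words: ['AzureServices']` with `negative: true`, so every account that does not allow trusted Microsoft services is reported.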

View File

@ -0,0 +1,33 @@
id: azure-budget-alerts-missing
info:
name: Azure Budget Alerts Not Configured
author: princechaddha
severity: high
description: |
Keeping the cost of your Microsoft Azure cloud infrastructure under control is vital for your organization. It's important to ensure that budget exceeding alerts are created to prevent unexpected expenditure within your Azure account.
impact: |
Lack of budget alerts can lead to unexpected costs, potentially exceeding budget limits without timely notifications.
remediation: |
Create and configure budget alerts in your Azure account to monitor and manage cloud expenditures effectively.
reference:
- https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets
tags: cloud,devops,azure,microsoft,budget,azure-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
az consumption budget list --output json
matchers:
- type: regex
regex:
- '(?m)^\[\]$'
extractors:
- type: dsl
dsl:
- '"There are no budget alerts set up for cost monitoring in the Microsoft Azure cloud subscription"'
# digest: 4a0a00473045022100c43140cfcf90b52938698d5d3af59ea58dd4f83b4869cea143b8d079e776237a022068987e675a2e1e83a72800a30d3ffdd0866a66708cabd53dc3a6ca4575d5f65a:366f2a24c8eb519f6968bd8801c08ebe
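Review bot: the check only tests whether `az consumption budget list` returns an empty array (`(?m)^\[\]$`), but the template name and the `dsl` message say budget alerts are not configured; a subscription with a budget that has no notification entries passes this check unreported. Query the budgets' `notifications` field as well, so that budgets without any alert threshold are also flagged, or rename the template to say it checks for the existence of a budget.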

View File

@ -0,0 +1,57 @@
id: azure-policy-not-allowed-types-unassigned
info:
name: Azure Policy - Not Allowed Resource Types Policy Assignment Not in Use
author: princechaddha
severity: medium
description: |
Ensure that a "Not Allowed Resource Types" policy is assigned to your Azure subscriptions in order to deny deploying restricted resources within your Azure cloud account for security and compliance purposes. Microsoft Azure Policy service allows you to enforce organizational standards and assess cloud compliance at-scale. The "Not Allowed Resource Types" policy assignment must use the built-in policy definition which enables you to specify the cloud resource types that your organization cannot deploy.
impact: |
Failure to assign the "Not Allowed Resource Types" policy can result in unauthorized resource deployment, potentially violating compliance and security policies.
remediation: |
Assign the "Not Allowed Resource Types" policy to your Azure subscriptions to ensure compliance with corporate standards and prevent unauthorized resource deployment.
reference:
- https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
tags: cloud,devops,azure,microsoft,azure-policy,azure-cloud-config
flow: |
code(1);
for (let AssignmentData of iterate(template.policyAssignmentList)) {
AssignmentData = JSON.parse(AssignmentData);
set("name", AssignmentData.name);
set("policyDefinitionId", AssignmentData.policyDefinitionId);
code(2);
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az policy assignment list --output json --query '[*].{"name":displayName,"policyDefinitionId":policyDefinitionId}'
extractors:
- type: json
name: policyAssignmentList
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az policy definition show --name "$name" --query 'displayName' --output json
matchers-condition: and
matchers:
- type: word
part: stderr
words:
- 'Audit virtual machines without disaster recovery configured'
extractors:
- type: dsl
dsl:
- '"Policy " + name + " not enforcing allowed resource types"'
# digest: 490a0046304402203f7c8e350ac1986dca24eb64ce9f7c85316352109991df3c1440e32dfb1129820220664180b658e037f844ee8c2af8f5f38a0062b8af34b1440f08d5112c91be8072:366f2a24c8eb519f6968bd8801c08ebe
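Review bot: the second step does not test what the template name describes. `az policy definition show --name "$name"` is given the assignment's `displayName` (set from `AssignmentData.name` in the flow), not a policy definition name, and the matcher then looks in `stderr` for "Audit virtual machines without disaster recovery configured", a string unrelated to "Not Allowed Resource Types"; this looks like a copy-paste remnant and will only ever match an error message. Since the goal is to report that no assignment references the built-in "Not allowed resource types" definition, a per-assignment loop is the wrong shape: filter the `az policy assignment list` output in the first step (the `policyDefinitionId` is already extracted) and match an empty result, the way the budget template in this commit matches `(?m)^\[\]$`.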

View File

@ -0,0 +1,70 @@
id: azure-synapse-sqlpool-tde-disabled
info:
name: Azure Synapse Analytics SQL Pool Transparent Data Encryption Not Enabled
author: princechaddha
severity: high
description: |
Ensure that Transparent Data Encryption (TDE) is enabled for all dedicated SQL pools within Microsoft Azure Synapse Analytics workspaces in order to protect your data at rest and help meet compliance requirements.
impact: |
Failing to enable Transparent Data Encryption (TDE) can result in non-compliance with regulatory requirements and increased risk of unauthorized access to sensitive data at rest.
remediation: |
Enable Transparent Data Encryption (TDE) for all Azure Synapse Analytics dedicated SQL pools to ensure your data at rest is encrypted and secure.
reference:
- https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is
tags: cloud,devops,azure,microsoft,synapse,azure-cloud-config
flow: |
code(1);
for (let workspaceId of iterate(template.workspaceIds)) {
set("workspaceId", workspaceId);
code(2);
for (let sqlPoolId of iterate(template.sqlPoolIds)) {
set("sqlPoolId", sqlPoolId);
code(3);
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
az synapse workspace list --query '[*].id'
extractors:
- type: json
name: workspaceIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az synapse sql pool list --workspace-name "$workspaceId" --resource-group "$resourceGroup" --query '[*].id'
extractors:
- type: json
name: sqlPoolIds
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
az synapse sql pool tde show --ids "$sqlPoolId" --transparent-data-encryption-name current --query 'status'
matchers:
- type: word
words:
- '"Disabled"'
extractors:
- type: dsl
dsl:
- 'workspaceId + " " + sqlPoolId + " does not have TDE enabled"'
# digest: 4b0a00483046022100f14ac158adedd2e2a992ece777fe373a866390e42f48ac6e29f442a22e386cad022100f2b26bb8c1f2088747f7227f0bae244c4789e4e7e09d796b250768de50a1b80b:366f2a24c8eb519f6968bd8801c08ebe
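Review bot: the second `source:` will fail for every workspace: `az synapse sql pool list --workspace-name "$workspaceId" --resource-group "$resourceGroup"` receives a full resource id in `$workspaceId` (the first step queries `[*].id`) where a workspace name is expected, and `$resourceGroup` is never set anywhere in the `flow`. Extract `name` and `resourceGroup` in the first step (e.g. `--query '[*].{"Name":name,"ResourceGroup":resourceGroup}'` with `JSON.parse` in the flow, as the storage templates in this commit do) and set both before `code(2)`. The final matcher `'"Disabled"'` also relies on JSON output with quotes while the command omits `--output json`; add it for a deterministic match.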