Skip to content

Latest commit

 

History

History
113 lines (90 loc) · 7.19 KB

RN191115.md

File metadata and controls

113 lines (90 loc) · 7.19 KB
Raw

191115 (AzSK v.4.3.0)

Feature updates

  • DevOps Kit controls expressed as Azure Policy (in progress):

    • Authored Azure Policy for 70 more DevOps Kit controls. These will be submitted to the Azure Security Center (ASC) team for inclusion in the ASC initiative.
    • At this point we are done with 152 of approx. 250 controls. For most of the remaining controls from the target set, we are blocked for various reasons such as absence of alias, need custom code, etc.

  • Security Verification Tests (SVTs):

    • Added support for Azure Virtual Machine Scale Sets (VMSS).
    • Automated controls include checks for anti-malware protection, monitoring, disk encryption, VM instance upgradation, IP configuration, NSG rules and diagnostic settings.

  • Privileged Identity Management (PIM):

    • Added capabilities to enable conditional access policy for PIM in a subscription. This can be achieved using the following command:

    setpim -ConfigureRoleSettings -SubscriptionId $subid -RoleName $roleName -ApplyConditonalAccessPolicyForRoleActivation $true

    • Added support for activation of permanent eligible PIM assignments.

  • In-cluster security scans for ADB, AKS, HDI Spark:

    • N/A

  • Log Analytics:

    • N/A.

  • ARM Template Checker:

    • N/A.

  • Org policy/external user updates (for non-CSEO users):

    • Ported Org policy cmdlets to PS Core. After this change, users can perform all org policy management operations from OS X/Linux, etc.
    • Validated support for use of a local folder on the client machine (as opposed to a storage-based blob) as the source for org policy at AzSK runtime.

Note: The next few items mention features from recent releases retained for visibility in case you missed those release announcements:

  • Credential Hygiene helper cmdlets

    • New-AzSKTrackedCredential to onboard a credential for tracking via DevOps Kit. You can set the reminder period (in days) for the credential.
    • Get-AzSKTrackedCredential to list the onboarded credential(s).
    • Update-AzSKTrackedCredential to update the credential settings and reset the last updated timestamp.
    • Remove-AzSKTrackedCredential to deboard a credential from AzSK tracking.

  • Privileged Identity Management (PIM) helper cmdlets (from last sprint)

    • Set-AzSKPIMConfiguration (alias setpim )for configuring/changing PIM settings
    • Get-AzSKPIMConfiguration (alias getpim )for querying various PIM settings/status
    • Activating your PIM role is now as simple as this:

    setpim -ActivateMyRole -SubscriptionId $s5 -DurationInHours 8 -Justification 'ad hoc test' -RoleName Owner

    • See docs here for more.

  • (Preview) Security Scan for Azure Active Directory (AAD)

    • You can scan security controls for your AAD tenant (as either an admin or even as a regular user) using the DevOps Kit AAD Security Scan module.
    • Use following steps:
    # AAD scan cmdlets are packaged as a separate module (AzSK.AAD)
Install-Module AzSK.AAD -Scope CurrentUser -AllowClobber
Import-Module AzSK.AAD
Get-AzSKAADSecurityStatusTenant    # check the tenant (admin)
Get-AzSKAADSecurityStatusUser      # check objects you own (user)
    • Caveats:
      • Do not run these in the same PS session as AzSK. Start a new PS console.
      • Az- modules require .Net Framework v4.7.2.
      • By default, the current cmdlets will scan just 3 objects of each type (Apps/SPNs/Groups, etc.). This is until we work out how best to group/batch scans when scanning the entire tenant. If you want to scan more objects you can use the '-MaxObj' switch in the cmdlets.

  • (Preview) AzSK module for Azure DevOps (ADO/VSTS)

    • You can try the scan cmdlet using:
#VSTS scan cmdlet is in a separate module called AzSK.AzureDevOps!
Install-Module AzSK.AzureDevOps -Scope CurrentUser -AllowClobber    
Get-AzSKAzureDevOpsSecurityStatus -OrganizationName "MicrosoftIT"`
                                  -ProjectNames "OneITVSO"`
                                  -BuildNames "build_name_here"`
                                  -ReleaseNames "release_name_here"

Other improvements/bug fixes

  • Subscription Security:

    • Subscription security controls that check for persistent access viz. Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access_RG and Azure_Subscription_AuthZ_Dont_Grant_Persistent_Access will no longer fail for permanent PIM eligible roles.
    • Introduced a new control Azure_Subscription_Configure_Conditional_Access_for_PIM to check that conditional access policy has been configured for subscription level critical roles (Owner, User Access Administrator and Contributor) in PIM as required by an org.
    • Fixed a bug in the Set-AzSKSubscriptionRBAC command where the missing mandatory RBAC accounts were not being added when not using the -Force parameter.
    • Control for checking Azure Security Center (ASC) setup has been updated to limit checking desired ASC policy state (‘enabled’/’disabled’) only at the subscription scope. Validation and evaluation of assignments at management group scope will be available in a future release.

  • Privileged Identity Management (PIM):

    • Fixed an issue where PIM access was getting activated on additional resource groups due to a more permissive regex match.
    • Bug fix in Set-AzSKPIMConfiguration -RemovePermanentAssignments. Earlier, the command used to give success message for unauthorised request, which has been fixed as part of this bug fix.

  • SVTs:

    • N/A

  • Controls:

    • Automated the control Azure_APIManagement_DP_Use_Secure_TLS_Version to detect if any of the unsecure protocols/cipher configurations (3DES Ciphers, TLS protocols 1.0/1.1 and SSL 3.0) are enabled in an APIM service.
    • Azure_VirtualMachine_SI_Enable_Vuln_Solution control will now be skipped for VMs used in Kubernetes and Databricks clusters. This is to avoid noise for VMs that get spun up temporarily for job execution and then disappear. In future sprints, we plan to review some more candidate controls for such exclusion.
    • Fixed an issue with the control Azure_VirtualMachine_SI_Deploy_GuestConfig_Extension where it was failing if both user and system-assigned identity were enabled on the VM resource. (The control was supposed to check only system-assigned identity.)
    • The TLS control for AppService has been renamed from Azure_AppService_DP_Use_Approved_TLS_Version to Azure_AppService_DP_Use_Secure_TLS_Version.

  • ARM Template Checker:

    • The following new controls have been added to ARM Checker:
      • Azure_AppService_DP_Review_CORS_Request_Credential
      • Azure_DBforMySQL_Authz_Enable_SSL_Connection
      • Azure_DBforPostgreSQL_AuthZ_Enable_SSL_Connection
      • Azure_Storage_BCDR_Enable_Soft_Delete

  • CA:

    • N/A.

  • In-cluster CA:

    • 2 new in-cluster security controls to check latest version of HDI 3.0 and Spark 2.4
    • Introduced a flag to retrieve and delete previous scan reports and metadata.

  • Azure DevOps (ADO/VSTS):

    • N/A.

  • Log Analytics:

    • N/A.

  • Other

    • N/A.