How to Improve Azure Security with CIS Benchmarks
Compliance
View Trend Micro Cloud One™ – Conformity in action! Read along as Chuck walks you through how to run a CIS report and see how to improve and remediate misconfigurations with the Conformity Bot.
By: Chuck Losh
August 07, 2020
I love experimenting with Trend Micro Cloud One Conformity! A recent addition to the product for Microsoft Azure is CIS Benchmark reporting, aligned with the CIS Microsoft Azure Foundations Benchmark v1.1.0.
Today, I'm going to provision a test Windows Virtual Machine with some known misconfigurations, run the CIS report and see how I can improve. I'm also going to provision an Azure Web App from Visual Studio Code with some misconfigurations and see how it stacks up against the CIS benchmark checks. The Cloud One Conformity Bot should show how I can improve and remediate. Enjoy!
OK, so first I deployed a test Microsoft Windows Server 2019 Virtual Machine in my subscription. It had some deliberate misconfigurations, to see whether they would be picked up by the Trend Micro Cloud Conformity Bot scan and the corresponding CIS Benchmarks Report.
And... the results are in! I ran the Trend Micro Cloud Conformity Bot against my Azure subscription and pulled the results by CIS Benchmark. It looks like it picked up my dodgy Network Security Group. I also don't have flow logs for my Network Security Group for long-term retention, and my OS disk isn't encrypted! It's really neat how it breaks the findings out by benchmark number; that gives cloud engineers an easy way to track violations and what they have remediated.
Cool! So how do I remediate these? I can open the RDP finding specifically to get the details on the affected resource, and click the resolve button to go to the knowledge base.
Here is the Cloud Conformity knowledge base article for that finding (RDP), which tells me how to fix it in the Azure Portal or programmatically with the Azure CLI. Cool!
Let's fix that via the Azure CLI and see whether the finding is remediated. First I listed all the Network Security Groups, with their rules, using the following Azure CLI command.
az network nsg list
As you can see, listing the Network Security Groups is enough to find the offending rule: an inbound RDP rule whose source is open to the Internet. There it is! Let's zap that guy!
Then I updated the rule so RDP is no longer open to the outside world but only to the local Virtual Network, using the following Azure CLI command. Note that the VirtualNetwork service tag also covers peered virtual networks and on-premises ranges reachable through a gateway, so this closes the Internet exposure rather than locking RDP down to a single admin host; for interactive access a bastion host or just-in-time access is tighter still.
az network nsg rule update -g TESTCISMachine --nsg-name TESTCISMachine-nsg -n RDP --source-address-prefix 'VirtualNetwork'
OK, let's run the Cloud One Conformity Bot again and see whether that risk has been eliminated!
Looks good!
Let's now move on and fix the Network Security Group flow log and disk encryption issues. Those were the next items on my CIS report list. I love lists!
Looking at the Network Security Group flow log violations, I have two resources in my subscription with that problem: the test Virtual Machine for this article and my AKS (Azure Kubernetes Service) cluster. Cool! Let's fix them both! Good to know!
OK, so let's see what they're set to right now programmatically. Let's get a baseline reading!
az network watcher flow-log show --nsg TESTCISMachine-nsg --resource-group TESTCISMachine --query 'retentionPolicy'
az network watcher flow-log show --nsg aks-agentpool-24655092-nsg --resource-group MC_AKS_AKS_southcentralus --query 'retentionPolicy'
Well, that's not good! As we can see from the JSON output below (run from PowerShell), the retention policy isn't enabled for either Network Security Group. I also noticed that the retention days are set to zero rather than the recommended 90 days. Let's change that via the Azure CLI.
We'll fix it with the following commands. Each flow log is created in the Network Watcher for the NSG's region and needs a storage account to write to; the --retention value is the number of days the storage retention policy keeps the logs.
az network watcher flow-log create --location southcentralus --resource-group TESTCISMachine --name TestFlowLog --nsg TESTCISMachine-nsg --storage-account testcismachinediag --retention 90
az network watcher flow-log create --location southcentralus --resource-group MC_AKS_AKS_southcentralus --name TestFlowLogAKS --nsg aks-agentpool-24655092-nsg --storage-account testaksv2 --retention 90
It looks like the change to Network Security Group flow log retention was successful, based on the Azure CLI output shown below!
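Both network findings above (RDP open to the Internet, and flow logs missing or retained too briefly) can be checked offline from the JSON the Azure CLI returns, which is handy for confirming a fix before re-running the bot. The following is an added example written for this article; it is not code from the original post or from Cloud One Conformity. It assumes the record shapes of `az network nsg list -o json` and `az network watcher flow-log show -o json`, and every sample record in it is constructed. It goes slightly beyond the post by evaluating rules in priority order, so a higher-priority Deny correctly shadows a wide-open Allow.

```python
"""Judge NSG rules and flow-log settings the way the two network findings above were judged.
Added example for this article, not code from the original post or from Cloud One Conformity.
Record shapes follow `az network nsg list -o json` and `az network watcher flow-log show -o json`;
every sample record below is constructed."""
import ipaddress
import json

RDP_PORT = 3389
MIN_RETENTION_DAYS = 90
# Source prefixes that mean "anywhere"; service tags such as VirtualNetwork do not.
INTERNET_PREFIXES = {"*", "internet", "0.0.0.0/0", "::/0", "any"}


def source_prefixes(rule):
    # The CLI puts one prefix in sourceAddressPrefix and several in sourceAddressPrefixes.
    single = rule.get("sourceAddressPrefix")
    return ([single] if single else []) + list(rule.get("sourceAddressPrefixes") or [])


def destination_ports(rule):
    single = rule.get("destinationPortRange")
    return ([single] if single else []) + list(rule.get("destinationPortRanges") or [])


def port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:  # a range such as "3000-4000"
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def prefix_is_internet(prefix):
    if prefix.strip().lower() in INTERNET_PREFIXES:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # a service tag, not a CIDR


def rdp_exposed_to_internet(nsg):
    """True when the effective inbound decision for TCP/3389 from the Internet is Allow.
    Rules are walked in priority order (lowest number wins), as Azure applies them, so a
    Deny at 100 shadows an Allow at 200; with no match the default DenyAllInBound applies."""
    inbound = [r for r in nsg.get("securityRules", []) if r.get("direction") == "Inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if (rule.get("protocol") or "*").lower() not in ("*", "tcp"):
            continue
        if not any(port_matches(p, RDP_PORT) for p in destination_ports(rule)):
            continue
        if not any(prefix_is_internet(p) for p in source_prefixes(rule)):
            continue
        return rule.get("access") == "Allow"
    return False


def flow_log_retention_ok(flow_log):
    """Flow logging must be on, with a retention policy enabled for at least 90 days."""
    policy = flow_log.get("retentionPolicy") or {}
    return (bool(flow_log.get("enabled")) and bool(policy.get("enabled"))
            and int(policy.get("days") or 0) >= MIN_RETENTION_DAYS)


def network_findings(nsgs, flow_logs_by_nsg):
    """Group findings per NSG, as the CIS report does; an NSG with no flow-log resource fails."""
    findings = {}
    for nsg in nsgs:
        issues = []
        if rdp_exposed_to_internet(nsg):
            issues.append("RDP (TCP/3389) allowed from the Internet")
        log = flow_logs_by_nsg.get(nsg["name"])
        if log is None or not flow_log_retention_ok(log):
            issues.append("flow logs missing or retained for fewer than 90 days")
        if issues:
            findings[nsg["name"]] = issues
    return findings


# Constructed samples: the article's NSG before the fix, the same rule after the fix, and an
# NSG whose wide-open Allow is shadowed by a higher-priority Deny (so it is not exposed).
SAMPLE_NSGS = json.loads("""[
 {"name": "TESTCISMachine-nsg", "securityRules": [
   {"name": "RDP", "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "TCP",
    "sourceAddressPrefix": "*", "sourceAddressPrefixes": [], "destinationPortRange": "3389", "destinationPortRanges": []}]},
 {"name": "fixed-nsg", "securityRules": [
   {"name": "RDP", "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "TCP",
    "sourceAddressPrefix": "VirtualNetwork", "sourceAddressPrefixes": [], "destinationPortRange": "3389", "destinationPortRanges": []}]},
 {"name": "shadowed-nsg", "securityRules": [
   {"name": "DenyMgmt", "priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "*",
    "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [], "destinationPortRange": null, "destinationPortRanges": ["22", "3389"]},
   {"name": "AllowAll", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "*",
    "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": [], "destinationPortRange": "*", "destinationPortRanges": []}]}
]""")
SAMPLE_FLOW_LOGS = {  # keyed by NSG name; shadowed-nsg has no flow-log resource at all
    "TESTCISMachine-nsg": {"enabled": False, "retentionPolicy": {"days": 0, "enabled": False}},
    "fixed-nsg": {"enabled": True, "retentionPolicy": {"days": 90, "enabled": True}},
}

if __name__ == "__main__":
    print(json.dumps(network_findings(SAMPLE_NSGS, SAMPLE_FLOW_LOGS), indent=2))
```

To use it against a real subscription, save `az network nsg list -o json` to a file and load it in place of SAMPLE_NSGS, and build the flow-log dictionary from one `az network watcher flow-log show` call per NSG. The priority walk matters: a report that only greps for `"*"` or `Internet` in an Allow rule would wrongly flag shadowed-nsg.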
Let's check in on our Cloud One Conformity Bot!
Huzzah!!! Well, that clears all our networking-related risks when it comes to CIS benchmarking!! Look at that! Green is a pretty color! I feel a lot better already!
Let's now address that pesky disk encryption issue shown below under Virtual Machines!
Well, from the Azure CLI output the Virtual Machine definitely doesn't have encryption turned on for the OS disk. Let's fix it programmatically.
Here is the Azure CLI fix! Azure Disk Encryption needs a Key Vault that has been enabled for disk encryption and lives in the same region and subscription as the VM, and the VM has to be running while the extension encrypts the volume.
az vm encryption enable --disk-encryption-keyvault cistesting123 --name TESTCISMachine --resource-group TESTCISMachine --volume-type OS
Let's verify that the disk encryption completed successfully... Boom goes the dynamite! Look at that Azure Portal! Beautiful sight!
Alrighty then! Let's have the Cloud One Conformity Bot check it!
Wow!! All clear: my disk is now encrypted, and that cleared all the checks for Virtual Machines! That's a good feeling! All thanks to Trend Micro Cloud One Conformity! We're ready to move on to my Azure Web App tests for this article.
Alrighty then! Let's try something new!! I recently pushed a test PHP-based application to an Azure Web App using Visual Studio Code. I deliberately included some misconfigurations, since I wanted to run the CIS Benchmarks against it with Trend Micro Cloud One Conformity.
It's a simple Microsoft-built sample application, referenced here: https://github.com/Azure-Samples/php-docs-hello-world
Here it is running as an Azure Web App after pushing it to an Azure App Service Plan with Visual Studio Code.
Here is the same app running in a browser. It just says "Hello World!" and displays the PHP runtime info. Simple, right? (Keep in mind that a public phpinfo() page discloses runtime and configuration details you would not want exposed on a production app; it is fine for this test.)
So what does our trusty Cloud One Conformity Bot check say about this Azure Web App/Service Plan according to the CIS Benchmark?
Interesting! For starters, I know I deliberately deployed an older version of the PHP runtime. It looks like that was caught by CIS Benchmark check 9.7.
I did that in the deployment phase with the Visual Studio Code IDE, where I selected the 7.2 runtime at deployment time. Silly me!
Well, it looks like I can fix that quite easily in the Azure Portal, or I can redeploy the web app with the new runtime. Either way, it will restart the associated Azure Web App. We can now see that the PHP runtime has been updated properly, with the phpinfo page showing the new PHP 7.3 runtime in the browser. Eureka!
OK, let's run the Cloud One Conformity Bot and see if that clears up!
Voila! Let's see if we can clear up the rest of the Azure App Service Plan issues. Shall we? Sounds good to me!
OK, next on our list are the HTTP/HTTPS violations.
First, we aren't running the latest HTTP version: I am deliberately running HTTP 1.1 instead of HTTP 2.0. That can easily be fixed in the Azure Portal.
Here you can see where I fixed it, and the Cloud One Conformity Bot picked up the change! I'm not surprised, of course it did! Trend Micro Cloud One Conformity for the win!
Next, the findings for requiring an HTTPS Only redirect for the application and a minimum TLS version of 1.2. These are now being turned on in the Azure Portal to fix the misconfigurations I introduced. Oops!
Look at that! These now show as remediated on the latest Cloud One Conformity Bot check! HTTPS Only and TLS 1.2 are good to go!
Next! We need to require incoming client certificates for accessing the application.
Here is where you change that configuration in the Azure Portal, under the App Service configuration. Note: you may need to scale up your App Service Plan from the Free tier to Basic to do so.
Here is the corresponding Cloud One Conformity Bot check!
OK, that leaves only one more violation! I can see the top of the mountain! It looks like we need to register our application with Azure Active Directory as a best practice!
The fix can be done here under the Identity settings for the Azure App Service, which gives the app a managed identity in Azure Active Directory.
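The six App Service fixes above (HTTP 2.0, HTTPS Only, TLS 1.2, client certificates, PHP runtime and the Azure AD identity) all surface as fields in the JSON returned by `az webapp show` and `az webapp config show`, so the same checks can be run before and after a portal change. The following is an added example written for this article, not code from the original post or from Cloud One Conformity. It assumes those two CLI output shapes, the sample records are constructed, and the "latest PHP" version is passed in as a parameter rather than looked up.

```python
"""Check an App Service against the six findings walked through above, from the JSON that
`az webapp show -o json` (site) and `az webapp config show -o json` (config) return.
Added example for this article, not code from the original post or from Cloud One Conformity;
the sample records are constructed and the "latest PHP" value is a parameter, not a lookup."""
import json


def version_tuple(text):
    """'7.2' -> (7, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def php_version(config):
    """PHP version in use, or None. Windows apps expose phpVersion; Linux apps encode the
    runtime in linuxFxVersion as "PHP|7.3"."""
    fx = config.get("linuxFxVersion") or ""
    if fx.upper().startswith("PHP|"):
        return fx.split("|", 1)[1]
    return config.get("phpVersion") or None


def app_service_findings(site, config, latest_php="7.3"):
    """Return the list of CIS-style findings for one web app; an empty list means clean."""
    findings = []
    if not site.get("httpsOnly"):
        findings.append("HTTPS Only is off, so plain-HTTP requests are served, not redirected")
    min_tls = config.get("minTlsVersion") or "1.0"
    if version_tuple(min_tls) < (1, 2):
        findings.append(f"minimum TLS version is {min_tls}; set it to 1.2")
    if not config.get("http20Enabled"):
        findings.append("HTTP 2.0 is disabled")
    if not site.get("clientCertEnabled"):
        findings.append("incoming client certificates are not required")
    php = php_version(config)
    if php and version_tuple(php) < version_tuple(latest_php):
        findings.append(f"PHP runtime {php} is older than {latest_php}")
    identity = (site.get("identity") or {}).get("type") or "None"
    if identity == "None":
        findings.append("no managed identity: the app is not registered with Azure Active Directory")
    return findings


# Constructed records: the article's web app as first deployed, and after the portal fixes.
BEFORE_SITE = {"name": "php-hello", "httpsOnly": False, "clientCertEnabled": False, "identity": None}
BEFORE_CONFIG = {"minTlsVersion": "1.0", "http20Enabled": False, "phpVersion": "7.2", "linuxFxVersion": ""}
AFTER_SITE = {"name": "php-hello", "httpsOnly": True, "clientCertEnabled": True,
              "identity": {"type": "SystemAssigned"}}
AFTER_CONFIG = {"minTlsVersion": "1.2", "http20Enabled": True, "phpVersion": "7.3", "linuxFxVersion": ""}
# A Linux app keeps the runtime in linuxFxVersion; phpVersion is empty there.
LINUX_CONFIG = {"minTlsVersion": "1.2", "http20Enabled": True, "phpVersion": "", "linuxFxVersion": "PHP|7.4"}

if __name__ == "__main__":
    print(json.dumps({"before": app_service_findings(BEFORE_SITE, BEFORE_CONFIG),
                      "after": app_service_findings(AFTER_SITE, AFTER_CONFIG)}, indent=2))
```

Versions are compared as tuples on purpose: a string comparison would rank "7.10" below "7.2", and the same trap applies to minTlsVersion values.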
Wow! This house is clean! We've cleared all our CIS Benchmark violations for App Service!
As an added bonus, we've also improved our overall numbers!
This is a welcome addition to Trend Micro Cloud One Conformity, which is already a phenomenal product!
Using the CIS Benchmark as a guide is a great way to remediate common misconfigurations in your Azure subscription. Today we were able to show how that applies to both Azure Virtual Machine misconfigurations and Azure Web App and App Service Plan misconfigurations, two common services that most people in Azure use every day. I hope you enjoyed stopping by! I really enjoyed experimenting with the new CIS benchmarks, and I encourage you to try it out and do the same! Trend Micro Cloud Conformity is a great tool to help you fix common misconfigurations and establish a Well-Architected Framework, and now we have the bonus of additional CIS benchmark checks!
See you next time!
References:
https://www.cloudconformity.com
https://github.com/Azure-Samples/php-docs-hello-world