Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License

Reference to Azure Security Benchmark #1610

Closed BernieWhite closed 2 years ago

BernieWhite commented 2 years ago

Discussed in https://github.com/Azure/PSRule.Rules.Azure/discussions/1244

Originally posted by **BernieWhite** February 8, 2022

Some rules specifically check security controls defined in [Azure Security Benchmark](https://docs.microsoft.com/security/benchmark/azure/). ASB provides a reference point to map Azure controls to other security standards, for [example](https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access):

| CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
| -- | -- | -- |
| 5.4, 6.8 | AC-2, AC-6 | 7.1, 7.2, 8.1 |

This enhancement aims to map rules from the Security pillar to Azure Security Benchmark.

Rules will be tagged with:

```yaml
Azure.WAF/pillar: 'Security'
```

Rules will be labeled with (to support mapping to multiple controls if applicable):

```yaml
Azure.ASB.v3/control: 'XX-N'
```

For example, in YAML:

```yaml
---
# Synopsis: Internet accessible Application Gateways should protect endpoints with WAF.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: Azure.AppGw.UseWAF
  ref: AZR-000063
  tags:
    release: 'GA'
    ruleSet: '2020_06'
    Azure.WAF/pillar: 'Security'
  labels:
    Azure.ASB.v3/control: 'NS-6'
spec:
  with:
  - Azure.IsAppGwPublic
  condition:
    field: properties.sku.tier
    in:
    - WAF
    - WAF_v2
```

For example, in PowerShell:

```powershell
# Synopsis: App Service should reject TLS versions older than 1.2.
Rule 'Azure.AppService.MinTLS' -Ref 'AZR-000073' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.ASB.v3/control' = 'DP-3' } {
    $siteConfigs = @(GetWebSiteConfig);
    if ($siteConfigs.Length -eq 0) {
        # No per-slot site config found: check minTlsVersion on the site itself.
        return $Assert.
            HasFieldValue($TargetObject, 'properties.siteConfig.minTlsVersion', '1.2').
            ReasonFrom('properties.siteConfig.minTlsVersion', $LocalizedData.MinTLSVersion, $TargetObject.properties.siteConfig.minTlsVersion);
    }
    foreach ($siteConfig in $siteConfigs) {
        # Each nested config reports its own path so failures point at the right resource.
        $path = $siteConfig._PSRule.path;
        $Assert.
            HasFieldValue($siteConfig, 'properties.minTlsVersion', '1.2').
            ReasonFrom('properties.minTlsVersion', $LocalizedData.MinTLSVersion, $siteConfig.properties.minTlsVersion).PathPrefix($path);
    }
}
```

Rules that are already mapped include:

- Azure.AppService.MinTLS
- Azure.CDN.MinTLS
- Azure.FrontDoor.MinTLS
- Azure.FrontDoor.UseWAF
- Azure.KeyVault.AutoRotationPolicy
- Azure.VNET.UseNSGs
- Azure.AppGw.UseWAF
- Azure.AppGw.SSLPolicy
- Azure.AppGw.WAFEnabled
- Azure.EventGrid.DisableLocalAuth
- Azure.FrontDoor.WAF.Enabled
- Azure.MySQL.MinTLS
- Azure.PostgreSQL.MinTLS
- Azure.SQL.MinTLS
- Azure.Storage.MinTLS
- Azure.Storage.SecureTransfer

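As an added example, not code from the issue or from PSRule.Rules.Azure itself, the following PowerShell shows how the tag and label scheme proposed above can be consumed once rules carry it: a baseline selects only Security-pillar rules labeled with chosen ASB controls, the selection is listed for review, and the selected rules are then run against IaC files. It assumes PSRule v2 or later and PSRule.Rules.Azure are installed, that the baseline `spec.rule.labels` selector is available in that version (an assumption; `spec.rule.tag` and the `-Tag` parameter are established), that the IaC files live under a `deploy/` folder, and the baseline name `Example.ASB.Subset` is made up.

```powershell
# Added example (not part of the issue or PSRule.Rules.Azure). Assumes PSRule v2+
# and PSRule.Rules.Azure are installed from the PowerShell Gallery.

# 1. A baseline that selects rules by the proposed tag and label.
#    'spec.rule.labels' is assumed to be the baseline selector for rule labels;
#    whether a list of label values matches any-of is also an assumption.
#    The baseline name is made up for this example.
$baseline = @'
---
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
  name: Example.ASB.Subset
spec:
  rule:
    tag:
      Azure.WAF/pillar: Security
    labels:
      Azure.ASB.v3/control:
      - NS-6
      - DP-3
'@

# 2. Save it in the default .ps-rule/ folder so PSRule discovers it.
New-Item -ItemType Directory -Path '.ps-rule' -Force | Out-Null
Set-Content -Path '.ps-rule/Example.ASB.Rule.yaml' -Value $baseline

# 3. Review which module rules the baseline picks up before running anything.
Get-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -Baseline 'Example.ASB.Subset' |
    Select-Object RuleName, Synopsis

# 4. Run only those rules against the IaC files (assumed to be under deploy/).
#    -Format File treats each file as input rather than reading it as a single document.
Assert-PSRule -Path '.ps-rule/' -Module 'PSRule.Rules.Azure' -Baseline 'Example.ASB.Subset' `
    -InputPath 'deploy/' -Format File

# Tag-only filter, no baseline needed: every rule in the Security pillar.
Get-PSRule -Module 'PSRule.Rules.Azure' -Tag @{ 'Azure.WAF/pillar' = 'Security' } |
    Select-Object RuleName, Synopsis
```

The tag carries the pillar and the label carries the control so that one rule can be listed under several ASB controls without duplicating the rule; the baseline is the place that expresses "which controls do I care about for this pipeline", and step 3 makes that selection visible before it gates a deployment.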
jagoodwin commented 2 years ago

I am working on mapping the rules to the ASB alphabetically starting with ACR.

jagoodwin commented 2 years ago

I have finished mapping the rules and will have them all included in a PR with the baseline for #1634.

jagoodwin commented 2 years ago

These are the common controls across most Azure Resources:

- NS-1 Establish network segmentation boundaries (VNet integration)
- AM-1 Track asset inventory and their risks (Tags)
- AM-2 Use only approved services (Azure Policy Enforcement)
- LT-1 Enable Threat detection capabilities (defender enabled)
- LT-2 Threat detection for identity and access management (defender enabled)
- LT-3 Enable Logging for Security investigation (logging enabled)
- IM-1 Use centralized identity and authentication system (AAD in use for example SQL and service fabric)
- IM-3 Manage application identities securely and automatically (private endpoints where applicable)
- PV-2 Audit and ensure secure configuration (see xlsx)
- PV-6 Rapidly and automatically remediate vulnerabilities (see xlsx)
- DP-3 Encrypt sensitive data in transit (TLS)

azure-security-benchmark-v3.0.xlsx

BernieWhite commented 2 years ago

@jagoodwin Ok awesome. We can focus on adding rules for these. Then we can look at others as they come up.