Azure / missionlz

Azure landing zone for SCCA-compliant organizations.
MIT License

NIST Virtual Machine Compliance #314

Closed shawngib closed 7 months ago

shawngib commented 3 years ago

Benefit/Result/Outcome
STIG'd images will allow for DoD compliance.

Description: Virtual machine compliance is layered. For example, to be compliant for DoD it will require that they are STIG'd. Currently guest configuration policy cannot be properly enabled since it requires the assigned initiative to grant the managed identity the contributor role over the resources to be able to add policy extensions to VMs.

Review of how to STIG VMs will be required beyond the auditing of them via policy. Currently the NIST Policy Initiative finds these guest policies to be non-compliant on jumpboxes, so at a minimum these should be looked at in the jumpboxes.

Virtual Machines

Note: These are a unique case, as they require the NIST Policy assignment to use the 'DeployIfNotExist' capability to deploy the Policy Guest Configuration extension to the VM. In the case of MLZ this cannot be done in a default configuration, since the MI that is created for the policy cannot be assigned the contributor role by the Terraform SP being used. (These are reported from a subscription that had the policy configured correctly prior to MLZ, for reporting purposes.)

| Policy | Description |
| --- | --- |
| [Preview]: Windows machines should meet requirements of the Azure compute security baseline | Requires that prerequisites are deployed to the policy assignment scope. For details |
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally |
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery |
| Audit Windows machines that allow re-use of the previous 24 passwords | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not have a maximum password age of 70 days | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not have a minimum password age of 1 day | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not restrict the minimum password length to 14 characters | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Audit Windows machines that do not store passwords using reversible encryption | Requires that prerequisites are deployed to the policy assignment scope. For details |
| Azure Backup should be enabled for Virtual Machines | Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |
| Log Analytics agent health issues should be resolved on your machines | Security Center uses the Log Analytics agent |
| OS and data disks should be encrypted with a customer-managed key | Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default |
| SQL servers on machines should have vulnerability findings resolved | SQL vulnerability assessment scans your database for security vulnerabilities |
| Virtual machines and virtual machine scale sets should have encryption at host enabled | Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key |
| Virtual machines should encrypt temp disks caches | |
| Windows Defender Exploit Guard should be enabled on your machines | Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |
| Windows web servers should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet |

Acceptance Criteria
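The dependency the issue describes, shown as an added Terraform example (not MLZ's own code): a DeployIfNotExists initiative assignment needs a managed identity, and that identity needs a role assignment that the principal running Terraform is only allowed to create if it holds role-assignment write rights itself. The azurerm 3.x provider, the initiative display name and the region are assumptions.

```hcl
# Added example, not part of the missionlz repository. Assumes azurerm provider 3.x;
# the initiative display name and the region below are placeholders to verify.
data "azurerm_subscription" "current" {}

# Built-in NIST initiative, looked up by display name (assumed; check in the portal).
data "azurerm_policy_set_definition" "nist" {
  display_name = "NIST SP 800-53 Rev. 5"
}

# DeployIfNotExists policies run a deployment under the assignment's identity, so the
# assignment must carry one. Without it the guest configuration extension is never
# installed and the VMs only ever report as non-compliant, as observed on the jumpboxes.
resource "azurerm_subscription_policy_assignment" "nist" {
  name                 = "nist-800-53"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = data.azurerm_policy_set_definition.nist.id
  location             = "usgovvirginia" # assumption; a location is required when identity is set

  identity {
    type = "SystemAssigned"
  }
}

# The identity needs the role the initiative's DeployIfNotExists policies declare
# (Contributor here, per the issue) at the assignment scope in order to add the
# extension to VMs. Creating this resource requires the Terraform principal to hold
# Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator);
# a Contributor-only service principal fails at this step, which is the blocker above.
resource "azurerm_role_assignment" "policy_identity" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_subscription_policy_assignment.nist.identity[0].principal_id
}
```

Existing VMs still need a remediation task before they pick up the extension; new VMs are handled on creation once the role assignment is in place.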

jamasten commented 7 months ago

Customer responsibility.