Document Version: 1.3

Date: 2021-01-21


Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Introduction

This document describes how to create Azure credentials.

Configure an Azure Account

To navigate to this section:

  1. Log in to OUTSCAN.
  2. Go to Main Menu > Portal.
  3. Click the Account icon in the upper right corner.
  4. Click Credentials.




  5. Click Add Credentials, and select Microsoft Azure from the drop-down menu of account type.



  6. Then add the required credentials from the Azure console.



    1. Add the Name of your Azure account.
    2. Add the Tenant ID.
    3. Add the Client ID. 
    4. Add the Secret.
  7. Click ADD to add the credentials to the account.

To manage your credentials, refer to Scan Credentials [1].

How to Find Azure Parameters in the Azure Console

The Azure parameters can be found in the Azure console.

Tenant and Tenant ID: The Tenant ID identifies the Azure Active Directory tenant in which the app is registered, either by its name, such as XXX.onmicrosoft.com, or by the ID of the directory.



Client ID and User Name: The Client ID is the Application ID that was created when you registered the app.



Secret and Password: The secret (password) you chose while creating the keys of the application in the Active Directory.



How to Create the Custom Role to Run the Benchmark

Prerequisite

Install az, the Azure command-line interface tool [2].

Procedure

You may refer to the Microsoft Azure tutorial on creating a custom role definition [3].

Get the custom role template and customize it to fit your Azure subscription context:

  1. Upload the JSON file containing the custom role template: Azure_Foundations_1.1.0_benchmark_role.json. See Appendix.
  2. Modify the last line in the JSON file by replacing '{subscription_id}' with the actual Subscription ID of the Azure account.

Your Subscription ID can be found in the Microsoft Azure portal under "Subscriptions" as shown below.

Then run the following commands:

  1. To create the ad hoc custom role:

    az role definition create --role-definition "<path_to>/Azure_Foundations_1.1.0_benchmark_role.json"

  2. To list custom roles:

    az role definition list --custom-role-only true

  3. To update an existing custom role:

    az role definition update --role-definition "<path_to>/Azure_Foundations_1.1.0_benchmark_role.json"
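Before passing the customized JSON to az role definition create, a practitioner would want to confirm that the placeholder was actually replaced and that the role stays read-only and scoped to a single subscription. The following Python script is an added example, not part of the Outpost24 document; it works on a shortened, constructed copy of the Appendix template, and the GUID format check and the KNOWN_NON_READ allow-list are this example's own assumptions.

```python
import json
import re

# Constructed, shortened stand-in for the Appendix template; the real
# Azure_Foundations_1.1.0_benchmark_role.json is read and checked the same way.
TEMPLATE = """{
  "Name": "Azure Foundations 1.1.0 Benchmark Role",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Web/sites/config/Read"
  ],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscription_id}"]
}"""

# Assumed allow-list: the only non-read operations the Appendix role needs.
KNOWN_NON_READ = {
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def render_role(template: str, subscription_id: str) -> dict:
    """Replace {subscription_id} and return the parsed role definition."""
    if not GUID_RE.match(subscription_id):
        raise ValueError("subscription id must be a GUID")
    return json.loads(template.replace("{subscription_id}", subscription_id))


def review_role(role: dict) -> list:
    """Least-privilege findings; empty list means read-only, single subscription."""
    findings = []
    for action in role.get("Actions", []):
        if action == "*" or action.endswith("/*"):
            findings.append(f"broad wildcard: {action}")
        elif not action.lower().endswith("/read") and action not in KNOWN_NON_READ:
            findings.append(f"non-read action needs review: {action}")
    if role.get("DataActions"):
        findings.append("DataActions grants data-plane access")
    for scope in role.get("AssignableScopes", []):
        if "{subscription_id}" in scope:
            findings.append("placeholder not replaced in AssignableScopes")
        elif not scope.startswith("/subscriptions/") or scope.count("/") != 2:
            findings.append(f"scope is not a single subscription: {scope}")
    return findings
```

Feed the contents of the real template and your Subscription ID to render_role, write json.dumps of the result to the file you pass to az role definition create, and only proceed when review_role returns no findings.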

How to Assign Application to the Custom Role

Prerequisite

Make sure that the Azure Foundations 1.1.0 Benchmark Role is defined on your Azure account. See section How to Create the Custom Role to Run the Benchmark.

Procedure

Once the custom role has been created, you need to log in to the Azure portal to perform the application role assignment.

Follow the steps as documented by Azure: Use the portal to create an Azure AD application and service principal that can access resources [4].

  1. Select the application you created to run the benchmark.
  2. Go to application overview.
  3. Go to IAM.
  4. Add a role assignment:
    1. Select the custom role: Azure Foundations 1.1.0 Benchmark Role.

Here is an example of how this looks in the Role Assignments table.


Which Specific Permission to Get 1.3 Running

Check 1.3 requires special ad hoc permissions. You need to grant Directory.Read.All (Application type) to the application that runs the benchmark.

Prerequisite

Make sure that the application is registered in the Azure Account.

Procedure

You need to log in to the Azure Portal, then:

  1. Go to App registration.
  2. Select the Application registered to run the Benchmark.
  3. Select API permissions.
  4. Add permission on:
    1. Azure Active Directory Graph.
    2. Select Application permissions (Active Directory permissions type in Microsoft Identity Platform).
    3. Select Directory.Read.All permission.
    4. Add Permission.

  5. Click the Grant admin consent for button when it is displayed in bold.

Here is an example of how this looks in the API Permissions.

Which Specific Permission to Get 8.x Running

8.x checks require special ad hoc permissions. You need to grant list permission in the Access Policies of your Key vault to the application that runs the benchmark.

Prerequisite

Make sure that the application is registered in the Azure Account.

Procedure

You need to log in to the Azure Portal, then:

  1. Go to Key Vaults.
  2. Select a specific key vault.
  3. Select Access policies.
  4. Add an Access Policy by selecting all List permissions under "Key, Secret & Certificate Management", as follows.

Here is an example of how this looks in the Access policies for a specific Key vault.

References

  1. Scan Credentials
  2. Install the Azure CLI - https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest
  3. Tutorial: Create a custom role for Azure resources using Azure CLI - https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli
  4. How to: Use the portal to create an Azure AD application and service principal that can access resources - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal


Appendix


Azure_Foundations_1.1.0_benchmark_role.json

{
  "Name": "Azure Foundations 1.1.0 Benchmark Role",
  "IsCustom": true,
  "Description": "Perform checks of Azure CIS Foundations 1.1.0 Benchmark.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/diskEncryptionSets/read",
    "Microsoft.Compute/locations/publishers/read",
    "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
    "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.DBforMySQL/servers/read",
    "Microsoft.DBforMySQL/servers/*/read",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/*/read",
    "Microsoft.DBforPostgreSQL/serversv2/*/read",
    "Microsoft.KeyVault/*/read",
    "Microsoft.KeyVault/vaults/*/read",
    "Microsoft.KeyVault/vaults/keys/*/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/read",
    "Microsoft.Network/networkWatchers/read",
    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
    "Microsoft.Network/networkWatchers/securityGroupView/action",
    "Microsoft.Resources/subscriptions/*/read",
    "Microsoft.Security/*/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/administrators/read",
    "Microsoft.Sql/servers/auditingSettings/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/servers/databases/auditingSettings/read",
    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
    "Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
    "Microsoft.Sql/servers/encryptionProtector/read",
    "Microsoft.Sql/servers/extendedAuditingSettings/read",
    "Microsoft.Sql/servers/firewallRules/read",
    "Microsoft.Sql/servers/securityAlertPolicies/read",
    "Microsoft.Sql/servers/virtualNetworkRules/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/*/read",
    "Microsoft.Web/sites/read",
    "Microsoft.Web/sites/config/Read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription_id}"
  ]
}