Document Version: 1.4

Date: 2022-02-24


Introduction

This document describes the configuration of Azure credentials on OUTSCAN and the steps to setup on Microsoft Azure account to perform a benchmark.

Configure an Azure Account on OUTSCAN

Prerequisite

A CIS Benchmark app should be defined on Azure account.

Procedure

  1. Log in to OUTSCAN.
  2. Go to Main Menu > Portal 
  3. Click the Account icon in the upper right corner.
  4. Click Credentials.

    Credentials


  5. Click Add Credentials, and select Microsoft Azure from the drop-down menu of account type.

    Add Credentials

  6. Then add the required credentials from the Azure console.

    Azure console

    1. Add the Name of your Azure account.
    2. Add the Tenant ID.
    3. Add the Client ID. 
    4. Add the Secret.


  7. By clicking ADD, the credential are added to the account. 

To manage your credentials, refer to Scan Credentials.[1]

Steps to Set an App on Microsoft Azure Account to Perform a Benchmark

Follow the below steps to set a CIS benchmark application.

  1. Register an app and create credentials.
  2. Create a custom role.
  3. Assign app with that custom role.

Note

If your Microsoft Azure account has more than one subscription, then you can widen the assignable scope of the custom role by adding a line for each subscription. 

Register an Application and Create Credentials - Service Account

Prerequisite

Own a Microsoft Azure account, and get access to Azure portal.

Procedure

  1. Login to Azure portal.
  2. Go to Azure Active Directory.

    Azure Active Directory

  3. On the left panel, click on App registrations.
    App registrations

  4. On the top panel, click on+ New registration
    New Registration

  5. Fill the form by entering a name, then Register.

    Register an appliacation
  6. Select the newly registered app from  the app list. 
  7. On the right panel, copy Application (client) ID value, you will need it to create Azure credential on OUTSCAN.
  8. On the left panel, select Certificate & secrets.
  9. On the right panel, select + New client secret, which opens a panel on the right hand side.
  10. Fill the form by adding description and fix the duration followed by clicking Add.
  11. On the right panel, make a copy on the value of the newly created secret (it will not be displayed later), you will need it to create Azure credential on OUTSCAN.

Create the Custom Role to Run the Benchmark

Prerequisite

Install az, [2] azure command line interface tool.

Procedure

You may refer to the Microsoft Azure link about the custom role definition tutorial [3].

Get the custom role template and customize to fit your azure subscription context:

  1. Upload JSON file containing the custom role template: Azure_Foundations_1.1.0_benchmark_role.json. See Appendix.
  2. Modify the last line in the JSON file by replacing '{subscription_id}' by the actual value of the Azure account.

If you prefer to have a view per subscription then you need to define custom roles and apps as much as subscriptions.

Your Subscription ID can be found in Microsoft Azure portal under Subscriptions as shown below.

Subscriptions

Then you run the following command:

  1. To create adhoc custom role:

    az role definition create --role-definition "<path_to>/Azure_Foundations_1.1.0_benchmark_role.json"
  2. To list custom roles:

    az role definition list --custom-role-only true
  3. To update existing custom role:

    az role definition update --role-definition "<path_to>/Azure_Foundations_1.1.0_benchmark_role.json"

Assign Application to the Custom Role

Prerequisite

Make sure that Azure Foundations 1.1.0 Benchmark Role are defined on your Azure account. See section How to Create the Custom Role to Run the Benchmark.

Procedure 

Once the custom role has been created, you need to login to the Azure portal to perform the application role assignment.

Go to subscriptions, 

  1. Select one subscription.
  2. Go to 'Access control' IAM (middle panel) 
  3. On the right panel select + Add > Add role assignment which should open a panel on the right.
  4. On the newly right panel fill the form
  5. Select the custom role: Azure Foundations 1.1.0 Benchmark Role (Custom roles are listed at the end of the list, newly created custom roles may take a while to appear on the list)
  6. Assign access to User, group, or service principal:
    1. Select the application you created to run the benchmark.
    2. Go to application overview.
    3. Go to IAM.
    4. Add role assignment.
    5. Select the custom role: Azure Foundations 1.1.0 Benchmark Role.
    6. Click Save to save the changes and close the panel.
  7. Here is an example how this looks like in the Role Assignments table.

    Access Control - IAM

Note

Repeat these steps for each subscription in custom role assignable scope. 


Example

The diagrams illustrate how a customer can define either one application that scopes all of the subscriptions or one application for each subscription.

Note

Customers can also decide how many applications they wants to set and define the scope of each application. Diagrams illustrate two use cases only.


Usecase 1


Usecase 2


How to Find Azure Parameters in the Azure Console

Procedure

The Azure parameters can be found in the Azure console.

Tenant and Tenant ID: Tenant ID is the name of your entry in the Azure Active Directory in which the app is registered such as XXX.onmicrosoft.com or the ID of the directory.

Azure Active Directory

Client ID and User Name: Client ID is the Application ID which is the application id created when you registered the app.

Application ID

Secret and Password: The password you chose while creating the keys of the application in the Active Directory.

Secret and Password




Which Specific Permission to Get 1.3 Running

1.3 check requires special ad hoc permissions. You need to grant Directory.Read.All (Application Type) to the application that runs the benchmark.


Prerequisite

Make sure that the application is registered in the Azure Account.

Procedure

You need to login to Azure Portal then:

  1. Go to App registration.
  2. Select the Application registered to run the Benchmark.
  3. Select API permissions.
  4. Add permission on:
    1. Azure Active Directory Graph.
    2. Select Application permissions (Active Directory permissions type in Microsoft Identity Platform).
    3. Select Directory.Read.All permission.
    4. Add Permission.

      Active Directory Permissions
  5. Click on Grant admin Consent for bottom when it is displayed in bold.

Here is an example how this looks like in the API Permissions.

API Permissions

Which Specific Permission to Get 8.x Running

8.x checks require special ad hoc permissions. You need to grant list permission in the Access Policies of your Key vault to the application that runs the benchmark.

Prerequisite

Make sure that the application is registered in the Azure Account.

Procedure

You need to login to Azure Portal then:

  1. Go to Key Vaults.
  2. Select a specific key vault.
  3. Select Access policies.
  4. Add Access Policy by selecting all List permissions to Key, Secret & Certificate Management as follow

Add Access Policy

Here is an example how this looks like in the Access policies for a specific Key vault.

Access Policies

References

  1. Scan Credentials
  2. Install the Azure CLI - https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest

  3. Tutorial: Create a custom role for Azure resources using Azure CLI - https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli

  4. How to: Use the portal to create an Azure AD application and service principal that can access resources - https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal


Appendix

Azure_Foundations_1.1.1_benchmark_role.json

{
   "properties": {
        "roleName": "Azure Foundations 1.1.1 Benchmark Role",
        "isCustom": true,
        "description": "Perform checks of Azure CIS Foundations 1.1.1 Benchmark.",
        "assignableScopes":[
            "/subscriptions/1546581-1562-152a-xxyx-abcdabcdabcdabcd"
        ],
        "permissions":[
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/diskEncryptionSets/read",
                    "Microsoft.Compute/locations/publishers/read",
                    "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
                    "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/extensions/read",
                    "Microsoft.Compute/virtualMachines/instanceView/read",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.DBforMySQL/servers/read",
                    "Microsoft.DBforMySQL/servers/*/read",
                    "Microsoft.DBforPostgreSQL/servers/read",
                    "Microsoft.DBforPostgreSQL/servers/*/read",
                    "Microsoft.DBforPostgreSQL/serversv2/*/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/*/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/networkSecurityGroups/securityRules/read",
                    "Microsoft.Network/networkWatchers/read",
                    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
                    "Microsoft.Network/networkWatchers/securityGroupView/action",
                    "Microsoft.Resources/subscriptions/*/read",
                    "Microsoft.Security/*/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Sql/servers/administrators/read",
                    "Microsoft.Sql/servers/auditingSettings/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/databases/auditingSettings/read",
                    "Microsoft.Sql/servers/databases/transparentDataEncryption/read",
                    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
                    "Microsoft.Sql/servers/databases/vulnerabilityAssessments/read",
                    "Microsoft.Sql/servers/encryptionProtector/read",
                    "Microsoft.Sql/servers/extendedAuditingSettings/read",
                    "Microsoft.Sql/servers/firewallRules/read",
                    "Microsoft.Sql/servers/securityAlertPolicies/read",
                    "Microsoft.Sql/servers/virtualNetworkRules/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/*/read",
                    "Microsoft.Web/sites/read",
                    "Microsoft.Web/sites/config/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                  ],
                  "notActions": [],
                  "dataActions": [],
                  "notDataActions": []
            }
        ]

   } 
}
CODE




Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.