Merge pull request #94 from cloudgraphdev/feature/CG-1175-azure-pci-encription-check-rules

feat(CG-1175): add azure encryption transit rule check

Author: tyler-dunkel

src/azure/pci-dss-3.2.1/README.md

@@ -55,6 +55,10 @@ Policy Pack based on the [PCI DSS version 3.2.1](https://www.pcisecuritystandard
 
 | Rule                   | Description                                                                                                                          |
 | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| encryption-check-1     | App Service web apps should have 'HTTPS only' enabled                                                                                |
+| encryption-check-2     | MySQL Database server 'enforce SSL connection' should be enabled                                                                     |
+| encryption-check-3     | PostgreSQL Database server 'enforce SSL connection' should be enabled                                                                |
+| encryption-check-4     | Storage Accounts 'Secure transfer required' should be enabled                                                                        |
 | monitoring-check-1     | Monitor audit profile should log all activities                                                                                      |
 | monitoring-check-2     | Monitor audit profile should log all activities                                                                                      |
 | monitoring-check-3     | Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled                                               |

src/azure/pci-dss-3.2.1/rules/index.ts

@@ -1,3 +1,7 @@
+import Azure_PCI_DSS_321_Encryption_1 from './pci-dss-3.2.1-encryption-check-1'
+import Azure_PCI_DSS_321_Encryption_2 from './pci-dss-3.2.1-encryption-check-2'
+import Azure_PCI_DSS_321_Encryption_3 from './pci-dss-3.2.1-encryption-check-3'
+import Azure_PCI_DSS_321_Encryption_4 from './pci-dss-3.2.1-encryption-check-4'
 import Azure_PCI_DSS_321_Monitoring_1 from './pci-dss-3.2.1-monitoring-check-1'
 import Azure_PCI_DSS_321_Monitoring_2 from './pci-dss-3.2.1-monitoring-check-2'
 import Azure_PCI_DSS_321_Monitoring_3 from './pci-dss-3.2.1-monitoring-check-3'
@@ -22,6 +26,10 @@ import Azure_PCI_DSS_321_Policy_Version_1 from './pci-dss-3.2.1-policy-version-c
 import Azure_PCI_DSS_321_User_1 from './pci-dss-3.2.1-user-check-1'
 
 export default [
+  Azure_PCI_DSS_321_Encryption_1,
+  Azure_PCI_DSS_321_Encryption_2,
+  Azure_PCI_DSS_321_Encryption_3,
+  Azure_PCI_DSS_321_Encryption_4,
   Azure_PCI_DSS_321_Monitoring_1,
   Azure_PCI_DSS_321_Monitoring_2,
   Azure_PCI_DSS_321_Monitoring_3,

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-1.ts

@@ -0,0 +1,55 @@
+// similar to CIS 9.2
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-1',  
+  title: 'Encryption Check 1: App Service web apps should have \'HTTPS only\' enabled',
+  
+  description: 'Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.',
+  
+  audit: `**From Azure Console**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to App Services
+  3. Click on each App
+  4. Under Setting section, Click on SSL settings
+  5. Ensure that HTTPS Only set to On under Protocol Settings
+  
+  **Using Azure Command Line Interface**  
+  To check HTTPS-only traffic value for an existing app, run the following command,
+  
+      az webapp show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query httpsOnly
+  
+  The output should return true if HTTPS-only traffic value is set to On.`,
+  
+  rationale: 'Enabling HTTPS-only traffic will redirect all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated. So it is important to support HTTPS for the security benefits.',
+  
+  remediation: `**From Azure Console**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to App Services
+  3. Click on each App
+  4. Under Setting section, Click on SSL settings
+  5. Set HTTPS Only to On under Protocol Settings section
+  
+  Using Azure Command Line Interface To set HTTPS-only traffic value for an existing app, run the following command:
+  
+      az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true`,
+  
+  references: [
+      'https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https',
+      'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+      'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic',
+  ],
+  gql: `{
+    queryazureAppServiceWebApp {
+      id
+      __typename
+      httpsOnly
+    }
+  }`,
+  resource: 'queryazureAppServiceWebApp[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.httpsOnly',
+    equal: true,
+  },
+}

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-2.ts

@@ -0,0 +1,61 @@
+// similar to CIS 4.3.2
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-2',  
+  title: 'Encryption Check 2: MySQL Database server \'enforce SSL connection\' should be enabled',
+  
+  description: 'Enable SSL connection on MYSQL Servers.',
+  
+  audit: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure- list text here.com
+  2. Go to Azure Database for MySQL server
+  3. For each database, click on Connection security
+  4. In SSL settings
+  5. Ensure Enforce SSL connection is set to ENABLED.
+  
+  **Using Azure Command Line Interface 2.0**  
+  Ensure the output of the below command returns ENABLED.
+  
+    az mysql server show --resource-group myresourcegroup --name <resourceGroupName> --query sslEnforcement`,
+  
+  rationale: `SSL connectivity helps to provide a new layer of security, by connecting database server to
+  client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between
+  database server and client applications helps protect against "man in the middle" attacks
+  by encrypting the data stream between the server and application.`,
+  
+  remediation: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to Azure Database for MySQL server
+  3. For each database, click on Connection security
+  4. In SSL settings
+  5. Click on ENABLED for Enforce SSL connection
+  
+  **Using Azure Command Line Interface 2.0**  
+  Use the below command to set MYSQL Databases to Enforce SSL connection.
+  
+    az mysql server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled`,
+  
+  references: [
+    'https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security',
+    'https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+  ],  
+  gql: `{
+    queryazureMySqlServer {
+      id
+      __typename       
+      sslEnforcement
+    }
+  }`,
+  resource: 'queryazureMySqlServer[*]',
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.sslEnforcement',
+        equal: 'Enabled',
+      },
+    ],
+  },
+}

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-3.ts

@@ -0,0 +1,60 @@
+// similar to CIS 4.3.1
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-3',  
+  title: 'Encryption Check 3: PostgreSQL Database server \'enforce SSL connection\' should be enabled',
+  
+  description: 'Enable SSL connection on PostgreSQL Servers.',
+  
+  audit: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to Azure Database for PostgreSQL server
+  3. For each database, click on Connection security
+  4. In SSL settings
+  5. Ensure Enforce SSL connection is set to ENABLED.
+  
+  **Using Azure Command Line Interface 2.0**  
+  Ensure the output of the below command returns ENABLED.
+  
+    az postgres server show --resource-group myresourcegroup --name <resourceGroupName> --query sslEnforcement`,
+  
+  rationale: `SSL connectivity helps to provide a new layer of security, by connecting database server
+  to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between
+  database server and client applications helps protect against "man in the middle" attacks
+  by encrypting the data stream between the server and application.`,
+  
+  remediation: `**From Azure Console:**
+  
+  1. Login to Azure Portal using https://portal.azure.com
+  2. Go to Azure Database for PostgreSQL server
+  3. For each database, click on Connection security
+  4. In SSL settings.
+  5. Click on ENABLED to Enforce SSL connection
+  
+  **Using Azure Command Line Interface 2.0**  
+  Use the below command to enforce ssl connection for PostgreSQL Database.
+  
+    az postgres server update --resource-group <resourceGroupName> --name <serverName> --ssl-enforcement Enabled`,
+  
+  references: [
+    'https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+  ],  
+  gql: `{
+    queryazurePostgreSqlServer {
+      id
+      __typename       
+      sslEnforcement
+    }
+  }`,
+  resource: 'queryazurePostgreSqlServer[*]',
+  severity: 'medium',
+  conditions: {
+    and: [
+      {
+        path: '@.sslEnforcement',
+        equal: 'Enabled',
+      },
+    ],
+  },
+}

src/azure/pci-dss-3.2.1/rules/pci-dss-3.2.1-encryption-check-4.ts

@@ -0,0 +1,52 @@
+// similar to CIS 3.1
+export default {
+  id: 'pci-dss-3.2.1-encryption-check-4',  
+  title: "Encryption Check 4: Storage Accounts 'Secure transfer required' should be enabled",
+
+  description: 'Enable Storage Accounts data encryption in transit.',
+
+  audit: `**From Azure Console**
+
+  1. Go to Storage Accounts
+  2. For each storage account, go to Configuration
+  3. Ensure that Secure transfer required is set to Enabled
+
+  **Using Azure Command Line Interface 2.0**  
+  Use the below command to ensure the Secure transfer required is enabled for all the Storage Accounts by ensuring the output contains true for each of the Storage Accounts.
+
+          z storage account list --query [*].[name,enableHttpsTrafficOnly]`,
+
+  rationale:
+    "The secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must use HTTPS. Any requests using HTTP will be rejected when 'secure transfer required' is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn’t support HTTPS for custom domain names, this option is not applied when using a custom domain name.",
+
+  remediation: `**From Azure Console**
+
+  1. Go to Storage Accounts
+  2. For each storage account, go to Configuration
+  3. Set Secure transfer required to Enabled
+
+  **Using Azure Command Line Interface 2.0**  
+  Use the below command to enable Secure transfer required for a Storage Account
+
+          az storage account update --name <storageAccountName> --resource-group <resourceGroupName> --https-only true`,
+
+  references: [
+    'https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit',
+    'https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list',
+    'https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update',
+    'https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit',
+  ],  
+  gql: `{
+        queryazureStorageAccount {
+      id
+      __typename
+      enableHttpsTrafficOnly
+    }
+  }`,
+  resource: 'queryazureStorageAccount[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.enableHttpsTrafficOnly',
+    equal: 'Yes',
+  },
+}