azsk / devopskit
License: MIT License
AzSK Subscription Security Status Report fails to generate on Mac with Word installed
OS: Mac OSX - Mojave
Powershell: 6.2.0
AzSK: 4.0.0
On Mac with Word installed, run the following command:
Get-AzSKsubscriptionSecuritystatus -subscriptionid $subId -GeneratePDF Portrait
Output:
================================================================================
AzSK Version: 4.0.0
================================================================================
Method Name: get-azsksubscriptionsecuritystatus (GSS)
Input Parameters:
Name Alias Value
---- ----- -----
SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
GeneratePDF Portrait
You can also use: gss -SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -GeneratePDF Portrait
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
Scan events will be sent to the following Log Analytics workspace(s): WSId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXb
================================================================================
Starting analysis: [FeatureName: SubscriptionCore] [SubscriptionName: Managed-External] [SubscriptionId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
--------------------------------------------------------------------------------
Checking: [SubscriptionCore]-[Minimize the number of admins/owners]
Checking: [SubscriptionCore]-[Justify all identities that are granted with admin/owner access on your subscription.]
Checking: [SubscriptionCore]-[Mandatory central accounts must be present on the subscription]
Checking: [SubscriptionCore]-[Deprecated/stale accounts must not be present on the subscription]
Checking: [SubscriptionCore]-[Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)]
Checking: [SubscriptionCore]-[There should not be more than 2 classic administrators]
Checking: [SubscriptionCore]-[Use of management certificates is not permitted.]
Checking: [SubscriptionCore]-[Azure Security Center (ASC) must be correctly configured on the subscription]
Checking: [SubscriptionCore]-[Pending Azure Security Center (ASC) alerts must be resolved]
Checking: [SubscriptionCore]-[Service Principal Names (SPNs) should not be Owners or Contributors on the subscription]
Checking: [SubscriptionCore]-[Critical application resources should be protected using a resource lock]
Checking: [SubscriptionCore]-[ARM policies should be used to audit or deny certain activities in the subscription that can impact security]
Checking: [SubscriptionCore]-[Alerts must be configured for critical actions on subscription and resources]
Checking: [SubscriptionCore]-[Do not use custom-defined RBAC roles]
Checking: [SubscriptionCore]-[Do not use any classic resources on a subscription]
Checking: [SubscriptionCore]-[Do not use any classic virtual machines on your subscription.]
Checking: [SubscriptionCore]-[Verify the list of public IP addresses on your subscription]
Checking: [SubscriptionCore]-[Permanent access should not be granted for privileged subscription level roles]
Checking: [SubscriptionCore]-[Mandatory tags must be set per your organization policy]
Checking: [SubscriptionCore]-[Standard tier must be enabled for Azure Security Center]
Checking: [SubscriptionCore]-[Ensure any credentials approaching expiry are rotated soon.]
--------------------------------------------------------------------------------
Completed analysis: [FeatureName: SubscriptionCore] [SubscriptionName: Managed-External] [SubscriptionId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
================================================================================
Summary   Total  Passed  Failed  Verify  Manual
-------   -----  ------  ------  ------  ------
Medium        6       3       0       3       0
High         15       9       3       0       3
Critical      1       1       0       0       0
------   ------  ------  ------  ------  ------
Total        22      13       3       3       3
------   ------  ------  ------  ------  ------
================================================================================
** Next steps **
Look at the individual control evaluation status in the CSV file.
a) If the control has passed, no action is necessary.
b) If the control has failed, look at the control evaluation detail in the LOG file to understand why.
c) If the control status says 'Verify', it means that human judgement is required to determine the final control status. Look at the control evaluation output in the LOG file to make a determination.
d) If the control status says 'Manual', it means that AzSK (currently) does not cover the control via automation OR AzSK is not able to fetch the data. You need to manually implement/verify it.
Note: The 'Recommendation' column in the CSV file provides basic (generic) guidance that can help you fix a failed control. You can also use standard Azure product documentation. You should carefully consider the implications of making the required change in the context of your application.
Control results may not reflect attestation if you do not have permissions to read attestation data from AzSKRG
--------------------------------------------------------------------------------
Status and detailed logs have been exported to path - /Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Managed-External/20190822_081425_GSS
================================================================================
You must have Microsoft Word application installed on machine to generate PDF report.
/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Managed-External/20190822_081425_GSS
PS /Users/user1>
PS /Users/user1/.azsk/policies/Config> $PSVersionTable
Name Value
---- -----
PSVersion 6.2.0
PSEdition Core
GitCommitId 6.2.0
OS Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
PS /Users/user1/.azsk/policies/Config>
I'd expect the report to be generated.
Report fails to generate even if Word is installed on Mac.
Unable to find type [GeneratePDF].
When trying to run "Get-AzSKSubscriptionSecurityStatus" I get
Unable to find type [GeneratePDF].
At C:\Users\user\OneDrive - Company\Documents\WindowsPowerShell\Modules\AzSK\4.4.0\SVT\SVT.ps1:381 char:3
I've encountered this error on v4.4.0 and v4.5.1
PS C:\Users\user> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.18362.628
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.628
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Connect-AzAccount
Get-AzSKSubscriptionSecurityStatus -SubscriptionId <GUID>
Execute "Get-AzSKSubscriptionSecurityStatus"
AzSK_ARMTemplateChecker - VNET failure False positive
When running the AzSK_ARMTemplateChecker from within Azure DevOps, my VNET template fails with the error Azure_VNet_NetSec_Justify_IPForwarding_for_NICs.
My template only contains
Microsoft.Network/virtualNetworks
Microsoft.Network/networkSecurityGroups
Microsoft.Network/routeTables
There's no interface and none with IPForwarding enabled.
Azure Devops CI/CD Build Pipeline with the AzSK_ARMTemplateChecker
checking template with
Microsoft.Network/virtualNetworks
Microsoft.Network/networkSecurityGroups
Microsoft.Network/routeTables
Error
Azure_VNet_NetSec_Justify_IPForwarding_for_NICs
Only alert when an interface within the template has IPForwarding enabled.
Checking ARM template (in Azure DevOps) with an exported Event Hub passes all checks, which are Azure_EventHub_AuthZ_Use_Min_Permissions_Access_Policies but build task still fails.
When running the ARM Template Checker against an extracted template with an event hub namespace and child resources such as SAS tokens, the template validation result turns out as passed, but it appears that some internal error causes the task to fail overall.
Extract an ARM template from the Azure portal that has an event hub, where the event hub has a shared access policy.
The checks are all Passed, so the outcome of the template checker task should be successful.
The arm template checker task fails with the following debug logs:
Note: These (Verify Manual) control states have been configured to be considered as 'Passed'.
Actual Passed 14
Treated As Passed 2
--------------- --------
Total Passed 16
==============================================================================================
==============================================================================
Note : Summary 'CSV' and detailed 'LOG' output files are available under 'Download all logs as ZIP' option.
==============================================================================
Cleaning logs from temp directory...
##[debug]Caught exception from task script.
##[debug]Error record:
##[debug]Security controls are failing in your ARM template(s).
##[debug]At D:\a\_tasks\AzSKARMTemplateChecker_6102f8a8-06a6-4918-9d2e-c02e1b659d50\4.0.0\ARMTemplateCheckerRuntime.ps1:311 char:21
##[debug]+ ... throw "Security controls are failing in your ARM template ...
##[debug]+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##[debug] + CategoryInfo : OperationStopped: (Security contro...RM template(s).:String) [], RuntimeException
##[debug] + FullyQualifiedErrorId : Security controls are failing in your ARM template(s).
##[debug]
##[debug]Script stack trace:
##[debug]at <ScriptBlock>, D:\a\_tasks\AzSKARMTemplateChecker_6102f8a8-06a6-4918-9d2e-c02e1b659d50\4.0.0\ARMTemplateCheckerRuntime.ps1: line 311
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]at <ScriptBlock>, <No file>: line 22
##[debug]at <ScriptBlock>, <No file>: line 18
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]Exception:
##[debug]System.Management.Automation.RuntimeException: Security controls are failing in your ARM template(s).
##[error]Security controls are failing in your ARM template(s).
##[debug]Processed: ##vso[task.logissue type=error]Security controls are failing in your ARM template(s).
##[debug]Processed: ##vso[task.complete result=Failed]
We recently integrated the ARM Checker to our ARM Templates CI process. We are using the latest version of AKS (1.14.0 as of this writing). We receive the following error from the scan :
Failed: [Azure_KubernetesService_Deploy_Use_Latest_Version]
Here is more detail from the CSV report:
ControlId | FeatureName | Status | SupportedResources | Severity | PropertyPath | CurrentValue | ExpectedProperty | ExpectedValue | ResourcePath | Description |
---|---|---|---|---|---|---|---|---|---|---|
Azure_KubernetesService_Deploy_Use_Latest_Version | KubernetesService | Failed | Microsoft.ContainerService/ManagedClusters | Medium | resources[0].properties.kubernetesVersion | "1.14.0" | $.properties.kubernetesVersion | Allow '1.11.5' | resources[0] | The latest version of Kubernetes should be used |
Seems like version 1.11.5 is the latest version according to the DevOpsKit.
Create an AKS ARM Template, hardcode the version to "1.14.0" and run the ARM Template Checker.
The check should pass since 1.14.0 is higher than the latest version coded in the ARM Template Checker (1.11.5).
The check is failing with the following message:
Failed: [Azure_KubernetesService_Deploy_Use_Latest_Version]
We have an API management project following the proposed structure of Azure API Management DevOps Resource Kit, which means we are using linked templates.
When sending in a master template with links, no controls are found in the template and it's skipped in its entirety. I'm guessing that is because it doesn't evaluate or retrieve the linked templates and just checks the master template for controls it can recognize. Microsoft.Resources/deployments not being one of those, ergo the file is skipped.
Any plans on supporting linked templates?
Have two ARM templates, one master which is being deployed and one template that is linked to from the master.
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath C:\temp\master.template.json -ParameterFilePath C:\temp\master.parameters.dev.json -Debug
================================================================================
AzSK Version: 4.3.0
================================================================================
Method Name: Get-AzSKARMTemplateSecurityStatus
Input Parameters:
Key Value
--- -----
ARMTemplatePath C:\temp\master.template.json
ParameterFilePath C:\temp\master.parameters.dev.json
Debug True
================================================================================
================================================================================
Starting analysis: [FileName: .\master.template.json]
--------------------------------------------------------------------------------
No controls have been evaluated for file: .\master.template.json
================================================================================
Skipped file(s): 1
.\master.template.json
--------------------------------------------------------------------------------
One or more files were skipped during the scan.
Either the files are invalid as ARM templates or those resource types are currently not supported by this command.
Please verify the files and re-run the command.
For files that should not be included in the scan, you can use the '-ExcludeFiles' parameter.
--------------------------------------------------------------------------------
No controls have been evaluated for ARM Template(s).
--------------------------------------------------------------------------------
** Next steps **
Look at the individual control evaluation status in the CSV file.
a) If the control has passed, no action is necessary.
b) If the control has failed, look at the control evaluation detail in the CSV file (LineNumber, ExpectedValue, CurrentValue, etc.) and fix the issue.
c) If the control status says 'Skipped', it means that you have chosen to skip certain controls using the '-SkipControlsFromFile' parameter.
For further details, refer: https://aka.ms/devopskit/cicd
--------------------------------------------------------------------------------
Status and detailed logs have been exported to: C:\Users\redacted\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20191209_150524
================================================================================
C:\Users\redacted\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20191209_150524
All ARM templates are being analyzed.
Only the "master" template is analyzed, which is of low value when it only contains Microsoft.Resources/deployments resources.
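An added example, not part of the original issue and not AzSK code: a PowerShell function that walks a master template and lists every `Microsoft.Resources/deployments` resource together with the linked URI or inline template it points to, so those templates can be fetched and passed to the checker separately. The function name, the sample template and its resource names are constructed for illustration; it assumes `resources` is a JSON array and returns `templateLink` expressions unevaluated.

```powershell
# Added example (hypothetical helper, not part of AzSK).
# Enumerates linked and nested deployments in an ARM template so that a scanner
# which only evaluates concrete resource types does not silently skip them.
function Get-ArmDeploymentReference {
    [CmdletBinding()]
    param(
        # Raw JSON text of an ARM template.
        [Parameter(Mandatory)] [string] $TemplateJson,
        # Label copied into each output row, e.g. the file name.
        [string] $Source = 'template'
    )

    $template = $TemplateJson | ConvertFrom-Json
    $pending = [System.Collections.Generic.Queue[object]]::new()
    foreach ($r in @($template.resources)) { if ($null -ne $r) { $pending.Enqueue($r) } }

    while ($pending.Count -gt 0) {
        $res = $pending.Dequeue()
        $kind = 'Resource'
        $reference = $null

        if ($res.type -eq 'Microsoft.Resources/deployments') {
            $props = $res.properties
            if ($null -ne $props.templateLink) {
                # Linked template: content lives in another file or URL.
                $kind = 'Linked'
                $reference = if ($props.templateLink.uri) { $props.templateLink.uri }
                             else { $props.templateLink.relativePath }
            }
            elseif ($null -ne $props.template) {
                # Nested template: content is inline, so walk its resources too.
                $kind = 'Nested'
                $reference = '(inline template)'
                foreach ($inner in @($props.template.resources)) {
                    if ($null -ne $inner) { $pending.Enqueue($inner) }
                }
            }
        }

        # Child resources declared under a parent resource.
        foreach ($child in @($res.resources)) { if ($null -ne $child) { $pending.Enqueue($child) } }

        [pscustomobject]@{
            Source    = $Source
            Name      = $res.name
            Type      = $res.type
            Kind      = $kind
            Reference = $reference
        }
    }
}

# Constructed sample master template: one linked and one nested deployment.
$sampleMaster = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "apisTemplate",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[concat(parameters('LinkedTemplatesBaseUrl'), '/apis.template.json')]" }
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "inlineStorage",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "constructedsa001" }
          ]
        }
      }
    }
  ]
}
'@

$refs = Get-ArmDeploymentReference -TemplateJson $sampleMaster -Source 'master.template.json'
$refs | Format-Table Name, Type, Kind, Reference -AutoSize

# Templates the scan never sees unless they are fetched and scanned on their own.
$linked = @($refs | Where-Object { $_.Kind -eq 'Linked' })
"Linked templates to fetch and scan separately: $($linked.Count)"
```

Rows with `Kind` equal to `Resource` are the concrete resource types found after expanding inline nested templates; if there are none, the master file alone gives the checker nothing to evaluate.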
Azure_Keyvault_AuthZ_Min_Access_policies fails with minimal access policy
See attached image, in the ARM template the minimal (get,list) is set as required by our app, but the check fails.
Support version '2017-03-01-preview' for Microsoft.Sql/servers/securityAlertPolicies
When exporting templates from Azure Portal, the Microsoft.Sql/servers/securityAlertPolicies resource is exported using api version '2017-03-01-preview'. The json for this version is different from the one accepted by AzSK, which is based on api version '2015-05-01-preview'. Examples are that email addresses should be arrays in 2017 version and emailAccountAdmins is a true boolean type.
Any ARM Template Check fails when using 2017 version.
Export a SQL Server Database template from Azure Portal and run ARM Template Check using AzSK.
'2017-03-01-preview' api version Microsoft.Sql/servers/securityAlertPolicies resources can be verified with ARM Template Checker.
Currently only api version '2015-05-01-preview' will pass ARM Template Check.
AzSK_SVTs task on the ADO release pipeline generates a warning about a service principal secret that is included in a file and requests confirmation of ensuring that the directory has appropriate protection.
Logs:
##[warning]The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( C:\Users\VssAdministrator.Azure ). Please ensure that this directory has appropriate protections.
I am looking for help to ensure I can resolve this warning.
Since the release is on a hosted VM and not on a local machine, I would like to believe that the appropriate directory protections are in place.
Accordingly, I would like to attest to the same and remediate this warning.
If there is something else you would like us to do differently in order to get rid of this warning, could you please help me with the steps to do so, as I did not find steps to remediate this warning in the Wiki or the documentation.
This is a non-issue on the AzSK version 3.12.0 but is an issue on the AzSK version 3.13.0.
As the warning suggests, we can attest to the fact that the directory has appropriate protections and we can attest to the same which would not generate this warning subsequently.
We cannot suppress the warning and don't have adequate documentation on how to remediate the same.
Install-AzSKOMSSolution shows only results of baseline controls in Log Analytics
The key filter being IsBaselineControl_b == true
Can the OMS View take additional parameters for this?
Run Subscription Scan after setting up AzSK OMS Solution
Log Analytics should show same number of results as csv files generated.
Log Analytics shows only Baseline Controls
Any plans to release these as an Analyzer NuGet? Open Source the code?
(ref: SecurityIntelliSense-Preview)
ARM Template Checker considers "no controls" as a failure
There are a number of reasons why a template might not have anything that can be evaluated. In these scenarios, the ARM Template Checker task will write an error to output which fails the task unless the task is set to continue even on failure (resulting in partial success instead).
Since these tasks are intended to alert on or block potentially insecure or mis-configured deployments, this is unfortunate. Until one or more evaluatable policies and/or resources are included, the task either needs to be disabled or set to continue anyway which doesn't protect from future changes.
2019-08-08T06:21:01.8331196Z ================================================================================
2019-08-08T06:21:01.8331581Z AzSK Version: 3.15.0
2019-08-08T06:21:01.8332894Z ================================================================================
2019-08-08T06:21:01.8464474Z Method Name: Get-AzSKARMTemplateSecurityStatus
2019-08-08T06:21:01.8464633Z Input Parameters:
2019-08-08T06:21:01.8464745Z Key Value
2019-08-08T06:21:01.8464889Z --- -----
2019-08-08T06:21:01.8465033Z ARMTemplatePath <snip>\DeploymentTemplate.json
2019-08-08T06:21:01.8465196Z ParameterFilePath <snip>\Parameters\<params>.json
2019-08-08T06:21:01.8465310Z UseBaselineControls True
2019-08-08T06:21:01.8465431Z ================================================================================
2019-08-08T06:21:02.0033489Z ================================================================================
2019-08-08T06:21:02.0034551Z Starting analysis: [FileName: .\DeploymentTemplate.json]
2019-08-08T06:21:02.0035180Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0091041Z No controls have been evaluated for file: .\DeploymentTemplate.json
2019-08-08T06:21:02.0154741Z ================================================================================
2019-08-08T06:21:02.0177074Z Skipped file(s): 1
2019-08-08T06:21:02.0223989Z .\DeploymentTemplate.json
2019-08-08T06:21:02.0318365Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0687490Z One or more files were skipped during the scan.
2019-08-08T06:21:02.0740076Z Either the files are invalid as ARM templates or those resource types are currently not supported by this command.
2019-08-08T06:21:02.0742203Z Please verify the files and re-run the command.
2019-08-08T06:21:02.0742769Z For files that should not be included in the scan, you can use the '-ExcludeFiles' parameter.
2019-08-08T06:21:02.0743115Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0743391Z No controls have been evaluated for ARM Template(s).
2019-08-08T06:21:02.0743818Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0744106Z ** Next steps **
2019-08-08T06:21:02.0744388Z Look at the individual control evaluation status in the CSV file.
2019-08-08T06:21:02.0744686Z a) If the control has passed, no action is necessary.
2019-08-08T06:21:02.0744999Z b) If the control has failed, look at the control evaluation detail in the CSV file (LineNumber, ExpectedValue, CurrentValue, etc.) and fix the issue.
2019-08-08T06:21:02.0745347Z c) If the control status says 'Skipped', it means that you have chosen to skip certain controls using the '-SkipControlsFromFile' parameter.
2019-08-08T06:21:02.0745653Z For further details, refer: https://aka.ms/devopskit/cicd
2019-08-08T06:21:02.0745932Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0746595Z Status and detailed logs have been exported to: C:\Users\VssAdministrator\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20190808_062101
2019-08-08T06:21:02.0746920Z ================================================================================
2019-08-08T06:21:05.6655092Z Cleaning logs from temp directory...
2019-08-08T06:21:05.8062570Z ##[error]No controls have been evaluated for ARM Template(s).
2019-08-08T06:21:05.9227313Z ##[section]Finishing: AzSK ARM Template Checker
As a note, the above logs are from a setup that works if I remove -UseBaselineControls. The template and its parameters are valid and controls can be evaluated if they are enabled.
This can be repro'd locally with a simple deployment template:
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath "SampleDeployment.json"
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "variables": {
    "ApplicationInsightsName": "MySample"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/components",
      "apiVersion": "2014-08-01",
      "name": "[variables('ApplicationInsightsName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "ApplicationId": "[variables('ApplicationInsightsName')]",
        "Application_Type": "web",
        "Flow_Type": "Bluefield",
        "Request_Source": "rest"
      }
    }
  ]
}
In my opinion, the error here should only be written if the task actually fails, policies can't be loaded from the server (e.g. organizational policies), the template/parameters specified are invalid, or any other true error scenario. If there are simply no resources to evaluate, no policies to evaluate, or no policies to evaluate for the specified resources, then the task should be considered a success.
It would also be beneficial if the error were more specific to the scenario encountered.
The version of AzSK in the PSGallery differs from here
The master branch here does not agree with contents of the azsk.nupkg in PSGallery.
The PSGallery package should agree with some branch in Github
The PSGallery version differs
Running Update-AzSKOrganizationPolicy with PowerShell Core on Linux will fail because folder "Desktop" is hard coded and it for obvious reasons doesn't exist.
Importing Az modules. This may take a while...
Join-Path: /root/.local/share/powershell/Modules/AzSK/4.5.1/Framework/Core/PolicySetup/PolicySetup.ps1:149
Line |
149 | … = Join-Path $([System.Environment]::GetFolderPath("Desktop")) ($prefi …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot bind argument to parameter 'Path' because it is an empty string.
StackTrace: at CreateInstance, /root/.local/share/powershell/Modules/AzSK/4.5.1/Framework/Core/PolicySetup/PolicySetup.ps1: line 149
at PolicySetup, /root/.local/share/powershell/Modules/AzSK/4.5.1/Framework/Core/PolicySetup/PolicySetup.ps1: line 53
at Update-AzSKOrganizationPolicy<Process>, /root/.local/share/powershell/Modules/AzSK/4.5.1/PolicySetup/PolicySetup.ps1: line 246
at <ScriptBlock>, <No file>: line 12
Cannot deploy Install-AzSKOrganizationPolicy with App insights location set...
Setting the -AppInsightLocation northeurope or westeurope will result in an error,
Install-AzSKOrganizationPolicy : Parameter set cannot be resolved using the specified named parameters.
Call Install-AzSKOrganizationPolicy with a -AppInsightLocation of north or west europe.
Install-AzSKOrganizationPolicy -SubscriptionId <SUBID> -OrgName "<NAME>" -DepartmentName "<DEP>" -PolicyFolderPath "<C: PATH>" -ResourceGroupLocation westeurope -AppInsightLocation westeurope -ResourceGroupName "<NAME>" -AppInsightName "<NAME>"
Should set AppInsights location to the north or west europe.
Error, if this parameter is left out, the app insights will deploy to east US, which is not compliant for us.
Log Analytics Security View shows empty graphs sometimes
Log Analytics Security View shows empty graphs sometimes though corresponding Kusto query for the view gives non-empty result set.
Setup Log Analytics and CA for multiple automation accounts as described on the page:
https://github.com/azsk/DevOpsKit-docs/tree/master/04-Continous-Assurance
'Security Monitoring using the AzSK' dashboards shows graphs and tables corresponding to the scan results
'Security Monitoring using the AzSK' dashboards shows sometimes empty graphs.
However if I click on the "see all" link below it shows non empty result set:
Using a separate organization and running on azurewebsites doesn't give users much confidence that this is an actual Microsoft project.
Do you have plans to migrate this under the https://github.com/Azure and https://github.com/MicrosoftDocs organizations?
I have a custom org policy and I tried using the ARMTemplate checker cmdlet (and CI/CD extension) and it keeps getting its ARMControls.json from https://azsdkossep.azureedge.net/1.0.0/ARMControls.json instead of my org storage account. While digging a little bit, I noticed that this location is hardcoded in Constants.ps1:
static [string] $ARMControlsFileURI = "https://azsdkossep.azureedge.net/1.0.0/ARMControls.json";
and used by ARMCheckerStatus.ps1. So, it seems that there is no way to make it use the ARMControls.json stored in an org policy folder.
Get-AzSKARMTemplateSecurityStatus
I would have expected the ARM template checker to read the control file provided into the org policy folder. The ARM template checker should behave like the Get-AzSKAzureServicesSecurityStatus cmdlet.
Least Privilege Service Principal/Permission Rights requirement to run AzSK
I'm trying to find in a doc, but maybe I'm missing something. I would like to understand what is the least SP requirements to run all out-of-box checks.
When specifying a custom resource group name to install continuous assurance the command still creates the default AzSKRG resource group.
Install AzSK continuous assurance to a subscription with the following command:
Install-AzSKContinuousAssurance -SubscriptionId $subscriptions[0].Id -ResourceGroupNames $rgs -WebhookUrl $webhook -OMSWorkspaceId $omsworkspace.CustomerId.ToString() -OMSSharedKey $omssharedkeys.PrimarySharedKey -AutomationAccountRGName azsk-custom-rg -AutomationAccountLocation westeurope
All resources deployed for the AzSK Continuous Assurance are deployed inside the custom azsk-custom-rg resource group
Some resources are deployed inside the custom resource group and others are deployed inside the default resource group AzSKRG.
Get-module
Open ISE in Admin Mode
Execute Install-Module AzSK -Scope CurrentUser
Install-Module AzSK -Scope CurrentUser
Module Installed
error
PS C:\WINDOWS\system32> Install-Module AzSK -Scope CurrentUser
WARNING: Could not get response from query 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'&$skip=80&$top=40'.
WARNING: Could not get response from query 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'&$skip=120&$top=40'.
PackageManagement\Install-Package : Unable to find dependent module(s) (Azure.Storage)
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.6.5\PSModule.psm1:9385 char:21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Custom Org Policies are not picked up by multiple CA accounts
Installed custom Org Policies are not picked up by multiple CA accounts.
The runbook under CA automation account has still a reference to org-neutral policy and the one which was setup: $onlinePolicyStoreUrl = "https://azsdkossep.azureedge.net/`$Version/`$FileName"
Configure multiple CA accounts.
Install custom org policies
AzSK version 4.0.0
After the installation of the org policies the onlinePolicyStoreUrl is pointing to org policies location, the CA scans are performed according to the policies.
The URL is not changed, the org-neutral policies are still used.
With AzSK 3.12.0 version the above setup was working successfully.
PS /Users/user1/.azsk/policies/Config> $PSVersionTable
Name Value
---- -----
PSVersion 6.2.0
PSEdition Core
GitCommitId 6.2.0
OS Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
PS /Users/user1/.azsk/policies/Config>
AzSK Version: 3.15.0
I am referencing the documentation written here: https://azsk.azurewebsites.net/07-Customizing-AzSK-for-your-Org/Readme.html#create-cloud-security-compliance-report-for-your-org-in-powerbi-1
Created policy under local user directory /Users/user1/.azsk/policies. Initial setup did create necessary configuration files:
- AzSK.json
- ControlSettings.json
- ServerConfigMetadata.json
Now, I changed settings in AzSK.json and ControlSettings.json and re-ran the setup. However, AzSK can't find any changes in configuration directory (i.e. /Users/user1/.azsk/policies).
Command:
Install-AzSKOrganizationPolicy -SubscriptionId "XXXX-XXXX-XXXX-XXXXXXXXX" -OrgName "Test-AK" -ResourceGroupName "AK-AzSK-Test-001" -StorageAccountName "XXXXXXXXX001" -PolicyFolderPath "/Users/user1/.azsk/policies" -AppInsightName "test-ak-azsk-poc"
The output:
================================================================================
AzSK Version: 3.15.0
================================================================================
Method Name: Install-AzSKOrganizationPolicy (IOP)
Input Parameters:
Name Alias Value
---- ----- -----
SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXd
OrgName Test-AK
ResourceGroupName AK-AzSK-Test-001
StorageAccountName XXXXXXXXXXXXX001
PolicyFolderPath /Users/user1/.azsk/policies
AppInsightName test-ak-azsk-poc
You can also use: iop -SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXd -OrgName Test-AK -ResourceGroupName AK-AzSK-Test-001 -StorageAccountName XXXXXXXXX001 -PolicyFolderPath /Users/user1/.azsk/policies -AppInsightName test-ak-azsk-poc
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
Uploading [1] file(s) to container [installer]...
All files have been uploaded to container [installer].
No configuration files found under folder [/Users/user1/.azsk/policies/Config]
The setup has been completed and policies have been copied to [/Users/user1/.azsk/policies].
Run the command below to install Organization specific version.
iwr 'https://akazsktestsvc001.blob.core.windows.net/installer/AzSK-EasyInstaller.ps1' -UseBasicParsing | iex
Note: This is a basic setup and uses a public access blob for storing your org's installer. Once you have richer org policies, consider using a location/end-point protected by your tenant authentication.
================================================================================
Logs have been exported to: '/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Enterprise/20190808_143354_IOP'
================================================================================
/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Enterprise/20190808_143354_IOP
PS /Users/user1/.azsk/policies/Config>
It however finds everything under /Users/user1/.azsk/installer directory and uploads to a blob.
Running the AzSK Security Verification Tests as part of the VSTS Pipeline fails with the following errors:
2018-08-08T17:33:38.0050374Z ##[section]Starting: Security Verification Tests
2018-08-08T17:33:38.0055921Z ==============================================================================
2018-08-08T17:33:38.0056308Z Task : AzSK Security Verification Tests
2018-08-08T17:33:38.0056638Z Description : Scan Azure resources for security issues using AzSK.
2018-08-08T17:33:38.0056947Z Version : 3.0.2
2018-08-08T17:33:38.0057209Z Author : Microsoft Corporation
2018-08-08T17:33:38.0057527Z Help : [More Information](http://aka.ms/azskossdocs)
2018-08-08T17:33:38.0057866Z ==============================================================================
2018-08-08T17:33:45.3993773Z Installing Module AzSK...
2018-08-08T17:34:27.1179273Z ##[error]Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".
2018-08-08T17:34:27.1560834Z ##[section]Finishing: Security Verification Tests
PS C:\Users\buildadmin> Install-Module AzSK -Scope CurrentUser -Force -Verbose
VERBOSE: Using the provider 'PowerShellGet' for searching packages.
VERBOSE: The -Repository parameter was not specified. PowerShellGet will use all of the registered repositories.
VERBOSE: Getting the provider object for the PackageManagement Provider 'NuGet'.
VERBOSE: The specified Location is 'https://www.powershellgallery.com/api/v2/' and PackageManagementProvider is
'NuGet'.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzSK'' for ''.
VERBOSE: Total package yield:'1' for the specified package 'AzSK'.
VERBOSE: Performing the operation "Install-Module" on target "Version '3.4.0' of module 'AzSK'".
VERBOSE: The installation scope is specified to be 'CurrentUser'.
VERBOSE: The specified module will be installed in 'C:\Users\buildadmin\Documents\WindowsPowerShell\Modules'.
VERBOSE: The specified Location is 'NuGet' and PackageManagementProvider is 'NuGet'.
VERBOSE: Downloading module 'AzSK' with version '3.4.0' from the repository
'https://www.powershellgallery.com/api/v2/'.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzSK'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.AnalysisServices'' for ''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ApplicationInsights'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Automation'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Batch'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Cdn'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Compute'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataFactories''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataFactoryV2''
for ''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataLakeAnalytics'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataLakeStore''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.EventHub'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.HDInsight'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Insights'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.KeyVault'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.LogicApp'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Network'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.NotificationHubs'' for ''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.OperationalInsights'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.RedisCache'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Resources'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Scheduler'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ServiceBus'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ServiceFabric''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Sql'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Storage'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.StreamAnalytics'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Tags'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.TrafficManager''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Websites'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ContainerInstance'' for ''.
VERBOSE: InstallPackage' - name='AzureRM.profile',
version='4.2.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: DownloadPackage' - name='AzureRM.profile',
version='4.2.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022\AzureRM.profile\AzureRM.profile.nupkg',
uri='https://www.powershellgallery.com/api/v2/package/AzureRM.profile/4.2.0'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/4.2.0'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/4.2.0'.
VERBOSE: Completed downloading 'AzureRM.profile'.
VERBOSE: Hash for package 'AzureRM.profile' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='AzureRM.profile',
version='4.2.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: InstallPackage' - name='Azure.Storage',
version='4.1.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: DownloadPackage' - name='Azure.Storage',
version='4.1.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022\Azure.Storage\Azure.Storage.nupkg',
uri='https://www.powershellgallery.com/api/v2/package/Azure.Storage/4.1.0'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/Azure.Storage/4.1.0'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/Azure.Storage/4.1.0'.
VERBOSE: Completed downloading 'Azure.Storage'.
VERBOSE: Hash for package 'Azure.Storage' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='Azure.Storage',
version='4.1.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: InstallPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: DownloadPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022\AzureRM.AnalysisServices\AzureRM.Analysis
Services.nupkg', uri='https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'.
VERBOSE: Could not find a part of the path
'C:\Users\buildadmin\AppData\Local\Temp\767117022\AzureRM.AnalysisServices\AzureRM.AnalysisServices.nupkg'.
VERBOSE: Retry downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2' for '2'
more times
VERBOSE: Download is incomplete. Downloaded '0' out of '0' bytes.
PackageManagement\Install-Package : Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot
convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Excep
tion
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Validate-ModuleAuthenticodeSignature,Microsoft.Powe
rShell.PackageManagement.Cmdlets.InstallPackage
And finally trying to install the specific module:
PS C:\Users\buildadmin> Install-Module -Name AzureRM.AnalysisServices -RequiredVersion 0.6.2 -Force -Verbose
VERBOSE: Using the provider 'PowerShellGet' for searching packages.
VERBOSE: The -Repository parameter was not specified. PowerShellGet will use all of the registered repositories.
VERBOSE: Getting the provider object for the PackageManagement Provider 'NuGet'.
VERBOSE: The specified Location is 'https://www.powershellgallery.com/api/v2/' and PackageManagementProvider is
'NuGet'.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.AnalysisServices'' for ''.
VERBOSE: Total package yield:'1' for the specified package 'AzureRM.AnalysisServices'.
VERBOSE: Performing the operation "Install-Module" on target "Version '0.6.2' of module 'AzureRM.AnalysisServices'".
VERBOSE: The installation scope is specified to be 'AllUsers'.
VERBOSE: The specified module will be installed in 'C:\Program Files\WindowsPowerShell\Modules'.
VERBOSE: The specified Location is 'NuGet' and PackageManagementProvider is 'NuGet'.
VERBOSE: Downloading module 'AzureRM.AnalysisServices' with version '0.6.2' from the repository
'https://www.powershellgallery.com/api/v2/'.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.AnalysisServices'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: InstallPackage' - name='AzureRM.profile',
version='5.3.4',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
VERBOSE: DownloadPackage' - name='AzureRM.profile',
version='5.3.4',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978\AzureRM.profile\AzureRM.profile.nupkg',
uri='https://www.powershellgallery.com/api/v2/package/AzureRM.profile/5.3.4'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/5.3.4'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/5.3.4'.
VERBOSE: Completed downloading 'AzureRM.profile'.
VERBOSE: Hash for package 'AzureRM.profile' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='AzureRM.profile',
version='5.3.4',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
VERBOSE: InstallPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
VERBOSE: DownloadPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978\AzureRM.AnalysisServices\AzureRM.Analysis
Services.nupkg', uri='https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'.
VERBOSE: Completed downloading 'AzureRM.AnalysisServices'.
VERBOSE: Hash for package 'AzureRM.AnalysisServices' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
PackageManagement\Install-Package : Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot
convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Excep
tion
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Validate-ModuleAuthenticodeSignature,Microsoft.Powe
rShell.PackageManagement.Cmdlets.InstallPackage
PS C:\Users\buildadmin>
Positive and Negative drifts of controls are always showing 0 change
Positive and Negative drifts of controls are always showing 0 change in App Insights Dashboard
Setup Org Policy Monitoring dashboard using a guide here: https://github.com/azsk/DevOpsKit-docs/blob/master/Images/07_OrgPolicy_MonitoringDashboard.png
Positive and Negative drifts of controls shows actual change across the old and the latest scan.
Positive and Negative drifts of controls are always showing 0 change in App Insights Dashboard. The query always gives 0 change.
//Negative Drift
let ControlResults = customEvents
| where timestamp < ago(2d) and timestamp >= ago(4d)
| where name == "Control Scanned" and customDimensions.HasAttestationReadPermissions == "True" and customDimensions.HasRequiredAccess == "True"
| summarize arg_max(timestamp, *) by tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName), tostring(customDimensions.ControlId)
| project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId), tostring(customDimensions.ControlId), Oldresult =tostring(customDimensions.VerificationResult)
| join
(
customEvents
| where timestamp >= ago(2d)
| where name == "Control Scanned" and customDimensions.HasAttestationReadPermissions == "True" and customDimensions.HasRequiredAccess == "True"
| summarize arg_max(timestamp, *) by tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName), tostring(customDimensions.ControlId)
| project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId), tostring(customDimensions.ControlId), Latestresult = tostring(customDimensions.VerificationResult)
)
on customDimensions_SubscriptionId, customDimensions_SubscriptionName,customDimensions_ResourceId, customDimensions_ControlId
| project tostring(customDimensions_SubscriptionId), tostring(customDimensions_SubscriptionName),tostring(customDimensions_ResourceId), tostring(customDimensions_ControlId),Oldresult,Latestresult;
let OldScan = ControlResults
| where Oldresult == "Passed"
| summarize OldScanCount = count() by tostring(customDimensions_ControlId);
let LatestScan = ControlResults
| where Latestresult == "Passed"
| summarize LatestScanCount = count() by tostring(customDimensions_ControlId);
OldScan
| join
(
LatestScan
)
on customDimensions_ControlId
| project ControlId=tostring(customDimensions_ControlId),OldStatusCount=OldScanCount,LatestStatusCount=LatestScanCount
| where OldStatusCount != LatestStatusCount and LatestStatusCount < OldStatusCount
| extend Change =OldStatusCount-LatestStatusCount
| order by Change desc
| project ControlId,OldStatusCount,LatestStatusCount,Change
Non-interactively run Get-AzSKAzureDevOpsSecurityStatus
We want to be able to run this under a non-user account, so that there's no interactive login needed. Is this something that can be placed on your backlog or anything?
Get-AzSKAzureDevOpsSecurityStatus -OrganizationName <"Whatever"> -Credentials $credentialObject
User is logged in non-interactively.
Does not exist
CA Multiple accounts setup with custom Org policy
CA Scan failing with the following error:
Get-AzStorageAccount : Resource group 'AzSKRG' could not be found. At C:\Modules\User\AzSK\Framework\Core\SVT\SubscriptionCore\SubscriptionCore.ps1:1532 char:27 + ... rageAccount = Get-AzStorageAccount -ResourceGroupName $AzSKRG | Where ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Get-AzStorageAccount], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.GetAzureStorageAccountCommand
Setup multiple CA accounts following instructions here:
https://github.com/azsk/DevOpsKit-docs/tree/master/04-Continous-Assurance
Scan completed successfully
The error occurs during a scan execution:
Get-AzStorageAccount : Resource group 'AzSKRG' could not be found. At C:\Modules\User\AzSK\Framework\Core\SVT\SubscriptionCore\SubscriptionCore.ps1:1532 char:27 + ... rageAccount = Get-AzStorageAccount -ResourceGroupName $AzSKRG | Where ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (:) [Get-AzStorageAccount], CloudException + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.GetAzureStorageAccountCommand
Setting UseOnlinePolicyStore to false does not support custom organization policies
Feature request.
Some enterprises have policies restricting the use of Azure storage accounts (FinTech and data exfiltration concerns are one misuse case).
There is no documented (easy) way to create an organization extension according to the instructions at Extending AzSK Modules while disabling UseOnlinePolicyStore.
A parameter like Get-AzSKOrganizationPolicyStatus -PolicyFolderPath LOCALEXTENSIONS would allow for local extensions to be made and kept local.
*.ext.ps1 files are ignored
As a work-around, one can fork the AzSK DevOpsKit and place the extensions directly in the forked SVT/* directory code. At that point UseOnlinePolicyStore: false will work, but this requires forking and altering AzSK.
Malfunctions on PowershellCore OSX & Linux
On OSX and Linux AzSK runs the builtin policies, but fails to upload organization policy extensions to the storage account and fails to run them.
Since outside pull requests are not being accepted, applying the following diffs will make things work:
master...gfrascadorio:master
Issue 685 may also be caused by this problem. If one uses Linux or OSX to follow the instructions for Extending AzSK Modules and then call Install-AzSKOrganizationPolicy or Update-AzSKOrganizationPolicy, no *.ext.ps1 files will be uploaded to the storage account.
The issue seems to be the use of Windows specific:
*.ext.ps1 files would be uploaded
Files not uploaded
The code is using a mix and match of spaces and tabs at the moment for indenting code.
This is an eyesore while reading the code; can this be standardized to only using spaces (1 tab = 4 spaces)?
Open the *.ps1 files from the source code in VSCode (or any other editor) and you'd notice that there.
Standardized indentation using whitespaces instead of tabs.
Mix & match of tab & whitespace for indentation.
This would be a very valuable tool for government customers, but when I attempt to run it and even try to set the -Environment, I receive a "the provided account ... does not have access to subscription ID ..." error, which is in line with an error trying to execute against a commercial endpoint.
Adjustments to the Jenkins SVT plugin should occur such that execution is directed at the selected node and not forced to run on the host. Essentially all Jenkins jobs have this node-specific context. It's certainly acceptable to assume that an environment with PowerShell (Windows) is needed, but execution can happen perfectly fine on the node. It's quite common to have a Jenkins setup where the host is not running Windows but a Windows node is available.
FATAL: /tmpAzSDKSVTRuntime.ps1 (Permission denied)
Job runs on the Windows node in its entirety.
AzSK plugin ignores node-specific environment and attempts to run on the Jenkins host.
Help to fix the bug which occurs when running Get-AzSKARMTemplateSecurityStatus command on a bad ARM template
I have an ARM template and I am running a security scan against it. When I run the Get-AzSKARMTemplateSecurityStatus command, it hangs in between the scan. It doesn't end or give any errors, just hangs.
Here is my ARM template:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"AppServiceName": {
"type": "string",
"metadata": {
"description": "The name of the function app that you wish to create."
}
},
"DomainName": {
"type": "string"
},
"AzureFunction.StorageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_ZRS",
"Premium_LRS"
],
"metadata": {
"description": "Storage Account type"
}
},
"AzureFunction.StorageAccountName": {
"type": "string"
},
"AppInsightsLocation": {
"type": "string"
},
"HostingPlanName": {
"type": "string"
},
"HostingPlanResourceGroup": {
"type": "string"
},
"SSLThumbprint": {
"type": "string",
"metadata": {
"description": "The thumbprint of the SSL certificate as it should be defined in a hosting plan"
}
}
},
"variables": {
"storageAccountid": "[concat(resourceGroup().id,'/providers/','Microsoft.Storage/storageAccounts/', parameters('AzureFunction.StorageAccountName'))]",
"serverFarmId": "[resourceId(parameters('HostingPlanResourceGroup'),'Microsoft.Web/serverfarms/', parameters('HostingPlanName'))]"
},
"resources": [
{
"apiVersion": "2015-05-01",
"name": "[parameters('AppServiceName')]",
"type": "Microsoft.Insights/components",
"location": "[parameters('AppInsightsLocation')]",
"properties": {
"applicationId": "[parameters('AppServiceName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('AzureFunction.StorageAccountName')]",
"apiVersion": "2017-06-01",
"location": "[resourceGroup().location]",
"kind": "Storage",
"sku": {
"name": "[parameters('AzureFunction.StorageAccountType')]"
}
},
{
"apiVersion": "2016-08-01",
"type": "Microsoft.Web/sites",
"name": "[parameters('AppServiceName')]",
"location": "[resourceGroup().location]",
"kind": "functionapp",
"dependsOn": [
"[resourceId('Microsoft.Insights/components', parameters('AppServiceName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('AzureFunction.StorageAccountName'))]"
],
"properties": {
"enabledHostnames": [ "[parameters('DomainName')]" ],
"hostNameSslStates": [
{
"name": "[parameters('DomainName')]",
"sslState": "SniEnabled",
"thumbprint": "[parameters('SSLThumbprint')]",
"toUpdate": true
}
],
"serverFarmId": "[variables('serverFarmId')]"
},
"resources": [
{
"apiVersion": "2016-08-01",
"name": "web",
"type": "config",
"dependsOn": [
"[concat('Microsoft.Web/sites/',parameters('AppServiceName'))]"
],
"properties": {
}
}
]
},
{
"type": "Microsoft.Web/sites/hostnameBindings",
"name": "[concat(parameters('AppServiceName'),'/',parameters('DomainName'))]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/sites/',parameters('AppServiceName'))]"
],
"properties": {
"domainId": null,
"hostNameType": "Verified",
"siteName": "[parameters('DomainName')]",
"toUpdate": true
}
}
],
"outputs": {
"AppInsightsInstrumentationKey": {
"value": "[reference(resourceId('Microsoft.Insights/components', parameters('AppServiceName')), '2015-05-01').InstrumentationKey]",
"type": "string"
}
}
}
Save this ARM somewhere on your File System to reproduce the issue.
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath "PathToTheAboveARM"
It should result in giving me an ARMChecker folder with the result in the form of csv file and the PowerShell output file.
It hangs in between the security scan.
Is it a known issue? When any bad ARM template is received as an input to the command, does it hang?
Could you please work on this bug of handling the hang issue?
Install-AzSKContinuousAssurance fails when specifying a list of RG
Install-AzSKContinuousAssurance fails when specifying a comma separated list of resource groups as parameters
Execute Install-AzSKContinuousAssurance command providing for ResourceGroupNames parameter a comma separated list of resource groups
Install-AzSKContinuousAssurance -SubscriptionId <SubscriptionId> `
-ResourceGroupNames <ResourceGroupName1>, <ResourceGroupName1> `
-OMSWorkspaceId <WorkspaceId> `
-OMSSharedKey <SharedKey>
The command executed successfully
The command fails with the following error:
Get-AzSKARMTemplateSecurityStatus seems to fail under linux containers
Run Get-AzSKARMTemplateSecurityStatus under any linux docker container. It fails on CSV file creation because of the path issues. $Env:LOCALAPPDATA is null under Linux containers, and then the path does not get created at all.
Export-Csv : Could not find a part of the path '/Microsoft/AzSKLogs/ARMChecker/20190325_061020/ARMCheckerResults_20190325_061020.csv'.
At /opt/microsoft/powershell/6/Modules/AzSK/3.11.0/Framework/Core/ARMChecker/ARMCheckerStatus.ps1:232 char:16
+ ... $csvResults| Export-Csv $csvFilePath -NoTypeInformation -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Export-Csv], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
Name Value
---- -----
PSVersion 6.1.3
PSEdition Core
GitCommitId 6.1.3
OS Linux 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
It fails on path creation under linux container.
This is actually related to the "Enable Get-AzSKARMTemplateSecurityStatus to Output results to Array" issue #267 raised by @PlagueHO. A very opinionated approach on creating CSV files with no way to specify the path or disable it at all, or get the output array of result objects. Should we have an option to get an array as output, this problem would partly go away.
The very challenge is integration with other tools:
I might help with this fix, looking into source code.
SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.
AzSK ContinuousAssurance fails to run with the message:
SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.
PS /Users/user1/.azsk/policies/Config> $PSVersionTable
Name Value
---- -----
PSVersion 6.2.0
PSEdition Core
GitCommitId 6.2.0
OS Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
PS /Users/user1/.azsk/policies/Config>
I expected AzSK CA to run properly
AzSK CA errors out complaining that AzSK module is not available.
SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.
However it is listed under modules:
Enable encryption of Automation account (Preview)
Make the variables used for the CA_Runbook encrypted
Just look at security center after install of the CA runbook from AZSK
I have discovered that game code, which needs to be secured now, with everything being online and with online transactions,
The issue is that some code like Random rng = new Random(); triggers an error. There needs to be a way to ignore that one line in code, otherwise these checks are useless for secured game development.
When executing Set-AzSKSubscriptionSecurity ... -TargetResourceGroup azsk it still provisions an AzSKRG in "East US ".
Is it possible to specify that all resources get provisioned to "West Europe"?
Set-AzSKSubscriptionSecurity -SubscriptionId xxx -SecurityContactEmails "xxx" -SecurityPhoneNumber "xxx" -TargetResourceGroup xxx -AlertResourceGroupLocation "West Europe"
It should be possible to specify the target location of all provisioned resources.
It always creates resources in "East US 2".
Integration of DevOpsKit with Terraform
I am looking at leveraging the DevOpsKit with a number of different infrastructure orchestrators. Are there plans to extend the ARM Template checker to integrate more tightly with terraform?
Enable Get-AzSKARMTemplateSecurityStatus to Output results to Array so that it facilitates use cases within test automation frameworks like PowerShell Pester.
This is a fantastic module! But I'd like to see it providing better functionality in the automation/CI/CD/DevOps space. For example, I'd like to be able to easily use this in Pester (PowerShell Testing framework).
I also want to easily suppress/prevent Write-Host output as well, as forcing output to the host isn't a PowerShell best practice - I should be allowed to decide if I want to see the output.
Describe 'ARM template best practices' -Tag 'AzSK' {
    Context 'When AzSK module is installed and run on all files in the Templates folder' {
        It 'Should not have any failed results' {
            $results = Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath (Join-Path -Path $TemplatePath -ChildPath '*.json') -Preview:$true -DoNotOpenOutputFolder
            $results.FailedCount | Should -Be 0
        }
    }
}
Note: I would be happy to contribute a PR for this, but as you've not got a contribution model set up then... 😢 Also, as there don't appear to be any unit tests for the module, I'd be a little bit hesitant.
I want to be able to do something like this (a Pester test):
Describe 'ARM template best practices' -Tag 'AzSK' {
    Context 'When AzSK module is installed and run on all files in the Templates folder' {
        It 'Should not have any failed results' {
            $results = Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath (Join-Path -Path $TemplatePath -ChildPath '*.json') -Preview:$true -DoNotOpenOutputFolder -SuppressHostOutput
            $results.FailedCount | Should -Be 0
        }
    }
}
My test is run and no additional host output is generated and $results object contains a summary of the result and the passed and failed tests on each ARM template.
Lots of Write-Host and the result is just a path to the location the files are output to. I then need to use additional steps to load and parse the output for failures.
When running a subscription scan, the control Azure_AppService_DP_Dont_Allow_HTTP_Access_Fn reports functions as "passed" although SSL is not enforced.
Get-AzSKAzureServicesSecurityStatus
I assume that the function apps which do not have HTTPS enforced should be reported as failed.
Function Apps allowing both HTTP & HTTPS are listed as "passed" for the above control.
As described by the below pointer, a few controls are available to enforce some behavior right from the ARM template.
https://github.com/azsk/DevOpsKit-docs/blob/master/ARMTemplates/AppService.json
It'd be nice to be able to add the MSI check as well.
N/A
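The two App Service issues above (function apps reported as passed without HTTPS enforcement, and the request for an MSI check at template level) both come down to inspecting `Microsoft.Web/sites` resources. This is an added example, not AzSK's control logic; the function names, the status labels and the constructed template are assumptions made for illustration.

```powershell
# Added example, not AzSK code. The template is constructed sample input.
$templateJson = @'
{
  "resources": [
    { "type": "Microsoft.Web/sites", "name": "web-ok", "kind": "app",
      "identity": { "type": "SystemAssigned" },
      "properties": { "httpsOnly": true } },
    { "type": "Microsoft.Web/sites", "name": "func-http", "kind": "functionapp",
      "properties": { "httpsOnly": false } },
    { "type": "Microsoft.Web/sites", "name": "func-unset", "kind": "functionapp,linux",
      "identity": { "type": "None" },
      "properties": { } },
    { "type": "Microsoft.Web/sites", "name": "func-param", "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "properties": { "httpsOnly": "[parameters('httpsOnly')]" } },
    { "type": "Microsoft.Storage/storageAccounts", "name": "stor", "properties": { } }
  ]
}
'@

function Get-SettingStatus {
    param($Value, [scriptblock] $IsCompliant)
    # ARM expressions such as "[parameters('x')]" cannot be resolved offline,
    # so they are flagged for manual review instead of passed or failed.
    if ($Value -is [string] -and $Value.StartsWith('[')) { return 'Verify' }
    if (& $IsCompliant $Value) { 'Passed' } else { 'Failed' }
}

function Test-AppServiceTemplate {
    param([Parameter(Mandatory)] [string] $Json)
    foreach ($res in ($Json | ConvertFrom-Json).resources) {
        # Function apps are Microsoft.Web/sites too, so no filter on 'kind'.
        if ($res.type -ne 'Microsoft.Web/sites') { continue }
        [pscustomobject]@{
            Name      = $res.name
            Kind      = $res.kind
            # An omitted httpsOnly is treated as not enforced.
            HttpsOnly = Get-SettingStatus $res.properties.httpsOnly { param($v) $v -eq $true }
            # A managed identity needs identity.type set to something other than 'None'.
            Identity  = Get-SettingStatus $res.identity.type { param($v) $v -and $v -ne 'None' }
        }
    }
}

Test-AppServiceTemplate -Json $templateJson | Format-Table -AutoSize
```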
Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'
When executing any of AzSK commands under Ubuntu 14.04, 18.04 they fail with a reason:
Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'
Execute
$PSVersionTable
Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Linux 3.13.0-163-generic #213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
Get-AzSKAzureServicesSecurityStatus <subscription_id>
The command executes successfully
The command gives an error: "Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'" and does not execute till the end
CA: Error importing module AzSK
When installing a CA solution for a subscription very often importing AzSK module fails.
To fix it you need to reinstall the CA for the subscription.
Install-AzSKContinuousAssurance -SubscriptionId <SubscriptionId> `
-ResourceGroupNames <ResourceGroupNames> `
-OMSWorkspaceId <WorkspaceId> `
-OMSSharedKey <SharedKey>
AzSK module status is Available
AzSK module status is Failed
Error message: The start time of the schedule must be at least 5 minutes after the time you create the schedule.
Open Visual Studio Code
I have tested against both AzSK 3.2.0 and 3.3.0
Install-Module AzSK -Scope CurrentUser -force -allowclobber
Install-AzSKContinuousAssurance -SubscriptionId -ResourceGroupNames -OMSWorkspaceId -OMSSharedKey
Trying to install AzSK Continuous Assurance Automation account:
Create AzSK Continuous Assurance Account:
PS C:\Users\azureuser> Install-AzSKContinuousAssurance -SubscriptionId $subId -AutomationAccountLocation $location -AutomationAccountRGName $rgname -ResourceGroupNames 'AK-TEST-0001,captain-america,aaas-rg' -OMSWorkspaceId $lawsId -OMSSharedKey $omsKey -AzureADAppName 'AzSk-Assurance' -ScanIntervalInHours 24
Auto-update for AzSK is currently not enabled for your machine. To set it, run the command below:
Set-AzSKPolicySettings -AutoUpdate On
A newer version of AzSK is available: Version 4.0.0
To update, run the command below in a fresh PS window:
Install-Module -Name AzSK -Scope CurrentUser -AllowClobber -Force
Using the latest version ensures that AzSK security commands you run use the latest, most up-to-date controls.
Results from the current version should not be considered towards compliance requirements.
================================================================================
================================================================================
AzSK Version: 3.15.0
================================================================================
Method Name: Install-AzSKContinuousAssurance (ICA)
Input Parameters:
Name Alias Value
---- ----- -----
SubscriptionId sid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AutomationAccountLocation loc eastus2
AutomationAccountRGName aargn AK-AzSK-Test-001
ResourceGroupNames rgns AK-TEST-0001,aaas-rg
LAWSId wid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX
LAWSSharedKey wkey XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AzureADAppName spn AzSk-Assurance
ScanIntervalInHours si 24
You can also use: ica -sid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -loc eastus2 -aargn AK-AzSK-Test-001 -rgns AK-TEST-0001,aaas-rg -wid XXXXXXXX-XXXX-X
-si 24
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
================================================================================
Started setting up Automation Account for Continuous Assurance (CA)
================================================================================
Creating Automation Account: [AzSKContinuousAssurance]
Found AAD application in the directory: [AzSk-Assurance]
Generating new credential for AzSK CA SPN
Configuring permissions for AzSK CA SPN. This may take a few min...
Adding SPN to [Contributor] role at [AzSKRG] resource group scope...
WARNING: Ignoring error while assigning CA SPN permissions for SPN: [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX].
WARNING: Make sure this SPN is 'Contributor' on AzSKRG and 'Reader' on the subscription.
Successfully configured AzSK CA Automation Account with SPN.
Creating a storage account: [azsk201908XXXXXXXX] for storing reports from CA scans.
Updating runbook: [Continuous_Assurance_Runbook]
--------------------------------------------------------------------------------
Completed setup phase-1 for AzSK Continuous Assurance.
Setup phase-2 has been triggered and will continue automatically in the background. This involves loading all PS modules CA requires to run, scheduling runbook, etc
You can check the overall status of installation using the 'Get-AzSKContinuousAssurance' command 2 hours after running 'Install-AzSKContinuousAssurance' command.
Once phase-2 setup completes, your subscription and resources (from the specified resource groups) will be scanned periodically by CA. All security control evaluati
You may subsequently update any of the parameters specified during installation using the 'Update-AzSKContinuousAssurance' command. If you specified '*' for resourc
You should use the AzSK Monitoring solution to monitor your subscription and resource health status.
================================================================================
Logs have been exported to: 'C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_130552_ICA'
================================================================================
C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_130552_ICA
PS C:\Users\azureuser>
Wait 2 hours for phase 2 to complete. Display AzSK Continuous Assurance Account:
PS C:\Users\azureuser> Get-AzSKContinuousAssurance -AutomationAccountName AzSKContinuousAssurance -SubscriptionId $subId -AutomationAccountRGName $rgname
Auto-update for AzSK is currently not enabled for your machine. To set it, run the command below:
Set-AzSKPolicySettings -AutoUpdate On
A newer version of AzSK is available: Version 4.0.0
To update, run the command below in a fresh PS window:
Install-Module -Name AzSK -Scope CurrentUser -AllowClobber -Force
Using the latest version ensures that AzSK security commands you run use the latest, most up-to-date controls.
Results from the current version should not be considered towards compliance requirements.
================================================================================
================================================================================
AzSK Version: 3.15.0
================================================================================
Method Name: Get-AzSKContinuousAssurance (GCA)
Input Parameters:
Name Alias Value
---- ----- -----
AutomationAccountName aan AzSKContinuousAssurance
SubscriptionId s XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AutomationAccountRGName aargn AK-AzSK-Test-001
You can also use: gca -aan AzSKContinuousAssurance -s XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -aargn AK-AzSK-Test-001
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
================================================================================
Started validating your AzSK Continuous Assurance (CA) setup...
================================================================================
Check 01: Presence of CA Automation Account.
Status: OK. Found the CA Automation Account: [AzSKContinuousAssurance].
--------------------------------------------------------------------------------
Check 02: Checking CA Runbook version.
Status: OK. CA runbook is healthy.
--------------------------------------------------------------------------------
Check 03: Inspecting CA module: [AZSK].
Status: Failed. AZSK module is not available in automation account.
To resolve this please run command 'Remove-AzSKContinuousAssurance' followed by 'Install-AzSKContinuousAssurance'.
--------------------------------------------------------------------------------
Summary of CA configuration:
Name Value
---- -----
AltLAWSId NULL
AppResourceGroupNames AK-TEST-0001,aaas-rg
AutomationAccountName AzSKContinuousAssurance
AzSKReportsStorageAccountName azsk201908XXXXXXXX
AzureADAppID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AzureADAppName AzSk-Assurance
CertificateExpiry 2/15/2020 1:05:59 PM -05:00
LAWSId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Runbooks Continuous_Assurance_Runbook
RunbookVersion Current version: [3.1902.0] Latest version: [3.1902.0]
Schedules CA_Scan_Schedule (Frequency: 24 Hour)
WebhookUrl NULL
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Found that AzSK Continuous Assurance (CA) is not correctly setup or functioning properly.
Review the failed check and follow the remedy suggested. If it does not work, please file a support request after reviewing the FAQ.
--------------------------------------------------------------------------------
================================================================================
Logs have been exported to: 'C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_151456_GCA'
================================================================================
C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_151456_GCA
PS C:\Users\azureuser>
As you can see the account creation failed. I don't know what is going on here. Why would it fail?
:(
Hi team,
The project looks interesting yet there are a few things which are really confusing.
I hope these are reasonable concerns. Again, the project looks great yet this is not the only variable on usage evaluation.
Help for SecurityIntellisenseCS
Help for SecurityIntellisenseCS points to https://aka.ms/acecrc which directs to a Microsoft internal corporate resource. There is no help supported.
Hello,
I know it might not be the right location to post this issue but you might help and redirect me to the appropriate location. I'm testing the AzSK Azure DevOps marketplace extension and I would have liked to propose a new feature (through a fork & pull request) but the source isn't published on GitHub it seems. Any clue why or am I wrong? I can of course change it only for myself but I had the impression that AzSK is a community driven effort.
Thanks
Best Regards