devopskit's People

Contributors

abhaydaga, aboli-msft, aditi-sha, akreddy123, arvindsingh-cloud, asimks, avannaldas, ganesh-msft, garima-msft, haibatpure, jaslokunal-zz, khushboo-msft, maykulkarni, mprabhu11, rinichandra, ritika-msft, rohityadav-msft, sapsh-msft, sbyna-msft, shrutibhambhani, siniki, tarunkrshukla, v-himkam, v-nitja, v-soukum, vishalhaibatpure1, zhgupta

devopskit's Issues

AzSK Subscription Security Status Report fails to generate on Mac with Word installed

Title

AzSK Subscription Security Status Report fails to generate on Mac with Word installed

Description

AzSK Subscription Security Status Report fails to generate on Mac with Word installed

Steps to reproduce

OS: Mac OSX - Mojave
Powershell: 6.2.0
AzSK: 4.0.0

On Mac with Word installed, run the following command:

Get-AzSKsubscriptionSecuritystatus -subscriptionid $subId -GeneratePDF Portrait

Output:

================================================================================
AzSK Version: 4.0.0
================================================================================
Method Name: get-azsksubscriptionsecuritystatus (GSS)
Input Parameters:
Name           Alias Value
----           ----- -----
SubscriptionId       XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
GeneratePDF          Portrait

You can also use: gss -SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -GeneratePDF Portrait
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
Scan events will be sent to the following Log Analytics workspace(s):
WSId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXb
================================================================================
Starting analysis: [FeatureName: SubscriptionCore] [SubscriptionName: Managed-External] [SubscriptionId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
--------------------------------------------------------------------------------
Checking: [SubscriptionCore]-[Minimize the number of admins/owners]
Checking: [SubscriptionCore]-[Justify all identities that are granted with admin/owner access on your subscription.]
Checking: [SubscriptionCore]-[Mandatory central accounts must be present on the subscription]
Checking: [SubscriptionCore]-[Deprecated/stale accounts must not be present on the subscription]
Checking: [SubscriptionCore]-[Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription)]
Checking: [SubscriptionCore]-[There should not be more than 2 classic administrators]
Checking: [SubscriptionCore]-[Use of management certificates is not permitted.]
Checking: [SubscriptionCore]-[Azure Security Center (ASC) must be correctly configured on the subscription]
Checking: [SubscriptionCore]-[Pending Azure Security Center (ASC) alerts must be resolved]
Checking: [SubscriptionCore]-[Service Principal Names (SPNs) should not be Owners or Contributors on the subscription]
Checking: [SubscriptionCore]-[Critical application resources should be protected using a resource lock]
Checking: [SubscriptionCore]-[ARM policies should be used to audit or deny certain activities in the subscription that can impact security]
Checking: [SubscriptionCore]-[Alerts must be configured for critical actions on subscription and resources]
Checking: [SubscriptionCore]-[Do not use custom-defined RBAC roles]
Checking: [SubscriptionCore]-[Do not use any classic resources on a subscription]
Checking: [SubscriptionCore]-[Do not use any classic virtual machines on your subscription.]
Checking: [SubscriptionCore]-[Verify the list of public IP addresses on your subscription]
Checking: [SubscriptionCore]-[Permanent access should not be granted for privileged subscription level roles]
Checking: [SubscriptionCore]-[Mandatory tags must be set per your organization policy]
Checking: [SubscriptionCore]-[Standard tier must be enabled for Azure Security Center]
Checking: [SubscriptionCore]-[Ensure any credentials approaching expiry are rotated soon.]
--------------------------------------------------------------------------------
Completed analysis: [FeatureName: SubscriptionCore] [SubscriptionName: Managed-External] [SubscriptionId: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX]
================================================================================
Summary   Total Passed Failed Verify Manual
-------   ----- ------ ------ ------ ------
Medium        6      3      0      3      0
High         15      9      3      0      3
Critical      1      1      0      0      0
------   ------ ------ ------ ------ ------
Total        22     13      3      3      3
------   ------ ------ ------ ------ ------
================================================================================
** Next steps **
Look at the individual control evaluation status in the CSV file.
        a) If the control has passed, no action is necessary.
        b) If the control has failed, look at the control evaluation detail in the LOG file to understand why.
        c) If the control status says 'Verify', it means that human judgement is required to determine the final control status. Look at the control evaluation output in the LOG file to make a determination.
        d) If the control status says 'Manual', it means that AzSK (currently) does not cover the control via automation OR AzSK is not able to fetch the data. You need to manually implement/verify it.

Note: The 'Recommendation' column in the CSV file provides basic (generic) guidance that can help you fix a failed control. You can also use standard Azure product documentation. You should carefully consider the implications of making the required change in the context of your application.
Control results may not reflect attestation if you do not have permissions to read attestation data from AzSKRG
--------------------------------------------------------------------------------
Status and detailed logs have been exported to path - /Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Managed-External/20190822_081425_GSS
================================================================================
You must have Microsoft Word application installed on machine to generate PDF report.
/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Managed-External/20190822_081425_GSS
PS /Users/user1>

Powershell Version

PS /Users/user1/.azsk/policies/Config> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS /Users/user1/.azsk/policies/Config>

Expected behavior

I'd expect the report to be generated.

Actual behavior

Report fails to generate even if Word is installed on Mac.

Unable to find type [GeneratePDF].

Title

Unable to find type [GeneratePDF].

Description

When trying to run "Get-AzSKSubscriptionSecurityStatus" I get

Unable to find type [GeneratePDF].
At C:\Users\user\OneDrive - Company\Documents\WindowsPowerShell\Modules\AzSK\4.4.0\SVT\SVT.ps1:381 char:3

I've encountered this error on v4.4.0 and v4.5.1

PS C:\Users\user> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.18362.628
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.628
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Steps to reproduce

Connect-AzAccount

Get-AzSKSubscriptionSecurityStatus -SubscriptionId <GUID>

Expected behavior

Execute "Get-AzSKSubscriptionSecurityStatus"

Actual behavior

AzSK_ARMTemplateChecker - VNET failure False positive

Title

AzSK_ARMTemplateChecker - VNET failure False positive

Description

When running the AzSK_ARMTemplateChecker from within Azure DevOps, my VNET template fails with the error Azure_VNet_NetSec_Justify_IPForwarding_for_NICs.

My template only contains
Microsoft.Network/virtualNetworks
Microsoft.Network/networkSecurityGroups
Microsoft.Network/routeTables

There's no interface and none with IPForwarding enabled.

Steps to reproduce

Azure Devops CI/CD Build Pipeline with the AzSK_ARMTemplateChecker

checking template with
Microsoft.Network/virtualNetworks
Microsoft.Network/networkSecurityGroups
Microsoft.Network/routeTables

Error
Azure_VNet_NetSec_Justify_IPForwarding_for_NICs

Expected behavior

Only alert when an Interface is within the template with IPForwarding is enabled.

Actual behavior

When running the AzSK_ARMTemplateChecker from within Azure DevOps, my VNET template fails with the error Azure_VNet_NetSec_Justify_IPForwarding_for_NICs.

My template only contains
Microsoft.Network/virtualNetworks
Microsoft.Network/networkSecurityGroups
Microsoft.Network/routeTables

There's no interface and none with IPForwarding enabled.

Azure_EventHub_AuthZ_Use_Min_Permissions_Access_Policies Passed but fails the build

Title

Checking ARM template (in Azure DevOps) with an exported Event Hub passes all checks, which are Azure_EventHub_AuthZ_Use_Min_Permissions_Access_Policies but build task still fails.

Description

When running the ARM Template Checker against an extracted template with an event hub namespace and child resources such as SAS tokens, the template validation result turns out as passed, but it appears that some internal error causes the task to fail overall.

Steps to reproduce

Extract an ARM template from the Azure portal that has an event hub, where the event hub has a shared access policy.

Expected behavior

The checks are all Passed, so the outcome of the template checker task should be successful.

Actual behavior

The ARM template checker task fails with the following debug logs:

Note: These (Verify Manual) control states have been configured to be considered as 'Passed'.
Actual Passed             14
Treated As Passed          2
---------------     --------
Total Passed              16
==============================================================================================
==============================================================================

Note : Summary 'CSV' and detailed 'LOG' output files are available under 'Download all logs as ZIP' option.

==============================================================================
Cleaning logs from temp directory...
##[debug]Caught exception from task script.
##[debug]Error record:
##[debug]Security controls are failing in your ARM template(s).
##[debug]At D:\a\_tasks\AzSKARMTemplateChecker_6102f8a8-06a6-4918-9d2e-c02e1b659d50\4.0.0\ARMTemplateCheckerRuntime.ps1:311 char:21
##[debug]+ ...             throw "Security controls are failing in your ARM template ...
##[debug]+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##[debug]    + CategoryInfo          : OperationStopped: (Security contro...RM template(s).:String) [], RuntimeException
##[debug]    + FullyQualifiedErrorId : Security controls are failing in your ARM template(s).
##[debug] 
##[debug]Script stack trace:
##[debug]at <ScriptBlock>, D:\a\_tasks\AzSKARMTemplateChecker_6102f8a8-06a6-4918-9d2e-c02e1b659d50\4.0.0\ARMTemplateCheckerRuntime.ps1: line 311
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]at <ScriptBlock>, <No file>: line 22
##[debug]at <ScriptBlock>, <No file>: line 18
##[debug]at <ScriptBlock>, <No file>: line 1
##[debug]Exception:
##[debug]System.Management.Automation.RuntimeException: Security controls are failing in your ARM template(s).
##[error]Security controls are failing in your ARM template(s).
##[debug]Processed: ##vso[task.logissue type=error]Security controls are failing in your ARM template(s).
##[debug]Processed: ##vso[task.complete result=Failed]

AKS - Use Latest Version is outdated

Kubernetes - Use Latest Version is outdated

Description

We recently integrated the ARM Checker into our ARM Templates CI process. We are using the latest version of AKS (1.14.0 as of this writing). We receive the following error from the scan:

Failed: [Azure_KubernetesService_Deploy_Use_Latest_Version]

Here is more detail from the CSV report:

ControlId: Azure_KubernetesService_Deploy_Use_Latest_Version
FeatureName: KubernetesService
Status: Failed
SupportedResources: Microsoft.ContainerService/ManagedClusters
Severity: Medium
PropertyPath: resources[0].properties.kubernetesVersion
CurrentValue: "1.14.0"
ExpectedProperty: $.properties.kubernetesVersion
ExpectedValue: Allow '1.11.5'
ResourcePath: resources[0]
Description: The latest version of Kubernetes should be used

It seems that version 1.11.5 is the latest version according to the DevOpsKit.

Steps to reproduce

Create an AKS ARM Template, hardcode the version to "1.14.0" and run the ARM Template Checker.

Expected behavior

The check should pass since 1.14.0 is higher than the latest version coded in the ARM Template Checker (1.11.5).

Actual behavior

The check is failing with the following message:

Failed: [Azure_KubernetesService_Deploy_Use_Latest_Version]

Get-AzSKARMTemplateSecurityStatus, support for linked templates

Get-AzSKARMTemplateSecurityStatus, support for linked templates

Description

We have an API management project following the proposed structure of Azure API Management DevOps Resource Kit, which means we are using linked templates.

When sending in a master template with links, no controls are found in the template and it's skipped in its entirety. I'm guessing that is because it doesn't evaluate or retrieve the linked templates and just checks the master template for controls it can recognize. Microsoft.Resources/deployments not being one of those, ergo the file is skipped.

Any plans on supporting linked templates?

Steps to reproduce

Have two ARM templates, one master which is being deployed and one template that is linked to from the master.

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath C:\temp\master.template.json -ParameterFilePath C:\temp\master.parameters.dev.json -Debug
================================================================================
AzSK Version: 4.3.0
================================================================================
Method Name: Get-AzSKARMTemplateSecurityStatus
Input Parameters:
Key               Value
---               -----
ARMTemplatePath   C:\temp\master.template.json
ParameterFilePath C:\temp\master.parameters.dev.json
Debug             True
================================================================================
================================================================================
Starting analysis: [FileName: .\master.template.json]
--------------------------------------------------------------------------------
No controls have been evaluated for file: .\master.template.json
================================================================================
Skipped file(s): 1
.\master.template.json
--------------------------------------------------------------------------------
One or more files were skipped during the scan.
Either the files are invalid as ARM templates or those resource types are currently not supported by this command.
Please verify the files and re-run the command.
For files that should not be included in the scan, you can use the '-ExcludeFiles' parameter.
--------------------------------------------------------------------------------
No controls have been evaluated for ARM Template(s).
--------------------------------------------------------------------------------
** Next steps **
Look at the individual control evaluation status in the CSV file.
        a) If the control has passed, no action is necessary.
        b) If the control has failed, look at the control evaluation detail in the CSV file (LineNumber, ExpectedValue, CurrentValue, etc.) and fix the issue.
        c) If the control status says 'Skipped', it means that you have chosen to skip certain controls using the '-SkipControlsFromFile' parameter.
For further details, refer: https://aka.ms/devopskit/cicd
--------------------------------------------------------------------------------
Status and detailed logs have been exported to: C:\Users\redacted\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20191209_150524
================================================================================
C:\Users\redacted\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20191209_150524

Expected behavior

All ARM templates are being analyzed.

Actual behavior

Only the "master" template is analyzed, which is of low value when it only contains Microsoft.Resources/deployments resources.

Azure_Keyvault_AuthZ_Min_Access_policies fails with minimal access policy

Title

Azure_Keyvault_AuthZ_Min_Access_policies fails with minimal access policy

Description

See attached image: in the ARM template the minimal (get,list) is set as required by our app, but the check fails.

Steps to reproduce

  • Set keyvault secret/keys access to get/list

Expected behavior

  • Should pass

Actual behavior

  • Fails

Support version '2017-03-01-preview' for Microsoft.Sql/servers/securityAlertPolicies

Title

Support version '2017-03-01-preview' for Microsoft.Sql/servers/securityAlertPolicies

Description

When exporting templates from Azure Portal, the Microsoft.Sql/servers/securityAlertPolicies resource is exported using api version '2017-03-01-preview'. The json for this version is different from the one accepted by AzSK, which is based on api version '2015-05-01-preview'. Examples are that email addresses should be arrays in the 2017 version and emailAccountAdmins is a true boolean type.

Any ARM Template Check fails when using the 2017 version.

Steps to reproduce

Export a SQL Server Database template from Azure Portal and run ARM Template Check using AzSK.

Expected behavior

'2017-03-01-preview' api version Microsoft.Sql/servers/securityAlertPolicies resources can be verified with ARM Template Checker.

Actual behavior

Currently only api version '2015-05-01-preview' will pass ARM Template Check.

AzSK_SVTs release task generates a warning about service principal secret being included in a file on a hosted VM (Only on AzSK Version 3.13.0)

Title

AzSK_SVTs task on the ADO release pipeline generates a warning about a service principal secret that is included in a file and requests confirmation of ensuring that the directory has appropriate protection.

Description

Logs:
##[warning]The provided service principal secret will be included in the 'AzureRmContext.json' file found in the user profile ( C:\Users\VssAdministrator.Azure ). Please ensure that this directory has appropriate protections.

I am looking for help to ensure I can resolve this warning.
Since the release is on a hosted VM and not on a local machine, I would like to believe that the appropriate directory protections are in place.
Accordingly, I would like to attest to the same and remediate this warning.
If there is something else you would like us to do differently in order to get rid of this warning, could you please help me with the steps to do so, as I did not find steps to remediate this warning in the Wiki or the documentation.

This is a non-issue on the AzSK version 3.12.0 but is an issue on the AzSK version 3.13.0.

Steps to reproduce

Expected behavior

As the warning suggests, we can attest to the fact that the directory has appropriate protections and we can attest to the same which would not generate this warning subsequently.

Actual behavior

We cannot suppress the warning and don't have adequate documentation on how to remediate the same.

Install-AzSKOMSSolution shows only results of baseline controls in Log Analytics

Title

Install-AzSKOMSSolution shows only results of baseline controls in Log Analytics

Description

"Query": "AzSK_CL | where TimeGenerated > ago(3d) | summarize arg_max(TimeGenerated, *) by SubscriptionId,ControlId_s | where HasRequiredAccess_b == true and IsBaselineControl_b == true | where FeatureName_s == \"SubscriptionCore\" | extend ControlStatus=iff(ControlStatus_s!= \"Passed\",\"Failed\",\"Passed\") | summarize count() by SubscriptionId,ControlId_s,ControlStatus | summarize AggregatedValue = count() by ControlStatus | sort by AggregatedValue desc",

The key filter being IsBaselineControl_b == true
Can the OMS View take additional parameters for this?

Steps to reproduce

Run Subscription Scan after setting up AzSK OMS Solution

Expected behavior

Log Analytics should show same number of results as csv files generated.

Actual behavior

Log Analytics shows only Baseline Controls

ARM Template Checker considers no controls for deployed resources as a failure

Title

ARM Template Checker considers "no controls" as a failure

Description

There are a number of reasons why a template might not have anything that can be evaluated. In these scenarios, the ARM Template Checker task will write an error to output which fails the task unless the task is set to continue even on failure (resulting in partial success instead).

Since these tasks are intended to alert on or block potentially insecure or mis-configured deployments, this is unfortunate. Until one or more evaluatable policies and/or resources are included, the task either needs to be disabled or set to continue anyway which doesn't protect from future changes.

2019-08-08T06:21:01.8331196Z ================================================================================
2019-08-08T06:21:01.8331581Z AzSK Version: 3.15.0
2019-08-08T06:21:01.8332894Z ================================================================================
2019-08-08T06:21:01.8464474Z Method Name: Get-AzSKARMTemplateSecurityStatus
2019-08-08T06:21:01.8464633Z Input Parameters:
2019-08-08T06:21:01.8464745Z Key Value
2019-08-08T06:21:01.8464889Z --- -----
2019-08-08T06:21:01.8465033Z ARMTemplatePath <snip>\DeploymentTemplate.json
2019-08-08T06:21:01.8465196Z ParameterFilePath <snip>\Parameters\<params>.json
2019-08-08T06:21:01.8465310Z UseBaselineControls True
2019-08-08T06:21:01.8465431Z ================================================================================
2019-08-08T06:21:02.0033489Z ================================================================================
2019-08-08T06:21:02.0034551Z Starting analysis: [FileName: .\DeploymentTemplate.json]
2019-08-08T06:21:02.0035180Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0091041Z No controls have been evaluated for file: .\DeploymentTemplate.json
2019-08-08T06:21:02.0154741Z ================================================================================
2019-08-08T06:21:02.0177074Z Skipped file(s): 1
2019-08-08T06:21:02.0223989Z .\DeploymentTemplate.json
2019-08-08T06:21:02.0318365Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0687490Z One or more files were skipped during the scan.
2019-08-08T06:21:02.0740076Z Either the files are invalid as ARM templates or those resource types are currently not supported by this command.
2019-08-08T06:21:02.0742203Z Please verify the files and re-run the command.
2019-08-08T06:21:02.0742769Z For files that should not be included in the scan, you can use the '-ExcludeFiles' parameter.
2019-08-08T06:21:02.0743115Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0743391Z No controls have been evaluated for ARM Template(s).
2019-08-08T06:21:02.0743818Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0744106Z ** Next steps **
2019-08-08T06:21:02.0744388Z Look at the individual control evaluation status in the CSV file.
2019-08-08T06:21:02.0744686Z a) If the control has passed, no action is necessary.
2019-08-08T06:21:02.0744999Z b) If the control has failed, look at the control evaluation detail in the CSV file (LineNumber, ExpectedValue, CurrentValue, etc.) and fix the issue.
2019-08-08T06:21:02.0745347Z c) If the control status says 'Skipped', it means that you have chosen to skip certain controls using the '-SkipControlsFromFile' parameter.
2019-08-08T06:21:02.0745653Z For further details, refer: https://aka.ms/devopskit/cicd
2019-08-08T06:21:02.0745932Z --------------------------------------------------------------------------------
2019-08-08T06:21:02.0746595Z Status and detailed logs have been exported to: C:\Users\VssAdministrator\AppData\Local\Microsoft\AzSKLogs\ARMChecker\20190808_062101
2019-08-08T06:21:02.0746920Z ================================================================================
2019-08-08T06:21:05.6655092Z Cleaning logs from temp directory...
2019-08-08T06:21:05.8062570Z ##[error]No controls have been evaluated for ARM Template(s).
2019-08-08T06:21:05.9227313Z ##[section]Finishing: AzSK ARM Template Checker

As a note, the above logs are from a setup that works if I remove -UseBaselineControls. The template and its parameters are valid and controls can be evaluated if they are enabled.

Steps to reproduce

This can be repro'd locally with a simple deployment template:

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath "SampleDeployment.json"

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "variables": {
    "ApplicationInsightsName": "MySample"
  },
  "resources": [
    {
      "type": "Microsoft.Insights/components",
      "apiVersion": "2014-08-01",
      "name": "[variables('ApplicationInsightsName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "ApplicationId": "[variables('ApplicationInsightsName')]",
        "Application_Type": "web",
        "Flow_Type": "Bluefield",
        "Request_Source": "rest"
      }
    }
  ]
}

Expected behavior

In my opinion, the error here should only be written if the task actually fails, policies can't be loaded from the server (e.g. organizational policies), the template/parameters specified are invalid, or any other true error scenario. If there are simply no resources to evaluate, no policies to evaluate, or no policies to evaluate for the specified resources, then the task should be considered a success.

It would also be beneficial if the error were more specific to the scenario encountered.

The version of AzSK in the PSGallery differs from here

Title

The version of AzSK in the PSGallery differs from here

Description

The master branch here does not agree with contents of the azsk.nupkg in PSGallery.

Steps to reproduce

  1. git clone this repository
  2. grab a copy of the nupkg in PSGallery at https://www.powershellgallery.com/packages/AzSK/4.2.1
  3. unzip the nupkg
  4. diff -rq shows differences including AzSK.psm1 and ConfigurationHelper.ps1
    and the get-module version using the github copy says 4.0.0.0 while the version
    in current PSGallery shows 4.2.1

Expected behavior

The PSGallery package should agree with some branch in GitHub

Actual behavior

The PSGallery version differs

Update-AzSKOrganizationPolicy fails on Linux due to hard coded "Desktop" folder path.

Running Update-AzSKOrganizationPolicy with PowerShell Core on Linux will fail because the folder "Desktop" is hard coded and, for obvious reasons, it doesn't exist.

$this.FolderPath = Join-Path $([System.Environment]::GetFolderPath("Desktop")) ($prefix + "-Policy");

Importing Az modules. This may take a while...
Join-Path: /root/.local/share/powershell/Modules/AzSK/4.5.1/Framework/Core/PolicySetup/PolicySetup.ps1:149
Line |
 149 |  … = Join-Path $([System.Environment]::GetFolderPath("Desktop")) ($prefi …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot bind argument to parameter 'Path' because it is an empty string.

StackTrace: at CreateInstance, /root/.local/share/powershell/Modules/AzSK/4.5.1/Framework/Core/PolicySetup/PolicySetup.ps1: line 149
at PolicySetup, /root/.local/share/powershell/Modules/AzSK/4.5.1/Framework/Core/PolicySetup/PolicySetup.ps1: line 53
at Update-AzSKOrganizationPolicy<Process>, /root/.local/share/powershell/Modules/AzSK/4.5.1/PolicySetup/PolicySetup.ps1: line 246
at <ScriptBlock>, <No file>: line 12

Cannot deploy Install-AzSKOrganizationPolicy with App insights location set...

Title

Cannot deploy Install-AzSKOrganizationPolicy with App insights location set...

Description

Setting the -AppInsightLocation northeurope or westeurope will result in an error,

Install-AzSKOrganizationPolicy : Parameter set cannot be resolved using the specified named parameters.

Steps to reproduce

Call Install-AzSKOrganizationPolicy with a -AppInsightLocation of north or west europe.

Install-AzSKOrganizationPolicy -SubscriptionId <SUBID> -OrgName "<NAME>" -DepartmentName "<DEP>" -PolicyFolderPath "<C: PATH>" -ResourceGroupLocation westeurope -AppInsightLocation westeurope -ResourceGroupName "<NAME>" -AppInsightName "<NAME>"

Expected behavior

Should set AppInsights location to the north or west europe.

Actual behavior

Error, if this parameter is left out, the app insights will deploy to east US, which is not compliant for us.

Log Analytics Security View shows empty graphs sometimes

Title

Log Analytics Security View shows empty graphs sometimes

Description

Log Analytics Security View shows empty graphs sometimes though corresponding Kusto query for the view gives non-empty result set.

Steps to reproduce

Setup Log Analytics and CA for multiple automation accounts as described on the page:
https://github.com/azsk/DevOpsKit-docs/tree/master/04-Continous-Assurance

Expected behavior

'Security Monitoring using the AzSK' dashboards shows graphs and tables corresponding to the scan results

Actual behavior

'Security Monitoring using the AzSK' dashboards sometimes show empty graphs (screenshot: empty_dashboards).
However, if I click on the "see all" link below, it shows a non-empty result set (screenshot: non-empty-result-set).

ARMControls.json not taken from org policy

ARMControls.json not taken from org policy

Description

I have a custom org policy and I tried using the ARMTemplate checker cmdlet (and CI/CD extension) and it keeps getting its ARMControls.json from https://azsdkossep.azureedge.net/1.0.0/ARMControls.json instead of my org storage account. While digging a little bit, I noticed that this location is hardcoded in Constants.ps1:
static [string] $ARMControlsFileURI = "https://azsdkossep.azureedge.net/1.0.0/ARMControls.json";
and used by ARMCheckerStatus.ps1. So, it seems that there is no way to make it use the ARMControls.json stored in an org policy folder.

Steps to reproduce

Get-AzSKARMTemplateSecurityStatus

Expected behavior

I would have expected the ARM template checker to read the control file provided into the org policy folder. The ARM template checker should behave like the Get-AzSKAzureServicesSecurityStatus cmdlet.

Actual behavior

Install-AzSKContinuousAssurance with custom ResourceGroup name still creates the default AzSKRG

Install-AzSKContinuousAssurance with custom ResourceGroup name still creates the default AzSKRG

Description

When specifying a custom resource group name to install continuous assurance the command still creates the default AzSKRG resource group.

Steps to reproduce

Install AzSK continuous assurance to a subscription with the following command:

Install-AzSKContinuousAssurance -SubscriptionId $subscriptions[0].Id -ResourceGroupNames $rgs -WebhookUrl $webhook -OMSWorkspaceId $omsworkspace.CustomerId.ToString() -OMSSharedKey $omssharedkeys.PrimarySharedKey -AutomationAccountRGName azsk-custom-rg -AutomationAccountLocation westeurope 

Expected behavior

All resources deployed for the AzSK Continuous Assurance are deployed inside the custom azsk-custom-rg resource group

Actual behavior

Some resources are deployed inside the custom resource group and others are deployed inside the default resource group AzSKRG.

Install-Module AzSK Error

Install-Module AzSK -Scope CurrentUser -

Getting error when trying to install AzSK Module

Modules loaded

  Get-module 

Steps to reproduce

Open ISE in Admin Mode
Execute Install-Module AzSK -Scope CurrentUser

Install-Module AzSK -Scope CurrentUser

Expected behavior

Module Installed

Actual behavior

error

PS C:\WINDOWS\system32> Install-Module AzSK -Scope CurrentUser
WARNING: Could not get response from query 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'&$skip=80&$top=40'.
WARNING: Could not get response from query 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'&$skip=120&$top=40'.
PackageManagement\Install-Package : Unable to find dependent module(s) (Azure.Storage)
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.6.5\PSModule.psm1:9385 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Azure.Storage:String) [Install-Package], Exception
    + FullyQualifiedErrorId : UnableToFindDependencyPackage,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Custom Org Policies are not picked up by multiple CA accounts

Title

Custom Org Policies are not picked up by multiple CA accounts

Description

Installed custom Org Policies are not picked up by multiple CA accounts.
The runbook under CA automation account has still a reference to org-neutral policy and the one which was setup: $onlinePolicyStoreUrl = "https://azsdkossep.azureedge.net/`$Version/`$FileName"

Steps to reproduce

Configure multiple CA accounts.
Install custom org policies

AzSK version 4.0.0

Expected behavior

After the installation of the org policies the onlinePolicyStoreUrl is pointing to org policies location, the CA scans are performed according to the policies.

Actual behavior

The URL is not changed, the org-neutral policies are still used.
With AzSK 3.12.0 version the above setup was working successfully.
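A check for the symptom in this report, as an added example that is not AzSK project code: it exports the published CA runbook from each automation account and extracts the $onlinePolicyStoreUrl assignment quoted above, so a scan that silently falls back to the org-neutral store is caught before anyone trusts its results. Assumed names: the runbook is called Continuous_Assurance_Runbook, the account/resource-group pairs in $Accounts are placeholders, and $ExpectedPolicyHost is the blob host of your own org policy storage account.

```powershell
# Added example (not AzSK project code): report which policy store each CA runbook reads from.
param(
    [Parameter(Mandatory)][string]$ExpectedPolicyHost,                 # e.g. 'myorgpolicy.blob.core.windows.net'
    [string]$RunbookName = 'Continuous_Assurance_Runbook',             # assumed CA runbook name
    [hashtable[]]$Accounts = @(                                        # assumed placeholder accounts
        @{ ResourceGroupName = 'AzSKRG';         AutomationAccountName = 'AzSKContinuousAssurance' },
        @{ ResourceGroupName = 'azsk-custom-rg'; AutomationAccountName = 'AzSKContinuousAssurance-2' }
    )
)

$out = Join-Path ([IO.Path]::GetTempPath()) 'azsk-ca-runbooks'
New-Item -ItemType Directory -Force -Path $out | Out-Null

foreach ($acct in $Accounts) {
    $dir = Join-Path $out $acct.AutomationAccountName
    New-Item -ItemType Directory -Force -Path $dir | Out-Null

    # Export the *published* slot: that is the code the schedule actually runs, not a pending draft.
    Export-AzAutomationRunbook -ResourceGroupName $acct.ResourceGroupName `
        -AutomationAccountName $acct.AutomationAccountName `
        -Name $RunbookName -Slot Published -OutputFolder $dir -Force | Out-Null
    $file   = Get-ChildItem -Path $dir -Filter '*.ps1' | Select-Object -First 1
    $script = Get-Content -Raw -Path $file.FullName

    # The runbook keeps the store location in a quoted string containing `$Version / `$FileName placeholders.
    $m   = [regex]::Match($script, '\$onlinePolicyStoreUrl\s*=\s*"([^"]+)"')
    $url = if ($m.Success) { $m.Groups[1].Value } else { '<not found>' }

    # Strip the backtick escapes and replace the placeholders so the string parses as a URI.
    $policyHost = ''
    if ($m.Success) {
        $clean      = ($url -replace '`', '') -replace '\$\w+', 'x'
        $policyHost = ([uri]$clean).Host
    }

    [pscustomobject]@{
        AutomationAccount = $acct.AutomationAccountName
        PolicyStoreUrl    = $url
        UsesOrgPolicy     = ($policyHost -eq $ExpectedPolicyHost)
    }
}
```

A row with UsesOrgPolicy = False and a PolicyStoreUrl still pointing at azsdkossep.azureedge.net is exactly the state described in this report; treat those scan results as evaluated against the generic baseline, not your organisation's controls.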

No configuration files found under folder

No configuration files found under folder

AzSK fails to copy configuration files onto Azure blob

Steps to reproduce

Powershell Version:

PS /Users/user1/.azsk/policies/Config> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS /Users/user1/.azsk/policies/Config>

AzSK Version

AzSK Version: 3.15.0

Expected behavior

Actual behavior

I am referencing a documentation written here: https://azsk.azurewebsites.net/07-Customizing-AzSK-for-your-Org/Readme.html#create-cloud-security-compliance-report-for-your-org-in-powerbi-1

Created policy under local user directory /Users/user1/.azsk/policies. Initial setup did create necessary configuration files:

- AzSK.json
- ControlSettings.json
- ServerConfigMetadata.json

Now, I changed settings in AzSK.json and ControlSettings.json and re-run the setup. However, AzSK can't find any changes in configuration directory (i.e. /Users/user1/.azsk/policies).

Command:

Install-AzSKOrganizationPolicy -SubscriptionId "XXXX-XXXX-XXXX-XXXXXXXXX" -OrgName "Test-AK" -ResourceGroupName "AK-AzSK-Test-001" -StorageAccountName "XXXXXXXXX001" -PolicyFolderPath "/Users/user1/.azsk/policies" -AppInsightName "test-ak-azsk-poc"

The output:

================================================================================
AzSK Version: 3.15.0
================================================================================
Method Name: Install-AzSKOrganizationPolicy (IOP)
Input Parameters:
Name               Alias Value
----               ----- -----
SubscriptionId           XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXd
OrgName                  Test-AK
ResourceGroupName        AK-AzSK-Test-001
StorageAccountName       XXXXXXXXXXXXX001
PolicyFolderPath         /Users/user1/.azsk/policies
AppInsightName           test-ak-azsk-poc

You can also use: iop -SubscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXd -OrgName Test-AK -ResourceGroupName AK-AzSK-Test-001 -StorageAccountName XXXXXXXXX001 -PolicyFolderPath /Users/user1/.azsk/policies -AppInsightName test-ak-azsk-poc
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
Uploading [1] file(s) to container [installer]... All files have been uploaded to container [installer].
No configuration files found under folder [/Users/user1/.azsk/policies/Config]
The setup has been completed and policies have been copied to [/Users/user1/.azsk/policies].
Run the command below to install Organization specific version.
iwr 'https://akazsktestsvc001.blob.core.windows.net/installer/AzSK-EasyInstaller.ps1' -UseBasicParsing | iex

Note: This is a basic setup and uses a public access blob for storing your org's installer. Once you have richer org policies, consider using a location/end-point protected by your tenant authentication.
================================================================================
Logs have been exported to: '/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Enterprise/20190808_143354_IOP'
================================================================================
/Users/user1/.local/share/Microsoft/AzSKLogs/Sub_Enterprise/20190808_143354_IOP
PS /Users/user1/.azsk/policies/Config>

It however finds everything under /Users/user1/.azsk/installer directory and uploads to a blob.

Unable to run AzSK Security Verification Tests due to AzureRM.AnalysisServices

Description

Running the AzSK Security Verification Tests as part of the VSTS Pipeline fails with the following errors:

2018-08-08T17:33:38.0050374Z ##[section]Starting: Security Verification Tests
2018-08-08T17:33:38.0055921Z ==============================================================================
2018-08-08T17:33:38.0056308Z Task         : AzSK Security Verification Tests
2018-08-08T17:33:38.0056638Z Description  : Scan Azure resources for security issues using AzSK.
2018-08-08T17:33:38.0056947Z Version      : 3.0.2
2018-08-08T17:33:38.0057209Z Author       : Microsoft Corporation
2018-08-08T17:33:38.0057527Z Help         : [More Information](http://aka.ms/azskossdocs)
2018-08-08T17:33:38.0057866Z ==============================================================================
2018-08-08T17:33:45.3993773Z Installing Module AzSK...
2018-08-08T17:34:27.1179273Z ##[error]Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".
2018-08-08T17:34:27.1560834Z ##[section]Finishing: Security Verification Tests

Steps to reproduce

PS C:\Users\buildadmin> Install-Module AzSK -Scope CurrentUser -Force -Verbose
VERBOSE: Using the provider 'PowerShellGet' for searching packages.
VERBOSE: The -Repository parameter was not specified.  PowerShellGet will use all of the registered repositories.
VERBOSE: Getting the provider object for the PackageManagement Provider 'NuGet'.
VERBOSE: The specified Location is 'https://www.powershellgallery.com/api/v2/' and PackageManagementProvider is
'NuGet'.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzSK'' for ''.
VERBOSE: Total package yield:'1' for the specified package 'AzSK'.
VERBOSE: Performing the operation "Install-Module" on target "Version '3.4.0' of module 'AzSK'".
VERBOSE: The installation scope is specified to be 'CurrentUser'.
VERBOSE: The specified module will be installed in 'C:\Users\buildadmin\Documents\WindowsPowerShell\Modules'.
VERBOSE: The specified Location is 'NuGet' and PackageManagementProvider is 'NuGet'.
VERBOSE: Downloading module 'AzSK' with version '3.4.0' from the repository
'https://www.powershellgallery.com/api/v2/'.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzSK'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.AnalysisServices'' for ''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ApplicationInsights'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Automation'' for
 ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Batch'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Cdn'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Compute'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataFactories''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataFactoryV2''
for ''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataLakeAnalytics'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.DataLakeStore''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.EventHub'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.HDInsight'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Insights'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.KeyVault'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.LogicApp'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Network'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.NotificationHubs'' for ''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.OperationalInsights'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.RedisCache'' for
 ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Resources'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Scheduler'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ServiceBus'' for
 ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ServiceFabric''
for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Sql'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Storage'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='Azure.Storage'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.StreamAnalytics'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Tags'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.TrafficManager''
 for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Websites'' for
''.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.ContainerInstance'' for ''.
VERBOSE: InstallPackage' - name='AzureRM.profile',
version='4.2.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: DownloadPackage' - name='AzureRM.profile',
version='4.2.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022\AzureRM.profile\AzureRM.profile.nupkg',
uri='https://www.powershellgallery.com/api/v2/package/AzureRM.profile/4.2.0'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/4.2.0'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/4.2.0'.
VERBOSE: Completed downloading 'AzureRM.profile'.
VERBOSE: Hash for package 'AzureRM.profile' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='AzureRM.profile',
version='4.2.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: InstallPackage' - name='Azure.Storage',
version='4.1.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: DownloadPackage' - name='Azure.Storage',
version='4.1.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022\Azure.Storage\Azure.Storage.nupkg',
uri='https://www.powershellgallery.com/api/v2/package/Azure.Storage/4.1.0'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/Azure.Storage/4.1.0'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/Azure.Storage/4.1.0'.
VERBOSE: Completed downloading 'Azure.Storage'.
VERBOSE: Hash for package 'Azure.Storage' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='Azure.Storage',
version='4.1.0',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: InstallPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022'
VERBOSE: DownloadPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\767117022\AzureRM.AnalysisServices\AzureRM.Analysis
Services.nupkg', uri='https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'.
VERBOSE: Could not find a part of the path
'C:\Users\buildadmin\AppData\Local\Temp\767117022\AzureRM.AnalysisServices\AzureRM.AnalysisServices.nupkg'.
VERBOSE: Retry downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2' for '2'
more times
VERBOSE: Download is incomplete. Downloaded '0' out of '0' bytes.
PackageManagement\Install-Package : Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot
convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Excep
   tion
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Validate-ModuleAuthenticodeSignature,Microsoft.Powe
   rShell.PackageManagement.Cmdlets.InstallPackage

And finally trying to install the specific module:

PS C:\Users\buildadmin> Install-Module -Name AzureRM.AnalysisServices -RequiredVersion 0.6.2 -Force -Verbose
VERBOSE: Using the provider 'PowerShellGet' for searching packages.
VERBOSE: The -Repository parameter was not specified.  PowerShellGet will use all of the registered repositories.
VERBOSE: Getting the provider object for the PackageManagement Provider 'NuGet'.
VERBOSE: The specified Location is 'https://www.powershellgallery.com/api/v2/' and PackageManagementProvider is
'NuGet'.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.AnalysisServices'' for ''.
VERBOSE: Total package yield:'1' for the specified package 'AzureRM.AnalysisServices'.
VERBOSE: Performing the operation "Install-Module" on target "Version '0.6.2' of module 'AzureRM.AnalysisServices'".
VERBOSE: The installation scope is specified to be 'AllUsers'.
VERBOSE: The specified module will be installed in 'C:\Program Files\WindowsPowerShell\Modules'.
VERBOSE: The specified Location is 'NuGet' and PackageManagementProvider is 'NuGet'.
VERBOSE: Downloading module 'AzureRM.AnalysisServices' with version '0.6.2' from the repository
'https://www.powershellgallery.com/api/v2/'.
VERBOSE: Searching repository
'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.AnalysisServices'' for ''.
VERBOSE: Searching repository 'https://www.powershellgallery.com/api/v2/FindPackagesById()?id='AzureRM.Profile'' for
''.
VERBOSE: InstallPackage' - name='AzureRM.profile',
version='5.3.4',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
VERBOSE: DownloadPackage' - name='AzureRM.profile',
version='5.3.4',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978\AzureRM.profile\AzureRM.profile.nupkg',
uri='https://www.powershellgallery.com/api/v2/package/AzureRM.profile/5.3.4'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/5.3.4'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.profile/5.3.4'.
VERBOSE: Completed downloading 'AzureRM.profile'.
VERBOSE: Hash for package 'AzureRM.profile' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='AzureRM.profile',
version='5.3.4',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
VERBOSE: InstallPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
VERBOSE: DownloadPackage' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978\AzureRM.AnalysisServices\AzureRM.Analysis
Services.nupkg', uri='https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'
VERBOSE: Downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'.
VERBOSE: Completed downloading 'https://www.powershellgallery.com/api/v2/package/AzureRM.AnalysisServices/0.6.2'.
VERBOSE: Completed downloading 'AzureRM.AnalysisServices'.
VERBOSE: Hash for package 'AzureRM.AnalysisServices' does not match hash provided from the server.
VERBOSE: InstallPackageLocal' - name='AzureRM.AnalysisServices',
version='0.6.2',destination='C:\Users\buildadmin\AppData\Local\Temp\803675978'
PackageManagement\Install-Package : Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot
convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Excep
   tion
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Validate-ModuleAuthenticodeSignature,Microsoft.Powe
   rShell.PackageManagement.Cmdlets.InstallPackage

PS C:\Users\buildadmin>

Positive and Negative drifts of controls are always showing 0 change

Title

Positive and Negative drifts of controls are always showing 0 change

Description

Positive and Negative drifts of controls are always showing 0 change in App Insights Dashboard

Steps to reproduce

Setup Org Policy Monitoring dashboard using a guide here: https://github.com/azsk/DevOpsKit-docs/blob/master/Images/07_OrgPolicy_MonitoringDashboard.png

Expected behavior

Positive and Negative drifts of controls shows actual change across the old and the latest scan.

Actual behavior

Positive and Negative drifts of controls are always showing 0 change in App Insights Dashboard. The query always gives 0 change.

//Negative Drift
let ControlResults = customEvents
| where timestamp < ago(2d) and timestamp >= ago(4d)
| where name == "Control Scanned" and customDimensions.HasAttestationReadPermissions == "True" and customDimensions.HasRequiredAccess == "True"
| summarize arg_max(timestamp, *) by tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName), tostring(customDimensions.ControlId)
| project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId), tostring(customDimensions.ControlId), Oldresult =tostring(customDimensions.VerificationResult)
| join
(
    customEvents
    | where timestamp >= ago(2d)
    | where name == "Control Scanned" and customDimensions.HasAttestationReadPermissions == "True" and customDimensions.HasRequiredAccess == "True"
    | summarize arg_max(timestamp, *) by tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName), tostring(customDimensions.ControlId)
    | project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId), tostring(customDimensions.ControlId), Latestresult = tostring(customDimensions.VerificationResult)
)
on customDimensions_SubscriptionId, customDimensions_SubscriptionName,customDimensions_ResourceId, customDimensions_ControlId
| project tostring(customDimensions_SubscriptionId), tostring(customDimensions_SubscriptionName),tostring(customDimensions_ResourceId), tostring(customDimensions_ControlId),Oldresult,Latestresult;
let OldScan = ControlResults
| where Oldresult == "Passed"
| summarize OldScanCount = count() by tostring(customDimensions_ControlId);
let LatestScan = ControlResults
| where Latestresult == "Passed"
| summarize LatestScanCount = count() by tostring(customDimensions_ControlId);
OldScan
| join
(
    LatestScan
)
on customDimensions_ControlId
| project ControlId=tostring(customDimensions_ControlId),OldStatusCount=OldScanCount,LatestStatusCount=LatestScanCount
| where OldStatusCount != LatestStatusCount and LatestStatusCount < OldStatusCount
| extend Change =OldStatusCount-LatestStatusCount
| order by Change desc
| project ControlId,OldStatusCount,LatestStatusCount,Change
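An added example, not part of the report or of the AzSK dashboard: the posted query groups with summarize arg_max(timestamp, *) by SubscriptionId, SubscriptionName, ControlId, which collapses every control to a single row per subscription (whichever resource was scanned last), so the later count() of "Passed" can never exceed the number of subscriptions, and the join on ResourceId only matches when the same resource happened to be the last one scanned in both windows. The query below keeps ResourceId in the grouping key and joins per resource, so a control that flips on any one resource counts as drift. It is wrapped in a script that runs it against the Application Insights query REST API; the application ID and read-only API key are assumed to be supplied through the two environment variables shown, and a negative Change would be positive drift.

```powershell
# Added example (not AzSK project code): per-resource negative drift of control results.
$AppId  = $env:APPINSIGHTS_APP_ID    # assumed: Application ID from the App Insights "API Access" blade
$ApiKey = $env:APPINSIGHTS_API_KEY   # assumed: read-telemetry API key, kept out of source control

$query = @'
let scoped = customEvents
| where timestamp >= ago(4d)
| where name == "Control Scanned"
    and tostring(customDimensions.HasAttestationReadPermissions) == "True"
    and tostring(customDimensions.HasRequiredAccess) == "True"
| extend SubscriptionId = tostring(customDimensions.SubscriptionId),
         ResourceId     = tostring(customDimensions.ResourceId),
         ControlId      = tostring(customDimensions.ControlId),
         Result         = tostring(customDimensions.VerificationResult);
// One row per (subscription, resource, control) in each window: the latest verdict for that resource.
let OldScan = scoped
| where timestamp < ago(2d)
| summarize arg_max(timestamp, Result) by SubscriptionId, ResourceId, ControlId
| project SubscriptionId, ResourceId, ControlId, OldResult = Result;
let LatestScan = scoped
| where timestamp >= ago(2d)
| summarize arg_max(timestamp, Result) by SubscriptionId, ResourceId, ControlId
| project SubscriptionId, ResourceId, ControlId, LatestResult = Result;
OldScan
| join kind=inner LatestScan on SubscriptionId, ResourceId, ControlId
| summarize OldStatusCount    = countif(OldResult == "Passed"),
            LatestStatusCount = countif(LatestResult == "Passed") by ControlId
| extend Change = OldStatusCount - LatestStatusCount
| where Change > 0            // negative drift: fewer resources pass now than before
| order by Change desc
'@

$resp = Invoke-RestMethod -Method Post `
    -Uri "https://api.applicationinsights.io/v1/apps/$AppId/query" `
    -Headers @{ 'x-api-key' = $ApiKey } `
    -ContentType 'application/json' `
    -Body (@{ query = $query } | ConvertTo-Json -Compress)

# The API returns tables[].columns (names) and tables[].rows (arrays); turn them into objects.
$cols = $resp.tables[0].columns.name
$resp.tables[0].rows | ForEach-Object {
    $row = [ordered]@{}
    for ($i = 0; $i -lt $cols.Count; $i++) { $row[$cols[$i]] = $_[$i] }
    [pscustomobject]$row
} | Format-Table -AutoSize
```

The same KQL can be pasted directly into the dashboard tile; the REST wrapper is only there so the drift figure can be pulled into a pipeline or alert without clicking through the portal.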

Non-interactively run Get-AzSKAzureDevOpsSecurityStatus

Title

Non-interactively run Get-AzSKAzureDevOpsSecurityStatus

Description

We want to be able to run this under a non user account, so that there's not interactive login needed. Is this something that can be placed on your backlog or anything?

Steps to reproduce

Get-AzSKAzureDevOpsSecurityStatus -OrganizationName <"Whatever"> -Credentials $credentialObject

Expected behavior

User is logged in non-interactively.

Actual behavior

Does not exist

CA Multiple accounts setup with custom Org policy

Title

CA Multiple accounts setup with custom Org policy

Description

CA Scan failing with the following error:
Get-AzStorageAccount : Resource group 'AzSKRG' could not be found.
At C:\Modules\User\AzSK\Framework\Core\SVT\SubscriptionCore\SubscriptionCore.ps1:1532 char:27
+ ... rageAccount = Get-AzStorageAccount -ResourceGroupName $AzSKRG | Where ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzStorageAccount], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.GetAzureStorageAccountCommand

Steps to reproduce

Setup multiple CA accounts following instructions here:
https://github.com/azsk/DevOpsKit-docs/tree/master/04-Continous-Assurance

Expected behavior

Scan completed successfully

Actual behavior

The error occurs during a scan execution:
Get-AzStorageAccount : Resource group 'AzSKRG' could not be found.
At C:\Modules\User\AzSK\Framework\Core\SVT\SubscriptionCore\SubscriptionCore.ps1:1532 char:27
+ ... rageAccount = Get-AzStorageAccount -ResourceGroupName $AzSKRG | Where ...
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzStorageAccount], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Management.Storage.GetAzureStorageAccountCommand

Setting UseOnlinePolicyStore to false does not support custom organization policies

Title

Setting UseOnlinePolicyStore to false does not support custom organization policies

Description

Feature request.
Some enterprises have policies restricting the use of Azure storage accounts (FinTech and data exfiltration concerns are one misuse case).

There is no documented (easy) way to create an organization extension according to the instructions at Extending AzSK Modules while disabling UseOnlinePolicyStore.

Steps to reproduce

  1. In AzSKSettings.json, set UseOnlinePolicyStore: false
  2. Follow the instructions in 'Extending AzSK Modules
  3. Run a test and the *.ext.ps1 files are ignored

Expected behavior

A parameter like Get-AzSKOrganizationPolicyStatus -PolicyFolderPath LOCALEXTENSIONS
would allow for local extensions to be made and kept local.

Actual behavior

*.ext.ps1 files are ignored

As a work-around, one can fork the AzSK DevOpsKit and place the extensions directly in the forked SVT/* directory code. At that point UseOnlinePolicyStore: false will work, but this requires forking and altering AzSK.

Malfunctions on PowershellCore OSX & Linux

Title

Malfunctions on PowershellCore OSX & Linux

Description

On OSX and Linux AzSK runs the builtin policies, but fails to upload organization policy extensions to the storage account and fails to run them.

Since outside pull requests are not being accepted, applying the following diffs will make things work:
master...gfrascadorio:master

Steps to reproduce

Issue 685 may also be caused by this problem. If one uses Linux or OSX to follow the instructions for Extending AzSK Modules and then call Install-AzSKOrganizationPolicy or Update-AzSKOrganizationPolicy, no *.ext.ps1 files will be uploaded to the storage account.

The issue seems to be the use of Windows specific:

  • directory separators
  • path separators
  • mode bits
  • non-portable construction of paths using + instead of Join-Path

Expected behavior

*.ext.ps1 files would be uploaded

Actual behavior

Files not uploaded

Standardize Indentation using spaces

Standardize Indentation using spaces

Description

The code is using a mix and match of spaces and tabs at the moment for indenting code.
This is a sore to the eye while reading the code; can this be standardized to only using spaces (1 tab = 4 spaces)?

Steps to reproduce

Open the *.ps1 files from the source code in VSCode (or any other editor) and you'd notice it there.

Expected behavior

Standardized indentation using whitespaces instead of tabs.

Actual behavior

Mix & match of tab & whitespace for indentation.

Support for Azure Government

This would be a very valuable tool for government customers, but when I attempt to run it, even trying to set -Environment, I received "the provided account ... does not have access to subscription ID ..." which is in line with an error from trying to execute against a commercial endpoint.

SVT Jenkins plugin support for Windows node

SVT Jenkins plugin support for Windows node

Description

Adjustments to the Jenkins SVT plugin should occur such that execution is directed at the selected node and not forced to run on the host. Essentially all Jenkins jobs have this node-specific context. It's certainly acceptable to assume that an environment with PowerShell (Windows) is needed, but execution can happen perfectly fine on the node. It's quite common to have a Jenkins setup where the host is not running Windows but a Windows node is available.

Steps to reproduce

  1. Install Jenkins plugin via steps described in https://github.com/azsk/DevOpsKit-docs/blob/master/03-Security-In-CICD/Readme.md#security-verification-tests-svts-in-jenkins-pipeline-preview-1.
  2. Configure new job as described using plugin. Associate job to run on a Windows node.
  3. Receive immediate FATAL: /tmpAzSDKSVTRuntime.ps1 (Permission denied).

Expected behavior

Job runs on the Windows node in its entirety.

Actual behavior

AzSK plugin ignores node-specific environment and attempts to run on the Jenkins host.

Get-AzSKARMTemplateSecurityStatus hangs when receives a bad ARM template as an input for scan

Title

Help to fix the bug which occurs when running Get-AzSKARMTemplateSecurityStatus command on a bad ARM template

Description

I have an ARM template and I am running a security scan against it. When I run the Get-AzSKARMTemplateSecurityStatus command, it hangs in between the scan. It doesn't end or give any errors, just hangs.

Here is my ARM template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "AppServiceName": {
      "type": "string",
      "metadata": {
        "description": "The name of the function app that you wish to create."
      }
    },
    "DomainName": {
      "type": "string"
    },
    "AzureFunction.StorageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    },
    "AzureFunction.StorageAccountName": {
      "type": "string"
    },
    "AppInsightsLocation": {
      "type": "string"
    },
    "HostingPlanName": {
      "type": "string"
    },
    "HostingPlanResourceGroup": {
      "type": "string"
    },
    "SSLThumbprint": {
      "type": "string",
      "metadata": {
        "description": "The thumbprint of the SSL certificate as it should be defined in a hosting plan"
      }
    }
  },
  "variables": {
    "storageAccountid": "[concat(resourceGroup().id,'/providers/','Microsoft.Storage/storageAccounts/', parameters('AzureFunction.StorageAccountName'))]",
    "serverFarmId": "[resourceId(parameters('HostingPlanResourceGroup'),'Microsoft.Web/serverfarms/', parameters('HostingPlanName'))]"
  },
  "resources": [
    {
      "apiVersion": "2015-05-01",
      "name": "[parameters('AppServiceName')]",
      "type": "Microsoft.Insights/components",
      "location": "[parameters('AppInsightsLocation')]",
      "properties": {
        "applicationId": "[parameters('AppServiceName')]"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('AzureFunction.StorageAccountName')]",
      "apiVersion": "2017-06-01",
      "location": "[resourceGroup().location]",
      "kind": "Storage",
      "sku": {
        "name": "[parameters('AzureFunction.StorageAccountType')]"
      }
    },
    {
      "apiVersion": "2016-08-01",
      "type": "Microsoft.Web/sites",
      "name": "[parameters('AppServiceName')]",
      "location": "[resourceGroup().location]",
      "kind": "functionapp",
      "dependsOn": [
        "[resourceId('Microsoft.Insights/components', parameters('AppServiceName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('AzureFunction.StorageAccountName'))]"
      ],
      "properties": {
        "enabledHostnames": [ "[parameters('DomainName')]" ],
        "hostNameSslStates": [
          {
            "name": "[parameters('DomainName')]",
            "sslState": "SniEnabled",
            "thumbprint": "[parameters('SSLThumbprint')]",
            "toUpdate": true
          }
        ],
        "serverFarmId": "[variables('serverFarmId')]"
      },
      "resources": [
        {
          "apiVersion": "2016-08-01",
          "name": "web",
          "type": "config",
          "dependsOn": [
            "[concat('Microsoft.Web/sites/',parameters('AppServiceName'))]"
          ],
          "properties": {
          }
        }
      ]
    },
    {
      "type": "Microsoft.Web/sites/hostnameBindings",
      "name": "[concat(parameters('AppServiceName'),'/',parameters('DomainName'))]",
      "apiVersion": "2016-08-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[concat('Microsoft.Web/sites/',parameters('AppServiceName'))]"
      ],
      "properties": {
        "domainId": null,
        "hostNameType": "Verified",
        "siteName": "[parameters('DomainName')]",
        "toUpdate": true
      }
    }
  ],
  "outputs": {
    "AppInsightsInstrumentationKey": {
      "value": "[reference(resourceId('Microsoft.Insights/components', parameters('AppServiceName')), '2015-05-01').InstrumentationKey]",
      "type": "string"
    }
  }
}

Save this ARM somewhere on your File System to reproduce the issue.

Steps to reproduce

Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath "PathToTheAboveARM"

Expected behavior

It should result in giving me an ARMChecker folder with the result in the form of csv file and the PowerShell output file.

Actual behavior

It hangs in between the security scan.
Is it a known issue? When any bad ARM template is received as input to the command, does it hang?
Could you please work on this bug of handling the hang issue?

Install-AzSKContinuousAssurance fails when specifying a list of RG

Title

Install-AzSKContinuousAssurance fails when specifying a list of RG

Description

Install-AzSKContinuousAssurance fails when specifying a comma separated list of resource groups as parameters

Steps to reproduce

Execute Install-AzSKContinuousAssurance command providing for ResourceGroupNames parameter a comma separated list of resource groups

Install-AzSKContinuousAssurance -SubscriptionId <SubscriptionId> `
        -ResourceGroupNames <ResourceGroupName1>, <ResourceGroupName2> `
        -OMSWorkspaceId <WorkspaceId> `
        -OMSSharedKey <SharedKey>

Expected behavior

The command executed successfully

Actual behavior

The command fails with the following error:

[screenshot: rg-error]

Get-AzSKARMTemplateSecurityStatus seems to fail under linux containers

Title

Get-AzSKARMTemplateSecurityStatus seems to fail under linux containers

Description

Get-AzSKARMTemplateSecurityStatus seems to fail under linux containers

Steps to reproduce

Run Get-AzSKARMTemplateSecurityStatus under any linux docker container. It fails on CSV file creation because of the path issues. $Env:LOCALAPPDATA is null under Linux containers, and then the path does not get created at all.

Export-Csv : Could not find a part of the path '/Microsoft/AzSKLogs/ARMChecker/20190325_061020/ARMCheckerResults_20190325_061020.csv'.
At /opt/microsoft/powershell/6/Modules/AzSK/3.11.0/Framework/Core/ARMChecker/ARMCheckerStatus.ps1:232 char:16
+ ...        $csvResults| Export-Csv $csvFilePath -NoTypeInformation -Force
+                         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OpenError: (:) [Export-Csv], DirectoryNotFoundException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand

Name                           Value
----                           -----
PSVersion                      6.1.3
PSEdition                      Core
GitCommitId                    6.1.3
OS                             Linux 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Expected behavior

  • It works
  • Ideally, there is a docker container for this project

Actual behavior

It fails on path creation under linux container.

This is actually related to Enable Get-AzSKARMTemplateSecurityStatus to Output results to Array #267 issue raised by @PlagueHO. A very opinionated approach on creating CSV files with no way to specify path or disable it at all, or get the output array of result objects. Should we have an option to get an array as output, this problem would partly go away.

The very challenge is integration with other tools:

  • CI/CD scenarios
  • broader analytic gathering across hundreds of applications and templates (we need to push output data into Splunk, AppInsights, etc but don't have this ability)
  • making additional decisions on should we fail / pass the build
  • other internal automation where we need to analyse output and trigger different rules (eg, notify security team on specific violations)

I might help with this fix, looking into source code.
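The two Linux/macOS reports above (extensions not uploaded because of Windows-only separators and `+` path concatenation, and the ARM checker failing because `$Env:LOCALAPPDATA` is null in a container) have the same root cause. The following is an added example, not AzSK code, of how the same output path can be built portably. It assumes PowerShell Core 6 or later (for `$IsWindows`/`$IsLinux`/`$IsMacOS`) and uses the `Microsoft/AzSKLogs/ARMChecker/<stamp>` layout from the error message purely as an illustration.

```powershell
# Added example (not AzSK code): build log/output paths portably across
# Windows, Linux and macOS. The folder layout mirrors the one in the error
# message above but is only an illustration.

function Get-PortableLocalAppDataPath {
    # On Windows this is %LOCALAPPDATA%. On Linux/macOS .NET maps it to
    # $XDG_DATA_HOME or ~/.local/share. In a minimal container HOME may be
    # unset, in which case GetFolderPath returns an empty string; fall back
    # to the temp directory instead of producing a rooted "/Microsoft/..." path.
    $base = [System.Environment]::GetFolderPath(
        [System.Environment+SpecialFolder]::LocalApplicationData)
    if ([string]::IsNullOrWhiteSpace($base)) {
        $base = [System.IO.Path]::GetTempPath()
    }
    return $base
}

function New-PortableLogFolder {
    param(
        [Parameter(Mandatory)] [string[]] $Segments,
        [string] $Root = (Get-PortableLocalAppDataPath)
    )
    # Join-Path inserts the platform's separator; string concatenation with a
    # literal '\' is what breaks on Unix.
    $path = $Root
    foreach ($segment in $Segments) {
        $path = Join-Path -Path $path -ChildPath $segment
    }
    # -Force creates intermediate directories and is idempotent.
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    return $path
}

# Separators differ per platform; never hard-code '\' or ';'.
$dirSep  = [System.IO.Path]::DirectorySeparatorChar   # '\' on Windows, '/' on Unix
$listSep = [System.IO.Path]::PathSeparator            # ';' on Windows, ':' on Unix
$modulePaths = $env:PSModulePath -split [regex]::Escape($listSep)

$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$folder = New-PortableLogFolder -Segments @('Microsoft', 'AzSKLogs', 'ARMChecker', $stamp)
$csv    = Join-Path -Path $folder -ChildPath "ARMCheckerResults_$stamp.csv"

# Constructed sample row (not real scanner output); Export-Csv now succeeds
# on all three platforms because the directory exists and is rooted correctly.
[pscustomobject]@{ ControlId = 'Sample'; Status = 'Passed' } |
    Export-Csv -Path $csv -NoTypeInformation -Force

"Platform: Windows=$IsWindows Linux=$IsLinux macOS=$IsMacOS"
"Directory separator: '$dirSep'  Path list separator: '$listSep'  PSModulePath entries: $($modulePaths.Count)"
"Wrote $csv"
```

The `GetFolderPath` fallback is the part that matters for containers: when `HOME` is unset the .NET mapping yields an empty string, and joining segments onto an empty root is exactly how a path like `/Microsoft/AzSKLogs/...` ends up being requested.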

SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.

Title

SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.

Description

AzSK ContinuousAssurance fails to run with the message:

SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.

Steps to reproduce

PS /Users/user1/.azsk/policies/Config> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

PS /Users/user1/.azsk/policies/Config>

Expected behavior

I expected AzSK CA to run properly

Actual behavior

AzSK CA errors out complaining that AzSK module is not available.

SA: The module: {AzSK} is not available/ready. Skipping AzSK scan. Will retry in the next run.

However it is listed under modules:


Enable encryption of Automation account (Preview)

Title

Enable encryption of Automation account (Preview)

Description

Make the variables used for the CA_Runbook encrypted

Steps to reproduce

Just look at security center after install of the CA runbook from AZSK
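As an added example, not AzSK code, this is how the finding can be audited and remediated from the client side. It assumes the Az.Automation module, an authenticated Az session, and the account and resource group names the AzSK CA installer uses elsewhere on this page ('AzSKContinuousAssurance' in 'AzSKRG'); adjust both to your deployment.

```powershell
# Added example (not AzSK code): list Automation variables stored in
# plaintext and switch them to encrypted.
# Assumptions: Az.Automation module, authenticated session, and the names
# 'AzSKRG' / 'AzSKContinuousAssurance' (adjust to your deployment).

function Get-PlaintextAutomationVariable {
    param(
        [string] $ResourceGroupName     = 'AzSKRG',
        [string] $AutomationAccountName = 'AzSKContinuousAssurance'
    )
    # Each variable object carries an Encrypted boolean; plaintext ones are the
    # finding. Encrypted values are not returned to the client (Value is $null),
    # so this audit never prints a secret.
    Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                             -AutomationAccountName $AutomationAccountName |
        Where-Object { -not $_.Encrypted } |
        Select-Object Name, Encrypted, Description, LastModifiedTime
}

function Set-AutomationVariableEncrypted {
    param(
        [string] $ResourceGroupName     = 'AzSKRG',
        [string] $AutomationAccountName = 'AzSKContinuousAssurance',
        [Parameter(Mandatory)] [string[]] $Name
    )
    foreach ($n in $Name) {
        $v = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                -AutomationAccountName $AutomationAccountName -Name $n
        if ($v.Encrypted) { "$n is already encrypted"; continue }
        # A plaintext value is readable from the client, so it can be
        # re-submitted with Encrypted = $true. Runbooks keep reading it with
        # Get-AutomationVariable inside the sandbox; only portal/API reads stop
        # showing the value.
        Set-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName `
            -Name $n -Value $v.Value -Encrypted $true | Out-Null
        "$n is now encrypted"
    }
}

# Audit first; remediate once you have confirmed nothing outside the runbook
# relies on reading the value back through the management API.
$plain = Get-PlaintextAutomationVariable
$plain | Format-Table -AutoSize
# $plain | ForEach-Object { Set-AutomationVariableEncrypted -Name $_.Name }
```

The remediation line is commented out on purpose: once a variable is encrypted, tooling that reads it through `Get-AzAutomationVariable` from outside the runbook will receive `$null`, so check for such consumers before flipping the flag.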

Incorrectly tagged code needs to be ignorable

Description

I have discovered that game code, which needs to be secured now, with everything being online and with online transactions,

The issue is that some code like Random rng = new Random(); triggers an error. There needs to be a way, in code, to ignore that one line; otherwise these checks are useless for secure game development.

Cannot specify location of RG "AzSKRG".

Cannot specify location of RG "AzSKRG".

Description

When executing Set-AzSKSubscriptionSecurity ... -TargetResourceGroup azsk it still provisions an AzSKRG in "East US ".

Is it possible to specify that all resources gets provisioned to "West Europe"?

Steps to reproduce

Set-AzSKSubscriptionSecurity -SubscriptionId xxx -SecurityContactEmails "xxx" -SecurityPhoneNumber "xxx" -TargetResourceGroup xxx -AlertResourceGroupLocation "West Europe"

Expected behavior

It should be possible to specify to target location of all provisioned resources.

Actual behavior

It always creates resources in "East US 2".

Integration of DevOpsKit with Terraform

Title

Integration of DevOpsKit with Terraform

Description

I am looking at leveraging the DevOpsKit with a number of different infrastructure orchestrators. Are there plans to extend the ARM Template checker to integrate more tightly with terraform?

Enable Get-AzSKARMTemplateSecurityStatus to Output results to Array

Title

Enable Get-AzSKARMTemplateSecurityStatus to Output results to Array so that it facilitates use cases within test automation frameworks like PowerShell Pester.

Description

This is a fantastic module! But I'd like to see it providing better functionality in the automation/CI/CD/DevOps space. For example, I'd like to be able to easily use this in Pester (PowerShell Testing framework).

I also want to easily suppress/prevent Write-Host output, as forcing output to the host isn't a PowerShell best practice; I should be allowed to decide if I want to see the output.

Describe 'ARM template best practices' -Tag 'AzSK' {
    Context 'When AzSK module is installed and run on all files in the Templates folder' {
        It 'Should not have any failed results' {
            $results = Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath (Join-Path -Path $TemplatePath -ChildPath '*.json') -Preview:$true -DoNotOpenOutputFolder
            $results.FailedCount | Should -Be 0
        }
    }
}

Note: I would be happy to contribute a PR for this, but as you've not got a contribution model set up then... 😢 Also, as there don't appear to be any unit tests for the module, I'd be a little bit hesitant.

Steps to reproduce

I want to be able to do something like this (a Pester test):

Describe 'ARM template best practices' -Tag 'AzSK' {
    Context 'When AzSK module is installed and run on all files in the Templates folder' {
        It 'Should not have any failed results' {
            $results = Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath (Join-Path -Path $TemplatePath -ChildPath '*.json') -Preview:$true -DoNotOpenOutputFolder -SuppressHostOutput
            $results.FailedCount | Should -Be 0
        }
    }
}

Expected behavior

My test is run and no additional host output is generated and $results object contains a summary of the result and the passed and failed tests on each ARM template.

Actual behavior

Lots of Write-Host and the result is just a path to the location the files are output to. I then need to use additional steps to load and parse the output for failures.
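Until the cmdlet returns objects, the Pester use case above can be met with a wrapper. This is an added example, not AzSK code: it relies on the cmdlet returning the output folder path (as the post describes), on that folder containing an `ARMCheckerResults_*.csv` file (the file name shown in the Linux-container report on this page), and on the CSV having a `Status` column whose failing rows read `Failed`. The column name and value are assumptions; confirm them against one real CSV before relying on the count. Silencing the banner output uses the fact that `Write-Host` writes to the information stream (stream 6) since PowerShell 5.0, which is a language feature rather than anything AzSK provides.

```powershell
# Added example (not AzSK code): wrap the scanner so Pester can assert on counts.
# Assumptions: the cmdlet returns the output folder path; that folder holds
# ARMCheckerResults_*.csv; the CSV has a 'Status' column with 'Failed' rows.
# The column and value names are assumptions; adjust after inspecting one CSV.

function Invoke-ArmCheckerSummary {
    param(
        [Parameter(Mandatory)] [string] $TemplatePath,
        [string] $StatusColumn = 'Status',
        [string] $FailedValue  = 'Failed'
    )
    # Write-Host goes to the information stream (6) since PowerShell 5.0, so
    # redirecting stream 6 hides the banner without hiding errors (stream 2).
    # The cmdlet may emit more than one object; the folder path is the last one.
    $outputFolder = @(Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath $TemplatePath `
        -DoNotOpenOutputFolder 6>$null)[-1]

    $csvFile = Get-ChildItem -Path $outputFolder -Filter 'ARMCheckerResults_*.csv' |
        Select-Object -First 1
    if (-not $csvFile) { throw "No ARMCheckerResults CSV found under $outputFolder" }

    $rows   = @(Import-Csv -Path $csvFile.FullName)
    $failed = @($rows | Where-Object { $_.$StatusColumn -eq $FailedValue })

    [pscustomobject]@{
        OutputFolder = $outputFolder
        TotalCount   = $rows.Count
        FailedCount  = $failed.Count
        Failed       = $failed
    }
}

Describe 'ARM template best practices' -Tag 'AzSK' {
    It 'Should not have any failed results' {
        $results = Invoke-ArmCheckerSummary -TemplatePath (Join-Path -Path $TemplatePath -ChildPath '*.json')
        $results.FailedCount | Should -Be 0
    }
}
```

Because the returned object carries the failed rows themselves, the same wrapper feeds the other integrations mentioned on this page (pushing results to Splunk or Application Insights, or failing a build on specific control IDs) without re-parsing the CSV each time.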

Azure_AppService_DP_Dont_Allow_HTTP_Access_Fn not reporting a valid state

Azure_AppService_DP_Dont_Allow_HTTP_Access_Fn not reporting a valid state

Description

When running a subscription scan, the control Azure_AppService_DP_Dont_Allow_HTTP_Access_Fn reports functions as "passed" although SSL is not enforced.

Steps to reproduce

Get-AzSKAzureServicesSecurityStatus

Expected behavior

I assume that the function apps which do not have HTTPS enforced should be reported as failed.

Actual behavior

Function Apps allowing both HTTP & HTTPS are listed as "passed" for the above control.
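A quick way to cross-check the control's result independently of AzSK is to read the site's HTTPS-only flag directly. This is an added example, not AzSK code; it assumes the Az.Websites module, an authenticated session, and that the subscription under test is already selected with Set-AzContext.

```powershell
# Added example (not AzSK code): list function apps that still serve plain HTTP,
# i.e. the sites the control above should report as failed.
# Assumptions: Az.Websites module, authenticated session, subscription selected.

function Get-FunctionAppAllowingHttp {
    param([string] $ResourceGroupName)
    $apps = if ($ResourceGroupName) {
        Get-AzWebApp -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzWebApp   # whole subscription
    }
    # Function apps report Kind 'functionapp' (or 'functionapp,linux', ...).
    # HttpsOnly is the site property behind the portal's "HTTPS Only" toggle;
    # $false means HTTP requests are served rather than redirected to HTTPS.
    $apps |
        Where-Object { $_.Kind -like 'functionapp*' -and -not $_.HttpsOnly } |
        Select-Object Name, ResourceGroup, Kind, HttpsOnly, DefaultHostName
}

function Set-FunctionAppHttpsOnly {
    # Remediation: enforce HTTPS on each offender piped in from the audit above.
    param([Parameter(Mandatory, ValueFromPipeline)] $App)
    process {
        Set-AzWebApp -ResourceGroupName $App.ResourceGroup -Name $App.Name -HttpsOnly $true | Out-Null
        "$($App.Name): HttpsOnly enforced"
    }
}

$offenders = Get-FunctionAppAllowingHttp
$offenders | Format-Table -AutoSize
# $offenders | Set-FunctionAppHttpsOnly
```

If this list is non-empty while the AzSK scan shows the control as passed for the same apps, that is the evidence to attach to the issue.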

Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'

Title

Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'

Description

When executing any of the AzSK commands under Ubuntu 14.04 or 18.04, they fail with the reason:
Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'

Steps to reproduce

Execute

$PSVersionTable
Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Linux 3.13.0-163-generic #213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
Get-AzSKAzureServicesSecurityStatus <subscription_id>

Expected behavior

The command execute successfully

Actual behavior

The commands gives an error: "Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'" and does not execute till the end

CA: Error importing module AzSK

Title

CA: Error importing module AzSK

Description

When installing a CA solution for a subscription, importing the AzSK module very often fails.
To fix it you need to reinstall the CA for the subscription.
[screenshot: AzSKImportingModuleFailed]

Steps to reproduce

Install-AzSKContinuousAssurance -SubscriptionId <SubscriptionId> `
        -ResourceGroupNames <ResourceGroupNames> `
        -OMSWorkspaceId <WorkspaceId> `
        -OMSSharedKey <SharedKey>

Expected behavior

AzSK module status is Available

Actual behavior

AzSK module status is Failed

Install-AzSKContinuousAssurance Error

Install-AzSKContinuousAssurance Error

Error message: "New-AzureRmAutomationSchedule : BadRequest: Argument requestScheduleData with value Orchestrator.Schedules.DataAccess.Models.ScheduleAllData is not valid. At \AzSKPreview\3.3.0\Framework\Core\ContinuousAssurance\CAAutomation.ps1:2554 char:4"

Error message: "The start time of the schedule must be at least 5 minutes after the time you create the schedule."

Steps to reproduce

Open Visual Studio Code
I have tested against both AzSK 3.2.0 and 3.3.0
Install-Module AzSK -Scope CurrentUser -force -allowclobber
Install-AzSKContinuousAssurance -SubscriptionId -ResourceGroupNames -OMSWorkspaceId -OMSSharedKey

Expected behavior

Actual behavior

Error.

AZSK module is not available in automation account

AZSK module is not available in automation account

Description

Trying to install AzSK Continuous Assurance Automation account:

Steps to reproduce

Create AzSK Continuous Assurance Account:

PS C:\Users\azureuser> Install-AzSKContinuousAssurance -SubscriptionId $subId -AutomationAccountLocation $location -AutomationAccountRGName $rgname -ResourceGroupNames 'AK-TEST-0001,captain-america,aaas-rg' -OMSWorkspaceId $lawsId -OMSSharedKey $omsKey -AzureADAppName 'AzSk-Assurance' -ScanIntervalInHours 24

Auto-update for AzSK is currently not enabled for your machine. To set it, run the command below:
Set-AzSKPolicySettings -AutoUpdate On

A newer version of AzSK is available: Version 4.0.0
To update, run the command below in a fresh PS window:
Install-Module -Name AzSK -Scope CurrentUser -AllowClobber -Force
Using the latest version ensures that AzSK security commands you run use the latest, most up-to-date controls.
Results from the current version should not be considered towards compliance requirements.
================================================================================
================================================================================
AzSK Version: 3.15.0
================================================================================
Method Name: Install-AzSKContinuousAssurance (ICA)
Input Parameters:
Name                      Alias Value
----                      ----- -----
SubscriptionId            sid   XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AutomationAccountLocation loc   eastus2
AutomationAccountRGName   aargn AK-AzSK-Test-001
ResourceGroupNames        rgns  AK-TEST-0001,aaas-rg
LAWSId                    wid   XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX
LAWSSharedKey             wkey  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AzureADAppName            spn   AzSk-Assurance
ScanIntervalInHours       si    24

You can also use: ica -sid XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -loc eastus2 -aargn AK-AzSK-Test-001 -rgns AK-TEST-0001,aaas-rg -wid XXXXXXXX-XXXX-X
 -si 24
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
================================================================================
Started setting up Automation Account for Continuous Assurance (CA)
================================================================================
Creating Automation Account: [AzSKContinuousAssurance]
Found AAD application in the directory: [AzSk-Assurance]
Generating new credential for AzSK CA SPN
Configuring permissions for AzSK CA SPN. This may take a few min...
Adding SPN to [Contributor] role at [AzSKRG] resource group scope...
WARNING: Ignoring error while assigning CA SPN permissions for SPN: [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX].
WARNING: Make sure this SPN is 'Contributor' on AzSKRG and 'Reader' on the subscription.
Successfully configured AzSK CA Automation Account with SPN.
Creating a storage account: [azsk201908XXXXXXXX] for storing reports from CA scans.
Updating runbook: [Continuous_Assurance_Runbook]
--------------------------------------------------------------------------------
Completed setup phase-1 for AzSK Continuous Assurance.
Setup phase-2 has been triggered and will continue automatically in the background. This involves loading all PS modules CA requires to run, scheduling runbook, etc
You can check the overall status of installation using the 'Get-AzSKContinuousAssurance' command 2 hours after running 'Install-AzSKContinuousAssurance' command.
Once phase-2 setup completes, your subscription and resources (from the specified resource groups) will be scanned periodically by CA. All security control evaluati
You may subsequently update any of the parameters specified during installation using the 'Update-AzSKContinuousAssurance' command. If you specified '*' for resourc
You should use the AzSK Monitoring solution to monitor your subscription and resource health status.
================================================================================
Logs have been exported to: 'C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_130552_ICA'
================================================================================
C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_130552_ICA
PS C:\Users\azureuser>

Wait 2hours for phase2 to get completed. Display AzSK Continuous Assurance Account:

PS C:\Users\azureuser> Get-AzSKContinuousAssurance -AutomationAccountName AzSKContinuousAssurance -SubscriptionId $subId -AutomationAccountRGName $rgname

Auto-update for AzSK is currently not enabled for your machine. To set it, run the command below:
Set-AzSKPolicySettings -AutoUpdate On

A newer version of AzSK is available: Version 4.0.0
To update, run the command below in a fresh PS window:
Install-Module -Name AzSK -Scope CurrentUser -AllowClobber -Force
Using the latest version ensures that AzSK security commands you run use the latest, most up-to-date controls.
Results from the current version should not be considered towards compliance requirements.
================================================================================
================================================================================
AzSK Version: 3.15.0
================================================================================
Method Name: Get-AzSKContinuousAssurance (GCA)
Input Parameters:
Name                    Alias Value
----                    ----- -----
AutomationAccountName   aan   AzSKContinuousAssurance
SubscriptionId          s     XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AutomationAccountRGName aargn AK-AzSK-Test-001

You can also use: gca -aan AzSKContinuousAssurance -s XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -aargn AK-AzSK-Test-001
================================================================================
Running AzSK cmdlet using a generic (org-neutral) policy...
================================================================================
Started validating your AzSK Continuous Assurance (CA) setup...
================================================================================
Check 01: Presence of CA Automation Account.
Status:   OK. Found the CA Automation Account: [AzSKContinuousAssurance].
--------------------------------------------------------------------------------
Check 02: Checking CA Runbook version.
Status:   OK. CA runbook is healthy.
--------------------------------------------------------------------------------
Check 03: Inspecting CA module: [AZSK].
Status:   Failed. AZSK module is not available in automation account.
To resolve this please run command 'Remove-AzSKContinuousAssurance' followed by 'Install-AzSKContinuousAssurance'.
--------------------------------------------------------------------------------
Summary of CA configuration:
Name                          Value
----                          -----
AltLAWSId                     NULL
AppResourceGroupNames         AK-TEST-0001,aaas-rg
AutomationAccountName         AzSKContinuousAssurance
AzSKReportsStorageAccountName azsk201908XXXXXXXX
AzureADAppID                  XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AzureADAppName                AzSk-Assurance
CertificateExpiry             2/15/2020 1:05:59 PM -05:00
LAWSId                        XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Runbooks                      Continuous_Assurance_Runbook
RunbookVersion                Current version: [3.1902.0] Latest version: [3.1902.0]
Schedules                     CA_Scan_Schedule (Frequency: 24 Hour)
WebhookUrl                    NULL
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Found that AzSK Continuous Assurance (CA) is not correctly setup or functioning properly.
Review the failed check and follow the remedy suggested. If it does not work, please file a support request after reviewing the FAQ.
--------------------------------------------------------------------------------
================================================================================
Logs have been exported to: 'C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_151456_GCA'
================================================================================
C:\Users\azureuser\AppData\Local\Microsoft\AzSKLogs\Sub_Enterprise\20190814_151456_GCA
PS C:\Users\azureuser>

As you can see, the account creation failed. I don't know what is going on here. Why would it fail?

:(

Status of this project

Hi team,

The project looks interesting yet there are a few things which are really confusing.

  • what is this at all? pet-project or official guide? if so, by whom?
  • future / roadmap, the doco has not been updated since 2017 (will it go away?)
  • support model?
  • who is behind this project? most commiters aren't in Microsoft org as per GitHub profiles
  • should we rely / use it?
  • will it be dropped or abandoned?
  • is this another "open-source, fix your problems yourself"?
  • is this production ready?
  • who does these guides?
  • how to evaluate a risk of using this project and then being stuck with issues, bugs and no to little support?
  • etc

I hope these are reasonable concerns. Again, the project looks great, yet this is not the only variable in usage evaluation.

Source code of the AzSK Azure DevOps Extension

Hello,

I know it might not be the right location to post this issue but you might help and redirect me to the appropriate location. I'm testing the AzSK Azure DevOps marketplace extension and I would have liked to propose a new feature (through a fork & pull request) but the source isn't published on GitHub it seems. Any clue why or am I wrong? I can of course change it only for myself but I had the impression that AzSK is a community driven effort.

Thanks
Best Regards
