azsk / devopskit-docs Goto Github PK

Right now i can skip controls with the task Az ARM template checker with the "skip control from file".
But i can't seem to find the option to skip files or in how the documentation said ThreatAsPassed option in the Az security verification test. Is this also an possibility in the Az svt ?

Context of my environment: I have run an custom organisation policy where i add these to my azure devops ci/cd pipeline.
Next to that i added the resource group AzSKRG and with the command Get-AzSKAzureServicesSecurityStatus Been adding attestation statusses to some of the controls I found it not necessary to fail the pipeline. But with the last step I have some problems

I am trying to make some of the manual and verify controls to "passed" so that my developing team can run this flawless in the pipeline and i just verify the controls once every 90 days (the expiration days).
The problem i have ATM is that i can't add attestation statusses to these controlID's

Azure_APIManagement_AuthZ_Restrict_Caller_IPs
Azure_APIManagement_DP_Restrict_Critical_APIs_Access
Azure_KeyVault_AuthZ_Grant_Min_Access_policies
Azure_APIManagement_DP_Use_Secure_TLS_Version
Azure_APIManagement_DP_Dont_Reveal_Backend_Info
Azure_APIManagement_AuthZ_Enable_Requires_Approval

for the keyvault i have no clue why i can't add the attestation status. this is my output of my powershell command

================================================================================
AzSK Version: 3.8.0 
================================================================================
Method Name: Get-AzSKAzureServicesSecurityStatus (GRS)
Input Parameters: 
Name                  Alias Value                                         
----                  ----- -----                                         
SubscriptionId        s     xxxxxxxxxxxxxxxxxxxxxxxxxxxxx         
DoNotOpenOutputFolder dnof  True                                          
ResourceType          rt    Microsoft.KeyVault/vaults                     
ResourceGroupNames    rgns  xxxxxxxxxx                           
ControlIds            cids  Azure_KeyVault_AuthZ_Grant_Min_Access_policies
ControlsToAttest      cta   All                                           
AttestationStatus     as    NotAnIssue                                    
JustificationText     jt    Quarterly check 

You can also use: grs -s xxxxxxxxxxxxxxxxx -dnof  -rt Microsoft.KeyVault/vaults -rgns xxxxxxxx Azure_KeyVault_AuthZ_Grant_Min_Access_policies -cta All -as NotAnIssue -jt Quarterly check  
================================================================================
Running AzSK cmdlet using security policy...
Number of resources: 1
Number of resources for which security controls will be evaluated: 1
================================================================================
Starting analysis: [FeatureName: KeyVault] [ResourceGroupName: xxxxxxxxx] [ResourceName: xxxxxxxxxx] 
--------------------------------------------------------------------------------
Checking: [KeyVault]-[All Key Vault access policies must be defined with minimum required permissions to keys and secrets]
--------------------------------------------------------------------------------
Completed analysis: [FeatureName: KeyVault] [ResourceGroupName: xxxxxxxxxxxx] [ResourceName: xxxxxxxx] 
================================================================================
Summary  Total Verify
-------  ----- ------
High         1      1
------  ------ ------
Total        1      1
------  ------ ------
================================================================================
** Next steps **
Look at the individual control evaluation status in the CSV file.
        a) If the control has passed, no action is necessary.
        b) If the control has failed, look at the control evaluation detail in the LOG file to understand why.
        c) If the control status says 'Verify', it means that human judgement is required to determine the final control stat
us. Look at the control evaluation output in the LOG file to make a determination.
        d) If the control status says 'Manual', it means that AzSK (currently) does not cover the control via automation OR A
zSK is not able to fetch the data. You need to manually implement/verify it.

Note: The 'Recommendation' column in the CSV file provides basic (generic) guidance that can help you fix a failed control. Y
ou can also use standard Azure product documentation. You should carefully consider the implications of making the required c
hange in the context of your application. 
Control results may not reflect attestation if you do not have permissions to read attestation data from AzSKRG
--------------------------------------------------------------------------------
Status and detailed logs have been exported to path - C:\Users\xxxxxxxx\AppData\Local\Microsoft\AzSKLogs\xxxxxxxx\20181218_171945_GRS\
================================================================================
################################################################################

Starting Control Attestation workflow in bulk mode...
--------------------------------------------------------------------------------
Warning: 
Please use utmost discretion when attesting controls. In particular, when choosing to not fix a failing control, you are taki
ng accountability that nothing will go wrong even though security is not correctly/fully configured. 
Also, please ensure that you provide an apt justification for each attested control to capture the rationale behind your deci
sion.
Do you want to continue (Y/N): Y
--------------------------------------------------------------------------------
No. of candidate resources for the attestation: 1
================================================================================
Info: Starting attestation [1/1]- [FeatureName: KeyVault] [ResourceGroupName: xxxxxx] [ResourceName: xxxxxxxx] 
--------------------------------------------------------------------------------
No. of controls that need to be attested: 1
--------------------------------------------------------------------------------
ControlId            : Azure_KeyVault_AuthZ_Grant_Min_Access_policies
ControlSeverity      : High
Description          : All Key Vault access policies must be defined with minimum required permissions to keys and secrets
CurrentControlStatus : Verify

--------------------------------------------------------------------------------
Attestation summary for this resource:

ControlId                                      EvaluatedResult EffectiveResult AttestationChoice
---------                                      --------------- --------------- -----------------
Azure_KeyVault_AuthZ_Grant_Min_Access_policies          Verify          Passed NotAnIssue       



Committing the attestation details for this resource...
Commit succeeded.
--------------------------------------------------------------------------------
Completed attestation: [FeatureName: KeyVault] [ResourceGroupName: xxxxxxx] [ResourceName: xxxxxx] 

As for the api management controlID's , I've looked inside my powershell module folder inside
C:\Program Files\WindowsPowerShell\Modules\AzSK\3.8.0\Framework\Configurations\SVT\Services
And searched for the control ID's in the apimanagement.json
But couldn't find it in the json files, Maybe inside the powershell module these control's are not present and inside the azsk pipeline task they are .

The VSTS Task for AzSK fails with below error. Even though the subscription details are provided.
There is no detailed logs as well which tells what were the parameter values at runtime.
#[error]Cannot validate argument on parameter 'Subscription'. The argument is null or empty.

Is it on the road map to add services to the ARM template checker for the ARM template checker ?
It would be nice if the list of services from the baseline controls are being upgraded to more Azure Services.

We found the findings for ExpressRoute vNet settings being not applicable in a hub and spoke setting.
AzSK is complaining about vNET peering and UDRs in ExpressRoute connected subnets.

Our engineers tell us that these need to be present in a hub and spoke setting.

Jörg

Hi Team,
May I ask about currently Azure Secure DevOps Kit and Security intelligence Sense only Support C# only?
Any Roadmap for future improvement to support other programming language?

Thank You.

When browsing the documentation at https://azsk.azurewebsites.net/README.html the left hand menu bar includes a link labeled "Advanced Features". This link is pointed at https://azsk.azurewebsites.net/08-Advanced-Features/Readme.md which is invalid and results in the user recieving the error
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

08-Advanced-Features appears to have been renamed to 08-Miscellaneous-Features in GitHub but this link has not been updated.

If the AzureRM.Profile module is already loaded I get this error when importing azsk

get-module

ModuleType   Version    Name
Script                **5.3.0      AzureRM.Profile**

I have the latest azure modules and also some old versions as well.

gmo AzureRM -List

ModuleType   Version    Name
Script              **6.3.0      AzureRM**

ipmo azsk

Import-Module : The following error occurred while loading the extended type data file: Error in TypeData
"Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer": The TypeConverter was ignored because it already occurs.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer": The member SerializationDepth is already
present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache": The member PropertySerializationSet is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache": The member SerializationMethod is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache": The member PropertySerializationSet is already
present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache": The member SerializationMethod is already present.
Error in TypeData "Microsoft.Azure.Commands.Profile.Models.PSAzureContext": The member SerializationDepth is already present.
Error in TypeData "Microsoft.Azure.Commands.Profile.Models.PSAzureProfile": The member SerializationDepth is already present.
At line:1 char:1
 ipmo azsk
 ~~~~~~~~~
     CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException
     FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

If I remove the module it loads fine. . . however I get another error.

remove-module azurerm.profile
ipmo azsk

ipmo : Exception calling "Add" with "2" argument(s): "The key 'New-AzureRmManagedApplicationDefinition:ResourceGroupName' has already been added to
the dictionary."
At line:1 char:1
+ ipmo azsk
+ ~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Module], MethodInvocationException
    + FullyQualifiedErrorId : PSArgumentException,Microsoft.PowerShell.Commands.ImportModuleCommand

Then if I run it a second time, it actually loads.

ipmo azsk
Importing AzureRM modules. This may take a while...

I have seen this with other people that I collaborate with as we start to use this toolkit.

Solution/workaround

After testing a few things I found the problem relates to this:

The required module 'AzureRM.Profile' with version '4.2.0' is not loaded. Load the module or remove the module from 'RequiredModules' in the
file 'C:\Program Files\WindowsPowerShell\Modules\azsk\3.2.0\azsk.psd1'.

Since I have a newer version of the AzureRM modules and I still had the old version it was loading the old version, however that was in conflict with the other AzureRM modules that I have on the system.

As a solution for this . . would it be possible instead of doing this is the psd1

    # Modules that must be imported into the global environment prior to importing this module
    RequiredModules        = @(
        @{ModuleName = 'AzureRM.Profile'; RequiredVersion = '4.2.0'}
		@{ModuleName = 'Azure.Storage'; RequiredVersion = '4.1.0'}
		@{ModuleName = 'AzureRM.AnalysisServices'; RequiredVersion = '0.6.2'}
		@{ModuleName = 'AzureRM.ApplicationInsights'; RequiredVersion = '0.1.1'}
		@{ModuleName = 'AzureRM.Automation'; RequiredVersion = '4.2.0'}
		@{ModuleName = 'AzureRM.Batch'; RequiredVersion = '4.0.4'}
		@{ModuleName = 'AzureRM.Cdn'; RequiredVersion = '4.1.0'}
		@{ModuleName = 'AzureRM.Compute'; RequiredVersion = '4.2.0'}

Just use the parent Module instead which is AzureRM.

I.e. if you do

install-module azurerm -force it will install ALL pre-req azure modules

So replace all of the above with the following: i.e. just the parent module and use minimumversion instead of required version.

# Modules that must be imported into the global environment prior to importing this module
        RequiredModules        = @(
        @{ModuleName = 'AzureRM';ModuleVersion = '6.3.0'}
        )

Then also in the C:\Program Files\WindowsPowerShell\Modules\azsk\3.2.0\azsk.psm1

So are you able to please remove all of these ?

Import-Module AzureRM.Profile -RequiredVersion 4.2.0  
Import-Module Azure.Storage -RequiredVersion 4.1.0
Import-Module AzureRM.AnalysisServices -RequiredVersion 0.6.2
Import-Module AzureRM.ApplicationInsights -RequiredVersion 0.1.1
Import-Module AzureRM.Automation -RequiredVersion 4.2.0
Import-Module AzureRM.Batch -RequiredVersion 4.0.4
Import-Module AzureRM.Cdn -RequiredVersion 4.1.0
Import-Module AzureRM.Compute -RequiredVersion 4.2.0
Import-Module AzureRM.DataFactories -RequiredVersion 4.1.0
Import-Module AzureRM.DataFactoryV2 -RequiredVersion 0.5.0
. . . . . . ..

replace them with:

import-module -name azurerm -MinimumVersion 6.3.0

or whatever the minimum supported version is.

As Security Center is not available in Azure China yet, we need some alternative security solution badly in China Azure. Could you please update this tool to support China Azure Environment? Thank you.

Using Visual Studio 2017 hosted agent

Build task logs below...

2018-10-16T20:29:58.9274096Z ##[section]Starting: AzSK_ARMTemplateChecker
2018-10-16T20:29:58.9278046Z ==============================================================================
2018-10-16T20:29:58.9278166Z Task : AzSK ARM Template Checker
2018-10-16T20:29:58.9278259Z Description : Scan ARM templates for security issues using AzSK.
2018-10-16T20:29:58.9278331Z Version : 1.0.4
2018-10-16T20:29:58.9278413Z Author : Microsoft Corporation
2018-10-16T20:29:58.9278488Z Help : More Information
2018-10-16T20:29:58.9278583Z ==============================================================================
2018-10-16T20:30:16.9541239Z Installing Module AzSK...
2018-10-16T20:31:10.1696046Z ##[error]Package 'AzureRM.profile' failed to be installed because: End of Central Directory record could not be found.
2018-10-16T20:31:10.1995334Z ##[section]Finishing: AzSK_ARMTemplateChecker

Hello: I followed the steps here:
https://azsk.azurewebsites.net/05-Alerting-and-Monitoring/Readme.html, including setting the LAWSId and Key and reopening the PoSH session. I then execute a few Get-AzSKAzureServicesSecurityStatus commands.

I can see the empty visualization in LA, and I can see my events in the AzSK_CommandEvent_CL custom log. However, I am not seeing the AzSK_CL custom log and all queries to it fail (not found). Likewise, the charts fail - Failed to resolve table or column expression named 'AzSK_CL'

Thank you.

I get this error when running AZSK in Azure DevOps pipieline ,

All templates pass except the service bus template with this error ,

2019-10-09T22:42:49.8566355Z ##[error]One or more files were skipped during the scan. Either the files are invalid as ARM templates or those resource types are currently not supported by this command. I am using the template from your git repo and tested with other ARM templates as well.

2019-10-09T22:42:43.3991274Z No controls have been evaluated for file: D:\a\r1\a\azsktest\drop\servicebus.json
2019-10-09T22:42:43.4023614Z
2019-10-09T22:42:43.4045682Z No controls have been evaluated for file: D:\a\r1\a\azsktest\drop\servicebus2.json
2019-10-09T22:42:43.4112803Z

Whilst PowerShell ISE is installed by default on most Windows Machines, it is no longer the recommended from Microsoft Editor for PowerShell Scripts, which would now be VS Code using the PowerShell Extension.

This has many benefits

• Introduces and implements use of various Source Control Providers.
• Multi-language, cross platform, development environment
• Multi extension support

Whilst it may not be able to be a Replacement in this docs - the documentation should make it clear that VSCode is Microsoft's suggested Code Editor for PowerShell going forward and suggest that they at least investigate it further

Will be nice, if we will can install everything from trusted repository.

PS C:\Users\username> Install-Module AzSK -Scope CurrentUser

NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or
newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program
Files\PackageManagement\ProviderAssemblies' or
'C:\Users\username\AppData\Local\PackageManagement\ProviderAs
semblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion
2.8.5.201 -Force'. Do you want PowerShellGet to install and
import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

Untrusted repository
You are installing the modules from an untrusted repository.
If you trust this repository, change its InstallationPolicy
value by running the Set-PSRepository cmdlet. Are you sure
you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend
[?] Help(default is "N"):

We have installed DevOps Tools kit on Ubuntu 14.04, 18.04:

$PSVersionTable
Name                           Value
----                           -----
PSVersion                      6.2.0
PSEdition                      Core
GitCommitId                    6.2.0
OS                             Linux 3.13.0-163-generic #213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Issue When trying to execute one of the tool commands, for instance:
Get-AzSKAzureServicesSecurityStatus <subscription_id>
It fails with the following reason:
Could not find a part of the path '/Microsoft/AzSK/AzSKSettings.json'.

There is a work around to this issue - to create the folders structure and the file manually. Then the command will start executing however in the end of the execution it fails again because a folder under /Microsoft/AzSK/timestamp to store logs and report does not exist.

Is there a way to find a total list of all the checks that are being checked with the AZsk_ ARM template checker.
Reason why: I want to create a skip controls from file to dismiss checks that are not that bad for me to faile a deployment. But i can't seem to find a total list!

You might consider to change the finding on ASC auto-onboarding (auto-provisioning).
This setting is not required if an appropriate DINE policy for installing and assigning the MMA on all machines is present. In fact, this policy comes with ASC and the recommendation might be misleading.
If the admin is not careful with configuring auto-provisioning, he might end up with a new ALA workspace for each subscription. We prefer to do it with a policy.
Jörg Finkeisen, Cybersec Arch, Microsoft Services

When attempting to run Set-AzSKAzureSecurityCenterPolicies, it is returning an 400 error when attempting to update security contact information. There are no VMs configured in my subscription so this cmdlet should check if VMs are created in the subscription and then not try to update them. The report should also not flag this as an issue either when no VMs exist.

When using version 1.0.9 of the AzSK ARM Template Checker that's installed in our IaaS TFS (version 16.131.28002.2) from the marketplace, the build task "AzSK_ARMTemplateChecker" is intolerant of supplied file paths containing spaces. The error reported is "Cannot bind argument to parameter 'Path' because it is an empty string". Selecting any path that does not include spaces allows the task to run as intended. For example, consider the following two paths provided to the ARM template file path or folder path field within the task, both containing identical files and sub-folder structures.

Works: WindowsServer2016/ARMTemplates
Does not work: WindowsServer2016/ARM Templates

Note that sub-folders can contain spaces, it's just the path provided to the task that can't.

I just install DevOps Tools kit on Windows 10.

PS C:\work\azsk> $PSVersionTable

Name Value

PSVersion 5.1.17134.228
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17134.228
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

PS C:\work> cd .\azsk
PS C:\work\azsk> Get-AzSKAzureServicesSecurityStatus -subscriptionId xxxxxxxx
Get-AzSKAzureServicesSecurityStatus : The 'Get-AzSKAzureServicesSecurityStatus' command was found in the module
'AzSK', but the module could not be loaded. For more information, run 'Import-Module AzSK'.
At line:1 char:1

• Get-AzSKAzureServicesSecurityStatus -subscriptionId xxxxxxxx ...

•   + CategoryInfo          : ObjectNotFound: (Get-AzSKAzureServicesSecurityStatus:String) [], CommandNotFoundExceptio
   n
    + FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
  
  

PS C:\work\azsk> Import-Module AzSK
Import-Module : The following error occurred while loading the extended type data file: Error in TypeData
"Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer": The TypeConverter was ignored
because it already occurs.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer": The member
SerializationDepth is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache": The member
PropertySerializationSet is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache": The member
SerializationMethod is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache": The member
PropertySerializationSet is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache": The member
SerializationMethod is already present.
Error in TypeData "Microsoft.Azure.Commands.Profile.Models.PSAzureContext": The member SerializationDepth is already
present.
Error in TypeData "Microsoft.Azure.Commands.Profile.Models.PSAzureProfile": The member SerializationDepth is already
present.
At line:1 char:1

• Import-Module AzSK

•   + CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException
    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand
  
  

PS C:\work\azsk> $env:PSModulePath
C:\Users\rajin\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules

if possible please update references from Find-AzureRMResource to Get-AzureRMResource

or just add the alias:

new-alias -Name find-azurermresource -Value Get-AzureRmResource

This was updated in AzureRM v6.0 +
https://github.com/Azure/azure-powershell/releases/tag/v6.0.0-May2018

Not sure if the later azurerm modules are supported, however I prefer to use the latest azurerm modules, so this is a workaround. . .

e.g. the following works fine after updating the modules, then adding the alias back.

Get-AzSKInfo -InfoType SubscriptionInfo -SubscriptionId xyz

I am evaluating the AzSK for my enterprise. During an initial pass using the ARMTemplateChecker, I discovered that my V2 storage account in the ARM template are ignored. Will this be supported in the near future? Thanks!

I've just launched Install-AzSKContinuousAssurance to configure CA against some of our resources. I included the AutomationAccountRGName parameter to ensure resources created confirm to our naming conventions. Surprisingly the Resource Group named "AZSKRG" was created anyway and it appears to only contain blob storage.

Can Install-AzSKContinuousAssurance be updated to not create the default resource group at all... or are there steps I can follow to relocate this blob storage?

If I am using AzSK CA setup in a CentralSub mode. How do I gather information about all the subscriptions that are the Target subscriptions in the Central Mode?

I need this information to validate that all our Subscriptions are under CA.
I could locate that there is a file located in the StorageAccount\ca-multisubscan-config\TargetSubs.json which contains the subscriptionIds, is this the source of truth for the target subscriptions?

Hi

How to proceed with Install and Update if the module with the new Az module ?

PS C:\WINDOWS\system32> Get-InstalledModule Az

Even with the Enable-AzureRMAlias the install will not proceed normally:

PS C:\WINDOWS\system32> install-module azsk
PackageManagement\Install-Package : The following commands are already available on this
system:'Login-AzAccount,Logout-AzAccount,Resolve-Error,Send-Feedback'. This module 'AzureRM.profile' may override the
existing commands. If you still want to install this module 'AzureRM.profile', use -AllowClobber parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package],
   Exception
    + FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailable,Microsoft.PowerShell.Pack
   ageManagement.Cmdlets.InstallPackage

Any recommendations to be added to the FAQ?

Cheers

I get the following error when trying to run a security status scan against my subscription: "Warning: The current user/login context does not have permission to access DevOps Kit control attestations. Due to this, control scan results may not reflect attestation."

The Execution policy is set to remote signed. The documentation says to not run Powershell ISE as an administrator, which I didn't. And I connected to my Azure subscription via Powershell using a Global admin account. What am I missing?

Thanks!

If i am correctly following step wil use the controls you give so that you can get a customated Azsk check instead of the default provided of the Azsk team.

I want to do the same thing but in my Azure devops ci/cd pipeline. For now I understand from following step that you add the blob url that was uploaded during following command but here the custom baseline controls i changed in my local folder from this step is not being uploaded or being called with the url's in the AzSK.json in the blob.
So my question is , is it possible to use custom baselinecontrols with an pipeline task and can anyone pls tell me which step I forget or which thing I did wrong ?

Showing only desktop on the screenshot and I tried with PS Core and got a lot of errors.

https://github.com/azsk/DevOpsKit-docs/blob/master/09-AzureDevOps(VSTS)-Security/ControlCoverage/Feature/Organizaiton.md

Also in the URL that the link goes to and on that documentation page.

I was wondering where the attestation status is being stored if you upload your custom organisation policy to a blob storage ?

Trying to execute AzSK.AzureDevOps, but getting an error. It seems there is an issue with the OrganizationName parameter.

Get-Command -Module AzSK.AzureDevOps version:

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-AzSKAzureDevOpsSecurityStatus                  0.9.7      AzSK.AzureDevOps
Function        Set-AzSKAzureDevOpsPolicySettings                  0.9.7      AzSK.AzureDevOps

Exception thrown, is like expecting a Subscription ID instead of an AzureDevops/VSTS organization name:

PS C:\Users\user> Get-AzSKAzureDevOpsSecurityStatus

cmdlet Get-AzSKAzureDevOpsSecurityStatus at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
OrganizationName: ORGNAME
The type initializer for 'CommandHelper' threw an exception.
At C:\Users\user\Documents\WindowsPowerShell\Modules\AzSK.AzureDevOps\0.9.7\SVT\SVT.ps1:72 char:3
+         [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], TypeInitializationException
    + FullyQualifiedErrorId : System.TypeInitializationException

Subscription Id [ORGNAME] is malformed. Subscription Id should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
At C:\Users\user\Documents\WindowsPowerShell\Modules\azsk\3.15.0\Framework\Abstracts\AzSKRoot.ps1:25 char:4
+             throw [SuppressedException] ("Subscription Id [$subscript ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], SuppressedException
    + FullyQualifiedErrorId : Subscription Id [ORGNAME] is malformed. Subscription Id should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).


StackTrace: at AzSKRoot, C:\Users\user\Documents\WindowsPowerShell\Modules\azsk\3.15.0\Framework\Abstracts\AzSKRoot.ps1: line 25
at CommandBase, C:\Users\user\Documents\WindowsPowerShell\Modules\azsk\3.15.0\Framework\Abstracts\CommandBase.ps1: line 9
at SVTCommandBase, C:\Users\user\Documents\WindowsPowerShell\Modules\AzSK.AzureDevOps\0.9.7\Framework\Abstracts\SVTCommandBase.ps1: line 18
at ServicesSecurityStatus, C:\Users\user\Documents\WindowsPowerShell\Modules\AzSK.AzureDevOps\0.9.7\Framework\Core\SVT\ServicesSecurityStatus.ps1: line 5
at Get-AzSKAzureDevOpsSecurityStatus, C:\Users\user\Documents\WindowsPowerShell\Modules\AzSK.AzureDevOps\0.9.7\SVT\SVT.ps1: line 81
at , : line 1

When running the SVT for Azure Blob Storage V2, we get failures to the controlID Azure_Storage_Audit_AuthN_Requests. On debugging we found that it's due to the fact that for the "File" Azure Storage type diagnostics retention days is not set to 365. While we have ARM templates to set Retention days for Blob, Queue and Table, we have not found any ARM template that can help us set the Retention Days of "File" Storage type for Hour metrics. The example ARM template for Storage does not have sections for setting Diagnostic metric logging at all. Any guidance?

It seems so far we can only use the custom policies defined under \Framework\Configurations\SVT\Services\<service>.json
https://github.com/azsk/DevOpsKit-docs/tree/master/07-Customizing-AzSK-for-your-Org#c-creating-a-custom-control-baseline-for-your-org
Would it be possible to add custom policies to <service.json>? For example looks at VirtualNetwork140 in \Framework\Configurations\SVT\Services\VirtualNetwork.json, if I need to add custom condition to check list trusted white listed IP's of my organization in inbound NSG rules, would it be possible?

 {
      "ControlID": "Azure_VNet_NetSec_Configure_NSG",
      "Description": "NSG should be used for subnets in a virtual network to permit traffic only on required inbound/outbound ports. NSGs should not have a rule to allow any-to-any traffic",
      "Id": "VirtualNetwork140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfigured",
      "Rationale":  "Restricting inbound and outbound traffic via NSGs limits the network exposure of the subnets within a virtual network and limits the attack surface.",
      "Recommendation": "Configure NSG rules to be as restrictive as possible via: (a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Edit 'Allow' action rules. (b) Azure Portal -> Network security groups. -> <Your NSG> -> Outbound security rules -> Edit 'Allow' action rules.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "Properties"
      ]
    },

I have modules AzureRM v6.6.0 and AzSK v3.4.0

This is the error I get while executing Import-Module AzSK

PS C:\> Import-Module AzSk
Import-Module : The following error occurred while loading the extended type data file: Error in TypeData 
"Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer": The TypeConverter was 
ignored because it already occurs.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.Abstractions.IAzureContextContainer": The 
member SerializationDepth is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache": The member 
PropertySerializationSet is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.ProtectedFileTokenCache": The member 
SerializationMethod is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache": The 
member PropertySerializationSet is already present.
Error in TypeData "Microsoft.Azure.Commands.Common.Authentication.AuthenticationStoreTokenCache": The 
member SerializationMethod is already present.
Error in TypeData "Microsoft.Azure.Commands.Profile.Models.PSAzureContext": The member SerializationDepth 
is already present.
Error in TypeData "Microsoft.Azure.Commands.Profile.Models.PSAzureProfile": The member SerializationDepth 
is already present.
At line:1 char:1
+ Import-Module AzSk
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Import-Module], RuntimeException
    + FullyQualifiedErrorId : FormatXmlUpdateException,Microsoft.PowerShell.Commands.ImportModuleCommand

Hi,
This is a great tool to take the proactive decisions before deploying any unsafe resource to the cloud.
I am trying to use Get-AzSKARMTemplateSecurityStatus this command to automate the security checking for ARM templates. The thing that I observed after running this command is - the pattern of the output folder is fixed which is yyyymmdd_hhmmss.
My scenario here is running multiple security scans for ARM templates simultaneously. If I am running same command for multiple different ARM templates at the same time let's say 20181210_121212, then all the results will clash. To avoid this, if we could get the ability to rename/create custom folder for this result then it would be very helpful.

I am not sure if anybody needed this in the past, I am not using VSTS CI/CD pipeline right now, but using some other automation tool to automate the things, hence need this custom output folder name change.

Is it possible to get this done?

Thanks,
Avinash

https://azsk.azurewebsites.net/

The three links under the get started section are not clickable.
F12 on chrome indicates that the "What's New" text in the next div is messing with the layout.
The links work fine on deleting the "What's new" part.

Hi there,

I am trying to perform Security Test on the one of the Resource Groups with this task on my Azure DevOps instance and using 3.1.2 version of task. It throwing the below error:

2019-06-20T18:12:12.7170594Z ##[section]Starting: AzSK_SVTs
2019-06-20T18:12:12.7472686Z ==============================================================================
2019-06-20T18:12:12.7472814Z Task : AzSK Security Verification Tests
2019-06-20T18:12:12.7472915Z Description : Scan Azure resources for security issues using AzSK.
2019-06-20T18:12:12.7472987Z Version : 3.0.11
2019-06-20T18:12:12.7473071Z Author : Microsoft Corporation
2019-06-20T18:12:12.7473144Z Help : More Information
2019-06-20T18:12:12.7473484Z ==============================================================================
2019-06-20T18:12:21.2618687Z Installing Module AzSK...
2019-06-20T18:13:18.2599929Z Importing Az modules. This may take a while...
2019-06-20T18:13:25.5984563Z Successfully updated privacy settings.
2019-06-20T18:13:26.5352767Z --------------------------------------------------------------------------------
2019-06-20T18:13:26.5353812Z We have added new queries for the Monitoring solution. These will help reflect the aggregate control pass/fail status more accurately. Please go here to get them: https://aka.ms/devopskit/omsqueries
2019-06-20T18:13:26.5389920Z Successfully changed policy settings
2019-06-20T18:13:26.6125100Z Log Analytics workspace logging is turned off.
2019-06-20T18:13:26.6254443Z Clearing AzSK session state...
2019-06-20T18:13:26.6504576Z Session state cleared.
2019-06-20T18:13:33.0769212Z A new version of AzSK is available. Starting the auto-update workflow...
2019-06-20T18:13:33.0769694Z To prepare for auto-update, please:
2019-06-20T18:13:33.0769868Z a) Save your work from all active PS sessions including the current one and
2019-06-20T18:13:33.0822784Z b) Close all PS sessions other than the current one.
2019-06-20T18:13:33.1770434Z Read-Host : Windows PowerShell is in NonInteractive mode. Read and Prompt functionality is not available.
2019-06-20T18:13:33.1771257Z At C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\CommandBase.ps1:250 char:22
2019-06-20T18:13:33.1771891Z + $userChoice = Read-Host "Continue (Y/N)"
2019-06-20T18:13:33.1772083Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~
2019-06-20T18:13:33.1773553Z + CategoryInfo : InvalidOperation: (:) [Read-Host], PSInvalidOperationException
2019-06-20T18:13:33.1773772Z + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.ReadHostCommand
2019-06-20T18:13:33.1773963Z
2019-06-20T18:13:33.1774044Z
2019-06-20T18:13:33.1774201Z StackTrace: at InvokeAutoUpdate, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\CommandBase.ps1: line 250
2019-06-20T18:13:33.1774380Z at CheckModuleVersion, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\CommandBase.ps1: line 183
2019-06-20T18:13:33.1774573Z at CommandStarted, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\SVTCommandBase.ps1: line 68
2019-06-20T18:13:33.1774741Z at InvokeFunction, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\CommandBase.ps1: line 98
2019-06-20T18:13:33.1775169Z at InvokeFunction, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\CommandBase.ps1: line 82
2019-06-20T18:13:33.1775347Z at EvaluateControlStatus, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\Framework\Abstracts\SVTCommandBase.ps1: line 132
2019-06-20T18:13:33.1775532Z at Get-AzSKAzureServicesSecurityStatus, C:\Program Files\WindowsPowerShell\Modules\AzSK\3.13.0\SVT\SVT.ps1: line 253
2019-06-20T18:13:33.1775682Z at , : line 1
2019-06-20T18:13:33.1775855Z at , G:\AZSKagent_work_tasks\AzSKSVTs_c016cc55-9914-4a9c-b9df-f24d6f9a40f6\3.0.11\AzSKSVTRuntime.ps1: line 250
2019-06-20T18:13:33.1776007Z at , : line 1
2019-06-20T18:13:33.1776129Z at , : line 22
2019-06-20T18:13:33.1776803Z at , : line 18
2019-06-20T18:13:33.1778607Z at , : line 1
2019-06-20T18:13:34.1910152Z ##[error]Could not perform AzSK SVTs scan. Please check if task configurations are correct.
2019-06-20T18:13:34.2917287Z ##[error]Unable to perform security scan. Please check task configurations/variables
2019-06-20T18:13:34.5041713Z ##[section]Finishing: AzSK_SVTs

When I try to perform the same test using the same task in other Azure DevOps instance, it is working fine. Could you please help

Hi,
Since last week, all of a sudden the SVT task in our release is giving the error "The specified module 'AzSK' was not loaded because no valid module file was found in any module directory" out of nothing. I have read the FAQ which is mentioning this issue and disabled the checkbox as mentioned.
Nevertheless the issue stil exists.

I also tried to delete the task in all build agents on our build server, it downloads the task again when a release is kicked of, but it ends up in the same issue.

Does anyone have an idea on how to resolve this issue when using your own build server w. agents?

Hi,
Great product! I encountered an issue with ARM Template Checker. I know the posts says "but it is possible that folder may contain some ARM Template(s) that are not valid or currently not supported by ARM Checker. In this case AzSK ARM Template Checker Task will skip those file(s) and will fail."

I wonder what kind of ARM templates won't work?

All my ARM templates got skipped:

Skipped file(s): 9
\DV\AppServiceAppSettings_Short.parameters.json
\DV\DV-DV-Teleclaim-AI.parameters.json
\DV\DV-DV-Teleclaim-FCN.parameters.json
\DV\DV-DV-Teleclaim-PLAN.parameters.json
\DV\DV-DV-Teleclaim-WEB.parameters.json
\DV\DV-DV-Teleclaim-WEB_AppSettings.parameters.json
\DV\DV-DV-Teleclaim-WEB_IpRestriction.parameters.json
\DV\DV-DV-Teleclaim-WEB_Slots.parameters.json
\DV\wsdvteleclaim01.parameters.json

One or more files were skipped during the scan. Either the files are invalid as ARM templates or those resource types are currently not supported by this command.
Please verify the files and re-run the command. For files that should not be included in the scan, you can use the '-ExcludeFiles' parameter.

Thanks,
Dennis

All the controls that fail on the Enable_Diagnostics_Log. Give the exception that the retention policy days must be at least 365 (or the number you give in ControlSettings : Diagnostics_RetentionPeriod_Min) and must be enabled.

But when i change the number in Controlsettings to 7 (just as an example) and my retention policy is set to 100 days it still fails . After some debugging i found out the retention policy must be set on the amount i set in ControlSettings.

In the file ´C:\Program Files\WindowsPowerShell\Modules\AzSK\3.9.0\Framework\Abstracts\SVTBase` I found the Powershell method checkDiagnosticSetting whereby the code says

($_.RetentionPolicy.Days -eq $this.ControlSettings.Diagnostics_RetentionPeriod_Forever -or $_.RetentionPolicy.Days -eq $this.ControlSettings.Diagnostics_RetentionPeriod_Min))};

I think the issue is whereby the function -eq is used . instead of equal or greater to create the situation 'at least x days '
To change this inside my custom orginisation to my policy folder is somewhat of a challenge.
Can someone give me any help on this issue , Isn't it strange that the retention policy need all to be the same as the one in the ControlSettings , and that contradicts the error message "at least".

Hi,

For SVT, we want to setup our own organizational online policy URL, so we can choose which rules to scan. How do you do that with OnlinePolicyStoreUrl?

Is there any sample Policy file we can explore around?

from "AzSKSettings.json file":
"EnableAADAuthForOnlinePolicyStore": false,
"OnlinePolicyStoreUrl": "https://azsdkossep.azureedge.net/$Version/$FileName",

Thanks,
Dennis

For your actual (production) policies, we recommend that you check them into source control and use the local close of that folder as the location for the AzSK org policy setup command when uploading to the policy server. In fact, setting things up so that any policy modifications are pushed to the policy server via a CICD pipeline would be ideal. (That is how we do it at CSE.)

Hello,

Do you have an example of this? Since I would like to start with doing that.

preferably an azure-pipelines.yml ;)

Hi there,

We're trying to specify our own controls to validate and check our arm templates. We notice however when we integrate the solution in Azure DevOps it still applies the default controls in addition to our own custom policy and proceeds giving the warning as listed in the subject.

How can we make sure the default control set is disabled? I've tried following along with the documentation but couldn't find a clear answer. Is there any updated documentation on MSFT side?

I get this error when trying to run Get-AzSKSubscriptionSecurityStatus:
Get-AzSKSubscriptionSecurityStatus : Unable to find type [GeneratePDF].
At line:3 char:1

• Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subId

•   + CategoryInfo          : InvalidOperation: (GeneratePDF:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound
  

I am very new to Azure resources. When i deploy a custom organization i see that next to the storage account a Dashboard and a Insights resource are getting deployed. My understanding is that I can see logs like failed controls are being monitored. But when I check these resources both are empty when are there being logs written to these resources ?
Can i check if these logs are even being saved in Azure ?

*Probably you guys already noted this somewhere but I somehow can't see it. sorry for the dumb question in that case.

Hello,

While this kit is very promising, we'd need to be able to leverage Azure Policies to define what we want to control or not at either subscription level, either resource group level.
When provisioning app services (including the resource group) from an Azure DevOps pipeline, the resource does not exist yet. Therefore, impossible to skip some controls as described here:
https://github.com/azsk/DevOpsKit-docs/tree/master/00c-Addressing-Control-Failures
because this only applies to existing resources.

A good example is the Azure_AppService_AuthN_Use_AAD_for_Client_AuthN control. Most of the times, AAD auth is triggered through middlewares such as OWIN. So, it'd be nice to be able to define a policy that allows to skip that control (and others) for every new resource to come, because we know we work a certain way.

The alternative right now is to either run assertion on existing resources (so, post-deployment), either to scan ARM templates from within the build or release pipeline, extract the CSV from the logs and create a Skipcontrol file out of it but that's very tedious plus it gives too much power to developers. Enforcing/Relaxing controls through Azure Policies would make much more sense.

Normally Get is to retrieve status of something rather than an action. I'd like to propose to change the name of this cmdlet to Run-AzSKAzureServiceSecurity to give more sense. And we can have Get-AzSKAzureServicesSecurityStatus to return existing configuration of our security services (including specified resource group, storage account and other pre-configured settings).

I got the error after i run my release pipeline.
I think it's the fault of the task and not with my setup because everytime i tried to run it. it fails after the task is installing the module. inside the terminal of azure devops.

2018-12-14T10:17:24.6581640Z Installing Module AzSK...
2018-12-14T10:18:09.8947837Z ##[error]Cannot process argument transformation on parameter 'InstalledModuleInfo'. Cannot convert the "System.Object[]" value of type "System.Object[]" to type "System.Management.Automation.PSModuleInfo".

In the documentation about the attestation i found following ps1 script to add an attestation status to 1 control id at a time
`$subscriptionId = 'xxxxxxxxxxxxxxxxx'
$resourceGroupNames = 'xxxxxxxxxxxxxxxxxxx'
$resourceNames = 'xxxxxxxxxxxxx'
$ControlIds = 'Azure_KeyVault_DP_Identify_Roles' # You can get this from the CSV file, first column.
$justificationText = 'xxxxxxxxxx'

Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId -ResourceGroupNames $resourceGroupNames
-ResourceName $resourceName -ControlIds $ControlIds
-ControlsToAttest All -AttestationStatus NotAnIssue
-JustificationText $justificationText

The problem with this solution , i need to run this command a couple of times to add the attesting status to each control i want to skip ,and then add this to my storage account (with the first install policy or update policy command) so that my CI / CD pipeline can notice the change. But if i have multiple skip controls that i need to pass I have to execute the command multiple times. Is this not possible to add control id's with the attestation status in a file instead of executing a command multiple times ?
I thought that this is possible in the services json files of each resource type.