feat(azure): Check related with roles and vm access with MFA (#3638)
Co-authored-by: Hugo Gálvez Ureña <[email protected]>
Co-authored-by: Sergio <[email protected]>
1 parent 5839d8c, commit be19ec5. Showing 14 changed files with 391 additions and 34 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
# General built-in roles | ||
CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c" | ||
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" | ||
|
||
# Compute roles | ||
VIRTUAL_MACHINE_CONTRIBUTOR_ROLE_ID = "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" | ||
VIRTUAL_MACHINE_ADMINISTRATOR_LOGIN_ROLE_ID = "1c0163c0-47e6-4577-8991-ea5c82e286e4" | ||
VIRTUAL_MACHINE_USER_LOGIN_ROLE_ID = "fb879df8-f326-4884-b1cf-06f3ad86be52" | ||
VIRTUAL_MACHINE_LOCAL_USER_LOGIN_ROLE_ID = "602da2ba-a5c2-41da-b01d-5360126ab525" | ||
WINDOWS_ADMIN_CENTER_ADMINISTRATOR_LOGIN_ROLE_ID = ( | ||
"a6333a3e-0164-44c3-b281-7a577aff287f" | ||
) |
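Review bot: nothing in this hunk records where these GUIDs come from, so a reviewer cannot verify them from the diff alone; add a comment above `# General built-in roles` and `# Compute roles` stating that they are Azure built-in role definition ids and pointing at the Azure built-in roles reference. It would also help to export one grouped constant here, for example `VM_ACCESS_ROLE_IDS = (CONTRIBUTOR_ROLE_ID, OWNER_ROLE_ID, ...)`, so a check that needs "any role that grants VM access" imports one name instead of re-listing all seven ids inline.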
File renamed without changes.
2 changes: 1 addition & 1 deletion: ...ess_than_five_global_admins.metadata.json → ...min_in_less_than_five_users.metadata.json
30 changes: 30 additions & 0 deletions: ...s/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.metadata.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
{ | ||
"Provider": "azure", | ||
"CheckID": "entra_user_with_vm_access_has_mfa", | ||
"CheckTitle": "Ensure only MFA enabled identities can access privileged Virtual Machine", | ||
"CheckType": [], | ||
"ServiceName": "iam", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "", | ||
"Severity": "medium", | ||
"ResourceType": "#microsoft.graph.users", | ||
"Description": "Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal", | ||
"Risk": "Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required. Managed disks are by design more resilient that storage accounts. For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective.", | ||
"RelatedUrl": "", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "", | ||
"NativeIaC": "", | ||
"Other": "", | ||
"Terraform": "" | ||
}, | ||
"Recommendation": { | ||
"Text": "1. Log in to the Azure portal. Reducing access of managed identities attached to virtual machines. 2. This can be remediated by enabling MFA for user, Removing user access or • Case I : Enable MFA for users having access on virtual machines. 1. Navigate to Azure AD from the left pane and select Users from the Manage section. 2. Click on Per-User MFA from the top menu options and select each user with MULTI-FACTOR AUTH STATUS as Disabled and can login to virtual machines: From quick steps on the right side select enable. Click on enable multi-factor auth and share the link with the user to setup MFA as required. • Case II : Removing user access on a virtual machine. 1. Select the Subscription, then click on Access control (IAM). 2. Select Role assignments and search for Virtual Machine Administrator Login or Virtual Machine User Login or any role that provides access to log into virtual machines. 3. Click on Role Name, Select Assignments, and remove identities with no MFA configured. • Case III : Reducing access of managed identities attached to virtual machines. 1. Select the Subscription, then click on Access control (IAM). 2. Select Role Assignments from the top menu and apply filters on Assignment type as Privileged administrator roles and Type as Virtual Machines. 3. Click on Role Name, Select Assignments, and remove identities access make sure this follows the least privileges principal.", | ||
"Url": "" | ||
} | ||
}, | ||
"Categories": [], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "This recommendation requires an Azure AD P2 License to implement. Ensure that identities that are provisioned to a virtual machine utilizes an RBAC/ABAC group and is allocated a role using Azure PIM, and the Role settings require MFA or use another PAM solution (like CyberArk) for accessing Virtual Machines." | ||
} |
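Review bot: the `Risk` field does not belong to this check: it talks about managed-disk encryption, storage accounts and Azure Advisor VHD recommendations, which looks copied from another check's metadata. Replace it with the risk the `Description` already states, namely that an identity without MFA holding a VM login, Contributor or Owner role can log in to the machine and act with its managed identity. In `Recommendation.Text`, the opening "1. Log in to the Azure portal. Reducing access of managed identities attached to virtual machines. 2. This can be remediated by enabling MFA for user, Removing user access or • Case I" has the Case III heading spliced into step 1 and step 2 left unfinished; restructure it as an intro sentence followed by the three cases. Minor: "least privileges principal" (in both `Description` and Case III) should be "least privilege principle", and `CheckTitle` should read "privileged Virtual Machines".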
53 changes: 53 additions & 0 deletions: ...ure/services/entra/entra_user_with_vm_access_has_mfa/entra_user_with_vm_access_has_mfa.py
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
from prowler.lib.check.models import Check, Check_Report_Azure | ||
from prowler.providers.azure.config import ( | ||
CONTRIBUTOR_ROLE_ID, | ||
OWNER_ROLE_ID, | ||
VIRTUAL_MACHINE_ADMINISTRATOR_LOGIN_ROLE_ID, | ||
VIRTUAL_MACHINE_CONTRIBUTOR_ROLE_ID, | ||
VIRTUAL_MACHINE_LOCAL_USER_LOGIN_ROLE_ID, | ||
VIRTUAL_MACHINE_USER_LOGIN_ROLE_ID, | ||
WINDOWS_ADMIN_CENTER_ADMINISTRATOR_LOGIN_ROLE_ID, | ||
) | ||
from prowler.providers.azure.services.entra.entra_client import entra_client | ||
from prowler.providers.azure.services.iam.iam_client import iam_client | ||
|
||
|
||
class entra_user_with_vm_access_has_mfa(Check): | ||
def execute(self) -> Check_Report_Azure: | ||
findings = [] | ||
|
||
for users in entra_client.users.values(): | ||
for user_domain_name, user in users.items(): | ||
for ( | ||
subscription_name, | ||
role_assigns, | ||
) in iam_client.role_assignments.items(): | ||
for assignment in role_assigns.values(): | ||
if ( | ||
assignment.agent_type == "User" | ||
and assignment.role_id | ||
in [ | ||
CONTRIBUTOR_ROLE_ID, | ||
OWNER_ROLE_ID, | ||
VIRTUAL_MACHINE_CONTRIBUTOR_ROLE_ID, | ||
VIRTUAL_MACHINE_ADMINISTRATOR_LOGIN_ROLE_ID, | ||
VIRTUAL_MACHINE_USER_LOGIN_ROLE_ID, | ||
VIRTUAL_MACHINE_LOCAL_USER_LOGIN_ROLE_ID, | ||
WINDOWS_ADMIN_CENTER_ADMINISTRATOR_LOGIN_ROLE_ID, | ||
] | ||
and assignment.agent_id == user.id | ||
): | ||
report = Check_Report_Azure(self.metadata()) | ||
report.status = "FAIL" | ||
report.status_extended = f"User {user.name} without MFA can access VMs in subscription {subscription_name}" | ||
report.subscription = subscription_name | ||
report.resource_name = user_domain_name | ||
report.resource_id = user.id | ||
|
||
if len(user.authentication_methods) > 1: | ||
report.status = "PASS" | ||
report.status_extended = f"User {user.name} can access VMs in subscription {subscription_name} but it has MFA." | ||
|
||
findings.append(report) | ||
|
||
return findings |
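Review bot: the PASS verdict at `if len(user.authentication_methods) > 1:` only checks how many authentication methods the user has registered, not whether MFA is enforced at sign-in (per-user MFA or a Conditional Access policy), so a user with a password plus one extra registered method but no enforcing policy is reported as "has MFA"; either base the verdict on enforcement data or word `status_extended` as "has more than one authentication method registered" so the result is not overstated. Two further points: the filter `assignment.agent_type == "User"` means the same roles granted through a group are never evaluated, which the metadata or status text should state as a known limitation; and because a report is appended per matching assignment, a user holding two of the listed roles in one subscription yields two identical findings with the same `resource_id` and `subscription`, so de-duplicate per (user, subscription). Minor: the role id list is rebuilt inside the innermost loop and could be a module-level set, and "but it has MFA." should read "but has MFA.".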