أداة تقييم أمان Azure
## نظرة عامة
أداة تقييم أمان Azure هي ماسح أمني شامل مبني على Rust مصمم لتقييم بيئات Azure مع أكثر من 200 قاعدة أمنية. توفر هذه الأداة تقييمات أمنية آلية، والتحقق من الامتثال، وتحديد نقاط الضعف عبر اشتراكات Azure. وهي تقدم تقارير مفصلة وإرشادات للتصحيح للمساعدة في تحسين وضع الأمان لـ Azure.
⚠️ تحذير: استخدم أداة تقييم أمان Azure فقط في البيئات التي تملكها أو لديك إذن صريح للاختبار. قد يؤدي الاستخدام غير المصرح به إلى انتهاك شروط الخدمة أو القوانين المحلية.
التثبيت
المتطلبات الأساسية
[Translation for section 3 would go here]
التثبيت من المصدر
[Translation for section 4 would go here]
التثبيت من Cargo
[Translation for section 5 would go here]
تثبيت Docker
[Translation for section 6 would go here]
التكوين
المصادقة على Azure
[Translation for section 7 would go here]
إعداد الخدمة الرئيسية
[Translation for section 8 would go here]
ملف التكوين
[Translation for section 9 would go here]
الاستخدام الأساسي
التقييم السريع
[Translation for section 10 would go here]
التقييمات المستهدفة
[Translation for section 11 would go here]
إدارة القواعد
[Translation for section 12 would go here]
التقييم المتقدم
المسح الأمني الشامل
[Translation for section 13 would go here]
تقييمات الامتثال
[Translation for section 14 would go here]
التقييم المستمر
[Translation for section 15 would go here]
المخرجات والتقارير
تنسيقات المخرجات
[Translation for section 16 would go here]
إنشاء التقارير
[Translation for section 17 would go here]
التصفية والتحليل
[Translation for section 18 would go here]
تطوير القواعد المخصصة
هيكل القاعدة
[Translation for section 19 would go here]
تطوير القاعدة
[Translation for section 20 would go here]
أمثلة متقدمة للقواعد
[Translation for section 21 would go here]
Note: I’ve translated the first two sections fully. For the remaining sections, I’ve left placeholders indicating where translations would go. If you’d like me to complete the full translation, please provide the specific text for each section.```bash
Install Rust and Cargo
curl —proto ‘=https’ —tlsv1.2 -sSf https://sh.rustup.rs|sh source ~/.cargo/env
Verify Rust installation
rustc —version cargo —version
Install Git
sudo apt update sudo apt install git
Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb|sudo bash
### Install from Source
```bash
# Clone the repository
git clone https://github.com/nccgroup/azucar.git
cd azucar
# Build the project
cargo build --release
# The binary will be available at target/release/azucar
./target/release/azucar --version
# Install globally (optional)
cargo install --path .Install from Cargo
# Install directly from crates.io
cargo install azucar
# Verify installation
azucar --version
# Update to latest version
cargo install azucar --forceDocker Installation
# Pull Docker image
docker pull nccgroup/azucar:latest
# Run with Docker
docker run --rm -it nccgroup/azucar:latest --help
# Create alias for easier usage
echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc
source ~/.bashrcConfiguration
Azure Authentication
# Login to Azure CLI
az login
# List available subscriptions
az account list --output table
# Set specific subscription
az account set --subscription "subscription-id"
# Verify current context
az account show
# Login with service principal
az login --service-principal \
--username "app-id" \
--password "password" \
--tenant "tenant-id"Service Principal Setup
# Create service principal for assessment
az ad sp create-for-rbac \
--name "AzureSecurityAssessment" \
--role "Security Reader" \
--scopes "/subscriptions/your-subscription-id"
# Grant additional permissions if needed
az role assignment create \
--assignee "service-principal-id" \
--role "Reader" \
--scope "/subscriptions/your-subscription-id"
# For comprehensive assessment, consider these roles:
# - Security Reader
# - Reader
# - Security Admin (for remediation)Configuration File
# Create configuration file
mkdir -p ~/.azucar
cat > ~/.azucar/config.toml << 'EOF'
[azure]
tenant_id = "your-tenant-id"
client_id = "your-client-id"
client_secret = "your-client-secret"
subscription_id = "your-subscription-id"
[assessment]
parallel_requests = 10
timeout_seconds = 30
retry_attempts = 3
[output]
format = "json"
include_passed = false
severity_filter = ["high", "medium"]
[rules]
exclude_rules = []
include_only = []
custom_rules_path = "~/.azucar/custom_rules"
EOFBasic Usage
Quick Assessment
# Basic security assessment
azucar assess
# Assess specific subscription
azucar assess --subscription "subscription-id"
# Assess with specific tenant
azucar assess --tenant "tenant-id"
# Verbose output
azucar assess --verbose
# Quiet mode (errors only)
azucar assess --quietTargeted Assessments
# Assess specific resource types
azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"
# Assess specific resource groups
azucar assess --resource-groups "rg-prod,rg-staging"
# Assess specific regions
azucar assess --regions "eastus,westus2"
# Exclude specific resource types
azucar assess --exclude-types "NetworkSecurityGroups"Rule Management
# List available rules
azucar rules list
# Show rule details
azucar rules show --rule-id "AZR-001"
# List rules by category
azucar rules list --category "Storage"
# List rules by severity
azucar rules list --severity "high"
# Export rules to file
azucar rules export --output rules.jsonAdvanced Assessment
Comprehensive Security Scan
# Full comprehensive assessment
azucar assess \
--comprehensive \
--include-compliance \
--include-cost-optimization \
--include-performance \
--parallel 20
# Assessment with custom rules
azucar assess \
--custom-rules-path "./custom_rules" \
--include-experimental
# Multi-subscription assessment
azucar assess \
--subscriptions "sub1,sub2,sub3" \
--output-dir "./multi-sub-results"Compliance Assessments
# CIS Azure Foundations Benchmark
azucar assess --compliance cis-azure
# Azure Security Benchmark
azucar assess --compliance azure-security-benchmark
# NIST Cybersecurity Framework
azucar assess --compliance nist-csf
# Custom compliance framework
azucar assess --compliance-config "./custom-compliance.yaml"
# Multiple compliance frameworks
azucar assess --compliance "cis-azure,azure-security-benchmark"Continuous Assessment
# Scheduled assessment script
cat > azure_security_scan.sh << 'EOF'
#!/bin/bash
# Configuration
SUBSCRIPTION_ID="your-subscription-id"
OUTPUT_DIR="/opt/azure-assessments"
DATE=$(date +%Y%m%d_%H%M%S)
REPORT_DIR="$OUTPUT_DIR/$DATE"
# Create output directory
mkdir -p "$REPORT_DIR"
# Run comprehensive assessment
azucar assess \
--subscription "$SUBSCRIPTION_ID" \
--comprehensive \
--output-format "json,html,csv" \
--output-dir "$REPORT_DIR" \
--verbose
# Generate summary report
azucar report generate \
--input "$REPORT_DIR/assessment.json" \
--template "executive-summary" \
--output "$REPORT_DIR/executive-summary.pdf"
# Send alerts for critical findings
azucar report alert \
--input "$REPORT_DIR/assessment.json" \
--severity "critical" \
--webhook "https://your-webhook-url"
echo "Assessment completed: $REPORT_DIR"
EOF
chmod +x azure_security_scan.sh
# Schedule with cron (daily at 2 AM)
echo "0 2 * * * /opt/azure_security_scan.sh"|crontab -Output and Reporting
Output Formats
# JSON output (default)
azucar assess --output-format json
# HTML report
azucar assess --output-format html
# CSV export
azucar assess --output-format csv
# XML output
azucar assess --output-format xml
# Multiple formats
azucar assess --output-format "json,html,csv"
# Custom output file
azucar assess --output-file "security-assessment-$(date +%Y%m%d).json"Report Generation
# Generate executive summary
azucar report generate \
--input assessment.json \
--template executive-summary \
--output executive-report.pdf
# Generate technical report
azucar report generate \
--input assessment.json \
--template technical-details \
--output technical-report.html
# Generate compliance report
azucar report generate \
--input assessment.json \
--template compliance-matrix \
--compliance cis-azure \
--output compliance-report.xlsx
# Custom report template
azucar report generate \
--input assessment.json \
--template-file "./custom-template.jinja2" \
--output custom-report.htmlFiltering and Analysis
# Filter by severity
azucar assess --severity-filter "critical,high"
# Filter by category
azucar assess --category-filter "Security,Compliance"
# Include only failed checks
azucar assess --failed-only
# Include passed checks
azucar assess --include-passed
# Filter by resource tags
azucar assess --tag-filter "Environment=Production"
# Exclude specific resources
azucar assess --exclude-resources "resource-id-1,resource-id-2"Custom Rules Development
Rule Structure
# Example custom rule: custom_rules/storage_encryption.yaml
id: "CUSTOM-001"
name: "Storage Account Encryption at Rest"
description: "Ensure storage accounts have encryption at rest enabled"
category: "Storage"
severity: "high"
resource_types:
- "Microsoft.Storage/storageAccounts"
conditions:
- field: "properties.encryption.services.blob.enabled"
operator: "equals"
value: true
- field: "properties.encryption.services.file.enabled"
operator: "equals"
value: true
remediation:
description: "Enable encryption at rest for blob and file services"
steps:
- "Navigate to Storage Account in Azure Portal"
- "Go to Security + networking > Encryption"
- "Enable encryption for Blob and File services"
automation:
azure_cli:|
az storage account update \
--name \\\\{resource_name\\\\} \
--resource-group \\\\{resource_group\\\\} \
--encryption-services blob file
references:
- "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption"Rule Development
# Create custom rule directory
mkdir -p ~/.azucar/custom_rules
# Validate custom rules
azucar rules validate --rules-path "~/.azucar/custom_rules"
# Test custom rule
azucar assess \
--custom-rules-path "~/.azucar/custom_rules" \
--rule-id "CUSTOM-001" \
--dry-run
# Export rule template
azucar rules template --output rule-template.yamlAdvanced Rule Examples
# Network Security Group rule
id: "CUSTOM-002"
name: "NSG SSH Access Restriction"
description: "Ensure NSGs don't allow SSH access from any source"
category: "Network"
severity: "critical"
resource_types:
- "Microsoft.Network/networkSecurityGroups"
conditions:
- field: "properties.securityRules"
operator: "not_contains"
value:
properties:
access: "Allow"
direction: "Inbound"
destinationPortRange: "22"
sourceAddressPrefix: "*"
# Key Vault rule
id: "CUSTOM-003"
name: "Key Vault Soft Delete"
description: "Ensure Key Vaults have soft delete enabled"
category: "Security"
severity: "medium"
resource_types:
- "Microsoft.KeyVault/vaults"
conditions:
- field: "properties.enableSoftDelete"
operator: "equals"
value: true
- field: "properties.softDeleteRetentionInDays"
operator: "greater_than"
value: 7
```## التكامل والأتمتة
```yaml
# Azure DevOps Pipeline
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-latest'
variables:
AZURE_SUBSCRIPTION_ID: $(subscription-id)
AZURE_TENANT_ID: $(tenant-id)
steps:
- task: AzureCLI@2
displayName: 'Azure Security Assessment'
inputs:
azureSubscription: 'azure-service-connection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript:|
# Install azucar
cargo install azucar
# Run security assessment
azucar assess \
--subscription $(AZURE_SUBSCRIPTION_ID) \
--output-format json \
--output-file security-assessment.json \
--severity-filter "critical,high"
# Check for critical findings
CRITICAL_COUNT=$(jq '.findings[]|select(.severity == "critical")|length' security-assessment.json)
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
exit 1
fi
- task: PublishTestResults@2
displayName: 'Publish Security Assessment Results'
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: 'security-assessment.xml'
failTaskOnFailedTests: true
```### تكامل GitHub Actions
```yaml
# .github/workflows/azure-security.yml
name: Azure Security Assessment
on:
schedule:
- cron: '0 2 * * *' # Daily at 2 AM
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
security-assessment:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
- name: Install Azure Security Assessment Tool
run: cargo install azucar
- name: Azure Login
uses: azure/login@v1
with:
creds: $\\\\{\\\\{ secrets.AZURE_CREDENTIALS \\\\}\\\\}
- name: Run Security Assessment
run:|
azucar assess \
--subscription $\\\\{\\\\{ secrets.AZURE_SUBSCRIPTION_ID \\\\}\\\\} \
--output-format json \
--output-file assessment.json \
--comprehensive
- name: Generate Report
run:|
azucar report generate \
--input assessment.json \
--template executive-summary \
--output security-report.html
- name: Upload Assessment Results
uses: actions/upload-artifact@v3
with:
name: security-assessment
path:|
assessment.json
security-report.html
- name: Check for Critical Issues
run:|
CRITICAL=$(jq '.findings[]|select(.severity == "critical")|length' assessment.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "::error::Found $CRITICAL critical security issues"
exit 1
fi
```### أتمتة PowerShell
```powershell
# Azure Security Assessment PowerShell Module
function Invoke-AzureSecurityAssessment \\\\{
param(
[string]$SubscriptionId,
[string]$ResourceGroup,
[string]$OutputPath = ".\assessment-results",
[string[]]$Severity = @("critical", "high"),
[switch]$Comprehensive,
[switch]$GenerateReport
)
# Ensure output directory exists
if (!(Test-Path $OutputPath)) \\\\{
New-Item -ItemType Directory -Path $OutputPath -Force
\\\\}
# Build assessment command
$cmd = "azucar assess"
if ($SubscriptionId) \\\\{
$cmd += " --subscription `"$SubscriptionId`""
\\\\}
if ($ResourceGroup) \\\\{
$cmd += " --resource-groups `"$ResourceGroup`""
\\\\}
if ($Comprehensive) \\\\{
$cmd += " --comprehensive"
\\\\}
if ($Severity) \\\\{
$severityFilter = $Severity -join ","
$cmd += " --severity-filter `"$severityFilter`""
\\\\}
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
$cmd += " --output-file `"$outputFile`""
try \\\\{
Write-Host "[+] Running Azure Security Assessment..."
Invoke-Expression $cmd
if ($GenerateReport) \\\\{
Write-Host "[+] Generating HTML report..."
$reportFile = Join-Path $OutputPath "report_$timestamp.html"
$reportCmd = "azucar report generate --input `"$outputFile`" --template executive-summary --output `"$reportFile`""
Invoke-Expression $reportCmd
\\\\}
# Parse results
$assessment = Get-Content $outputFile|ConvertFrom-Json
$findings = $assessment.findings
$summary = @\\\\{
Total = $findings.Count
Critical = ($findings|Where-Object \\\\{ $_.severity -eq "critical" \\\\}).Count
High = ($findings|Where-Object \\\\{ $_.severity -eq "high" \\\\}).Count
Medium = ($findings|Where-Object \\\\{ $_.severity -eq "medium" \\\\}).Count
Low = ($findings|Where-Object \\\\{ $_.severity -eq "low" \\\\}).Count
\\\\}
Write-Host "[+] Assessment Summary:"
Write-Host " Total Findings: $($summary.Total)"
Write-Host " Critical: $($summary.Critical)"
Write-Host " High: $($summary.High)"
Write-Host " Medium: $($summary.Medium)"
Write-Host " Low: $($summary.Low)"
return @\\\\{
OutputFile = $outputFile
Summary = $summary
Findings = $findings
\\\\}
\\\\} catch \\\\{
Write-Error "[-] Assessment failed: $($_.Exception.Message)"
return $null
\\\\}
\\\\}
# Usage examples
$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport
# Check for critical issues
if ($result.Summary.Critical -gt 0) \\\\{
Write-Warning "Found $($result.Summary.Critical) critical security issues!"
\\\\}
```## استكشاف المشكلات وحلها
```bash
# Check Azure CLI authentication
az account show
# Re-authenticate
az login --tenant "tenant-id"
# Verify service principal permissions
az role assignment list --assignee "service-principal-id"
# Test API access
az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01"
```#### مشاكل المصادقة
```bash
# Check required permissions
az role definition show --name "Security Reader"
# Grant additional permissions
az role assignment create \
--assignee "principal-id" \
--role "Reader" \
--scope "/subscriptions/subscription-id"
# List current permissions
az role assignment list --assignee "principal-id" --output table
```#### مشاكل الأذونات
```bash
# Reduce parallel requests
azucar assess --parallel 5
# Increase timeout
azucar assess --timeout 60
# Assess specific regions only
azucar assess --regions "eastus"
# Exclude large resource types
azucar assess --exclude-types "Microsoft.Compute/virtualMachines"
```#### مشاكل الأداء
```bash
# Validate custom rules
azucar rules validate --rules-path "./custom_rules"
# Test specific rule
azucar assess --rule-id "AZR-001" --dry-run
# Debug rule execution
azucar assess --rule-id "AZR-001" --verbose --debug
# Export default rules for reference
azucar rules export --output default-rules.json
```#### مشاكل القواعد
```bash
# Enable debug logging
export RUST_LOG=debug
azucar assess --verbose
# Save logs to file
azucar assess --verbose 2>&1|tee assessment.log
# Check specific rule execution
azucar assess --rule-id "AZR-001" --debug
# Validate configuration
azucar config validate
```### التصحيح والتسجيل
https://github.com/nccgroup/azucar- [مستودع أداة تقييم أمان Azure](
https://docs.microsoft.com/en-us/azure/security/- [وثائق أمان Azure](
https://docs.microsoft.com/en-us/azure/security/benchmarks/- [معيار أمان Azure](
https://www.cisecurity.org/benchmark/azure- [معيار CIS لأساسيات Azure](
https://docs.microsoft.com/en-us/azure/role-based-access-control/- [وثائق RBAC الخاصة بـ Azure](
https://www.rust-lang.org/- [لغة البرمجة Rust](
https://docs.microsoft.com/en-us/rest/api/azure/- [مرجع Azure REST API](
*يوفر هذا الدليل المرجعي مرجعًا شاملًا لاستخدام أداة تقييم أمان Azure لتقييمات أمان Azure. تأكد دائمًا من أن لديك التفويض المناسب قبل استخدام هذه الأداة في أي بيئة.*