Azure Security Assessment Tool Cheat Sheet
Überblick
Azure Security Assessment Tool ist ein umfassender Rust-basierter Sicherheitsscanner, der die Azure-Umgebungen mit über 200 Sicherheitsregeln bewertet. Dieses Tool bietet automatisierte Sicherheitsbewertungen, Compliance- und Sicherheitskennzeichnungen über Azure Abonnements. Es bietet detaillierte Berichterstattungs- und Sanierungshinweise, um Organisationen bei der Verbesserung ihrer Azure-Sicherheitshaltung zu unterstützen.
ZEIT Warning: Verwenden Sie nur Azure Security Assessment Tool in Umgebungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben. Unberechtigte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen.
Installation
Voraussetzungen
```bash
Install Rust and Cargo
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs|sh source ~/.cargo/env
Verify Rust installation
rustc --version cargo --version
Install Git
sudo apt update sudo apt install git
Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb|sudo bash ```_
Installieren von Source
```bash
Clone the repository
git clone https://github.com/nccgroup/azucar.git cd azucar
Build the project
cargo build --release
The binary will be available at target/release/azucar
./target/release/azucar --version
Install globally (optional)
cargo install --path . ```_
Installieren von Cargo
```bash
Install directly from crates.io
cargo install azucar
Verify installation
azucar --version
Update to latest version
cargo install azucar --force ```_
Docker Installation
```bash
Pull Docker image
docker pull nccgroup/azucar:latest
Run with Docker
docker run --rm -it nccgroup/azucar:latest --help
Create alias for easier usage
echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc source ~/.bashrc ```_
Konfiguration
Azure Authentication
```bash
Login to Azure CLI
az login
List available subscriptions
az account list --output table
Set specific subscription
az account set --subscription "subscription-id"
Verify current context
az account show
Login with service principal
az login --service-principal \ --username "app-id" \ --password "password" \ --tenant "tenant-id" ```_
Service Principal Setup
```bash
Create service principal for assessment
az ad sp create-for-rbac \ --name "AzureSecurityAssessment" \ --role "Security Reader" \ --scopes "/subscriptions/your-subscription-id"
Grant additional permissions if needed
az role assignment create \ --assignee "service-principal-id" \ --role "Reader" \ --scope "/subscriptions/your-subscription-id"
For comprehensive assessment, consider these roles:
- Security Reader
- Reader
- Security Admin (for remediation)
```_
Datei konfigurieren
```bash
Create configuration file
mkdir -p ~/.azucar cat > ~/.azucar/config.toml << 'EOF' [azure] tenant_id = "your-tenant-id" client_id = "your-client-id" client_secret = "your-client-secret" subscription_id = "your-subscription-id"
[assessment] parallel_requests = 10 timeout_seconds = 30 retry_attempts = 3
[output] format = "json" include_passed = false severity_filter = ["high", "medium"]
[rules] exclude_rules = [] include_only = [] custom_rules_path = "~/.azucar/custom_rules" EOF ```_
Basisnutzung
Schnelle Bewertung
```bash
Basic security assessment
azucar assess
Assess specific subscription
azucar assess --subscription "subscription-id"
Assess with specific tenant
azucar assess --tenant "tenant-id"
Verbose output
azucar assess --verbose
Quiet mode (errors only)
azucar assess --quiet ```_
Zielgerichtete Bewertungen
```bash
Assess specific resource types
azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"
Assess specific resource groups
azucar assess --resource-groups "rg-prod,rg-staging"
Assess specific regions
azucar assess --regions "eastus,westus2"
Exclude specific resource types
azucar assess --exclude-types "NetworkSecurityGroups" ```_
Regelverwaltung
```bash
List available rules
azucar rules list
Show rule details
azucar rules show --rule-id "AZR-001"
List rules by category
azucar rules list --category "Storage"
List rules by severity
azucar rules list --severity "high"
Export rules to file
azucar rules export --output rules.json ```_
Erweiterte Bewertung
Umfassender Sicherheitsscan
```bash
Full comprehensive assessment
azucar assess \ --comprehensive \ --include-compliance \ --include-cost-optimization \ --include-performance \ --parallel 20
Assessment with custom rules
azucar assess \ --custom-rules-path "./custom_rules" \ --include-experimental
Multi-subscription assessment
azucar assess \ --subscriptions "sub1,sub2,sub3" \ --output-dir "./multi-sub-results" ```_
Konformitätsbewertungen
```bash
CIS Azure Foundations Benchmark
azucar assess --compliance cis-azure
Azure Security Benchmark
azucar assess --compliance azure-security-benchmark
NIST Cybersecurity Framework
azucar assess --compliance nist-csf
Custom compliance framework
azucar assess --compliance-config "./custom-compliance.yaml"
Multiple compliance frameworks
azucar assess --compliance "cis-azure,azure-security-benchmark" ```_
Kontinuierliche Beurteilung
```bash
Scheduled assessment script
cat > azure_security_scan.sh << 'EOF'
!/bin/bash
Configuration
SUBSCRIPTION_ID="your-subscription-id" OUTPUT_DIR="/opt/azure-assessments" DATE=$(date +%Y%m%d_%H%M%S) REPORT_DIR="$OUTPUT_DIR/$DATE"
Create output directory
mkdir -p "$REPORT_DIR"
Run comprehensive assessment
azucar assess \ --subscription "$SUBSCRIPTION_ID" \ --comprehensive \ --output-format "json,html,csv" \ --output-dir "$REPORT_DIR" \ --verbose
Generate summary report
azucar report generate \ --input "$REPORT_DIR/assessment.json" \ --template "executive-summary" \ --output "$REPORT_DIR/executive-summary.pdf"
Send alerts for critical findings
azucar report alert \ --input "$REPORT_DIR/assessment.json" \ --severity "critical" \ --webhook "https://your-webhook-url"
echo "Assessment completed: $REPORT_DIR" EOF
chmod +x azure_security_scan.sh
Schedule with cron (daily at 2 AM)
echo "0 2 * * * /opt/azure_security_scan.sh"|crontab - ```_
Ausgabe und Reporting
Ausgabeformate
```bash
JSON output (default)
azucar assess --output-format json
HTML report
azucar assess --output-format html
CSV export
azucar assess --output-format csv
XML output
azucar assess --output-format xml
Multiple formats
azucar assess --output-format "json,html,csv"
Custom output file
azucar assess --output-file "security-assessment-$(date +%Y%m%d).json" ```_
Bericht Generation
```bash
Generate executive summary
azucar report generate \ --input assessment.json \ --template executive-summary \ --output executive-report.pdf
Generate technical report
azucar report generate \ --input assessment.json \ --template technical-details \ --output technical-report.html
Generate compliance report
azucar report generate \ --input assessment.json \ --template compliance-matrix \ --compliance cis-azure \ --output compliance-report.xlsx
Custom report template
azucar report generate \ --input assessment.json \ --template-file "./custom-template.jinja2" \ --output custom-report.html ```_
Filter und Analyse
```bash
Filter by severity
azucar assess --severity-filter "critical,high"
Filter by category
azucar assess --category-filter "Security,Compliance"
Include only failed checks
azucar assess --failed-only
Include passed checks
azucar assess --include-passed
Filter by resource tags
azucar assess --tag-filter "Environment=Production"
Exclude specific resources
azucar assess --exclude-resources "resource-id-1,resource-id-2" ```_
Entwicklung der Zollsätze
Artikelstruktur
```yaml
Example custom rule: custom_rules/storage_encryption.yaml
id: "CUSTOM-001" name: "Storage Account Encryption at Rest" description: "Ensure storage accounts have encryption at rest enabled" category: "Storage" severity: "high" resource_types: - "Microsoft.Storage/storageAccounts"
conditions: - field: "properties.encryption.services.blob.enabled" operator: "equals" value: true - field: "properties.encryption.services.file.enabled" operator: "equals" value: true
remediation: description: "Enable encryption at rest for blob and file services" steps: - "Navigate to Storage Account in Azure Portal" - "Go to Security + networking > Encryption" - "Enable encryption for Blob and File services"
automation: azure_cli:| az storage account update \ --name \\{resource_name\\} \ --resource-group \\{resource_group\\} \ --encryption-services blob file
references: - "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption" ```_
Artikel Entwicklung
```bash
Create custom rule directory
mkdir -p ~/.azucar/custom_rules
Validate custom rules
azucar rules validate --rules-path "~/.azucar/custom_rules"
Test custom rule
azucar assess \ --custom-rules-path "~/.azucar/custom_rules" \ --rule-id "CUSTOM-001" \ --dry-run
Export rule template
azucar rules template --output rule-template.yaml ```_
Erweiterte Regelbeispiele
```yaml
Network Security Group rule
id: "CUSTOM-002" name: "NSG SSH Access Restriction" description: "Ensure NSGs don't allow SSH access from any source" category: "Network" severity: "critical" resource_types: - "Microsoft.Network/networkSecurityGroups"
conditions: - field: "properties.securityRules" operator: "not_contains" value: properties: access: "Allow" direction: "Inbound" destinationPortRange: "22" sourceAddressPrefix: "*"
Key Vault rule
id: "CUSTOM-003" name: "Key Vault Soft Delete" description: "Ensure Key Vaults have soft delete enabled" category: "Security" severity: "medium" resource_types: - "Microsoft.KeyVault/vaults"
conditions: - field: "properties.enableSoftDelete" operator: "equals" value: true - field: "properties.softDeleteRetentionInDays" operator: "greater_than" value: 7 ```_
Integration und Automatisierung
CI/CD Pipeline Integration
```yaml
Azure DevOps Pipeline
trigger: branches: include: - main - develop
pool: vmImage: 'ubuntu-latest'
variables: AZURE_SUBSCRIPTION_ID: $(subscription-id) AZURE_TENANT_ID: $(tenant-id)
steps: - task: AzureCLI@2 displayName: 'Azure Security Assessment' inputs: azureSubscription: 'azure-service-connection' scriptType: 'bash' scriptLocation: 'inlineScript' inlineScript: | # Install azucar cargo install azucar
# Run security assessment
azucar assess \
--subscription $(AZURE_SUBSCRIPTION_ID) \
--output-format json \
--output-file security-assessment.json \
--severity-filter "critical,high"
# Check for critical findings
| CRITICAL_COUNT=$(jq '.findings[] | select(.severity == "critical") | length' security-assessment.json) |
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
exit 1
fi
- task: PublishTestResults@2 displayName: 'Publish Security Assessment Results' inputs: testResultsFormat: 'JUnit' testResultsFiles: 'security-assessment.xml' failTaskOnFailedTests: true ```_
GitHub Aktionen Integration
```yaml
.github/workflows/azure-security.yml
name: Azure Security Assessment
on: schedule: - cron: '0 2 * * *' # Daily at 2 AM push: branches: [ main ] pull_request: branches: [ main ]
jobs: security-assessment: runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
- name: Install Azure Security Assessment Tool
run: cargo install azucar
- name: Azure Login
uses: azure/login@v1
with:
creds: $\\\\{\\\\{ secrets.AZURE_CREDENTIALS \\\\}\\\\}
- name: Run Security Assessment
run: |
azucar assess \
--subscription $\\\\{\\\\{ secrets.AZURE_SUBSCRIPTION_ID \\\\}\\\\} \
--output-format json \
--output-file assessment.json \
--comprehensive
- name: Generate Report
run: |
azucar report generate \
--input assessment.json \
--template executive-summary \
--output security-report.html
- name: Upload Assessment Results
uses: actions/upload-artifact@v3
with:
name: security-assessment
path: |
assessment.json
security-report.html
- name: Check for Critical Issues
run: |
| CRITICAL=$(jq '.findings[] | select(.severity == "critical") | length' assessment.json) | if [ "$CRITICAL" -gt 0 ]; then echo ": :error::Found $CRITICAL critical security issues" exit 1 fi ```_
PowerShell Automation
```powershell
Azure Security Assessment PowerShell Module
function Invoke-AzureSecurityAssessment \\{ param( [string]$SubscriptionId, [string]$ResourceGroup, [string]$OutputPath = ".\assessment-results", [string[]]$Severity = @("critical", "high"), [switch]$Comprehensive, [switch]$GenerateReport )
# Ensure output directory exists
if (!(Test-Path $OutputPath)) \\\\{
New-Item -ItemType Directory -Path $OutputPath -Force
\\\\}
# Build assessment command
$cmd = "azucar assess"
if ($SubscriptionId) \\\\{
$cmd += " --subscription `"$SubscriptionId`""
\\\\}
if ($ResourceGroup) \\\\{
$cmd += " --resource-groups `"$ResourceGroup`""
\\\\}
if ($Comprehensive) \\\\{
$cmd += " --comprehensive"
\\\\}
if ($Severity) \\\\{
$severityFilter = $Severity -join ","
$cmd += " --severity-filter `"$severityFilter`""
\\\\}
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
$cmd += " --output-file `"$outputFile`""
try \\\\{
Write-Host "[+] Running Azure Security Assessment..."
Invoke-Expression $cmd
if ($GenerateReport) \\\\{
Write-Host "[+] Generating HTML report..."
$reportFile = Join-Path $OutputPath "report_$timestamp.html"
$reportCmd = "azucar report generate --input `"$outputFile`" --template executive-summary --output `"$reportFile`""
Invoke-Expression $reportCmd
\\\\}
# Parse results
$assessment = Get-Content $outputFile|ConvertFrom-Json
$findings = $assessment.findings
$summary = @\\\\{
Total = $findings.Count
Critical = ($findings|Where-Object \\\\{ $_.severity -eq "critical" \\\\}).Count
High = ($findings|Where-Object \\\\{ $_.severity -eq "high" \\\\}).Count
Medium = ($findings|Where-Object \\\\{ $_.severity -eq "medium" \\\\}).Count
Low = ($findings|Where-Object \\\\{ $_.severity -eq "low" \\\\}).Count
\\\\}
Write-Host "[+] Assessment Summary:"
Write-Host " Total Findings: $($summary.Total)"
Write-Host " Critical: $($summary.Critical)"
Write-Host " High: $($summary.High)"
Write-Host " Medium: $($summary.Medium)"
Write-Host " Low: $($summary.Low)"
return @\\\\{
OutputFile = $outputFile
Summary = $summary
Findings = $findings
\\\\}
\\\\} catch \\\\{
Write-Error "[-] Assessment failed: $($_.Exception.Message)"
return $null
\\\\}
\\}
Usage examples
$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport
Check for critical issues
if ($result.Summary.Critical -gt 0) \\{ Write-Warning "Found $($result.Summary.Critical) critical security issues!" \\} ```_
Fehlerbehebung
Gemeinsame Themen
Authentication Probleme
```bash
Check Azure CLI authentication
az account show
Re-authenticate
az login --tenant "tenant-id"
Verify service principal permissions
az role assignment list --assignee "service-principal-id"
Test API access
az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01" ```_
Genehmigungsfragen
```bash
Check required permissions
az role definition show --name "Security Reader"
Grant additional permissions
az role assignment create \ --assignee "principal-id" \ --role "Reader" \ --scope "/subscriptions/subscription-id"
List current permissions
az role assignment list --assignee "principal-id" --output table ```_
Leistungsfragen
```bash
Reduce parallel requests
azucar assess --parallel 5
Increase timeout
azucar assess --timeout 60
Assess specific regions only
azucar assess --regions "eastus"
Exclude large resource types
azucar assess --exclude-types "Microsoft.Compute/virtualMachines" ```_
Regelfragen
```bash
Validate custom rules
azucar rules validate --rules-path "./custom_rules"
Test specific rule
azucar assess --rule-id "AZR-001" --dry-run
Debug rule execution
azucar assess --rule-id "AZR-001" --verbose --debug
Export default rules for reference
azucar rules export --output default-rules.json ```_
Debugging und Logging
```bash
Enable debug logging
export RUST_LOG=debug azucar assess --verbose
Save logs to file
azucar assess --verbose 2>&1|tee assessment.log
Check specific rule execution
azucar assess --rule-id "AZR-001" --debug
Validate configuration
azucar config validate ```_
Ressourcen
- (__LINK_7___)
- (__LINK_7___)
- (__LINK_7___)
- CIS Azure Foundations Benchmark
- (__LINK_7___)
- (__LINK_7___)
- (__LINK_7___)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Azure Security Assessment Tool für Azure Sicherheitsbewertungen. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *