Zum Inhalt

Azure Security Assessment Tool Cheat Sheet

generieren

Überblick

Azure Security Assessment Tool ist ein umfassender Rust-basierter Sicherheitsscanner, der die Azure-Umgebungen mit über 200 Sicherheitsregeln bewertet. Dieses Tool bietet automatisierte Sicherheitsbewertungen, Compliance- und Sicherheitskennzeichnungen über Azure Abonnements. Es bietet detaillierte Berichterstattungs- und Sanierungshinweise, um Organisationen bei der Verbesserung ihrer Azure-Sicherheitshaltung zu unterstützen.

ZEIT Warning: Verwenden Sie nur Azure Security Assessment Tool in Umgebungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben. Unberechtigte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen.

Installation

Voraussetzungen

```bash

Install Rust and Cargo

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs|sh source ~/.cargo/env

Verify Rust installation

rustc --version cargo --version

Install Git

sudo apt update sudo apt install git

Install Azure CLI

curl -sL https://aka.ms/InstallAzureCLIDeb|sudo bash ```_

Installieren von Source

```bash

Clone the repository

git clone https://github.com/nccgroup/azucar.git cd azucar

Build the project

cargo build --release

The binary will be available at target/release/azucar

./target/release/azucar --version

Install globally (optional)

cargo install --path . ```_

Installieren von Cargo

```bash

Install directly from crates.io

cargo install azucar

Verify installation

azucar --version

Update to latest version

cargo install azucar --force ```_

Docker Installation

```bash

Pull Docker image

docker pull nccgroup/azucar:latest

Run with Docker

docker run --rm -it nccgroup/azucar:latest --help

Create alias for easier usage

echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc source ~/.bashrc ```_

Konfiguration

Azure Authentication

```bash

Login to Azure CLI

az login

List available subscriptions

az account list --output table

Set specific subscription

az account set --subscription "subscription-id"

Verify current context

az account show

Login with service principal

az login --service-principal \ --username "app-id" \ --password "password" \ --tenant "tenant-id" ```_

Service Principal Setup

```bash

Create service principal for assessment

az ad sp create-for-rbac \ --name "AzureSecurityAssessment" \ --role "Security Reader" \ --scopes "/subscriptions/your-subscription-id"

Grant additional permissions if needed

az role assignment create \ --assignee "service-principal-id" \ --role "Reader" \ --scope "/subscriptions/your-subscription-id"

For comprehensive assessment, consider these roles:

- Security Reader

- Reader

- Security Admin (for remediation)

```_

Datei konfigurieren

```bash

Create configuration file

mkdir -p ~/.azucar cat > ~/.azucar/config.toml << 'EOF' [azure] tenant_id = "your-tenant-id" client_id = "your-client-id" client_secret = "your-client-secret" subscription_id = "your-subscription-id"

[assessment] parallel_requests = 10 timeout_seconds = 30 retry_attempts = 3

[output] format = "json" include_passed = false severity_filter = ["high", "medium"]

[rules] exclude_rules = [] include_only = [] custom_rules_path = "~/.azucar/custom_rules" EOF ```_

Basisnutzung

Schnelle Bewertung

```bash

Basic security assessment

azucar assess

Assess specific subscription

azucar assess --subscription "subscription-id"

Assess with specific tenant

azucar assess --tenant "tenant-id"

Verbose output

azucar assess --verbose

Quiet mode (errors only)

azucar assess --quiet ```_

Zielgerichtete Bewertungen

```bash

Assess specific resource types

azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"

Assess specific resource groups

azucar assess --resource-groups "rg-prod,rg-staging"

Assess specific regions

azucar assess --regions "eastus,westus2"

Exclude specific resource types

azucar assess --exclude-types "NetworkSecurityGroups" ```_

Regelverwaltung

```bash

List available rules

azucar rules list

Show rule details

azucar rules show --rule-id "AZR-001"

List rules by category

azucar rules list --category "Storage"

List rules by severity

azucar rules list --severity "high"

Export rules to file

azucar rules export --output rules.json ```_

Erweiterte Bewertung

Umfassender Sicherheitsscan

```bash

Full comprehensive assessment

azucar assess \ --comprehensive \ --include-compliance \ --include-cost-optimization \ --include-performance \ --parallel 20

Assessment with custom rules

azucar assess \ --custom-rules-path "./custom_rules" \ --include-experimental

Multi-subscription assessment

azucar assess \ --subscriptions "sub1,sub2,sub3" \ --output-dir "./multi-sub-results" ```_

Konformitätsbewertungen

```bash

CIS Azure Foundations Benchmark

azucar assess --compliance cis-azure

Azure Security Benchmark

azucar assess --compliance azure-security-benchmark

NIST Cybersecurity Framework

azucar assess --compliance nist-csf

Custom compliance framework

azucar assess --compliance-config "./custom-compliance.yaml"

Multiple compliance frameworks

azucar assess --compliance "cis-azure,azure-security-benchmark" ```_

Kontinuierliche Beurteilung

```bash

Scheduled assessment script

cat > azure_security_scan.sh << 'EOF'

!/bin/bash

Configuration

SUBSCRIPTION_ID="your-subscription-id" OUTPUT_DIR="/opt/azure-assessments" DATE=\((date +%Y%m%d_%H%M%S) REPORT_DIR="\)OUTPUT_DIR/$DATE"

Create output directory

mkdir -p "$REPORT_DIR"

Run comprehensive assessment

azucar assess \ --subscription "\(SUBSCRIPTION_ID" \ --comprehensive \ --output-format "json,html,csv" \ --output-dir "\)REPORT_DIR" \ --verbose

Generate summary report

azucar report generate \ --input "\(REPORT_DIR/assessment.json" \ --template "executive-summary" \ --output "\)REPORT_DIR/executive-summary.pdf"

Send alerts for critical findings

azucar report alert \ --input "$REPORT_DIR/assessment.json" \ --severity "critical" \ --webhook "https://your-webhook-url"

echo "Assessment completed: $REPORT_DIR" EOF

chmod +x azure_security_scan.sh

Schedule with cron (daily at 2 AM)

echo "0 2 * * * /opt/azure_security_scan.sh"|crontab - ```_

Ausgabe und Reporting

Ausgabeformate

```bash

JSON output (default)

azucar assess --output-format json

HTML report

azucar assess --output-format html

CSV export

azucar assess --output-format csv

XML output

azucar assess --output-format xml

Multiple formats

azucar assess --output-format "json,html,csv"

Custom output file

azucar assess --output-file "security-assessment-$(date +%Y%m%d).json" ```_

Bericht Generation

```bash

Generate executive summary

azucar report generate \ --input assessment.json \ --template executive-summary \ --output executive-report.pdf

Generate technical report

azucar report generate \ --input assessment.json \ --template technical-details \ --output technical-report.html

Generate compliance report

azucar report generate \ --input assessment.json \ --template compliance-matrix \ --compliance cis-azure \ --output compliance-report.xlsx

Custom report template

azucar report generate \ --input assessment.json \ --template-file "./custom-template.jinja2" \ --output custom-report.html ```_

Filter und Analyse

```bash

Filter by severity

azucar assess --severity-filter "critical,high"

Filter by category

azucar assess --category-filter "Security,Compliance"

Include only failed checks

azucar assess --failed-only

Include passed checks

azucar assess --include-passed

Filter by resource tags

azucar assess --tag-filter "Environment=Production"

Exclude specific resources

azucar assess --exclude-resources "resource-id-1,resource-id-2" ```_

Entwicklung der Zollsätze

Artikelstruktur

```yaml

Example custom rule: custom_rules/storage_encryption.yaml

id: "CUSTOM-001" name: "Storage Account Encryption at Rest" description: "Ensure storage accounts have encryption at rest enabled" category: "Storage" severity: "high" resource_types: - "Microsoft.Storage/storageAccounts"

conditions: - field: "properties.encryption.services.blob.enabled" operator: "equals" value: true - field: "properties.encryption.services.file.enabled" operator: "equals" value: true

remediation: description: "Enable encryption at rest for blob and file services" steps: - "Navigate to Storage Account in Azure Portal" - "Go to Security + networking > Encryption" - "Enable encryption for Blob and File services"

automation: azure_cli:| az storage account update \ --name \\{resource_name\\} \ --resource-group \\{resource_group\\} \ --encryption-services blob file

references: - "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption" ```_

Artikel Entwicklung

```bash

Create custom rule directory

mkdir -p ~/.azucar/custom_rules

Validate custom rules

azucar rules validate --rules-path "~/.azucar/custom_rules"

Test custom rule

azucar assess \ --custom-rules-path "~/.azucar/custom_rules" \ --rule-id "CUSTOM-001" \ --dry-run

Export rule template

azucar rules template --output rule-template.yaml ```_

Erweiterte Regelbeispiele

```yaml

Network Security Group rule

id: "CUSTOM-002" name: "NSG SSH Access Restriction" description: "Ensure NSGs don't allow SSH access from any source" category: "Network" severity: "critical" resource_types: - "Microsoft.Network/networkSecurityGroups"

conditions: - field: "properties.securityRules" operator: "not_contains" value: properties: access: "Allow" direction: "Inbound" destinationPortRange: "22" sourceAddressPrefix: "*"

Key Vault rule

id: "CUSTOM-003" name: "Key Vault Soft Delete" description: "Ensure Key Vaults have soft delete enabled" category: "Security" severity: "medium" resource_types: - "Microsoft.KeyVault/vaults"

conditions: - field: "properties.enableSoftDelete" operator: "equals" value: true - field: "properties.softDeleteRetentionInDays" operator: "greater_than" value: 7 ```_

Integration und Automatisierung

CI/CD Pipeline Integration

```yaml

Azure DevOps Pipeline

trigger: branches: include: - main - develop

pool: vmImage: 'ubuntu-latest'

variables: AZURE_SUBSCRIPTION_ID: $(subscription-id) AZURE_TENANT_ID: $(tenant-id)

steps: - task: AzureCLI@2 displayName: 'Azure Security Assessment' inputs: azureSubscription: 'azure-service-connection' scriptType: 'bash' scriptLocation: 'inlineScript' inlineScript: | # Install azucar cargo install azucar

  # Run security assessment
  azucar assess \
    --subscription $(AZURE_SUBSCRIPTION_ID) \
    --output-format json \
    --output-file security-assessment.json \
    --severity-filter "critical,high"

  # Check for critical findings

| | CRITICAL_COUNT=$(jq '.findings[] | select(.severity == "critical") | length' security-assessment.json) | |

  if [ "$CRITICAL_COUNT" -gt 0 ]; then
    echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
    exit 1
  fi
  • task: PublishTestResults@2 displayName: 'Publish Security Assessment Results' inputs: testResultsFormat: 'JUnit' testResultsFiles: 'security-assessment.xml' failTaskOnFailedTests: true ```_

GitHub Aktionen Integration

```yaml

.github/workflows/azure-security.yml

name: Azure Security Assessment

on: schedule: - cron: '0 2 * * *' # Daily at 2 AM push: branches: [ main ] pull_request: branches: [ main ]

jobs: security-assessment: runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Setup Rust
  uses: actions-rs/toolchain@v1
  with:
    toolchain: stable
    override: true

- name: Install Azure Security Assessment Tool
  run: cargo install azucar

- name: Azure Login
  uses: azure/login@v1
  with:
    creds: $\\\\{\\\\{ secrets.AZURE_CREDENTIALS \\\\}\\\\}

- name: Run Security Assessment
  run: |
    azucar assess \
      --subscription $\\\\{\\\\{ secrets.AZURE_SUBSCRIPTION_ID \\\\}\\\\} \
      --output-format json \
      --output-file assessment.json \
      --comprehensive

- name: Generate Report
  run: |
    azucar report generate \
      --input assessment.json \
      --template executive-summary \
      --output security-report.html

- name: Upload Assessment Results
  uses: actions/upload-artifact@v3
  with:
    name: security-assessment
    path: |
      assessment.json
      security-report.html

- name: Check for Critical Issues
  run: |

| | CRITICAL=\((jq '.findings[] | select(.severity == "critical") | length' assessment.json) | | if [ "\)CRITICAL" -gt 0 ]; then echo ": :error::Found $CRITICAL critical security issues" exit 1 fi ```_

PowerShell Automation

```powershell

Azure Security Assessment PowerShell Module

function Invoke-AzureSecurityAssessment \\{ param( [string]\(SubscriptionId, [string]\)ResourceGroup, [string]\(OutputPath = ".\assessment-results", [string[]]\)Severity = @("critical", "high"), [switch]\(Comprehensive, [switch]\)GenerateReport )

# Ensure output directory exists
if (!(Test-Path $OutputPath)) \\\\{
    New-Item -ItemType Directory -Path $OutputPath -Force
\\\\}

# Build assessment command
$cmd = "azucar assess"

if ($SubscriptionId) \\\\{
    $cmd += " --subscription `"$SubscriptionId`""
\\\\}

if ($ResourceGroup) \\\\{
    $cmd += " --resource-groups `"$ResourceGroup`""
\\\\}

if ($Comprehensive) \\\\{
    $cmd += " --comprehensive"
\\\\}

if ($Severity) \\\\{
    $severityFilter = $Severity -join ","
    $cmd += " --severity-filter `"$severityFilter`""
\\\\}

$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
$cmd += " --output-file `"$outputFile`""

try \\\\{
    Write-Host "[+] Running Azure Security Assessment..."
    Invoke-Expression $cmd

    if ($GenerateReport) \\\\{
        Write-Host "[+] Generating HTML report..."
        $reportFile = Join-Path $OutputPath "report_$timestamp.html"
        $reportCmd = "azucar report generate --input `"$outputFile`" --template executive-summary --output `"$reportFile`""
        Invoke-Expression $reportCmd
    \\\\}

    # Parse results
    $assessment = Get-Content $outputFile|ConvertFrom-Json
    $findings = $assessment.findings

    $summary = @\\\\{
        Total = $findings.Count
        Critical = ($findings|Where-Object \\\\{ $_.severity -eq "critical" \\\\}).Count
        High = ($findings|Where-Object \\\\{ $_.severity -eq "high" \\\\}).Count
        Medium = ($findings|Where-Object \\\\{ $_.severity -eq "medium" \\\\}).Count
        Low = ($findings|Where-Object \\\\{ $_.severity -eq "low" \\\\}).Count
    \\\\}

    Write-Host "[+] Assessment Summary:"
    Write-Host "    Total Findings: $($summary.Total)"
    Write-Host "    Critical: $($summary.Critical)"
    Write-Host "    High: $($summary.High)"
    Write-Host "    Medium: $($summary.Medium)"
    Write-Host "    Low: $($summary.Low)"

    return @\\\\{
        OutputFile = $outputFile
        Summary = $summary
        Findings = $findings
    \\\\}

\\\\} catch \\\\{
    Write-Error "[-] Assessment failed: $($_.Exception.Message)"
    return $null
\\\\}

\\}

Usage examples

$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport

Check for critical issues

if ($result.Summary.Critical -gt 0) \\{ Write-Warning "Found \((\)result.Summary.Critical) critical security issues!" \\} ```_

Fehlerbehebung

Gemeinsame Themen

Authentication Probleme

```bash

Check Azure CLI authentication

az account show

Re-authenticate

az login --tenant "tenant-id"

Verify service principal permissions

az role assignment list --assignee "service-principal-id"

Test API access

az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01" ```_

Genehmigungsfragen

```bash

Check required permissions

az role definition show --name "Security Reader"

Grant additional permissions

az role assignment create \ --assignee "principal-id" \ --role "Reader" \ --scope "/subscriptions/subscription-id"

List current permissions

az role assignment list --assignee "principal-id" --output table ```_

Leistungsfragen

```bash

Reduce parallel requests

azucar assess --parallel 5

Increase timeout

azucar assess --timeout 60

Assess specific regions only

azucar assess --regions "eastus"

Exclude large resource types

azucar assess --exclude-types "Microsoft.Compute/virtualMachines" ```_

Regelfragen

```bash

Validate custom rules

azucar rules validate --rules-path "./custom_rules"

Test specific rule

azucar assess --rule-id "AZR-001" --dry-run

Debug rule execution

azucar assess --rule-id "AZR-001" --verbose --debug

Export default rules for reference

azucar rules export --output default-rules.json ```_

Debugging und Logging

```bash

Enable debug logging

export RUST_LOG=debug azucar assess --verbose

Save logs to file

azucar assess --verbose 2>&1|tee assessment.log

Check specific rule execution

azucar assess --rule-id "AZR-001" --debug

Validate configuration

azucar config validate ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Azure Security Assessment Tool für Azure Sicherheitsbewertungen. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *