
Azure Security Assessment Tool Cheat Sheet

Overview

Azure Security Assessment Tool is a comprehensive Rust-based security scanner designed to assess Azure environments with over 200 security rules. This tool provides automated security assessments, compliance checking, and vulnerability identification across Azure subscriptions. It offers detailed reporting and remediation guidance to help organizations improve their Azure security posture.

⚠️ Warning: Only use Azure Security Assessment Tool in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Prerequisites

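# Install Rust and Cargo.
# The upstream one-liner pipes the installer straight into a shell; saving it
# to a file first lets you read (and checksum) exactly what will run.
curl --proto '=https' --tlsv1.2 -sSf -o rustup-init.sh https://sh.rustup.rs
less rustup-init.sh          # inspect before running
sh rustup-init.sh
rm -f rustup-init.sh
source ~/.cargo/env

# Verify the Rust installation
rustc --version
cargo --version

# Install Git
sudo apt update
sudo apt install -y git

# Install Azure CLI.
# Same pattern: the script runs as root, so fetch and review it before executing.
curl -sL -o install-azure-cli.sh https://aka.ms/InstallAzureCLIDeb
less install-azure-cli.sh    # inspect before running
sudo bash install-azure-cli.sh
rm -f install-azure-cli.sh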

Install from Source

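# Clone the repository
git clone https://github.com/nccgroup/azucar.git
# Stop here if the clone failed instead of building in the wrong directory
cd azucar || exit 1

# Build the project (release profile)
cargo build --release

# The binary is written to target/release/azucar (cargo's default output path)
./target/release/azucar --version

# Install globally (optional)
cargo install --path .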

Install from Cargo

# Install directly from crates.io
cargo install azucar

# Verify the installation
azucar --version

# Update to the latest published version (--force reinstalls over an existing binary)
cargo install azucar --force

Docker Installation

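# Pull the Docker image
docker pull nccgroup/azucar:latest

# Run with Docker
docker run --rm -it nccgroup/azucar:latest --help

# Create an alias for easier use.
# The bind mount gives the container your Azure CLI token cache, so the image
# can act with whatever identity ~/.azure currently holds.
# Guard the append so re-running this snippet does not duplicate the alias.
grep -qF 'alias azucar=' ~/.bashrc || \
  echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc
source ~/.bashrc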

Configuration

Azure Authentication

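# Login to Azure CLI (interactive)
az login

# List available subscriptions
az account list --output table

# Set a specific subscription
az account set --subscription "subscription-id"

# Verify the current context
az account show

# Login with a service principal.
# Read the secret from the environment rather than typing it on the command
# line, where it would be kept in shell history. A certificate credential
# (pass the .pem path as --password) or workload identity federation avoids
# handling a client secret at all.
: "${AZURE_CLIENT_SECRET:?set AZURE_CLIENT_SECRET before running az login}"
az login --service-principal \
  --username "app-id" \
  --password "$AZURE_CLIENT_SECRET" \
  --tenant "tenant-id"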

Service Principal Setup

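# Create a service principal for the assessment.
# The command prints the new client secret once on stdout; capture it into a
# secret store rather than leaving it in a terminal log.
az ad sp create-for-rbac \
  --name "AzureSecurityAssessment" \
  --role "Security Reader" \
  --scopes "/subscriptions/your-subscription-id"

# Grant additional permissions if needed
az role assignment create \
  --assignee "service-principal-id" \
  --role "Reader" \
  --scope "/subscriptions/your-subscription-id"

# For comprehensive assessment, consider these roles:
# - Security Reader
# - Reader
# - Security Admin (for remediation)
# Keep the scanning identity read-only; put Security Admin on a separate
# principal that is used only when applying fixes.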

Configuration File

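# Create the configuration file.
# It holds a live client secret, so make the directory and file owner-only
# before writing, and keep it out of version control.
mkdir -p ~/.azucar
chmod 700 ~/.azucar
touch ~/.azucar/config.toml
chmod 600 ~/.azucar/config.toml
cat > ~/.azucar/config.toml << 'EOF'
[azure]
tenant_id = "your-tenant-id"
client_id = "your-client-id"
client_secret = "your-client-secret"
subscription_id = "your-subscription-id"

[assessment]
parallel_requests = 10
timeout_seconds = 30
retry_attempts = 3

[output]
format = "json"
include_passed = false
severity_filter = ["high", "medium"]

[rules]
exclude_rules = []
include_only = []
# NOTE(review): whether the tool expands '~' here is not documented on this page;
# an absolute path is the safe choice.
custom_rules_path = "~/.azucar/custom_rules"
EOF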

Basic Usage

Quick Assessment

# Basic security assessment with default settings
azucar assess

# Assess a specific subscription
azucar assess --subscription "subscription-id"

# Assess within a specific tenant
azucar assess --tenant "tenant-id"

# Verbose output
azucar assess --verbose

# Quiet mode (errors only)
azucar assess --quiet

Targeted Assessments

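# Assess specific resource types
azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"

# Assess specific resource groups
azucar assess --resource-groups "rg-prod,rg-staging"

# Assess specific regions
azucar assess --regions "eastus,westus2"

# Exclude specific resource types
azucar assess --exclude-types "NetworkSecurityGroups"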

Rule Management

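# List available rules
azucar rules list

# Show rule details
azucar rules show --rule-id "AZR-001"

# List rules by category
azucar rules list --category "Storage"

# List rules by severity
azucar rules list --severity "high"

# Export rules to a file
azucar rules export --output rules.json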

Advanced Assessment

Comprehensive Security Scan

# Full comprehensive assessment; a higher --parallel value means more
# concurrent Azure API requests (lower it if the tenant starts throttling)
azucar assess \
  --comprehensive \
  --include-compliance \
  --include-cost-optimization \
  --include-performance \
  --parallel 20

# Assessment with custom rules (experimental rules included)
azucar assess \
  --custom-rules-path "./custom_rules" \
  --include-experimental

# Multi-subscription assessment, one output directory for all results
azucar assess \
  --subscriptions "sub1,sub2,sub3" \
  --output-dir "./multi-sub-results"

Compliance Assessments

# CIS Azure Foundations Benchmark
azucar assess --compliance cis-azure

# Azure Security Benchmark
azucar assess --compliance azure-security-benchmark

# NIST Cybersecurity Framework
azucar assess --compliance nist-csf

# Custom compliance framework defined in a YAML file
azucar assess --compliance-config "./custom-compliance.yaml"

# Multiple compliance frameworks in one run (comma-separated)
azucar assess --compliance "cis-azure,azure-security-benchmark"

Continuous Assessment

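# Scheduled assessment script
cat > azure_security_scan.sh << 'EOF'
#!/bin/bash
# Abort on the first failing command so a failed assessment never produces
# a misleading "completed" message or an empty report.
set -euo pipefail

# Configuration: take the subscription from the environment, fall back to a placeholder
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-your-subscription-id}"
OUTPUT_DIR="/opt/azure-assessments"
DATE=$(date +%Y%m%d_%H%M%S)
REPORT_DIR="$OUTPUT_DIR/$DATE"

# Create the output directory. Reports enumerate the tenant's weak spots,
# so keep them readable by the owner only.
umask 077
mkdir -p "$REPORT_DIR"

# Run comprehensive assessment
azucar assess \
  --subscription "$SUBSCRIPTION_ID" \
  --comprehensive \
  --output-format "json,html,csv" \
  --output-dir "$REPORT_DIR" \
  --verbose

# Generate summary report
azucar report generate \
  --input "$REPORT_DIR/assessment.json" \
  --template "executive-summary" \
  --output "$REPORT_DIR/executive-summary.pdf"

# Send alerts for critical findings
azucar report alert \
  --input "$REPORT_DIR/assessment.json" \
  --severity "critical" \
  --webhook "https://your-webhook-url"

echo "Assessment completed: $REPORT_DIR"
EOF

chmod +x azure_security_scan.sh
# Put the script where the cron entry below expects it
sudo mv azure_security_scan.sh /opt/azure_security_scan.sh

# Schedule with cron (daily at 2 AM).
# `crontab -` replaces the whole table, so merge with the existing entries
# instead of wiping them.
( crontab -l 2>/dev/null; echo "0 2 * * * /opt/azure_security_scan.sh" ) | crontab -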

Output and Reporting

Output Formats

# JSON output (default)
azucar assess --output-format json

# HTML report
azucar assess --output-format html

# CSV export
azucar assess --output-format csv

# XML output
azucar assess --output-format xml

# Multiple formats in one run (comma-separated)
azucar assess --output-format "json,html,csv"

# Custom output file, date-stamped so repeated runs do not overwrite each other
azucar assess --output-file "security-assessment-$(date +%Y%m%d).json"

Report Generation

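# Generate executive summary
azucar report generate \
  --input assessment.json \
  --template executive-summary \
  --output executive-report.pdf

# Generate technical report
azucar report generate \
  --input assessment.json \
  --template technical-details \
  --output technical-report.html

# Generate compliance report
azucar report generate \
  --input assessment.json \
  --template compliance-matrix \
  --compliance cis-azure \
  --output compliance-report.xlsx

# Custom report template
azucar report generate \
  --input assessment.json \
  --template-file "./custom-template.jinja2" \
  --output custom-report.html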

Filtering and Analysis

# Filter by severity (comma-separated list)
azucar assess --severity-filter "critical,high"

# Filter by category
azucar assess --category-filter "Security,Compliance"

# Include only failed checks
azucar assess --failed-only

# Include passed checks as well (the config default is include_passed = false)
azucar assess --include-passed

# Filter by resource tags (key=value)
azucar assess --tag-filter "Environment=Production"

# Exclude specific resources by resource ID
azucar assess --exclude-resources "resource-id-1,resource-id-2"

Custom Rules Development

Rule Structure

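# Example custom rule: custom_rules/storage_encryption.yaml
id: "CUSTOM-001"
name: "Storage Account Encryption at Rest"
description: "Ensure storage accounts have encryption at rest enabled"
category: "Storage"
severity: "high"
resource_types:
  - "Microsoft.Storage/storageAccounts"

# Every condition must hold for the rule to pass
conditions:
  - field: "properties.encryption.services.blob.enabled"
    operator: "equals"
    value: true
  - field: "properties.encryption.services.file.enabled"
    operator: "equals"
    value: true

remediation:
  description: "Enable encryption at rest for blob and file services"
  steps:
    - "Navigate to Storage Account in Azure portal"
    - "Go to Security + networking > Encryption"
    - "Enable encryption for Blob and File services"

automation:
  # Block scalar: the key needs a space before '|', otherwise YAML reads
  # the whole line as one plain string and the command is lost.
  azure_cli: |
    az storage account update \
      --name {resource_name} \
      --resource-group {resource_group} \
      --encryption-services blob file

references:
  - "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption"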

Rule Development

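# Create the custom rule directory
mkdir -p ~/.azucar/custom_rules

# Validate custom rules.
# A tilde inside double quotes is not expanded by the shell, so "~/.azucar/..."
# would be passed literally; use $HOME instead.
azucar rules validate --rules-path "$HOME/.azucar/custom_rules"

# Test a custom rule (dry run)
azucar assess \
  --custom-rules-path "$HOME/.azucar/custom_rules" \
  --rule-id "CUSTOM-001" \
  --dry-run

# Export a rule template to start from
azucar rules template --output rule-template.yaml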

Advanced Rule Examples

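# Network Security Group rule (custom_rules/nsg_ssh_restriction.yaml)
id: "CUSTOM-002"
name: "NSG SSH Access Restriction"
description: "Ensure NSGs don't allow SSH access from any source"
category: "Network"
severity: "critical"
resource_types:
  - "Microsoft.Network/networkSecurityGroups"

conditions:
  # NOTE(review): this matches only the literal "*" source on the single
  # port "22". Azure also expresses any-source as "Internet", "Any" or
  # "0.0.0.0/0", and SSH can sit inside a port range or a
  # destinationPortRanges list; extend the match if the engine allows it.
  - field: "properties.securityRules"
    operator: "not_contains"
    value:
      properties:
        access: "Allow"
        direction: "Inbound"
        destinationPortRange: "22"
        sourceAddressPrefix: "*"

---
# Key Vault rule (custom_rules/keyvault_soft_delete.yaml)
# Kept as a separate YAML document: in one document the second 'id:' would
# be a duplicate key.
id: "CUSTOM-003"
name: "Key Vault Soft Delete"
description: "Ensure Key Vaults have soft delete enabled"
category: "Security"
severity: "medium"
resource_types:
  - "Microsoft.KeyVault/vaults"

conditions:
  - field: "properties.enableSoftDelete"
    operator: "equals"
    value: true
  - field: "properties.softDeleteRetentionInDays"
    operator: "greater_than"
    value: 7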

Integration and Automation

CI/CD Pipeline Integration

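# Azure DevOps Pipeline
trigger:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-latest'

variables:
  AZURE_SUBSCRIPTION_ID: $(subscription-id)
  AZURE_TENANT_ID: $(tenant-id)

steps:
- task: AzureCLI@2
  displayName: 'Azure Security Assessment'
  inputs:
    azureSubscription: 'azure-service-connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      set -euo pipefail

      # Install azucar
      cargo install azucar

      # Run security assessment.
      # Pipeline variables are exposed to the script as environment variables;
      # using the shell form avoids the $(...) macro syntax, which bash would
      # otherwise treat as a command substitution if it were left unexpanded.
      azucar assess \
        --subscription "$AZURE_SUBSCRIPTION_ID" \
        --output-format json \
        --output-file security-assessment.json \
        --severity-filter "critical,high"

      # Check for critical findings.
      # Collect the matches into an array before taking the length:
      # `.findings[] | select(...) | length` prints one number per finding
      # (its key count) and breaks the integer comparison below.
      CRITICAL_COUNT=$(jq '[.findings[]? | select(.severity == "critical")] | length' security-assessment.json)

      if [ "$CRITICAL_COUNT" -gt 0 ]; then
        echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
        exit 1
      fi

# NOTE(review): the step above writes only security-assessment.json; nothing
# here produces the JUnit XML this task looks for, so it will find no results.
- task: PublishTestResults@2
  displayName: 'Publish Security Assessment Results'
  inputs:
    testResultsFormat: 'JUnit'
    testResultsFiles: 'security-assessment.xml'
    failTaskOnFailedTests: true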

GitHub Actions Integration

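# .github/workflows/azure-security.yml
name: Azure Security Assessment

on:
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository
permissions:
  contents: read

jobs:
  security-assessment:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Setup Rust
      uses: actions-rs/toolchain@v1
      with:
        toolchain: stable
        override: true

    - name: Install Azure Security Assessment Tool
      run: cargo install azucar

    # Secrets are not available to workflows triggered by pull requests from
    # forks, so this step fails there; restrict pull_request to same-repo
    # branches or drop that trigger if fork PRs are expected.
    - name: Azure Login
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    # Pass the secret through env rather than interpolating ${{ }} into the
    # script body, so its value is never part of the shell source text.
    - name: Run Security Assessment
      env:
        AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      run: |
        azucar assess \
          --subscription "$AZURE_SUBSCRIPTION_ID" \
          --output-format json \
          --output-file assessment.json \
          --comprehensive

    - name: Generate Report
      run: |
        azucar report generate \
          --input assessment.json \
          --template executive-summary \
          --output security-report.html

    - name: Upload Assessment Results
      uses: actions/upload-artifact@v3
      with:
        name: security-assessment
        path: |
          assessment.json
          security-report.html

    - name: Check for Critical Issues
      run: |
        # Wrap the matches in an array before taking the length; the unwrapped
        # form prints one number per finding and breaks the -gt test.
        CRITICAL=$(jq '[.findings[]? | select(.severity == "critical")] | length' assessment.json)
        if [ "$CRITICAL" -gt 0 ]; then
          echo "::error::Found $CRITICAL critical security issues"
          exit 1
        fi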

PowerShell Automation

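# Azure Security Assessment PowerShell Module
function Invoke-AzureSecurityAssessment {
    <#
    .SYNOPSIS
        Runs an azucar assessment and summarises the findings by severity.
    .PARAMETER SubscriptionId
        Subscription to assess; passed as --subscription when set.
    .PARAMETER ResourceGroup
        Resource group filter; passed as --resource-groups when set.
    .PARAMETER OutputPath
        Directory for the JSON results (and the HTML report); created if missing.
    .PARAMETER Severity
        Severities to include; joined with ',' into --severity-filter.
    .PARAMETER Comprehensive
        Adds --comprehensive.
    .PARAMETER GenerateReport
        Also runs 'azucar report generate' with the executive-summary template.
    .OUTPUTS
        Hashtable with OutputFile, Summary and Findings, or $null when a step fails.
    #>
    param(
        [string]$SubscriptionId,
        [string]$ResourceGroup,
        [string]$OutputPath = ".\assessment-results",
        [string[]]$Severity = @("critical", "high"),
        [switch]$Comprehensive,
        [switch]$GenerateReport
    )

    # Ensure output directory exists. Discard New-Item's output so the
    # DirectoryInfo object is not emitted alongside the function's result.
    if (!(Test-Path $OutputPath)) {
        New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
    }

    # Build the argument list as an array and call the binary directly.
    # String-building a command for Invoke-Expression would let a value such
    # as a resource group name containing quotes or ';' be parsed as PowerShell.
    $assessArgs = @("assess")

    if ($SubscriptionId) {
        $assessArgs += @("--subscription", $SubscriptionId)
    }

    if ($ResourceGroup) {
        $assessArgs += @("--resource-groups", $ResourceGroup)
    }

    if ($Comprehensive) {
        $assessArgs += "--comprehensive"
    }

    if ($Severity) {
        $assessArgs += @("--severity-filter", ($Severity -join ","))
    }

    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
    $assessArgs += @("--output-file", $outputFile)

    try {
        Write-Host "[+] Running Azure Security Assessment..."
        & azucar @assessArgs
        # Native commands do not throw; surface a non-zero exit explicitly
        if ($LASTEXITCODE -ne 0) {
            throw "azucar assess exited with code $LASTEXITCODE"
        }

        if ($GenerateReport) {
            Write-Host "[+] Generating HTML report..."
            $reportFile = Join-Path $OutputPath "report_$timestamp.html"
            & azucar report generate --input $outputFile --template executive-summary --output $reportFile
            if ($LASTEXITCODE -ne 0) {
                throw "azucar report generate exited with code $LASTEXITCODE"
            }
        }

        # Parse results. @() keeps .Count meaningful when there is a single finding.
        $assessment = Get-Content $outputFile -Raw | ConvertFrom-Json
        $findings = @($assessment.findings)

        $summary = @{
            Total    = $findings.Count
            Critical = @($findings | Where-Object { $_.severity -eq "critical" }).Count
            High     = @($findings | Where-Object { $_.severity -eq "high" }).Count
            Medium   = @($findings | Where-Object { $_.severity -eq "medium" }).Count
            Low      = @($findings | Where-Object { $_.severity -eq "low" }).Count
        }

        Write-Host "[+] Assessment Summary:"
        Write-Host "    Total Findings: $($summary.Total)"
        Write-Host "    Critical: $($summary.Critical)"
        Write-Host "    High: $($summary.High)"
        Write-Host "    Medium: $($summary.Medium)"
        Write-Host "    Low: $($summary.Low)"

        return @{
            OutputFile = $outputFile
            Summary    = $summary
            Findings   = $findings
        }

    } catch {
        Write-Error "[-] Assessment failed: $($_.Exception.Message)"
        return $null
    }
}

# Usage examples
$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport

# Check for critical issues ($result is $null when the assessment failed)
if ($result -and $result.Summary.Critical -gt 0) {
    Write-Warning "Found $($result.Summary.Critical) critical security issues!"
}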

Troubleshooting

Common Issues

Authentication Problems

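# Check Azure CLI authentication
az account show

# Re-authenticate against a specific tenant
az login --tenant "tenant-id"

# Verify service principal permissions
az role assignment list --assignee "service-principal-id"

# Test API access (lists the subscription's resources through the ARM REST API)
az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01"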

Permission Issues

# Check required permissions (shows the actions the built-in role grants)
az role definition show --name "Security Reader"

# Grant additional permissions; keep the scope as narrow as the assessment needs
az role assignment create \
  --assignee "principal-id" \
  --role "Reader" \
  --scope "/subscriptions/subscription-id"

# List current permissions
az role assignment list --assignee "principal-id" --output table

Performance Issues

# Reduce parallel requests (fewer concurrent calls, less chance of Azure API throttling)
azucar assess --parallel 5

# Increase the timeout (presumably seconds, like timeout_seconds in config.toml)
azucar assess --timeout 60

# Assess specific regions only
azucar assess --regions "eastus"

# Exclude large resource types
azucar assess --exclude-types "Microsoft.Compute/virtualMachines"

Rule Issues

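# Validate custom rules
azucar rules validate --rules-path "./custom_rules"

# Test a specific rule (dry run)
azucar assess --rule-id "AZR-001" --dry-run

# Debug rule execution
azucar assess --rule-id "AZR-001" --verbose --debug

# Export the default rules for reference
azucar rules export --output default-rules.json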

Debugging and Logging

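# Enable debug logging.
# Debug output can include resource IDs, request URLs and other tenant
# details; handle the resulting log with the same care as the report itself.
export RUST_LOG=debug
azucar assess --verbose

# Save logs to a file
azucar assess --verbose 2>&1 | tee assessment.log

# Check a specific rule's execution
azucar assess --rule-id "AZR-001" --debug

# Validate the configuration file
azucar config validate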

Resources


This cheat sheet provides a comprehensive reference for using Azure Security Assessment Tool for Azure security assessments. Always ensure you have proper authorization before using this tool in any environment.