Foglio Informativo dello Strumento di Valutazione della Sicurezza di Azure¶
Panoramica¶
Azure Security Assessment Tool è un scanner di sicurezza basato su Rust, progettato per valutare gli ambienti Azure con oltre 200 regole di sicurezza. Questo strumento fornisce valutazioni di sicurezza automatizzate, verifica della conformità e identificazione delle vulnerabilità attraverso le sottoscrizioni Azure. Offre report dettagliati e indicazioni per la bonifica per aiutare le organizzazioni a migliorare la loro postura di sicurezza Azure.
⚠️ Avvertenza: Utilizzare Azure Security Assessment Tool solo in ambienti di proprietà o per i quali si ha un'autorizzazione esplicita di test. L'uso non autorizzato può violare i termini di servizio o le leggi locali.
The rest of the sections will be translated in the same manner. Would you like me to continue translating the remaining sections?```bash
Install Rust and Cargo¶
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs|sh source ~/.cargo/env
Verify Rust installation¶
rustc --version cargo --version
Install Git¶
sudo apt update sudo apt install git
Install Azure CLI¶
curl -sL https://aka.ms/InstallAzureCLIDeb|sudo bash
### Install from Source
```bash
# Clone the repository
git clone https://github.com/nccgroup/azucar.git
cd azucar
# Build the project
cargo build --release
# The binary will be available at target/release/azucar
./target/release/azucar --version
# Install globally (optional)
cargo install --path .
Install from Cargo¶
# Install directly from crates.io
cargo install azucar
# Verify installation
azucar --version
# Update to latest version
cargo install azucar --force
Docker Installation¶
# Pull Docker image
docker pull nccgroup/azucar:latest
# Run with Docker
docker run --rm -it nccgroup/azucar:latest --help
# Create alias for easier usage
echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc
source ~/.bashrc
Configuration¶
Azure Authentication¶
# Login to Azure CLI
az login
# List available subscriptions
az account list --output table
# Set specific subscription
az account set --subscription "subscription-id"
# Verify current context
az account show
# Login with service principal
az login --service-principal \
--username "app-id" \
--password "password" \
--tenant "tenant-id"
Service Principal Setup¶
# Create service principal for assessment
az ad sp create-for-rbac \
--name "AzureSecurityAssessment" \
--role "Security Reader" \
--scopes "/subscriptions/your-subscription-id"
# Grant additional permissions if needed
az role assignment create \
--assignee "service-principal-id" \
--role "Reader" \
--scope "/subscriptions/your-subscription-id"
# For comprehensive assessment, consider these roles:
# - Security Reader
# - Reader
# - Security Admin (for remediation)
Configuration File¶
# Create configuration file
mkdir -p ~/.azucar
cat > ~/.azucar/config.toml << 'EOF'
[azure]
tenant_id = "your-tenant-id"
client_id = "your-client-id"
client_secret = "your-client-secret"
subscription_id = "your-subscription-id"
[assessment]
parallel_requests = 10
timeout_seconds = 30
retry_attempts = 3
[output]
format = "json"
include_passed = false
severity_filter = ["high", "medium"]
[rules]
exclude_rules = []
include_only = []
custom_rules_path = "~/.azucar/custom_rules"
EOF
Basic Usage¶
Quick Assessment¶
# Basic security assessment
azucar assess
# Assess specific subscription
azucar assess --subscription "subscription-id"
# Assess with specific tenant
azucar assess --tenant "tenant-id"
# Verbose output
azucar assess --verbose
# Quiet mode (errors only)
azucar assess --quiet
Targeted Assessments¶
# Assess specific resource types
azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"
# Assess specific resource groups
azucar assess --resource-groups "rg-prod,rg-staging"
# Assess specific regions
azucar assess --regions "eastus,westus2"
# Exclude specific resource types
azucar assess --exclude-types "NetworkSecurityGroups"
Rule Management¶
# List available rules
azucar rules list
# Show rule details
azucar rules show --rule-id "AZR-001"
# List rules by category
azucar rules list --category "Storage"
# List rules by severity
azucar rules list --severity "high"
# Export rules to file
azucar rules export --output rules.json
Advanced Assessment¶
Comprehensive Security Scan¶
# Full comprehensive assessment
azucar assess \
--comprehensive \
--include-compliance \
--include-cost-optimization \
--include-performance \
--parallel 20
# Assessment with custom rules
azucar assess \
--custom-rules-path "./custom_rules" \
--include-experimental
# Multi-subscription assessment
azucar assess \
--subscriptions "sub1,sub2,sub3" \
--output-dir "./multi-sub-results"
Compliance Assessments¶
# CIS Azure Foundations Benchmark
azucar assess --compliance cis-azure
# Azure Security Benchmark
azucar assess --compliance azure-security-benchmark
# NIST Cybersecurity Framework
azucar assess --compliance nist-csf
# Custom compliance framework
azucar assess --compliance-config "./custom-compliance.yaml"
# Multiple compliance frameworks
azucar assess --compliance "cis-azure,azure-security-benchmark"
Continuous Assessment¶
# Scheduled assessment script
cat > azure_security_scan.sh << 'EOF'
#!/bin/bash
# Configuration
SUBSCRIPTION_ID="your-subscription-id"
OUTPUT_DIR="/opt/azure-assessments"
DATE=$(date +%Y%m%d_%H%M%S)
REPORT_DIR="$OUTPUT_DIR/$DATE"
# Create output directory
mkdir -p "$REPORT_DIR"
# Run comprehensive assessment
azucar assess \
--subscription "$SUBSCRIPTION_ID" \
--comprehensive \
--output-format "json,html,csv" \
--output-dir "$REPORT_DIR" \
--verbose
# Generate summary report
azucar report generate \
--input "$REPORT_DIR/assessment.json" \
--template "executive-summary" \
--output "$REPORT_DIR/executive-summary.pdf"
# Send alerts for critical findings
azucar report alert \
--input "$REPORT_DIR/assessment.json" \
--severity "critical" \
--webhook "https://your-webhook-url"
echo "Assessment completed: $REPORT_DIR"
EOF
chmod +x azure_security_scan.sh
# Schedule with cron (daily at 2 AM)
echo "0 2 * * * /opt/azure_security_scan.sh"|crontab -
Output and Reporting¶
Output Formats¶
# JSON output (default)
azucar assess --output-format json
# HTML report
azucar assess --output-format html
# CSV export
azucar assess --output-format csv
# XML output
azucar assess --output-format xml
# Multiple formats
azucar assess --output-format "json,html,csv"
# Custom output file
azucar assess --output-file "security-assessment-$(date +%Y%m%d).json"
Report Generation¶
# Generate executive summary
azucar report generate \
--input assessment.json \
--template executive-summary \
--output executive-report.pdf
# Generate technical report
azucar report generate \
--input assessment.json \
--template technical-details \
--output technical-report.html
# Generate compliance report
azucar report generate \
--input assessment.json \
--template compliance-matrix \
--compliance cis-azure \
--output compliance-report.xlsx
# Custom report template
azucar report generate \
--input assessment.json \
--template-file "./custom-template.jinja2" \
--output custom-report.html
Filtering and Analysis¶
# Filter by severity
azucar assess --severity-filter "critical,high"
# Filter by category
azucar assess --category-filter "Security,Compliance"
# Include only failed checks
azucar assess --failed-only
# Include passed checks
azucar assess --include-passed
# Filter by resource tags
azucar assess --tag-filter "Environment=Production"
# Exclude specific resources
azucar assess --exclude-resources "resource-id-1,resource-id-2"
Custom Rules Development¶
Rule Structure¶
# Example custom rule: custom_rules/storage_encryption.yaml
id: "CUSTOM-001"
name: "Storage Account Encryption at Rest"
description: "Ensure storage accounts have encryption at rest enabled"
category: "Storage"
severity: "high"
resource_types:
- "Microsoft.Storage/storageAccounts"
conditions:
- field: "properties.encryption.services.blob.enabled"
operator: "equals"
value: true
- field: "properties.encryption.services.file.enabled"
operator: "equals"
value: true
remediation:
description: "Enable encryption at rest for blob and file services"
steps:
- "Navigate to Storage Account in Azure Portal"
- "Go to Security + networking > Encryption"
- "Enable encryption for Blob and File services"
automation:
azure_cli:|
az storage account update \
--name \\\\{resource_name\\\\} \
--resource-group \\\\{resource_group\\\\} \
--encryption-services blob file
references:
- "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption"
Rule Development¶
# Create custom rule directory
mkdir -p ~/.azucar/custom_rules
# Validate custom rules
azucar rules validate --rules-path "~/.azucar/custom_rules"
# Test custom rule
azucar assess \
--custom-rules-path "~/.azucar/custom_rules" \
--rule-id "CUSTOM-001" \
--dry-run
# Export rule template
azucar rules template --output rule-template.yaml
Advanced Rule Examples¶
```yaml
Network Security Group rule¶
id: "CUSTOM-002" name: "NSG SSH Access Restriction" description: "Ensure NSGs don't allow SSH access from any source" category: "Network" severity: "critical" resource_types: - "Microsoft.Network/networkSecurityGroups"
conditions: - field: "properties.securityRules" operator: "not_contains" value: properties: access: "Allow" direction: "Inbound" destinationPortRange: "22" sourceAddressPrefix: "*"
Key Vault rule¶
id: "CUSTOM-003" name: "Key Vault Soft Delete" description: "Ensure Key Vaults have soft delete enabled" category: "Security" severity: "medium" resource_types: - "Microsoft.KeyVault/vaults"
conditions:
- field: "properties.enableSoftDelete"
operator: "equals"
value: true
- field: "properties.softDeleteRetentionInDays"
operator: "greater_than"
value: 7
## Integrazione e Automazioneyaml
Azure DevOps Pipeline¶
trigger: branches: include: - main - develop
pool: vmImage: 'ubuntu-latest'
variables: AZURE_SUBSCRIPTION_ID: $(subscription-id) AZURE_TENANT_ID: $(tenant-id)
steps: - task: AzureCLI@2 displayName: 'Azure Security Assessment' inputs: azureSubscription: 'azure-service-connection' scriptType: 'bash' scriptLocation: 'inlineScript' inlineScript:| # Install azucar cargo install azucar
# Run security assessment
azucar assess \
--subscription $(AZURE_SUBSCRIPTION_ID) \
--output-format json \
--output-file security-assessment.json \
--severity-filter "critical,high"
# Check for critical findings
CRITICAL_COUNT=$(jq '.findings[]|select(.severity == "critical")|length' security-assessment.json)
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
exit 1
fi
- task: PublishTestResults@2
displayName: 'Publish Security Assessment Results'
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: 'security-assessment.xml'
failTaskOnFailedTests: true
### Integrazione Pipeline CI/CDyaml
.github/workflows/azure-security.yml¶
name: Azure Security Assessment
on: schedule: - cron: '0 2 * * *' # Daily at 2 AM push: branches: [ main ] pull_request: branches: [ main ]
jobs: security-assessment: runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
- name: Install Azure Security Assessment Tool
run: cargo install azucar
- name: Azure Login
uses: azure/login@v1
with:
creds: $\\\\{\\\\{ secrets.AZURE_CREDENTIALS \\\\}\\\\}
- name: Run Security Assessment
run:|
azucar assess \
--subscription $\\\\{\\\\{ secrets.AZURE_SUBSCRIPTION_ID \\\\}\\\\} \
--output-format json \
--output-file assessment.json \
--comprehensive
- name: Generate Report
run:|
azucar report generate \
--input assessment.json \
--template executive-summary \
--output security-report.html
- name: Upload Assessment Results
uses: actions/upload-artifact@v3
with:
name: security-assessment
path:|
assessment.json
security-report.html
- name: Check for Critical Issues
run:|
CRITICAL=$(jq '.findings[]|select(.severity == "critical")|length' assessment.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "::error::Found $CRITICAL critical security issues"
exit 1
fi
### Integrazione GitHub Actionspowershell
Azure Security Assessment PowerShell Module¶
function Invoke-AzureSecurityAssessment \\{ param( [string]\(SubscriptionId, [string]\)ResourceGroup, [string]\(OutputPath = ".\assessment-results", [string[]]\)Severity = @("critical", "high"), [switch]\(Comprehensive, [switch]\)GenerateReport )
# Ensure output directory exists
if (!(Test-Path $OutputPath)) \\\\{
New-Item -ItemType Directory -Path $OutputPath -Force
\\\\}
# Build assessment command
$cmd = "azucar assess"
if ($SubscriptionId) \\\\{
$cmd += " --subscription `"$SubscriptionId`""
\\\\}
if ($ResourceGroup) \\\\{
$cmd += " --resource-groups `"$ResourceGroup`""
\\\\}
if ($Comprehensive) \\\\{
$cmd += " --comprehensive"
\\\\}
if ($Severity) \\\\{
$severityFilter = $Severity -join ","
$cmd += " --severity-filter `"$severityFilter`""
\\\\}
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
$cmd += " --output-file `"$outputFile`""
try \\\\{
Write-Host "[+] Running Azure Security Assessment..."
Invoke-Expression $cmd
if ($GenerateReport) \\\\{
Write-Host "[+] Generating HTML report..."
$reportFile = Join-Path $OutputPath "report_$timestamp.html"
$reportCmd = "azucar report generate --input `"$outputFile`" --template executive-summary --output `"$reportFile`""
Invoke-Expression $reportCmd
\\\\}
# Parse results
$assessment = Get-Content $outputFile|ConvertFrom-Json
$findings = $assessment.findings
$summary = @\\\\{
Total = $findings.Count
Critical = ($findings|Where-Object \\\\{ $_.severity -eq "critical" \\\\}).Count
High = ($findings|Where-Object \\\\{ $_.severity -eq "high" \\\\}).Count
Medium = ($findings|Where-Object \\\\{ $_.severity -eq "medium" \\\\}).Count
Low = ($findings|Where-Object \\\\{ $_.severity -eq "low" \\\\}).Count
\\\\}
Write-Host "[+] Assessment Summary:"
Write-Host " Total Findings: $($summary.Total)"
Write-Host " Critical: $($summary.Critical)"
Write-Host " High: $($summary.High)"
Write-Host " Medium: $($summary.Medium)"
Write-Host " Low: $($summary.Low)"
return @\\\\{
OutputFile = $outputFile
Summary = $summary
Findings = $findings
\\\\}
\\\\} catch \\\\{
Write-Error "[-] Assessment failed: $($_.Exception.Message)"
return $null
\\\\}
\\}
Usage examples¶
$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport
Check for critical issues¶
if ($result.Summary.Critical -gt 0) \\{
Write-Warning "Found \((\)result.Summary.Critical) critical security issues!"
\\}
### Automazione PowerShellbash
Check Azure CLI authentication¶
az account show
Re-authenticate¶
az login --tenant "tenant-id"
Verify service principal permissions¶
az role assignment list --assignee "service-principal-id"
Test API access¶
az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01"
## Risoluzione dei Problemibash
Check required permissions¶
az role definition show --name "Security Reader"
Grant additional permissions¶
az role assignment create \ --assignee "principal-id" \ --role "Reader" \ --scope "/subscriptions/subscription-id"
List current permissions¶
az role assignment list --assignee "principal-id" --output table
### Problemi Comunibash
Reduce parallel requests¶
azucar assess --parallel 5
Increase timeout¶
azucar assess --timeout 60
Assess specific regions only¶
azucar assess --regions "eastus"
Exclude large resource types¶
azucar assess --exclude-types "Microsoft.Compute/virtualMachines"
#### Problemi di Autenticazionebash
Validate custom rules¶
azucar rules validate --rules-path "./custom_rules"
Test specific rule¶
azucar assess --rule-id "AZR-001" --dry-run
Debug rule execution¶
azucar assess --rule-id "AZR-001" --verbose --debug
Export default rules for reference¶
azucar rules export --output default-rules.json
#### Problemi di Autorizzazionebash
Enable debug logging¶
export RUST_LOG=debug azucar assess --verbose
Save logs to file¶
azucar assess --verbose 2>&1|tee assessment.log
Check specific rule execution¶
azucar assess --rule-id "AZR-001" --debug
Validate configuration¶
azucar config validate ```#### Problemi di Prestazioni https://github.com/nccgroup/azucar###
Problemi di Regole¶
https://docs.microsoft.com/en-us/azure/security/##
Debug e Registrazione¶
https://docs.microsoft.com/en-us/azure/security/benchmarks/#
Risorse¶
https://www.cisecurity.org/benchmark/azure- Repository dello Strumento di Valutazione della Sicurezza di Azurehttps://www.rust-lang.org/- Documentazione sulla Sicurezza di Azure