Folha de Dicas da Ferramenta de Avaliação de Segurança do Azure
Visão Geral
Azure Security Assessment Tool é um scanner de segurança abrangente baseado em Rust, projetado para avaliar ambientes Azure com mais de 200 regras de segurança. Esta ferramenta fornece avaliações de segurança automatizadas, verificação de conformidade e identificação de vulnerabilidades em assinaturas do Azure. Ela oferece relatórios detalhados e orientações de remediação para ajudar as organizações a melhorar sua postura de segurança no Azure.
⚠️ Aviso: Use o Azure Security Assessment Tool apenas em ambientes que você possui ou tem permissão explícita para testar. O uso não autorizado pode violar termos de serviço ou leis locais.
Instalação
Pré-requisitos
# Install Rust and Cargo
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs|sh
source ~/.cargo/env
# Verify Rust installation
rustc --version
cargo --version
# Install Git
sudo apt update
sudo apt install git
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb|sudo bashInstalar a partir do Código-fonte
# Clone the repository
git clone https://github.com/nccgroup/azucar.git
cd azucar
# Build the project
cargo build --release
# The binary will be available at target/release/azucar
./target/release/azucar --version
# Install globally (optional)
cargo install --path .Instalar a partir do Cargo
# Install directly from crates.io
cargo install azucar
# Verify installation
azucar --version
# Update to latest version
cargo install azucar --forceInstalação com Docker
# Pull Docker image
docker pull nccgroup/azucar:latest
# Run with Docker
docker run --rm -it nccgroup/azucar:latest --help
# Create alias for easier usage
echo 'alias azucar="docker run --rm -it -v ~/.azure:/root/.azure nccgroup/azucar:latest"' >> ~/.bashrc
source ~/.bashrcConfiguração
Autenticação do Azure
# Login to Azure CLI
az login
# List available subscriptions
az account list --output table
# Set specific subscription
az account set --subscription "subscription-id"
# Verify current context
az account show
# Login with service principal
az login --service-principal \
--username "app-id" \
--password "password" \
--tenant "tenant-id"Configuração de Service Principal
# Create service principal for assessment
az ad sp create-for-rbac \
--name "AzureSecurityAssessment" \
--role "Security Reader" \
--scopes "/subscriptions/your-subscription-id"
# Grant additional permissions if needed
az role assignment create \
--assignee "service-principal-id" \
--role "Reader" \
--scope "/subscriptions/your-subscription-id"
# For comprehensive assessment, consider these roles:
# - Security Reader
# - Reader
# - Security Admin (for remediation)Arquivo de Configuração
# Create configuration file
mkdir -p ~/.azucar
cat > ~/.azucar/config.toml << 'EOF'
[azure]
tenant_id = "your-tenant-id"
client_id = "your-client-id"
client_secret = "your-client-secret"
subscription_id = "your-subscription-id"
[assessment]
parallel_requests = 10
timeout_seconds = 30
retry_attempts = 3
[output]
format = "json"
include_passed = false
severity_filter = ["high", "medium"]
[rules]
exclude_rules = []
include_only = []
custom_rules_path = "~/.azucar/custom_rules"
EOFUso Básico
Avaliação Rápida
# Basic security assessment
azucar assess
# Assess specific subscription
azucar assess --subscription "subscription-id"
# Assess with specific tenant
azucar assess --tenant "tenant-id"
# Verbose output
azucar assess --verbose
# Quiet mode (errors only)
azucar assess --quietAvaliações Direcionadas
# Assess specific resource types
azucar assess --resource-types "VirtualMachines,StorageAccounts,KeyVaults"
# Assess specific resource groups
azucar assess --resource-groups "rg-prod,rg-staging"
# Assess specific regions
azucar assess --regions "eastus,westus2"
# Exclude specific resource types
azucar assess --exclude-types "NetworkSecurityGroups"Gerenciamento de Regras
# List available rules
azucar rules list
# Show rule details
azucar rules show --rule-id "AZR-001"
# List rules by category
azucar rules list --category "Storage"
# List rules by severity
azucar rules list --severity "high"
# Export rules to file
azucar rules export --output rules.jsonAvaliação Avançada
Varredura Abrangente de Segurança
# Full comprehensive assessment
azucar assess \
--comprehensive \
--include-compliance \
--include-cost-optimization \
--include-performance \
--parallel 20
# Assessment with custom rules
azucar assess \
--custom-rules-path "./custom_rules" \
--include-experimental
# Multi-subscription assessment
azucar assess \
--subscriptions "sub1,sub2,sub3" \
--output-dir "./multi-sub-results"Avaliações de Conformidade
# CIS Azure Foundations Benchmark
azucar assess --compliance cis-azure
# Azure Security Benchmark
azucar assess --compliance azure-security-benchmark
# NIST Cybersecurity Framework
azucar assess --compliance nist-csf
# Custom compliance framework
azucar assess --compliance-config "./custom-compliance.yaml"
# Multiple compliance frameworks
azucar assess --compliance "cis-azure,azure-security-benchmark"Avaliação Contínua
# Scheduled assessment script
cat > azure_security_scan.sh << 'EOF'
#!/bin/bash
# Configuration
SUBSCRIPTION_ID="your-subscription-id"
OUTPUT_DIR="/opt/azure-assessments"
DATE=$(date +%Y%m%d_%H%M%S)
REPORT_DIR="$OUTPUT_DIR/$DATE"
# Create output directory
mkdir -p "$REPORT_DIR"
# Run comprehensive assessment
azucar assess \
--subscription "$SUBSCRIPTION_ID" \
--comprehensive \
--output-format "json,html,csv" \
--output-dir "$REPORT_DIR" \
--verbose
# Generate summary report
azucar report generate \
--input "$REPORT_DIR/assessment.json" \
--template "executive-summary" \
--output "$REPORT_DIR/executive-summary.pdf"
# Send alerts for critical findings
azucar report alert \
--input "$REPORT_DIR/assessment.json" \
--severity "critical" \
--webhook "https://your-webhook-url"
echo "Assessment completed: $REPORT_DIR"
EOF
chmod +x azure_security_scan.sh
# Schedule with cron (daily at 2 AM)
echo "0 2 * * * /opt/azure_security_scan.sh"|crontab -Saída e Relatórios
Formatos de Saída
# JSON output (default)
azucar assess --output-format json
# HTML report
azucar assess --output-format html
# CSV export
azucar assess --output-format csv
# XML output
azucar assess --output-format xml
# Multiple formats
azucar assess --output-format "json,html,csv"
# Custom output file
azucar assess --output-file "security-assessment-$(date +%Y%m%d).json"Geração de Relatórios
# Generate executive summary
azucar report generate \
--input assessment.json \
--template executive-summary \
--output executive-report.pdf
# Generate technical report
azucar report generate \
--input assessment.json \
--template technical-details \
--output technical-report.html
# Generate compliance report
azucar report generate \
--input assessment.json \
--template compliance-matrix \
--compliance cis-azure \
--output compliance-report.xlsx
# Custom report template
azucar report generate \
--input assessment.json \
--template-file "./custom-template.jinja2" \
--output custom-report.htmlFiltragem e Análise
# Filter by severity
azucar assess --severity-filter "critical,high"
# Filter by category
azucar assess --category-filter "Security,Compliance"
# Include only failed checks
azucar assess --failed-only
# Include passed checks
azucar assess --include-passed
# Filter by resource tags
azucar assess --tag-filter "Environment=Production"
# Exclude specific resources
azucar assess --exclude-resources "resource-id-1,resource-id-2"Desenvolvimento de Regras Personalizadas
Estrutura de Regras
# Example custom rule: custom_rules/storage_encryption.yaml
id: "CUSTOM-001"
name: "Storage Account Encryption at Rest"
description: "Ensure storage accounts have encryption at rest enabled"
category: "Storage"
severity: "high"
resource_types:
- "Microsoft.Storage/storageAccounts"
conditions:
- field: "properties.encryption.services.blob.enabled"
operator: "equals"
value: true
- field: "properties.encryption.services.file.enabled"
operator: "equals"
value: true
remediation:
description: "Enable encryption at rest for blob and file services"
steps:
- "Navigate to Storage Account in Azure Portal"
- "Go to Security + networking > Encryption"
- "Enable encryption for Blob and File services"
automation:
azure_cli:|
az storage account update \
--name \\\\{resource_name\\\\} \
--resource-group \\\\{resource_group\\\\} \
--encryption-services blob file
references:
- "https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption"Desenvolvimento de Regras
# Create custom rule directory
mkdir -p ~/.azucar/custom_rules
# Validate custom rules
azucar rules validate --rules-path "~/.azucar/custom_rules"
# Test custom rule
azucar assess \
--custom-rules-path "~/.azucar/custom_rules" \
--rule-id "CUSTOM-001" \
--dry-run
# Export rule template
azucar rules template --output rule-template.yamlExemplos Avançados de Regras
Would you like me to continue with the remaining sections?```yaml
Network Security Group rule
id: “CUSTOM-002” name: “NSG SSH Access Restriction” description: “Ensure NSGs don’t allow SSH access from any source” category: “Network” severity: “critical” resource_types:
- “Microsoft.Network/networkSecurityGroups”
conditions:
- field: “properties.securityRules” operator: “not_contains” value: properties: access: “Allow” direction: “Inbound” destinationPortRange: “22” sourceAddressPrefix: ”*“
Key Vault rule
id: “CUSTOM-003” name: “Key Vault Soft Delete” description: “Ensure Key Vaults have soft delete enabled” category: “Security” severity: “medium” resource_types:
- “Microsoft.KeyVault/vaults”
conditions:
- field: “properties.enableSoftDelete” operator: “equals” value: true
- field: “properties.softDeleteRetentionInDays” operator: “greater_than” value: 7
```yaml
# Azure DevOps Pipeline
trigger:
branches:
include:
- main
- develop
pool:
vmImage: 'ubuntu-latest'
variables:
AZURE_SUBSCRIPTION_ID: $(subscription-id)
AZURE_TENANT_ID: $(tenant-id)
steps:
- task: AzureCLI@2
displayName: 'Azure Security Assessment'
inputs:
azureSubscription: 'azure-service-connection'
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript:|
# Install azucar
cargo install azucar
# Run security assessment
azucar assess \
--subscription $(AZURE_SUBSCRIPTION_ID) \
--output-format json \
--output-file security-assessment.json \
--severity-filter "critical,high"
# Check for critical findings
CRITICAL_COUNT=$(jq '.findings[]|select(.severity == "critical")|length' security-assessment.json)
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "##vso[task.logissue type=error]Found $CRITICAL_COUNT critical security issues"
exit 1
fi
- task: PublishTestResults@2
displayName: 'Publish Security Assessment Results'
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: 'security-assessment.xml'
failTaskOnFailedTests: true
```### Integração de Pipeline CI/CD
```yaml
# .github/workflows/azure-security.yml
name: Azure Security Assessment
on:
schedule:
- cron: '0 2 * * *' # Daily at 2 AM
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
security-assessment:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
- name: Install Azure Security Assessment Tool
run: cargo install azucar
- name: Azure Login
uses: azure/login@v1
with:
creds: $\\\\{\\\\{ secrets.AZURE_CREDENTIALS \\\\}\\\\}
- name: Run Security Assessment
run:|
azucar assess \
--subscription $\\\\{\\\\{ secrets.AZURE_SUBSCRIPTION_ID \\\\}\\\\} \
--output-format json \
--output-file assessment.json \
--comprehensive
- name: Generate Report
run:|
azucar report generate \
--input assessment.json \
--template executive-summary \
--output security-report.html
- name: Upload Assessment Results
uses: actions/upload-artifact@v3
with:
name: security-assessment
path:|
assessment.json
security-report.html
- name: Check for Critical Issues
run:|
CRITICAL=$(jq '.findings[]|select(.severity == "critical")|length' assessment.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "::error::Found $CRITICAL critical security issues"
exit 1
fi
```### Integração do GitHub Actions
```powershell
# Azure Security Assessment PowerShell Module
function Invoke-AzureSecurityAssessment \\\\{
param(
[string]$SubscriptionId,
[string]$ResourceGroup,
[string]$OutputPath = ".\assessment-results",
[string[]]$Severity = @("critical", "high"),
[switch]$Comprehensive,
[switch]$GenerateReport
)
# Ensure output directory exists
if (!(Test-Path $OutputPath)) \\\\{
New-Item -ItemType Directory -Path $OutputPath -Force
\\\\}
# Build assessment command
$cmd = "azucar assess"
if ($SubscriptionId) \\\\{
$cmd += " --subscription `"$SubscriptionId`""
\\\\}
if ($ResourceGroup) \\\\{
$cmd += " --resource-groups `"$ResourceGroup`""
\\\\}
if ($Comprehensive) \\\\{
$cmd += " --comprehensive"
\\\\}
if ($Severity) \\\\{
$severityFilter = $Severity -join ","
$cmd += " --severity-filter `"$severityFilter`""
\\\\}
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "assessment_$timestamp.json"
$cmd += " --output-file `"$outputFile`""
try \\\\{
Write-Host "[+] Running Azure Security Assessment..."
Invoke-Expression $cmd
if ($GenerateReport) \\\\{
Write-Host "[+] Generating HTML report..."
$reportFile = Join-Path $OutputPath "report_$timestamp.html"
$reportCmd = "azucar report generate --input `"$outputFile`" --template executive-summary --output `"$reportFile`""
Invoke-Expression $reportCmd
\\\\}
# Parse results
$assessment = Get-Content $outputFile|ConvertFrom-Json
$findings = $assessment.findings
$summary = @\\\\{
Total = $findings.Count
Critical = ($findings|Where-Object \\\\{ $_.severity -eq "critical" \\\\}).Count
High = ($findings|Where-Object \\\\{ $_.severity -eq "high" \\\\}).Count
Medium = ($findings|Where-Object \\\\{ $_.severity -eq "medium" \\\\}).Count
Low = ($findings|Where-Object \\\\{ $_.severity -eq "low" \\\\}).Count
\\\\}
Write-Host "[+] Assessment Summary:"
Write-Host " Total Findings: $($summary.Total)"
Write-Host " Critical: $($summary.Critical)"
Write-Host " High: $($summary.High)"
Write-Host " Medium: $($summary.Medium)"
Write-Host " Low: $($summary.Low)"
return @\\\\{
OutputFile = $outputFile
Summary = $summary
Findings = $findings
\\\\}
\\\\} catch \\\\{
Write-Error "[-] Assessment failed: $($_.Exception.Message)"
return $null
\\\\}
\\\\}
# Usage examples
$result = Invoke-AzureSecurityAssessment -SubscriptionId "your-sub-id" -Comprehensive -GenerateReport
# Check for critical issues
if ($result.Summary.Critical -gt 0) \\\\{
Write-Warning "Found $($result.Summary.Critical) critical security issues!"
\\\\}
```### Automação do PowerShell
```bash
# Check Azure CLI authentication
az account show
# Re-authenticate
az login --tenant "tenant-id"
# Verify service principal permissions
az role assignment list --assignee "service-principal-id"
# Test API access
az rest --method get --url "https://management.azure.com/subscriptions/your-sub-id/resources?api-version=2021-04-01"
```## Resolução de Problemas
```bash
# Check required permissions
az role definition show --name "Security Reader"
# Grant additional permissions
az role assignment create \
--assignee "principal-id" \
--role "Reader" \
--scope "/subscriptions/subscription-id"
# List current permissions
az role assignment list --assignee "principal-id" --output table
```### Problemas Comuns
```bash
# Reduce parallel requests
azucar assess --parallel 5
# Increase timeout
azucar assess --timeout 60
# Assess specific regions only
azucar assess --regions "eastus"
# Exclude large resource types
azucar assess --exclude-types "Microsoft.Compute/virtualMachines"
```#### Problemas de Autenticação
```bash
# Validate custom rules
azucar rules validate --rules-path "./custom_rules"
# Test specific rule
azucar assess --rule-id "AZR-001" --dry-run
# Debug rule execution
azucar assess --rule-id "AZR-001" --verbose --debug
# Export default rules for reference
azucar rules export --output default-rules.json
```#### Problemas de Permissão
```bash
# Enable debug logging
export RUST_LOG=debug
azucar assess --verbose
# Save logs to file
azucar assess --verbose 2>&1|tee assessment.log
# Check specific rule execution
azucar assess --rule-id "AZR-001" --debug
# Validate configuration
azucar config validate
```#### Problemas de Desempenho
https://github.com/nccgroup/azucar###
# Problemas de Regras
https://docs.microsoft.com/en-us/azure/security/##
# Depuração e Registro de Logs
https://docs.microsoft.com/en-us/azure/security/benchmarks/#
# Recursos
https://www.cisecurity.org/benchmark/azure- [Repositório da Ferramenta de Avaliação de Segurança do Azure](https://docs.microsoft.com/en-us/azure/role-based-access-control/)https://www.rust-lang.org/- [Documentação de Segurança do Azure](https://docs.microsoft.com/en-us/rest/api/azure/)