We're excited to tell you about Nuclei Templates release v10.0.0! This new version includes newly added Azure Config Review templates. In this blog post, we'll discuss automating Azure cloud misconfiguration review, creating custom Azure checks, and sharing results on the PDCP Cloud for review.
Following our last release on AWS Cloud Security Config Review and Kubernetes Cluster Security, we decided to expand our coverage to include Azure as well.
Azure is well-known for its powerful features and vast configuration options, which can be challenging to manage. To make securing Azure environments easier, we've written our security checks in a simple YAML format, allowing for easier management and review of configurations.
For those particularly interested in using the Azure Config templates, feel free to skip to the end of the blog post.
Azure Cloud Config Security Review
Often simply referred to as an Azure Security Audit, this process is crucial for assessing the security measures in place within your Azure environments. It involves a detailed review of configurations, policies, and setups to ensure they align with security best practices and compliance requirements.
Some key activities in an Azure Cloud Config Security Review typically include:
- Identity and Access Management Review: This involves verifying that proper roles are assigned and that Multi-Factor Authentication (MFA) is enabled, especially for privileged users.
- Resource Configuration and Management: Checking resource locks and ensuring that logging of resource deletions and updates is enabled so that critical changes can be traced.
- Network Security Configuration: This includes ensuring that network security groups (NSGs) are properly set up to restrict unnecessary external access and internal traffic to minimize the risk of breaches.
- Compliance and Regulatory Adherence: Verifying that all Azure services comply with industry-specific regulations, such as HIPAA for healthcare or PCI DSS for payment processing industries.
- Security Best Practices and Policies: Ensuring that security controls like encryption for storage accounts and databases are enforced, and that only secure protocols are used for communication.
We realize that reviewing Azure cloud configurations can feel overwhelmingly complex, often more challenging than it needs to be. That’s why we’ve chosen to streamline the process by creating security checks for Azure using the straightforward YAML format used by Nuclei. These templates perform all essential checks, encompassing configurations, logging, compliance, and best practices. By leveraging these templates, we can effortlessly produce a comprehensive report on our cloud platform, detailed with remediation steps. This simplified approach makes the review process much smoother for both companies and penetration testers.
Before we launch into the scanning process, let's discuss the Azure config review nuclei-templates. These have been crafted using the code protocol to enable a thorough review of Azure cloud configurations.
What are Code Protocol Templates?
Nuclei empowers users to execute external code on the host operating system, granting security researchers, pentesters, and developers the flexibility to expand its capabilities beyond standard protocol-based testing. This functionality enables interaction with the underlying OS, facilitating the execution of custom scripts or commands for a diverse array of tasks including system configurations, file operations, and network interactions. Such control and adaptability empower users to customize their security testing workflows to meet precise needs. Explore the Code protocol templates in our documentation for more details.
Because code templates can execute commands on hosts, users must first sign the templates using their own keys, and these templates are not included in default scans. To use them, sign them with the `-sign` flag. After signing, you can run the templates by passing the `-code` flag.
In the example below, you'll notice that we can easily run an `az` command directly from the template. However, unlike other templates that execute against target hosts, this one runs the command on our own host.
```yaml
id: azure-env

info:
  name: Azure Environment Validation
  author: princechaddha
  severity: info
  description: |
    Checks if Azure CLI is set up and all necessary tools are installed on the environment.
  reference:
    - https://portal.azure.com/
  metadata:
    max-request: 2
  tags: cloud,devops,microsoft,azure,azure-cloud-config

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az account show

    matchers:
      - type: word
        words:
          - '"homeTenantId":'

    extractors:
      - type: json
        name: environmentname
        json:
          - '.environmentName'
        internal: true

      - type: dsl
        dsl:
          - '"Azure CLI is properly configured for environment \"" + environmentname + "\"."'
```
Example #1:
In this example, we will create a template that identifies privileged Azure users who do not have Multi-Factor Authentication (MFA) enabled, a common oversight that can lead to security breaches.
- We've set `self-contained: true` because this Nuclei template operates independently of any specific host, using the local Azure CLI configuration to fetch and analyze user data.
- The first code block starts by specifying the engine we wish to use for executing the command, followed by the command itself in the `source` section. This block includes an extractor that extracts the list of user principal names and stores them in the `userList` array.
- After defining the initial code block, we introduce a flow, a recently added feature that controls the execution sequence of the template. First, `code(1)` runs to fetch the user data. The flow then iterates over each user in `userList` with a for loop, sets the current user as `userPrincipalName`, and executes the second code block.
- The second code block runs the Azure CLI command `az role assignment list --include-classic-administrators true --assignee "$userPrincipalName" --query '[].{roleDefinitionName:roleDefinitionName}' --output json`. This lists the user's role assignments so we can see whether roles like Owner, Contributor, or Administrator are assigned to them.
- Using matchers, we check whether the returned role definitions include any of the specified roles, indicating privileged access.
- Finally, the last extractor outputs the user names of those privileged users who do not have MFA enabled, providing critical information for remediation. Note that the two commands shown enumerate users and their role assignments; they do not themselves query each user's MFA registration status, so treat the output as the list of privileged accounts whose MFA status must be verified.
```yaml
id: azure-mfa-not-enabled-privileged-users

info:
  name: Azure MFA Not Enabled for All Privileged Users
  author: princechaddha
  severity: high
  description: |
    Ensure that Multi-Factor Authentication (MFA) is enabled for all user credentials that have write access to the cloud resources within your Microsoft Azure account. Multi-Factor Authentication is a simple, yet efficient method of verifying your Azure user identity by requiring an authentication code generated by a virtual or hardware device, also known as passcode, used in addition to your usual access credentials such as user name and password.
  impact: |
    Without MFA enabled for privileged users, there is an increased risk of unauthorized access which can lead to potential breaches and significant impact on cloud resources and data security.
  remediation: |
    Configure Multi-Factor Authentication for all privileged Azure user accounts to enhance security measures and prevent unauthorized access.
  reference:
    - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks
  tags: cloud,devops,azure,microsoft,multi-factor-authentication,azure-cloud-config

flow: |
  code(1)
  for (let User of iterate(template.userList)) {
    set("userPrincipalName", User)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az ad user list --query '[].{userPrincipalName:userPrincipalName}' --output json

    extractors:
      - type: json
        name: userList
        internal: true
        json:
          - '.[].userPrincipalName'

  - engine:
      - sh
      - bash
    source: |
      az role assignment list --include-classic-administrators true --assignee "$userPrincipalName" --query '[].{roleDefinitionName:roleDefinitionName}' --output json

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Owner'
          - 'Contributor'
          - 'Administrator'

    extractors:
      - type: dsl
        dsl:
          # userPrincipalName is the flow variable; it must sit outside the quoted literal
          - 'userPrincipalName + " is a privileged user without MFA enabled"'
```
Example #2:
This template checks Azure Key Vaults to identify SSL certificates that are missing auto-renewal, helping prevent outages and security risks from expired certificates.
```yaml
id: azure-keyvault-ssl-autorenewal-missing

info:
  name: Missing SSL Certificate Auto-Renewal in Azure Key Vaults
  author: princechaddha
  severity: high
  description: |
    Microsoft Azure Key Vault service can renew your SSL certificates automatically to prevent application or service outages, credential leaks, or process violations that can disrupt your business. Ensure that your SSL certificates in Azure Key Vaults are set to auto-renew.
  impact: |
    Not enabling auto-renewal for SSL certificates can lead to expired certificates, potentially causing outages and security risks.
  remediation: |
    Configure SSL certificates in Azure Key Vaults to automatically renew by setting the correct policies in the Azure portal or through Azure CLI.
  reference:
    - https://docs.microsoft.com/en-us/azure/key-vault/certificates/how-to-renew-certificate
  tags: cloud,devops,azure,microsoft,keyvault,azure-cloud-config

flow: |
  code(1);
  for (let KeyVaultName of iterate(template.keyVaultNames)) {
    set("vaultName", KeyVaultName)
    code(2);
    for (let CertificateId of iterate(template.certificateIds)) {
      set("certificateId", CertificateId)
      code(3)
    }
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az keyvault list --query '[*].name' --output json

    extractors:
      - type: json
        name: keyVaultNames
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az keyvault certificate list --vault-name $vaultName --query '[?(attributes.enabled==`true`)].id' --output json

    extractors:
      - type: json
        name: certificateIds
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az keyvault certificate show --id $certificateId --query 'policy.lifetimeActions[*].action.actionType' --output json

    matchers:
      - type: word
        words:
          - '"EmailContacts"'

    extractors:
      - type: dsl
        dsl:
          - 'vaultName + " SSL certificate " + certificateId + " does not have auto-renewal enabled"'
```
Example #3:
This template checks if remote debugging is enabled for Azure App Service web applications, which poses a security risk by potentially exposing the application to unauthorized access.
```yaml
id: azure-appservice-remote-debugging-enabled

info:
  name: Azure App Service Remote Debugging Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that your Azure App Services web applications have remote debugging disabled in order to enhance security and protect the applications from unauthorized access. Remote Debugging feature is available for web applications (e.g. ASP.NET, ASP.NET Core, Node.js, Python).
  impact: |
    Enabling remote debugging can expose web applications to unauthorized access and potential security vulnerabilities.
  remediation: |
    Disable remote debugging for Azure App Services web applications through the Azure portal or using Azure CLI commands to enhance application security.
  reference:
    - https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-remote-debug
  tags: cloud,devops,azure,microsoft,appservice,azure-cloud-config

flow: |
  code(1);
  for (let WebAppData of iterate(template.webAppList)) {
    set("ids", WebAppData);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az webapp list --query '[*].{id:id}' --output json

    extractors:
      - type: json
        name: webAppList
        internal: true
        json:
          - '.[].[]'

  - engine:
      - sh
      - bash
    source: |
      az webapp config show --ids $ids --query 'remoteDebuggingEnabled' --output json

    matchers:
      - type: word
        words:
          - "true"

    extractors:
      - type: dsl
        dsl:
          # "ids" is the variable the flow sets for the current web app
          - 'ids + " has remote debugging enabled."'
```
Check out all the other Azure templates by visiting the Nuclei Templates GitHub repository.
Custom Templates for Specific Use Cases
Custom Azure security checks allow security teams, pentesters, and DevOps professionals to address unique security concerns and operational practices within their Azure environments. Here are a few scenarios where creating custom Azure Nuclei templates might be particularly beneficial:
- Custom Resource Checks: For organizations that use specialized resources in Azure, custom templates can ensure these resources adhere to security best practices. For example, a template might check if certain Azure Function Apps have proper diagnostic settings enabled or if Azure App Services have remote debugging disabled.
- Specific Compliance Audits: Different industries have specific regulatory requirements. Custom templates can help enforce compliance through continuous monitoring. For instance, a template could verify that all Azure SQL databases have Transparent Data Encryption (TDE) enabled to comply with industry security standards.
- Service-Specific Policies: Azure services like Azure Kubernetes Service (AKS) or Azure Virtual Machines may have unique security policies based on their roles and exposure. Custom templates can help ensure that each service adheres to its specific security policies, such as enforcing disk encryption on all VMs or checking that AKS clusters use the latest Kubernetes version.
- Integration with CI/CD Pipelines: Custom templates can be integrated into CI/CD pipelines to automatically check for security issues before new deployments are rolled out. For example, a template might scan new Azure Resource Manager (ARM) templates for misconfigurations or check that new services are deployed with the necessary security controls in place.
- Advanced Network Security Testing: While basic checks for network security are vital, custom templates can perform more sophisticated testing to ensure that the implemented network controls effectively protect different parts of the Azure environment. This might involve detailed checks on Network Security Groups (NSGs) or ensuring that all public-facing endpoints are protected by Azure Firewalls.
- Performance and Resource Optimization: Beyond security, custom templates can also help optimize the performance and resource usage of Azure services. For instance, a template might identify over-provisioned resources or services not using Azure Advisor recommendations effectively.
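As an added example of such a custom check (not one of the templates shipped in nuclei-templates), the template below follows the same code-protocol and flow pattern as the examples above to flag storage accounts that still accept plaintext HTTP, one of the "only secure protocols" checks mentioned earlier. It assumes the Azure CLI exposes the account's secure-transfer setting as the `enableHttpsTrafficOnly` property and that the signed-in account can list storage accounts; the author field is a placeholder.

```yaml
# Added example template; not part of the nuclei-templates repository.
id: azure-storage-secure-transfer-disabled

info:
  name: Azure Storage Account Allows Insecure (HTTP) Transfer
  author: example-author   # placeholder, not a real nuclei-templates author
  severity: high
  description: |
    Flags storage accounts where "Secure transfer required" is off, so blob, file,
    queue and table endpoints can be reached over plaintext HTTP.
  remediation: |
    Require secure transfer on the account:
    az storage account update --ids <account-resource-id> --https-only true
  tags: cloud,devops,azure,microsoft,storage,azure-cloud-config

# Step 1 collects every storage account resource ID in the active subscription;
# the loop then runs step 2 once per account with "accountId" set for that run.
flow: |
  code(1);
  for (let AccountId of iterate(template.storageAccountIds)) {
    set("accountId", AccountId);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[].id' --output json

    extractors:
      - type: json
        name: storageAccountIds
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    # Assumed property name: enableHttpsTrafficOnly (prints true or false)
    source: |
      az storage account show --ids "$accountId" --query 'enableHttpsTrafficOnly' --output json

    matchers:
      - type: word
        words:
          - "false"

    extractors:
      - type: dsl
        dsl:
          - 'accountId + " allows HTTP: secure transfer required is off"'
```

Like the shipped templates, this one has to be signed with `-sign` and run with `-code`; `az account set --subscription <subscription-id>` selects which subscription step 1 enumerates.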
Running Azure Security Templates
To use these templates, ensure your environment is set up correctly. You need to install the Azure CLI, log in, and make sure the signed-in account has the access permissions the checks require.
In Nuclei-Templates, we've introduced the concept of profiles, which allow users to run a specific set of templates tailored for a particular use case. For Azure Cloud Config security reviews, we have a profile named `azure-cloud-config`.
Once the environment is configured, run the following command to confirm everything is set up correctly before running the profile:
```text
pwnmachine@PD azure % nuclei -id azure-env -code

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.2

		projectdiscovery.io

[INF] Current nuclei version: v3.3.2 (latest)
[INF] Current nuclei-templates version: v9.10.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 59
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from triage
[azure-env] [code] [info] ["Azure CLI is properly configured for environment "AzureCloud"."]
```
If the template matches, the environment has the necessary tools installed and the Azure CLI is logged in.
Users with multiple subscriptions can also select the subscription they want to scan before running the templates:
```shell
az account set --subscription <subscription-id>
```
Uploading Results to ProjectDiscovery Cloud Platform
To upload results to the cloud, you need to obtain an authentication token. Here are the steps to follow:
- Go to PDCP Cloud and log in to your account.
- Click on your profile picture in the top-right corner and select API key.
- Copy your API key and, in your terminal, run `nuclei -auth <your-api-key>`.
Now you're all set to run the templates!
```shell
nuclei -profile azure-cloud-config -cloud-upload
```
Now that we have a lot of findings, it would be very convenient to view these on the Cloud. Simply log into PDCP Cloud, and you will find a scan created with the results.
We have added 192 templates categorized by service. We invite the community to share their feedback. We anticipate this number will grow as the security community continues to contribute and collaborate.
Conclusion
The Nuclei templates for Azure provide considerable flexibility, enabling users to craft checks that cater to their specific workflow and environment. This approach not only helps in identifying and resolving security misconfigurations but also facilitates ongoing monitoring of the overall Azure environment.
You can also join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you, once again!
By leveraging Nuclei and actively engaging with the open-source community, or by becoming a part of the ProjectDiscovery Cloud Platform, companies can enhance their security measures, proactively address emerging threats, and establish a more secure digital landscape. Security represents a shared endeavor, and by collaborating, we can consistently adapt and confront the ever-evolving challenges posed by cyber threats.