{"id":756,"date":"2023-08-24T23:30:45","date_gmt":"2023-08-24T22:30:45","guid":{"rendered":"https:\/\/www.seven-stones.biz\/blog\/?p=756"},"modified":"2023-12-18T01:37:53","modified_gmt":"2023-12-18T01:37:53","slug":"bash-cli-scripts-for-cis-benchmarks-for-azure","status":"publish","type":"post","link":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/","title":{"rendered":"BASH cli Scripts for CIS Benchmarks for Azure"},"content":{"rendered":"\n<p>Like the catchy title? <\/p>\n\n\n\n<p>Anyway &#8211; here&#8217;s a few cheeky scripts for testing a handful (for now) of aspects of the CIS Benchmarks 2.0 for Azure. You have to populate the subscriptions.txt file for each. <\/p>\n\n\n\n<p class=\"wp-block-heading\" style=\"background-color:#303030;font-size:25px;margin-top:25px\"><a href=\"https:\/\/github.com\/SevenStones\/azure-CIS-cli-script\" target=\"_blank\" rel=\"noreferrer noopener\">Go To Github<\/a><\/p>\n\n\n\n<p>Each subdirectory under the repository root corresponds to a CIS Benchmark reference for Azure 2.0:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1.4, 1.5 &#8211; Review Guest Users &#8211; the script lists the Guest users configured in Entra<\/li>\n\n\n\n<li>1.23 &#8211; Ensure That No Custom Subscription Administrator Roles Exist<\/li>\n\n\n\n<li>3.1 &#8211; Ensure that &#8216;Secure transfer required&#8217; is set to &#8216;Enabled&#8217; [Storage Accounts]<\/li>\n\n\n\n<li>3.2 &#8211; Ensure that \u2018Enable Infrastructure Encryption\u2019 for Each Storage Account in Azure Storage is Set to \u2018enabled\u2019<\/li>\n\n\n\n<li>3.7 &#8211; Ensure that &#8216;Public access level&#8217; is disabled for storage accounts with blob containers<\/li>\n\n\n\n<li>3.10 &#8211; Ensure Private Endpoints are used to access Storage Accounts<\/li>\n\n\n\n<li>3.11 &#8211; Ensure Soft Delete is Enabled for Azure Containers and Blob Storage<\/li>\n\n\n\n<li>3.12 &#8211; Ensure Storage for Critical Data are Encrypted with 
Customer Managed Keys<\/li>\n\n\n\n<li>3.15 &#8211; Ensure the &#8220;Minimum TLS version&#8221; for storage accounts is set to &#8220;Version 1.2&#8221;<\/li>\n\n\n\n<li>5.1.3 &#8211; Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible<\/li>\n\n\n\n<li>5.1.6 &#8211; Ensure that Network Security Group Flow logs are captured and sent to Log Analytics<\/li>\n\n\n\n<li>6.5 &#8211; Ensure that Network Security Group Flow Log retention period is &#8216;greater than 90 days&#8217;<\/li>\n\n\n\n<li>6.7 &#8211; Ensure that Public IP addresses are Evaluated on a Periodic Basis (lists the addresses)<\/li>\n\n\n\n<li>7.4 &#8211; Ensure that &#8216;Unattached disks&#8217; are encrypted with &#8216;Customer Managed Key&#8217; (CMK) (lists unattached disks)<\/li>\n\n\n\n<li>8.2 &#8211; Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults (usually all key vaults will be RBAC enabled, making this control non-applicable. One script lists the RBAC and non-RBAC Key Vaults, then there&#8217;s an&nbsp;<strong>untested<\/strong>&nbsp;script for listing the non-expiring keys)<\/li>\n\n\n\n<li>8.3 &#8211; Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults. The script is untested because of a lack of access to a test key vault(s).<\/li>\n\n\n\n<li>8.4 &#8211; Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (usually all key vaults will be RBAC enabled, making this control non-applicable. One script lists the RBAC and non-RBAC Key Vaults, then there&#8217;s an&nbsp;<strong>untested<\/strong>&nbsp;script for listing the non-expiring secrets)<\/li>\n\n\n\n<li>10.1 &#8211; Ensure that Resource Locks are set for Mission-Critical Azure Resources<\/li>\n<\/ul>\n\n\n\n<p>Some of the cli scripts offered by CIS in their Azure benchmark don&#8217;t work &#8211; Azure changes faster than the benchmarks after all. 
The above were tried and tested in a real live environment (no, those are not the subscription IDs listed in the subscriptions.txt files!!). 5.1.6 is an example: the &#8216;nsg&#8217; parameter was made obsolete. Technically the script will run with a warning if the &#8216;nsg&#8217; parameter is used, but anyway I have done as suggested and used the &#8216;--location and --name combination&#8217; in the <strong>az network watcher<\/strong> command instead. <\/p>\n\n\n\n<p>There will be more to come! Watch this space. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Like the catchy title? Anyway &#8211; here&#8217;s a few cheeky scripts for testing a handful (for now) of aspects of the CIS Benchmarks 2.0 for Azure. You have to populate the subscriptions.txt file for each. 
Go To Github Each subdirectory &hellip; <a href=\"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58,26,65,50,169],"tags":[240,242,86,241,243,244,60,79],"class_list":["post-756","post","type-post","status-publish","format-standard","hentry","category-accreditation","category-blog","category-cis-benchmarks","category-cloud","category-devops-and-security","tag-azure","tag-bash","tag-cis-benchmarks","tag-cli","tag-github","tag-pci-dss","tag-security-accreditation","tag-vulnerability-assessment"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BASH cli Scripts for CIS Benchmarks for Azure - Security Macromorphosis<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BASH cli Scripts for CIS Benchmarks for Azure - Security Macromorphosis\" \/>\n<meta property=\"og:description\" content=\"Like the catchy title? Anyway &#8211; here&#8217;s a few cheeky scripts for testing a handful (for now) of aspects of the CIS Benchmarks 2.0 for Azure. You have to populate the subscriptions.txt file for each. 
Go To Github Each subdirectory &hellip; Continue reading &rarr;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Macromorphosis\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-24T22:30:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-18T01:37:53+00:00\" \/>\n<meta name=\"author\" content=\"itibble@gmail.com\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:site\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"itibble@gmail.com\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/\"},\"author\":{\"name\":\"itibble@gmail.com\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"headline\":\"BASH cli Scripts for CIS Benchmarks for Azure\",\"datePublished\":\"2023-08-24T22:30:45+00:00\",\"dateModified\":\"2023-12-18T01:37:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/\"},\"wordCount\":486,\"commentCount\":0,\"keywords\":[\"Azure\",\"BASH\",\"CIS Benchmarks\",\"cli\",\"github\",\"PCI-DSS\",\"security accreditation\",\"Vulnerability Assessment\"],\"articleSection\":[\"accreditation\",\"Blog\",\"CIS 
Benchmarks\",\"Cloud\",\"Devops and security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/\",\"name\":\"BASH cli Scripts for CIS Benchmarks for Azure - Security Macromorphosis\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\"},\"datePublished\":\"2023-08-24T22:30:45+00:00\",\"dateModified\":\"2023-12-18T01:37:53+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/bash-cli-scripts-for-cis-benchmarks-for-azure\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BASH cli Scripts for CIS Benchmarks for Azure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\",\"name\":\"Security Macromorphosis\",\"description\":\"Ian Tibble&#039;s Security 
Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\",\"name\":\"itibble@gmail.com\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"caption\":\"itibble@gmail.com\"},\"description\":\"Author of Security De-engineering, CTO at Seven Stones (Indonesia)\",\"sameAs\":[\"http:\\\/\\\/www.seven-stones.biz\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BASH cli Scripts for CIS Benchmarks for Azure - Security Macromorphosis","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/","og_locale":"en_US","og_type":"article","og_title":"BASH cli Scripts for CIS Benchmarks for Azure - Security Macromorphosis","og_description":"Like the catchy title? Anyway &#8211; here&#8217;s a few cheeky scripts for testing a handful (for now) of aspects of the CIS Benchmarks 2.0 for Azure. You have to populate the subscriptions.txt file for each. 
Go To Github Each subdirectory &hellip; Continue reading &rarr;","og_url":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/","og_site_name":"Security Macromorphosis","article_published_time":"2023-08-24T22:30:45+00:00","article_modified_time":"2023-12-18T01:37:53+00:00","author":"itibble@gmail.com","twitter_card":"summary_large_image","twitter_creator":"@seven_stones","twitter_site":"@seven_stones","twitter_misc":{"Written by":"itibble@gmail.com","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/#article","isPartOf":{"@id":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/"},"author":{"name":"itibble@gmail.com","@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28"},"headline":"BASH cli Scripts for CIS Benchmarks for Azure","datePublished":"2023-08-24T22:30:45+00:00","dateModified":"2023-12-18T01:37:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/"},"wordCount":486,"commentCount":0,"keywords":["Azure","BASH","CIS Benchmarks","cli","github","PCI-DSS","security accreditation","Vulnerability Assessment"],"articleSection":["accreditation","Blog","CIS Benchmarks","Cloud","Devops and security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/","url":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/","name":"BASH cli Scripts for CIS Benchmarks for Azure - Security 
Macromorphosis","isPartOf":{"@id":"https:\/\/www.seven-stones.biz\/blog\/#website"},"datePublished":"2023-08-24T22:30:45+00:00","dateModified":"2023-12-18T01:37:53+00:00","author":{"@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28"},"breadcrumb":{"@id":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.seven-stones.biz\/blog\/bash-cli-scripts-for-cis-benchmarks-for-azure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.seven-stones.biz\/blog\/"},{"@type":"ListItem","position":2,"name":"BASH cli Scripts for CIS Benchmarks for Azure"}]},{"@type":"WebSite","@id":"https:\/\/www.seven-stones.biz\/blog\/#website","url":"https:\/\/www.seven-stones.biz\/blog\/","name":"Security Macromorphosis","description":"Ian Tibble&#039;s Security 
Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.seven-stones.biz\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28","name":"itibble@gmail.com","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","caption":"itibble@gmail.com"},"description":"Author of Security De-engineering, CTO at Seven Stones (Indonesia)","sameAs":["http:\/\/www.seven-stones.biz"]}]}},"_links":{"self":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/comments?post=756"}],"version-history":[{"count":12,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/756\/revisions"}],"predecessor-version":[{"id":775,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/756\/revisions\/775"}],"wp:attachment":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/media?parent=756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-j
son\/wp\/v2\/categories?post=756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/tags?post=756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}