diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c4e964..32096d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3822,4 +3822,16 @@ pnpm-lock.yaml was changed ### Files changed: 1 + +## + +### Files added: 0 + +### Files changed: 3 + +CHANGELOG.md was changed + Kexa/services/addOn/googleWorkspaceGathering.service.ts was changed + +documentation/provider/GoogleWorkspace.md was changed + diff --git a/Kexa/models/azure/resource.models.ts b/Kexa/models/azure/resource.models.ts index 204646c..f0439be 100644 --- a/Kexa/models/azure/resource.models.ts +++ b/Kexa/models/azure/resource.models.ts @@ -28,6 +28,7 @@ export interface AzureResources { 'KexaAzure.namedLocations': Array|null; 'KexaAzure.groups': Array|null; 'KexaAzure.servicePrincipals': Array|null; + 'KexaAzure.applications': Array|null; 'KexaAzure.domains': Array|null; } @@ -59,5 +60,6 @@ export const stringKeys: Array = [ 'KexaAzure.namedLocations', 'KexaAzure.groups', 'KexaAzure.servicePrincipals', + 'KexaAzure.applications', 'KexaAzure.domains' ]; \ No newline at end of file diff --git a/Kexa/services/addOn/azureGathering.service.ts b/Kexa/services/addOn/azureGathering.service.ts index 5106aa2..7b1b335 100644 --- a/Kexa/services/addOn/azureGathering.service.ts +++ b/Kexa/services/addOn/azureGathering.service.ts @@ -1731,6 +1731,7 @@ * - KexaAzure.groups * - KexaAzure.servicePrincipals * - KexaAzure.domains + * - KexaAzure.applications */ 
@@ -1843,7 +1844,6 @@ export async function collectData(azureConfig:AzureConfig[]): Promise { + logger.debug("Starting " + name + " listing..."); + try { + const authProvider = new TokenCredentialAuthenticationProvider(credential, { + scopes: [ + 'https://graph.microsoft.com/.default' + ], + }); + const graphClient = Client.initWithMiddleware({ authProvider: authProvider }); + + return await applicationsListing(graphClient); + } catch (e) { + logger.debug("Error creating Azure client: " + name, e); + return []; + } + }, + 'KexaAzure.domains': async (name: string, credential: any, subscriptionId: any) => { logger.debug("Starting " + name + " listing..."); try { @@ -2887,6 +2904,7 @@ async function conditionnalAccessListing(client: Client): Promise { } catch (error) { logger.debug("error:",error); } + return resultsGraph; } @@ -2942,7 +2960,7 @@ async function testGraphListing(client: Client, subscriptionId: any): Promise { let resultsGraph:any = []; + try { const tmp = await client.api('/servicePrincipals').get(); resultsGraph = tmp.value; } catch (error) { logger.debug("error:",error); } + return resultsGraph; + } + async function applicationsListing(client: Client): Promise { + let resultsGraph:any = []; + + try { + const tmp = await client.api(`/applications`).get(); + resultsGraph = tmp.value; + } catch (error) { + logger.debug("error:",error); + } return resultsGraph; } diff --git a/Kexa/services/addOn/display/azureDisplay.service.ts b/Kexa/services/addOn/display/azureDisplay.service.ts index 92b2aad..5548cd4 100644 --- a/Kexa/services/addOn/display/azureDisplay.service.ts +++ b/Kexa/services/addOn/display/azureDisplay.service.ts 
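Review bot: The catch around the client construction in the new 'KexaAzure.applications' collector logs the failure at debug level and returns `[]`, so an expired credential or a missing Graph permission looks exactly like a tenant with no registered applications, and the `azure-application-credentials-expiration-*` rules added in this commit then evaluate against an empty list. Raise it so an operator notices, `logger.error("Error creating Azure client: " + name, e);`, or propagate the failure so the checker can tell "collection failed" from "nothing found". applicationsListing and servicePrincipalsListing further down swallow their Graph errors the same way; a warn-level entry there would at least leave a trace. The enclosing collectData body continues outside the hunk.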
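Review bot: applicationsListing returns only `tmp.value` from a single GET on `/applications`, so only the first page of results ever reaches the rules; Microsoft Graph pages its list endpoints (100 items per page by default for this one) and exposes the remainder through `@odata.nextLink`. Every application past that page is never checked for expiring credentials, which silently understates exposure in larger tenants. The rewrite below follows nextLink until it is absent; servicePrincipalsListing in this hunk and conditionnalAccessListing in the hunk at -2887 read `tmp.value` the same way and need the same loop. The Graph client's `api()` accepts the absolute nextLink URL, so no URL manipulation is needed.
```typescript
async function applicationsListing(client: Client): Promise<any> {
    let resultsGraph: any = [];

    try {
        let page = await client.api('/applications').get();
        resultsGraph = page.value ?? [];
        // Graph returns one page per call; follow @odata.nextLink until it is absent
        while (page['@odata.nextLink']) {
            page = await client.api(page['@odata.nextLink']).get();
            resultsGraph = resultsGraph.concat(page.value ?? []);
        }
    }
    // … unchanged: catch / logger.debug and return resultsGraph …
```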
@@ -2,7 +2,17 @@ import { Rules } from "../../../models/settingFile/rules.models"; export function propertyToSend(rule: Rules, objectContent: any, isSms: boolean=false): string{ if (isSms) - return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#@/resource/' + objectContent?.id + ''; + if (rule.objectName == 'KexaAzure.users') + return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/' + objectContent?.id + ''; + else if (rule.objectName == 'KexaAzure.conditionnalAccess') + return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview' + ''; + else + return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#@/resource/' + objectContent?.id + ''; else - return `` + if (rule.objectName == 'KexaAzure.user') + return `` + else if (rule.objectName == 'KexaAzure.conditionnalAccess') + return `` + else + return `` } \ No newline at end of file diff --git a/rules/azureBenchmarkRules.yaml b/rules/azureBenchmarkRules.yaml index d7f5efa..e6dee08 100644 --- a/rules/azureBenchmarkRules.yaml +++ b/rules/azureBenchmarkRules.yaml @@ -689,7 +689,10 @@ cloudProvider: azure objectName: KexaAzure.conditionnalAccess conditions: - - property: policies + - property: . + condition: COUNT_SUP_OR_EQUAL + value: 0 + - property: . condition: SOME value: - property: templateId @@ -705,7 +708,10 @@ cloudProvider: azure objectName: KexaAzure.conditionnalAccess conditions: - - property: policies + - property: . + condition: COUNT_SUP_OR_EQUAL + value: 0 + - property: . condition: SOME value: - property: templateId 
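Review bot: The non-SMS branch compares `rule.objectName` with `'KexaAzure.user'` while the SMS branch above uses `'KexaAzure.users'`; the gathering service and the rules in this commit register the collection as `KexaAzure.users`, so the singular spelling never matches and those notifications always fall through to the generic portal resource link. Change it to `else if (rule.objectName === 'KexaAzure.users')`, and use `===` in the other comparisons as well, since `==` on a string key buys nothing. The brace-less nested if/else chains rely on dangling-else binding to attach the final `else` to `if (isSms)`; braces around each branch would make the intended structure explicit. The bodies of the template literals are empty in this view, so the link text itself is not reviewed here.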
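Review bot: The new `property: .` / `condition: COUNT_SUP_OR_EQUAL` / `value: 0` condition is vacuous as written, since a count is never below zero, so unless the engine treats it as a presence check on the collection it adds nothing and the rule's outcome rests entirely on the `SOME` clause that follows. If the intent is to fail when the conditional-access listing comes back empty (which is also what the gathering code returns after a Graph error), `value: 1` expresses that; if it is only meant to guard against a missing collection, a one-line comment saying so would help the next reader. The same pattern is introduced in the hunks at -705 and -721.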
@@ -713,7 +719,7 @@ value: 'a3d0a415-b068-4326-9251-f9cdf9feeb64' - property: state condition: EQUAL - value: 'enabled' + value: 'enabledForReportingButNotEnforced' - name: "azure-global-ensure-az-policy-mfa-azure-service-mgmt" description: "this rule is to ensure MFA is enabled for azure service management" applied: true @@ -721,12 +727,19 @@ cloudProvider: azure objectName: KexaAzure.conditionnalAccess conditions: - - property: templateId - condition: EQUAL - value: 'd8c51a9a-e6b1-454d-86af-554e7872e2c1' - - property: state - condition: EQUAL - value: 'enabled' + - property: . + condition: COUNT_SUP_OR_EQUAL + value: 0 + - property: . + condition: SOME + value: + - property: templateId + condition: EQUAL + value: 'd8c51a9a-e6b1-454d-86af-554e7872e2c1' + - property: state + condition: EQUAL + value: 'enabled' + ################################## # !!! STILL IN TESTING !!! # ################################## 
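Review bot: Changing the expected `state` from `'enabled'` to `'enabledForReportingButNotEnforced'` makes this rule pass only when the policy is in report-only mode, the mode in which conditional access evaluates but does not enforce; a tenant with the policy actually enabled now fails the check, and one that merely reports satisfies it. The rule's name is outside the hunk, so if this is intended as a separate report-only rule its name and description should say so; if it is meant to assert that the policy is enforced, keep `value: 'enabled'`. The neighbouring rule azure-global-ensure-az-policy-mfa-azure-service-mgmt keeps `'enabled'`, which suggests the divergence is unintended.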
@@ -764,4 +777,108 @@ conditions: - property: appRoles condition: COUNT_SUP_OR_EQUAL - value: 1 \ No newline at end of file + value: 1 + + + ################################### + # SERVICE PRINCIPALS # + ################################### + - name: "azure-user-not-logged-in-since-X-days" + description: "user sign in 200days" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.users + conditions: + - property: signInActivity.lastSuccessfulSignInDateTime + condition: DATE_INF + value: 0 0 0 200 0 0 0 # not logged in since 200 days + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + + - name: "azure-service-principal-credentials-expiration-is-set" + description: "ensure service principal credentials expiration is set" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.servicePrincipals + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + + - name: "azure-service-principal-credentials-expiration-in-10days" + description: "notify of service principal credentials expiration in 10 days" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.servicePrincipals + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + + + ################################### + # REGISTERRED APP # + ################################### + - name: "azure-application-credentials-expiration-is-set" + description: "ensure application credentials expiration is set" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.applications + conditions: + - 
property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + + - name: "azure-application-credentials-expiration-in-10days" + description: "notify of application credentials expiration in 10 days" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.applications + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" \ No newline at end of file diff --git a/rules/perProvider/azureSetRules.yaml b/rules/perProvider/azureSetRules.yaml index 9fae786..7a1972a 100644 --- a/rules/perProvider/azureSetRules.yaml +++ b/rules/perProvider/azureSetRules.yaml 
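Review bot: `azure-application-credentials-expiration-is-set` and its service-principal twin check `endDateTime DIFFERENT null`, but as far as I know Graph returns an endDateTime for every password and key credential, and secrets created with the portal's former "Never" option carry a far-future date (around year 2299) rather than null, so the rule passes on exactly the credentials it is meant to flag. An upper bound on endDateTime (the counterpart of the `DATE_INF` condition used below, if the engine offers one) would express the intent; confirm against a known never-expiring secret before relying on it. `azure-user-not-logged-in-since-X-days` sits under the new SERVICE PRINCIPALS banner but targets `KexaAzure.users`, and its name says X days while the description says 200; pick one. The same block is duplicated verbatim in rules/perProvider/azureSetRules.yaml in this commit, so any fix has to land in both.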
@@ -235,4 +235,99 @@ value: 'Microsoft.Keyvault' - property: encryption.services.blob.keySource condition: EQUAL - value: 'Microsoft.Keyvault' \ No newline at end of file + value: 'Microsoft.Keyvault' + - name: "azure-user-not-logged-in-since-X-days" + description: "user sign in 200days" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.users + conditions: + - property: signInActivity.lastSuccessfulSignInDateTime + condition: DATE_INF + value: 0 0 0 200 0 0 0 # not logged in since 200 days + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + + - name: "azure-service-principal-credentials-expiration-is-set" + description: "ensure service principal credentials expiration is set" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.servicePrincipals + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + + - name: "azure-service-principal-credentials-expiration-in-10days" + description: "notify of service principal credentials expiration in 10 days" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.servicePrincipals + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + + - name: "azure-application-credentials-expiration-is-set" + description: "ensure application credentials expiration is set" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.applications + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + - property: 
keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DIFFERENT + value: null + + - name: "azure-application-credentials-expiration-in-10days" + description: "notify of application credentials expiration in 10 days" + applied: true + level: 2 + cloudProvider: azure + objectName: KexaAzure.applications + conditions: + - property: passwordCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" + - property: keyCredentials + condition: ALL + value: + - property: endDateTime + condition: DATE_INF + value: 0 0 0 10 0 0 0 + date: "YYYY-MM-DDThh:mm:ss.SSSZ" \ No newline at end of file