kexa-io · aeppling · Nov 28, 2024 · Nov 27, 2024 · Nov 28, 2024 · Nov 28, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3822,4 +3822,16 @@ pnpm-lock.yaml was changed
 
 ### Files changed: 1
 
+
+## 
+
+### Files added: 0
+
+### Files changed: 3
+
+CHANGELOG.md was changed
+
 Kexa/services/addOn/googleWorkspaceGathering.service.ts was changed
+
+documentation/provider/GoogleWorkspace.md was changed
+
diff --git a/Kexa/models/azure/resource.models.ts b/Kexa/models/azure/resource.models.ts
@@ -28,6 +28,7 @@ export interface AzureResources {
     'KexaAzure.namedLocations': Array<any>|null;
     'KexaAzure.groups': Array<any>|null;
     'KexaAzure.servicePrincipals': Array<any>|null;
+    'KexaAzure.applications': Array<any>|null;
     'KexaAzure.domains': Array<any>|null;
 }
 
@@ -59,5 +60,6 @@ export const stringKeys: Array<String> = [
     'KexaAzure.namedLocations',
     'KexaAzure.groups',
     'KexaAzure.servicePrincipals',
+    'KexaAzure.applications',
     'KexaAzure.domains'
 ];
diff --git a/Kexa/services/addOn/azureGathering.service.ts b/Kexa/services/addOn/azureGathering.service.ts
@@ -1731,6 +1731,7 @@
 	*	- KexaAzure.groups
 	*	- KexaAzure.servicePrincipals
 	*	- KexaAzure.domains
+	*	- KexaAzure.applications
 */
 
 
@@ -1843,7 +1844,6 @@ export async function collectData(azureConfig:AzureConfig[]): Promise<Object[]|n
 						finalResources[key] = [{}];
 					}
 				  });
-
                 resources.push(finalResources);
             }
         } catch(e) {
@@ -2312,6 +2312,23 @@ const customGatherFunctions: FunctionMap = {
 		}
 	},
 
+	'KexaAzure.applications': async (name: string, credential: any, subscriptionId: any) => {
+		logger.debug("Starting " + name + " listing...");
+		try {
+			const authProvider = new TokenCredentialAuthenticationProvider(credential, {
+				scopes: [
+					'https://graph.microsoft.com/.default'
+				],
+			  });
+			const graphClient = Client.initWithMiddleware({ authProvider: authProvider });
+
+			return await applicationsListing(graphClient);
+		} catch (e) {
+			logger.debug("Error creating Azure client: " + name, e);
+			return [];
+		}
+	},
+
 	'KexaAzure.domains': async (name: string, credential: any, subscriptionId: any) => {
 		logger.debug("Starting " + name + " listing...");
 		try {
@@ -2887,6 +2904,7 @@ async function conditionnalAccessListing(client: Client): Promise<any> {
 	} catch (error) {
 		logger.debug("error:",error);
 	}
+
 	return resultsGraph;
 }
 
@@ -2942,7 +2960,7 @@ async function testGraphListing(client: Client, subscriptionId: any): Promise<an
 	let usersReponse:any = [];
 	try {
 		usersReponse = await client.api("/users")
-		.select("id,userPrincipalName,mail,userType,customSecurityAttributes,lastPasswordChangeDateTime,passwordPolicies,passwordProfile")
+		.select("id,userPrincipalName,mail,userType,customSecurityAttributes,lastPasswordChangeDateTime,passwordPolicies,passwordProfile,signInActivity")
 		.get();
 	} catch (error) {
 	  logger.error("Error retrieving users:", error);
@@ -2978,13 +2996,25 @@ async function testGraphListing(client: Client, subscriptionId: any): Promise<an
 
   async function servicePrincipalsListing(client: Client): Promise<any> {
 	let resultsGraph:any = [];
+
 	try {
 		const tmp = await client.api('/servicePrincipals').get();
 		resultsGraph = tmp.value;
 	} catch (error) {
 		logger.debug("error:",error);
 	}
+	return resultsGraph;
+  }
 
+  async function applicationsListing(client: Client): Promise<any> {
+	let resultsGraph:any = [];
+
+	try {
+		const tmp = await client.api(`/applications`).get();
+		resultsGraph = tmp.value;
+	} catch (error) {
+		logger.debug("error:",error);
+	}
 	return resultsGraph;
   }
 

diff --git a/Kexa/services/addOn/display/azureDisplay.service.ts b/Kexa/services/addOn/display/azureDisplay.service.ts
@@ -2,7 +2,17 @@ import { Rules } from "../../../models/settingFile/rules.models";
 
 export function propertyToSend(rule: Rules, objectContent: any, isSms: boolean=false): string{
     if (isSms)
-        return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#@/resource/' + objectContent?.id + '';
+        if (rule.objectName == 'KexaAzure.users')
+            return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/' + objectContent?.id + '';
+        else if (rule.objectName == 'KexaAzure.conditionnalAccess')
+            return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview' + '';
+        else
+            return 'Id : '+ objectContent?.id + ' | Link: https://portal.azure.com/#@/resource/' + objectContent?.id + '';
     else
-        return `<div style="width: 200px;">Id : <a href="https://portal.azure.com/#@/resource/` + objectContent?.id + '">' + objectContent?.id + `</a></div>`
+        if (rule.objectName == 'KexaAzure.user')
+            return `<div style="width: 200px;">Id : <a href="https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/` + objectContent?.id + '">' + objectContent?.id + `</a></div>`
+        else if (rule.objectName == 'KexaAzure.conditionnalAccess')
+            return `<div style="width: 200px;">Id : <a href="https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Overview` + objectContent?.id + '">' + objectContent?.id + `</a></div>`
+        else
+            return `<div style="width: 200px;">Id : <a href="https://portal.azure.com/#@/resource/` + objectContent?.id + '">' + objectContent?.id + `</a></div>`
 }
diff --git a/rules/azureBenchmarkRules.yaml b/rules/azureBenchmarkRules.yaml
@@ -689,7 +689,10 @@
       cloudProvider: azure
       objectName: KexaAzure.conditionnalAccess
       conditions:
-        - property: policies
+        - property: .
+          condition: COUNT_SUP_OR_EQUAL
+          value: 0
+        - property: .
           condition: SOME
           value:
             - property: templateId
@@ -705,28 +708,38 @@
       cloudProvider: azure
       objectName: KexaAzure.conditionnalAccess
       conditions:
-        - property: policies
+        - property: .
+          condition: COUNT_SUP_OR_EQUAL
+          value: 0
+        - property: .
           condition: SOME
           value:
             - property: templateId
               condition: EQUAL
               value: 'a3d0a415-b068-4326-9251-f9cdf9feeb64'
             - property: state
               condition: EQUAL
-              value: 'enabled'
+              value: 'enabledForReportingButNotEnforced'
     - name: "azure-global-ensure-az-policy-mfa-azure-service-mgmt"
       description: "this rule is to ensure MFA is enabled for azure service management"
       applied: true
       level: 1
       cloudProvider: azure
       objectName: KexaAzure.conditionnalAccess
       conditions:
-        - property: templateId
-          condition: EQUAL
-          value: 'd8c51a9a-e6b1-454d-86af-554e7872e2c1'
-        - property: state
-          condition: EQUAL
-          value: 'enabled'
+        - property: .
+          condition: COUNT_SUP_OR_EQUAL
+          value: 0
+        - property: .
+          condition: SOME
+          value:
+            - property: templateId
+              condition: EQUAL
+              value: 'd8c51a9a-e6b1-454d-86af-554e7872e2c1'
+            - property: state
+              condition: EQUAL
+              value: 'enabled'
+
     ##################################
     #    !!! STILL IN TESTING !!!    #
     ##################################
@@ -764,4 +777,108 @@
       conditions:
         - property: appRoles
           condition: COUNT_SUP_OR_EQUAL
-          value: 1
+          value: 1
+
+
+    ###################################
+    #        SERVICE PRINCIPALS       #
+    ###################################
+    - name: "azure-user-not-logged-in-since-X-days"
+      description: "user sign in 200days"
+      applied: true
+      level: 2
+      cloudProvider: azure
+      objectName: KexaAzure.users
+      conditions:
+        - property: signInActivity.lastSuccessfulSignInDateTime
+          condition: DATE_INF
+          value: 0 0 0 200 0 0 0 # not logged in since 200 days
+          date: "YYYY-MM-DDThh:mm:ss.SSSZ"
+
+    - name: "azure-service-principal-credentials-expiration-is-set"
+      description: "ensure service principal credentials expiration is set"
+      applied: true
+      level: 2
+      cloudProvider: azure
+      objectName: KexaAzure.servicePrincipals
+      conditions:
+        - property: passwordCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DIFFERENT
+              value: null
+        - property: keyCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DIFFERENT
+              value: null
+
+    - name: "azure-service-principal-credentials-expiration-in-10days"
+      description: "notify of service principal credentials expiration in 10 days"
+      applied: true
+      level: 2
+      cloudProvider: azure
+      objectName: KexaAzure.servicePrincipals
+      conditions:
+        - property: passwordCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DATE_INF
+              value: 0 0 0 10 0 0 0
+              date: "YYYY-MM-DDThh:mm:ss.SSSZ"
+        - property: keyCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DATE_INF
+              value: 0 0 0 10 0 0 0
+              date: "YYYY-MM-DDThh:mm:ss.SSSZ"
+
+
+    ###################################
+    #        REGISTERRED APP       #
+    ###################################
+    - name: "azure-application-credentials-expiration-is-set"
+      description: "ensure application credentials expiration is set"
+      applied: true
+      level: 2
+      cloudProvider: azure
+      objectName: KexaAzure.applications
+      conditions:
+        - property: passwordCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DIFFERENT
+              value: null
+        - property: keyCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DIFFERENT
+              value: null
+
+    - name: "azure-application-credentials-expiration-in-10days"
+      description: "notify of application credentials expiration in 10 days"
+      applied: true
+      level: 2
+      cloudProvider: azure
+      objectName: KexaAzure.applications
+      conditions:
+        - property: passwordCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DATE_INF
+              value: 0 0 0 10 0 0 0
+              date: "YYYY-MM-DDThh:mm:ss.SSSZ"
+        - property: keyCredentials
+          condition: ALL
+          value:
+            - property: endDateTime
+              condition: DATE_INF
+              value: 0 0 0 10 0 0 0
+              date: "YYYY-MM-DDThh:mm:ss.SSSZ"