diff --git a/.github/workflows/translate.yml b/.github/workflows/translate.yml index f7f8b7a53..35a784dfb 100644 --- a/.github/workflows/translate.yml +++ b/.github/workflows/translate.yml @@ -1,7 +1,7 @@ name: Translation env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_FOR_PR }} on: # pull_request: @@ -112,3 +112,5 @@ jobs: # body: '${{ steps.translator.outputs.summary-details }}' title: 'Automatic translation of ${{ steps.files.outputs.all }}' body: 'Processed changed files ${{ steps.files.outputs.all }}' + token: ${{ secrets.PAT_FOR_PR }} + diff --git a/checklists/asb_security_checklist.en.json b/checklists/asb_security_checklist.en.json index bb32e7321..37cee9b7b 100644 --- a/checklists/asb_security_checklist.en.json +++ b/checklists/asb_security_checklist.en.json @@ -3,7 +3,7 @@ { "category": "Security", "subcategory": "Data Protection", - "text": "Use customer-managed key option in data at rest encryption when required", + "text": "Use customer-managed key option in data at rest encryption when required ", "description": "Azure Service Bus Premium provides encryption of data at rest. If you use your own key, the data is still encrypted using the Microsoft-managed key, but in addition the Microsoft-managed key will be encrypted using the customer-managed key. ", "guid": "87af4a79-1f89-439b-ba47-768e14c11567", "severity": "Low", 
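Review bot: The first hunk exports the PAT as a workflow-wide `GITHUB_TOKEN` env var, so every step in the job — the translator step and any third-party action it uses — now receives a long-lived personal token instead of the job-scoped, auto-expiring `GITHUB_TOKEN`. The second hunk already passes `token: ${{ secrets.PAT_FOR_PR }}` to the PR-creation step (presumably so the created PR can trigger other workflows), which is the only place that needs it, so the env override can be reverted to `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` or the PAT given only to that step via a step-level `env:`. Please also confirm that `PAT_FOR_PR` is a fine-grained token restricted to this repository with only contents and pull-requests write, and that the workflow's remaining triggers do not run on untrusted fork input, since a leaked PAT is not revoked when the job ends. Only a commented-out `pull_request:` trigger is visible here; the rest of the `on:` block and the step's other inputs lie outside the hunk.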
@@ -23,7 +23,7 @@ { "category": "Security", "subcategory": "Identity and Access Management", - "text": "Avoid using root account when it is not necessary", + "text": "Avoid using root account when it isn't necessary", "description": "When you create a Service Bus namespace, a SAS rule named RootManageSharedAccessKey is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative root account and don't use it in your application. Using AAD as an authentication provider with RBAC is recommended. ", "guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a", "severity": "Medium", diff --git a/checklists/asb_security_checklist.es.json b/checklists/asb_security_checklist.es.json index 8871a4242..2e1f2e6cd 100644 --- a/checklists/asb_security_checklist.es.json +++ b/checklists/asb_security_checklist.es.json @@ -12,7 +12,7 @@ "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", "severity": "Bajo", "subcategory": "Protección de datos", - "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario", + "text": "Usar la opción de clave administrada por el cliente en el cifrado de datos en reposo cuando sea necesario ", "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/" }, { @@ -87,7 +87,9 @@ } ], "metadata": { - "name": "Azure Service Bus Review" + "name": "Azure Service Bus Review", + "state": "Preview", + "timestamp": "Feb 10, 2023" }, "severities": [ { diff --git a/checklists/asb_security_checklist.ja.json b/checklists/asb_security_checklist.ja.json index 587dc4d29..633085b32 100644 --- a/checklists/asb_security_checklist.ja.json +++ b/checklists/asb_security_checklist.ja.json 
@@ -87,7 +87,9 @@ } ], "metadata": { - "name": "Azure Service Bus Review" + "name": "Azure Service Bus Review", + "state": "Preview", + "timestamp": "Feb 10, 2023" }, "severities": [ { diff --git a/checklists/asb_security_checklist.ko.json b/checklists/asb_security_checklist.ko.json index 355a45a07..f31c8c8e4 100644 --- a/checklists/asb_security_checklist.ko.json +++ b/checklists/asb_security_checklist.ko.json @@ -12,7 +12,7 @@ "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", "severity": "낮다", "subcategory": "데이터 보호", - "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용", + "text": "필요한 경우 미사용 데이터 암호화에서 고객 관리형 키 옵션 사용 ", "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/" }, { @@ -32,7 +32,7 @@ "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies", "severity": "보통", "subcategory": "ID 및 액세스 관리", - "text": "필요하지 않은 경우 루트 계정을 사용하지 마십시오.", + "text": "필요하지 않은 경우 루트 계정 사용을 피하십시오.", "training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/" }, { @@ -87,7 +87,9 @@ } ], "metadata": { - "name": "Azure Service Bus Review" + "name": "Azure Service Bus Review", + "state": "Preview", + "timestamp": "Feb 10, 2023" }, "severities": [ { diff --git a/checklists/asb_security_checklist.pt.json b/checklists/asb_security_checklist.pt.json index aff0c8f27..f1d10a429 100644 --- a/checklists/asb_security_checklist.pt.json +++ b/checklists/asb_security_checklist.pt.json 
@@ -12,7 +12,7 @@ "link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key", "severity": "Baixo", "subcategory": "Proteção de Dados", - "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário", + "text": "Usar a opção de chave gerenciada pelo cliente na criptografia de dados em repouso quando necessário ", "training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/" }, { @@ -87,7 +87,9 @@ } ], "metadata": { - "name": "Azure Service Bus Review" + "name": "Azure Service Bus Review", + "state": "Preview", + "timestamp": "Feb 10, 2023" }, "severities": [ { diff --git a/checklists/azure_arc_checklist.en.json b/checklists/azure_arc_checklist.en.json new file mode 100644 index 000000000..94048224f --- /dev/null +++ b/checklists/azure_arc_checklist.en.json 
@@ -0,0 +1,480 @@ +{ + "items": [ + { + "category": "Foundation", + "subcategory": "Capacity Planning", + "text": "One or more resource groups is required for onboarding servers into Azure", + "description": "Define a resource group structure for placement of Azure Arc-enabled servers resources", + "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "severity": "High" + }, + { + "category": "Foundation", + "subcategory": "Capacity Planning", + "text": "Take Azure Active Directory object limitations into account", + "guid": "aa359271-8e6e-4205-8725-769e46691e88", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits" + }, + { + "category": "Foundation", + "subcategory": "General", + "text": "Has the Resource providers required been registered in all subscriptions", + "description": "The following resource providers needs to be registered: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", + "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers" + }, + { + "category": "Foundation", + "subcategory": "General", + "text": "Has a tagging stratery for Azure Arc-enabled servers been defined", + "description": "Aligning with an existing or creating an Azure tagging startegy is recommended. Resource tags allow you to quickly locate it, automate operational tasks amd more. 
", + "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/" + }, + { + "category": "Foundation", + "subcategory": "General", + "text": "What operating systems need to be Azure Arc-enabled", + "description": "Installation of the connected machine agent is supported on most newer Windows and Linux operative systems, review the link to se the latest list", + "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems" + }, + { + "category": "Foundation", + "subcategory": "General", + "text": "Are required software installed on Windows and Linux servers to support the installation", + "description": "There are software requirements to the agent installation. Some might require a system reboot after installation, review to link", + "guid": "372734b8-76ba-428f-8145-901365d38e53", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements" + }, + { + "category": "Foundation", + "subcategory": "General", + "text": "Make sure to use a supported Azure region", + "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", + "severity": "High", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all" + }, + { + "category": "Foundation", + "subcategory": "Organization", + "text": "Define the structure for Azure management of resources", + "description": "The scope include organization into management groups, subscriptions, and resource groups.", + "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies" + }, + { + "category": "Identity", + "subcategory": "Access", + "text": "Assign RBAC 
rights to Azure AD user/group access for managing Azure Arc-enabled servers", + "description": "Define RBAC rules to the servers / resource groups as required for servers management, the 'Azure Connected Machine Resource Administrator' or 'Hybrid Server Resource Administrator' role would be sufficent for management of the Azure Arc-enabled servers resouces in Azure", + "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control" + }, + { + "category": "Identity", + "subcategory": "Access", + "text": "Consider using managed identities for applications to access Azure resources like Key Vault example in link", + "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad" + }, + { + "category": "Identity", + "subcategory": "Requirements", + "text": "An Azure Active Directory tenant must be available with at least one subscription", + "description": "An Azure subscription must be parented to the same Azure AD tenant", + "guid": "35ac9322-23e1-4380-8523-081a94174158", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits" + }, + { + "category": "Identity", + "subcategory": "Requirements", + "text": "Define which users (AAD user/groups) has access to onboard Azure Arc-enabled servers", + "description": "Users (or SPs) need the 'Azure Connected Machine Onboarding' or 'Contributor' role to onboarding of servers", + "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions" + }, + { + "category": "Identity", + "subcategory": "Security", + "text": "Use the priciple of least priviledged", + "description": "Ensure to only add 
the rights to users or groups that is required to perfor their role", + "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale" + }, + { + "category": "Identity", + "subcategory": "Security", + "text": "How many Service Pricipals are needded for onboarding Arc-enabled servers into Azure", + "description": "A service priciple with the 'Azure Connected Machine Onboarding' role is required for at-scale onboarding of servers, consider more SP's if onboarding is done by different teams/decentralized management", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale" + }, + { + "category": "Identity", + "subcategory": "Security", + "text": "Limit the rights to onboard Azure Arc-enabled servers to the desired resource groups", + "description": "Consider assigning the rights for the 'Azure Connected Machine Onboarding' role at the resource group level, to control the resource creation", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions" + }, + { + "category": "Management and Monitoring", + "subcategory": "Management", + "text": "Define a stretegy for agent provisioning", + "description": "Plan for agent deployments at scale", + "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment" + }, + { + "category": "Management and Monitoring", + "subcategory": "Management", + "text": "Define a stratery for agent updates", + "description": "Use Microsoft Update to ensure that the connected machine agentis always up-to-date", + "guid": 
"c78e1d76-6673-457c-9496-74c5ed85b859", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent" + }, + { + "category": "Management and Monitoring", + "subcategory": "Management", + "text": "Define a strategy for extension installation", + "description": "Recommendation is to use Azure Policy, or another automation tool like Azure DevOps - important is to avoid configuration drift.", + "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions" + }, + { + "category": "Management and Monitoring", + "subcategory": "Management", + "text": "Define a strategy for extension updates", + "description": "Use automatic upgrades where avaliable and define an update strategy for all extensions not supporting automatic upgrades.", + "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal" + }, + { + "category": "Management and Monitoring", + "subcategory": "Management", + "text": "Consider using Azure Automanage to control settings and avoid configuration drift on servers", + "description": "Azure Automanage help implement Microsoft best-practices for servers management in Azure", + "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/automanage/automanage-arc" + }, + { + "category": "Management and Monitoring", + "subcategory": "Monitoring", + "text": "Monitor for unresponsive agents", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate" + }, + { + "category": "Management and Monitoring", + "subcategory": "Monitoring", + "text": "Design a monitoring strategy to send metrics and logs to an Log 
Analytics workspace", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected" + }, + { + "category": "Management and Monitoring", + "subcategory": "Monitoring", + "text": "Use notification in Activity logs to receive notification on unexpected changes to the resources", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide" + }, + { + "category": "Management and Monitoring", + "subcategory": "Monitoring", + "text": "Use Azure Monitor for complienance and operational monitoring", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights" + }, + { + "category": "Management and Monitoring", + "subcategory": "Monitoring", + "text": "Create an alert to identify Azure Arc-enabled servers that aren't using the latest version of the Azure connected machine agent", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate" + }, + { + "category": "Management and Monitoring", + "subcategory": "Security", + "text": "Use Azure Arc-enabled servers to control software updates deployments to servers", + "description": "Use Update Management in Azure Automation or the new Update Management Center (preview) fuctionality to ensure update management of servers", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Define a connectivity method from the server to Azure", + "description": "The 
Connected Machine Agent will by default communicate with Azure services over public Interet connectivity using HTTPS (TCP port 443)", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Is a proxy server a required for communication over the Public Internet", + "description": "The Connected Machine Agent can be configured to use a proxy server, it is recommended to define the proxy server adress using 'azcmagent config set proxy.url' command on the local system.", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Is a private (not public Internet) connection required?", + "description": "The Connected Machine Agent can use a Private Link for communication with Azure Services over an existing ExpressRoute or VPN connection", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Will Firewall configurations be needed in order to ensure communication with Azure Services?", + "description": "Firewall configuration might be required for the agent to communicate with Azure, use the link to see ServiceTags and/or URL's required", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Can the Firewall or Proxy rules be automated updated if Service Tags or IP adresses 
change", + "description": "Use avaliable automation tool for the system in question to requarly update the Azure endpoints", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "severity": "Low", + "link": "https://www.microsoft.com/download/details.aspx?id=56519" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Always use secure communication for Azure where possible", + "description": "Configure Servers to use Transport Layer Security (TLS) version 1.2", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol" + }, + { + "category": "Networking", + "subcategory": "Networking", + "text": "Include communcation for Azure Arc-enabled Servers extentions in the design (firewall/proxy/private link)", + "description": "All extentions (like log analytics etc.) have separate network requirements, be sure to include all in the network design.", + "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", + "severity": "Low", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Management", + "text": "Use Azure Policy to implement a govnance model for hybrid connected servers", + "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/governance/policy/" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Management", + "text": "Consider using Machine configurations for in guest OS configurations", + "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview" + }, + { + "category": "Security, Governance and Compliance", 
+ "subcategory": "Management", + "text": "Evaluate the need for custom Guest Configuration policies", + "guid": "667357c4-4967-44c5-bd85-b859c7733be2", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Monitoring", + "text": "Cosider using change tracking for tracking changes made on the servers", + "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Requirements", + "text": "Make sure to use an Azure region for storing the metadata approved by the organization", + "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Secrets", + "text": "Use Azure Key Vault for certificate management on servers", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Secrets", + "text": "What is the acceptable life time of the secret used by SP's", + "description": "Consider using a short-lived Azure AD service principal client secrets.", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "severity": "High", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Secrets", + "text": "Secure the public key for Azure Arc-enabled Servers", + "description": "A private key is saved to the disk, ensure this is protected using 
disk encryption", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Ensure there is local administrator access for executeing the agent installation", + "description": "Local administrator is required to install the Connected Machine Agent on Windows and Linux systems", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "severity": "High", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Limit the amount of users with local administrator rights to the servers", + "description": "Members of the local administrator group on Windows and users with root privileges on Linux, have permissions to manage the agent via commandline.", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Consider using and restricting access to managed identities for applications.", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Enable Defender for Servers for all servers to secure hybrid workloads from threats", + "description": "Use Defender for Endpoint or another AV and EDR solution to protect endpoints", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-get-started" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Define controls to detect security misconfigurations and track compliance", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "severity": "Medium" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Securtiy", + "text": "Use allow- or block-lists to control what extensions can be installed on the Azure Arc-enabled servers", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists" + } + ], + "categories": [ + { + "name": "Foundation" + }, + { + "name": "Identity" + }, + { + "name": "Networking" + }, + { + "name": "Security, Governance and Compliance" + }, + { + "name": "Management and Monitoring" + } + ], + "waf": [ + { + "name": "Reliability" + }, + { + "name": "Security" + }, + { + "name": "Cost" + }, + { + "name": "Operations" + }, + { + "name": "Performance" + } + ], + "status": [ + { + "name": "Not verified", + "description": "This check has not been looked at yet" + }, + { + "name": "Open", + "description": "There is an action item associated to this check" + }, + { + "name": "Fulfilled", + "description": "This check has been verified, and there are no further action items associated to it" + }, + { + "name": "Not required", + "description": "Recommendation understood, but not needed by current requirements" + }, + { + "name": "N/A", + "description": "Not applicable for current design" + } + ], + "severities": [ + { + "name": "High" + }, + { + "name": "Medium" + }, + { + "name": "Low" + } + ], + "metadata": { + "name": "Azure Arc Review", + "state": "Preview", + "timestamp": "04/04/2023 08:39:00" + } +} \ No newline at end of file 
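Review bot: The item with guid a1a27b77-5a91-4be1-b388-ff394c2bd463 is titled "Secure the public key for Azure Arc-enabled Servers" while its own description says the asset saved to disk and needing protection is the private key; the title should read `"text": "Secure the private key for Azure Arc-enabled Servers"` so readers do not dismiss it as a non-secret. The last item (extension allow-/block-lists) has `"subcategory": "Securtiy"`, which will be grouped apart from the other `"Security"` items of the same category in any tool keyed on that string; change it to `"subcategory": "Security"`. Several other new strings carry typos (`priciple of least priviledged`, `stratery`, `avaliable`, `Interet`) that the translation workflow will propagate into every localized checklist, and the file ends without a trailing newline.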
diff --git a/checklists/azure_arc_checklist.es.json b/checklists/azure_arc_checklist.es.json new file mode 100644 index 000000000..6320d7272 --- /dev/null +++ b/checklists/azure_arc_checklist.es.json 
@@ -0,0 +1,480 @@ +{ + "categories": [ + { + "name": "Fundación" + }, + { + "name": "Identidad" + }, + { + "name": "Gestión de redes" + }, + { + "name": "Seguridad, gobernanza y cumplimiento" + }, + { + "name": "Gestión y Monitoreo" + } + ], + "items": [ + { + "category": "Fundación", + "description": "Definición de una estructura de grupo de recursos para la ubicación de los recursos de servidores habilitados para Azure Arc", + "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "severity": "Alto", + "subcategory": "Planificación de la capacidad", + "text": "Se requieren uno o más grupos de recursos para incorporar servidores en Azure" + }, + { + "category": "Fundación", + "guid": "aa359271-8e6e-4205-8725-769e46691e88", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "Medio", + "subcategory": "Planificación de la capacidad", + "text": "Tenga en cuenta las limitaciones de objetos de Azure Active Directory" + }, + { + "category": "Fundación", + "description": "Es necesario registrar los siguientes proveedores de recursos: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", + "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", + "severity": "Alto", + "subcategory": "General", + "text": "¿Se han registrado los proveedores de recursos requeridos en todas las suscripciones?" + }, + { + "category": "Fundación", + "description": "Se recomienda alinearse con un startegy de etiquetado de Azure existente o crearlo. Las etiquetas de recursos le permiten localizarlo rápidamente, automatizar tareas operativas y más. 
", + "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", + "severity": "Bajo", + "subcategory": "General", + "text": "¿Se ha definido una estrategia de etiquetado para servidores habilitados para Azure Arc?" + }, + { + "category": "Fundación", + "description": "La instalación del agente de máquina conectada es compatible con la mayoría de los sistemas operativos Windows y Linux más nuevos, revise el enlace para ver la lista más reciente", + "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", + "severity": "Alto", + "subcategory": "General", + "text": "Qué sistemas operativos deben estar habilitados para Azure Arc" + }, + { + "category": "Fundación", + "description": "Existen requisitos de software para la instalación del agente. Algunos pueden requerir un reinicio del sistema después de la instalación, revisar para vincular", + "guid": "372734b8-76ba-428f-8145-901365d38e53", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", + "severity": "Alto", + "subcategory": "General", + "text": "Se requiere software instalado en servidores Windows y Linux para admitir la instalación" + }, + { + "category": "Fundación", + "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", + "severity": "Alto", + "subcategory": "General", + "text": "Asegúrese de usar una región de Azure compatible" + }, + { + "category": "Fundación", + "description": "El ámbito incluye la organización en grupos de administración, suscripciones y grupos de recursos.", + "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", + "severity": "Bajo", + "subcategory": "Organización", + "text": "Definición de la estructura para la administración de recursos de Azure" + }, + { + "category": "Identidad", + "description": "Defina reglas RBAC para los servidores / grupos de recursos según sea necesario para la administración de servidores, el rol 'Administrador de recursos de máquina conectada de Azure' o 'Administrador de recursos de servidor híbrido' sería suficiente para la administración de los recursos de servidores habilitados para Azure Arc en Azure", + "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", + "severity": "Medio", + "subcategory": "Acceso", + "text": "Asignación de derechos RBAC al acceso de usuarios o grupos de Azure AD para administrar servidores habilitados para Azure Arc" + }, + { + "category": "Identidad", + "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", + "severity": "Bajo", + "subcategory": "Acceso", + "text": "Considere la posibilidad de usar identidades administradas para que las aplicaciones accedan a recursos de Azure, como el ejemplo de Key Vault en el vínculo" + }, + { + "category": "Identidad", + "description": "Una suscripción de Azure debe ser primaria al mismo inquilino de Azure AD", + "guid": "35ac9322-23e1-4380-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "Alto", + "subcategory": "Requisitos", + "text": "Un inquilino de Azure Active Directory debe estar disponible con al menos una suscripción" + }, + { + "category": "Identidad", + "description": "Los usuarios (o SPs) necesitan el rol 
\"Incorporación de máquinas conectadas de Azure\" o \"Colaborador\" para la incorporación de servidores", + "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "Medio", + "subcategory": "Requisitos", + "text": "Definir qué usuarios (usuarios/grupos de AAD) tienen acceso a los servidores habilitados para Azure Arc incorporados" + }, + { + "category": "Identidad", + "description": "Asegúrese de agregar solo los derechos a los usuarios o grupos necesarios para su rol", + "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Utilice el principio de menos privilegios" + }, + { + "category": "Identidad", + "description": "Se requiere un principio de servicio con el rol 'Azure Connected Machine Onboarding' para la incorporación a escala de servidores, considere más SP si la incorporación la realizan diferentes equipos o administración descentralizada", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Cuántos Service Pricipals se necesitan para incorporar servidores habilitados para Arc en Azure" + }, + { + "category": "Identidad", + "description": "Considere la posibilidad de asignar los derechos para el rol 'Azure Connected Machine Onboarding' en el nivel de grupo de recursos, para controlar la creación de recursos.", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Limitar los derechos para incorporar 
servidores habilitados para Azure Arc a los grupos de recursos deseados" + }, + { + "category": "Gestión y Monitoreo", + "description": "Planeación de implementaciones de agentes a escala", + "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", + "severity": "Medio", + "subcategory": "Administración", + "text": "Definir una estrategia para el aprovisionamiento de agentes" + }, + { + "category": "Gestión y Monitoreo", + "description": "Use Microsoft Update para asegurarse de que el agente del equipo conectado esté siempre actualizado", + "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", + "severity": "Alto", + "subcategory": "Administración", + "text": "Definir una estrategia para las actualizaciones de agentes" + }, + { + "category": "Gestión y Monitoreo", + "description": "Se recomienda usar Azure Policy u otra herramienta de automatización como Azure DevOps; lo importante es evitar la desviación de la configuración.", + "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", + "severity": "Medio", + "subcategory": "Administración", + "text": "Definir una estrategia para la instalación de extensiones" + }, + { + "category": "Gestión y Monitoreo", + "description": "Utilice actualizaciones automáticas cuando estén disponibles y defina una estrategia de actualización para todas las extensiones que no admitan actualizaciones automáticas.", + "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", + "severity": "Alto", + "subcategory": "Administración", + "text": "Definir una estrategia para las actualizaciones de extensiones" + }, + { + "category": "Gestión y Monitoreo", + "description": "Azure Automanage 
ayuda a implementar los procedimientos recomendados de Microsoft para la administración de servidores en Azure", + "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", + "link": "https://learn.microsoft.com/azure/automanage/automanage-arc", + "severity": "Medio", + "subcategory": "Administración", + "text": "Considere la posibilidad de usar Azure Automanage para controlar la configuración y evitar la desviación de la configuración en los servidores" + }, + { + "category": "Gestión y Monitoreo", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "Alto", + "subcategory": "Monitorización", + "text": "Supervisar si los agentes no responden" + }, + { + "category": "Gestión y Monitoreo", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", + "severity": "Medio", + "subcategory": "Monitorización", + "text": "Diseñar una estrategia de supervisión para enviar métricas y registros a un área de trabajo de Log Analytics" + }, + { + "category": "Gestión y Monitoreo", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", + "severity": "Medio", + "subcategory": "Monitorización", + "text": "Usar la notificación en los registros de actividad para recibir notificaciones sobre cambios inesperados en los recursos" + }, + { + "category": "Gestión y Monitoreo", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", + "severity": "Medio", + "subcategory": "Monitorización", + "text": "Uso de Azure Monitor para la supervisión operativa y de cumplimiento" + }, + { + "category": "Gestión y Monitoreo", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "Medio", + "subcategory": "Monitorización", + "text": "Creación de una alerta para identificar los servidores habilitados para Azure Arc que no usan la versión más reciente del agente de máquina conectada de Azure" + }, + { + "category": "Gestión y Monitoreo", + "description": "Use Update Management en Azure Automation o la nueva funcionalidad del Update Management Center (versión preliminar) para garantizar la administración de actualizaciones de los servidores", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "severity": "Bajo", + "subcategory": "Seguridad", + "text": "Uso de servidores habilitados para Azure Arc para controlar las implementaciones de actualizaciones de software en servidores" + }, + { + "category": "Gestión de redes", + "description": "El agente de máquina conectada se comunicará de forma predeterminada con los servicios de Azure a través de la conectividad pública de Interet mediante HTTPS (puerto TCP 443)", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "severity": "Alto", + "subcategory": "Gestión de redes", + "text": "Definición de un método de conectividad desde el servidor a Azure" + }, + { + "category": "Gestión de redes", + "description": "El Agente de máquina conectada se puede configurar para usar un servidor proxy, se recomienda definir la dirección del servidor proxy usando el comando 'azcmagent config set proxy.url' en el sistema local.", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "severity": "Medio", + "subcategory": "Gestión de redes", + "text": "¿Se 
requiere un servidor proxy para la comunicación a través de la Internet pública?" + }, + { + "category": "Gestión de redes", + "description": "El agente de máquina conectada puede usar un vínculo privado para comunicarse con Servicios de Azure a través de una conexión ExpressRoute o VPN existente", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + "severity": "Medio", + "subcategory": "Gestión de redes", + "text": "¿Se requiere una conexión privada (no pública a Internet)?" + }, + { + "category": "Gestión de redes", + "description": "Es posible que se requiera la configuración del firewall para que el agente se comunique con Azure, use el vínculo para ver ServiceTags y/o URL requeridas", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "severity": "Alto", + "subcategory": "Gestión de redes", + "text": "¿Se necesitarán configuraciones de firewall para garantizar la comunicación con los servicios de Azure?" + }, + { + "category": "Gestión de redes", + "description": "Use la herramienta de automatización disponible para el sistema en cuestión para actualizar de forma contingente los puntos de conexión de Azure", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "link": "https://www.microsoft.com/download/details.aspx?id=56519", + "severity": "Bajo", + "subcategory": "Gestión de redes", + "text": "¿Se pueden actualizar automáticamente las reglas de firewall o proxy si cambian las etiquetas de servicio o las direcciones IP?" 
+ }, + { + "category": "Gestión de redes", + "description": "Configurar servidores para utilizar Seguridad de la capa de transporte (TLS) versión 1.2", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", + "severity": "Alto", + "subcategory": "Gestión de redes", + "text": "Use siempre que sea posible la comunicación segura para Azure siempre que sea posible" + }, + { + "category": "Gestión de redes", + "description": "Todas las extensiones (como el análisis de registros, etc.) tienen requisitos de red separados, asegúrese de incluir todos en el diseño de la red.", + "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", + "severity": "Bajo", + "subcategory": "Gestión de redes", + "text": "Incluir extensiones de comunicación para servidores habilitados para Azure Arc en el diseño (firewall/proxy/vínculo privado)" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", + "link": "https://learn.microsoft.com/azure/governance/policy/", + "severity": "Medio", + "subcategory": "Administración", + "text": "Uso de Azure Policy para implementar un modelo de gobierno para servidores híbridos conectados" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "severity": "Medio", + "subcategory": "Administración", + "text": "Considere la posibilidad de usar configuraciones de máquina para configuraciones de SO invitado" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "667357c4-4967-44c5-bd85-b859c7733be2", + "link": 
"https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", + "severity": "Medio", + "subcategory": "Administración", + "text": "Evaluar la necesidad de directivas de configuración de invitados personalizadas" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", + "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", + "severity": "Medio", + "subcategory": "Monitorización", + "text": "Cosider utiliza el seguimiento de cambios para el seguimiento de los cambios realizados en los servidores" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "severity": "Medio", + "subcategory": "Requisitos", + "text": "Asegúrese de usar una región de Azure para almacenar los metadatos aprobados por la organización" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "severity": "Medio", + "subcategory": "Secretos", + "text": "Uso del Almacén de claves de Azure para la administración de certificados en servidores" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "description": "Considere la posibilidad de usar secretos de cliente de entidad de seguridad de servicio de Azure AD de corta duración.", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + "severity": "Alto", + "subcategory": "Secretos", + "text": "¿Cuál es el tiempo de vida aceptable del secreto utilizado por los SP?" 
+ }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "description": "Se guarda una clave privada en el disco, asegúrese de que esté protegida mediante el cifrado de disco", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "severity": "Medio", + "subcategory": "Secretos", + "text": "Protección de la clave pública para servidores habilitados para Azure Arc" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "description": "Se requiere un administrador local para instalar el Agente de máquina conectada en sistemas Windows y Linux", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "severity": "Alto", + "subcategory": "Seguridad", + "text": "Asegúrese de que hay acceso de administrador local para ejecutar la instalación del agente" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "description": "Los miembros del grupo de administradores locales en Windows y los usuarios con privilegios de root en Linux tienen permisos para administrar el agente a través de la línea de comandos.", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Limitar la cantidad de usuarios con derechos de administrador local a los servidores" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Considere la posibilidad de usar y restringir el acceso a identidades administradas para aplicaciones." 
+ }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "description": "Utilice Defender for Endpoint u otra solución AV y EDR para proteger los endpoints", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Habilite Defender for Servers para todos los servidores para proteger las cargas de trabajo híbridas de las amenazas" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Definir controles para detectar configuraciones incorrectas de seguridad y realizar un seguimiento del cumplimiento" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "severity": "Medio", + "subcategory": "Seguridad", + "text": "Uso de listas de permitidos o bloqueados para controlar qué extensiones se pueden instalar en los servidores habilitados para Azure Arc" + } + ], + "metadata": { + "name": "Azure Arc Review", + "state": "Preview", + "timestamp": "04/04/2023 08:39:00" + }, + "severities": [ + { + "name": "Alto" + }, + { + "name": "Medio" + }, + { + "name": "Bajo" + } + ], + "status": [ + { + "description": "Esta comprobación aún no se ha examinado", + "name": "No verificado" + }, + { + "description": "Hay un elemento de acción asociado a esta comprobación", + "name": "Abrir" + }, + { + "description": "Esta comprobación se ha comprobado y no hay más elementos de acción asociados a ella", + "name": "Cumplido" + }, + { + "description": "Recomendación entendida, pero no necesaria por los requisitos actuales", + "name": "No es necesario" + }, + { + "description": "No aplicable para el diseño actual", + "name": "N/A" + } + ], + 
"waf": [ + { + "name": "Fiabilidad" + }, + { + "name": "Seguridad" + }, + { + "name": "Costar" + }, + { + "name": "Operaciones" + }, + { + "name": "Rendimiento" + } + ] +} \ No newline at end of file diff --git a/checklists/azure_arc_checklist.ja.json b/checklists/azure_arc_checklist.ja.json new file mode 100644 index 000000000..15236258d --- /dev/null +++ b/checklists/azure_arc_checklist.ja.json 
@@ -0,0 +1,480 @@ +{ + "categories": [ + { + "name": "財団" + }, + { + "name": "同一性" + }, + { + "name": "ネットワーキング" + }, + { + "name": "セキュリティ、ガバナンス、コンプライアンス" + }, + { + "name": "管理と監視" + } + ], + "items": [ + { + "category": "財団", + "description": "Azure Arc 対応サーバー リソースを配置するためのリソース グループ構造を定義する", + "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "severity": "高い", + "subcategory": "キャパシティ プランニング", + "text": "サーバーを Azure にオンボードするには、1 つ以上のリソース グループが必要です。" + }, + { + "category": "財団", + "guid": "aa359271-8e6e-4205-8725-769e46691e88", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "中程度", + "subcategory": "キャパシティ プランニング", + "text": "Azure Active Directory オブジェクトの制限を考慮する" + }, + { + "category": "財団", + "description": "次のリソース プロバイダーを登録する必要があります: Microsoft.HybridCompute、Microsoft.GuestConfiguration、Microsoft.HybridConnectivity", + "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", + "severity": "高い", + "subcategory": "全般", + "text": "必要なリソース プロバイダーがすべてのサブスクリプションに登録されているか" + }, + { + "category": "財団", + "description": "既存のタグ設定に合わせるか、Azure タグ付けの開始を作成することをお勧めします。リソースタグを使用すると、リソースをすばやく見つけ、運用タスクを自動化できます。", + "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", + "severity": "低い", + "subcategory": "全般", + "text": "Azure Arc 対応サーバーのタグ付けストラテリが定義されている" + }, + { + "category": "財団", + "description": "接続されたマシンエージェントのインストールは、ほとんどの新しいWindowsおよびLinuxオペレーティングシステムでサポートされており、リンクを確認して最新のリストを確認してください", + "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", + "severity": "高い", + "subcategory": "全般", + "text": "Azure Arc 対応にする必要があるオペレーティング システム" + }, + { + "category": "財団", + "description": 
"エージェントのインストールにはソフトウェア要件があります。インストール後にシステムの再起動が必要な場合があります。", + "guid": "372734b8-76ba-428f-8145-901365d38e53", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", + "severity": "高い", + "subcategory": "全般", + "text": "インストールをサポートするために Windows および Linux サーバーにインストールされているソフトウェアが必要です。" + }, + { + "category": "財団", + "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", + "severity": "高い", + "subcategory": "全般", + "text": "サポートされている Azure リージョンを使用していることを確認する" + }, + { + "category": "財団", + "description": "スコープには、管理グループ、サブスクリプション、およびリソース グループへの組織が含まれます。", + "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", + "severity": "低い", + "subcategory": "組織", + "text": "リソースの Azure 管理の構造を定義する" + }, + { + "category": "同一性", + "description": "サーバー管理に必要なサーバー/リソース グループに RBAC ルールを定義する場合、Azure での Azure Arc 対応サーバーのリソースの管理には、\"Azure 接続マシン リソース管理者\" または \"ハイブリッド サーバー リソース管理者\" ロールで十分です。", + "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", + "severity": "中程度", + "subcategory": "アクセス", + "text": "Azure Arc 対応サーバーを管理するための RBAC 権限を Azure AD ユーザー/グループ アクセスに割り当てる" + }, + { + "category": "同一性", + "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", + "severity": "低い", + "subcategory": "アクセス", + "text": "アプリケーションが Azure リソースにアクセスするためにマネージド ID を使用することを検討してください (リンクの Key Vault の例など)" + }, + { + "category": "同一性", + "description": "Azure サブスクリプションは、同じ Azure AD テナントの親である必要があります", + "guid": "35ac9322-23e1-4380-8523-081a94174158", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "高い", + "subcategory": "必要条件", + "text": "Azure Active Directory テナントは、少なくとも 1 つのサブスクリプションで使用できる必要があります" + }, + { + "category": "同一性", + "description": "ユーザー (または SP) は、サーバーのオンボードに \"Azure コネクテッド マシンのオンボード\" または \"共同作成者\" ロールが必要です。", + "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "中程度", + "subcategory": "必要条件", + "text": "オンボードの Azure Arc 対応サーバーにアクセスできるユーザー (AAD ユーザー/グループ) を定義する" + }, + { + "category": "同一性", + "description": "ユーザーまたはグループには、その役割を実行するために必要な権限のみを追加してください。", + "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "中程度", + "subcategory": "安全", + "text": "最小特権のプリシプルを使用する" + }, + { + "category": "同一性", + "description": "サーバーの大規模なオンボーディングには、\"Azure コネクテッド マシン オンボーディング\" ロールを持つサービス原則が必要であり、オンボーディングが異なるチーム/分散管理によって行われる場合は、より多くの SP を検討してください", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "中程度", + "subcategory": "安全", + "text": "Arc 対応サーバーを Azure にオンボードするために必要なサービス プライパルの数" + }, + { + "category": "同一性", + "description": "リソースの作成を制御するために、リソース グループ レベルで \"Azure 接続済みコンピューターのオンボード\" ロールの権限を割り当てることを検討してください", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "中程度", + "subcategory": "安全", + "text": "Azure Arc 対応サーバーをオンボードする権限を目的のリソース グループに制限する" + }, + { + "category": "管理と監視", + "description": "大規模なエージェント展開を計画する", + "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", + "severity": "中程度", + "subcategory": "管理", + "text": "エージェントプロビジョニングのストリーテジーを定義する" + }, + { + "category": "管理と監視", + "description": "Microsoft Update を使用して、接続されているマシンエージェントが常に最新であることを確認する", + "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", + "severity": "高い", + "subcategory": "管理", + "text": "エージェント更新の戦略を定義する" + }, + { + "category": "管理と監視", + "description": "Azure Policy または Azure DevOps などの別の自動化ツールを使用することをお勧めします - 重要なのは、構成のずれを回避することです。", + "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", + "severity": "中程度", + "subcategory": "管理", + "text": "拡張機能のインストール戦略を定義する" + }, + { + "category": "管理と監視", + "description": "使用可能な場合は自動アップグレードを使用し、自動アップグレードをサポートしていないすべての拡張機能の更新戦略を定義します。", + "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", + "severity": "高い", + "subcategory": "管理", + "text": "拡張機能の更新戦略を定義する" + }, + { + "category": "管理と監視", + "description": "Azure 自動管理は、Azure でのサーバー管理に関するマイクロソフトのベスト プラクティスの実装に役立ちます", + "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", + "link": "https://learn.microsoft.com/azure/automanage/automanage-arc", + "severity": "中程度", + "subcategory": "管理", + "text": "Azure 自動管理を使用して設定を制御し、サーバーでの構成のずれを回避することを検討してください" + }, + { + "category": "管理と監視", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "高い", + "subcategory": "モニタリング", + "text": "応答しないエージェントを監視する" + }, + { + "category": "管理と監視", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", + "severity": 
"中程度", + "subcategory": "モニタリング", + "text": "メトリックとログを Log Analytics ワークスペースに送信する監視戦略を設計する" + }, + { + "category": "管理と監視", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", + "severity": "中程度", + "subcategory": "モニタリング", + "text": "アクティビティ ログの通知を使用して、リソースに対する予期しない変更に関する通知を受け取る" + }, + { + "category": "管理と監視", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", + "severity": "中程度", + "subcategory": "モニタリング", + "text": "コンプライアンスと運用の監視に Azure Monitor を使用する" + }, + { + "category": "管理と監視", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "中程度", + "subcategory": "モニタリング", + "text": "最新バージョンの Azure 接続マシン エージェントを使用していない Azure Arc 対応サーバーを識別するアラートを作成する" + }, + { + "category": "管理と監視", + "description": "Azure Automation の更新管理または新しい更新管理センター (プレビュー) 機能を使用して、サーバーの更新管理を確実にする", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "severity": "低い", + "subcategory": "安全", + "text": "Azure Arc 対応サーバーを使用して、サーバーへのソフトウェア更新プログラムのデプロイを制御する" + }, + { + "category": "ネットワーキング", + "description": "接続されたマシンエージェントは、デフォルトでHTTPS(TCPポート443)を使用したパブリックインターレット接続を介してAzureサービスと通信します", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "severity": "高い", + "subcategory": "ネットワーキング", + "text": "サーバーから Azure への接続方法を定義する" + }, + { + "category": "ネットワーキング", + "description": "接続されたマシンエージェントはプロキシサーバーを使用するように構成できますが、ローカルシステムで「azcmagent構成set proxy.url」コマンドを使用してプロキシサーバーのアドレスを定義することをお勧めします。", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "severity": "中程度", + "subcategory": "ネットワーキング", + "text": "プロキシサーバーは、パブリックインターネットを介した通信に必要ですか" + }, + { + "category": "ネットワーキング", + "description": "接続されたマシン エージェントは、既存の ExpressRoute または VPN 接続を介して Azure サービスとの通信にプライベート リンクを使用できます。", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + "severity": "中程度", + "subcategory": "ネットワーキング", + "text": "プライベート(パブリックインターネットではない)接続が必要ですか?" + }, + { + "category": "ネットワーキング", + "description": "エージェントが Azure と通信するにはファイアウォールの構成が必要な場合があり、リンクを使用して必要な ServiceTags や URL を確認します。", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "severity": "高い", + "subcategory": "ネットワーキング", + "text": "Azure サービスとの通信を確保するためにファイアウォール構成は必要ですか?" + }, + { + "category": "ネットワーキング", + "description": "問題のシステムで使用可能な自動化ツールを使用して、Azure エンドポイントを再更新する", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "link": "https://www.microsoft.com/download/details.aspx?id=56519", + "severity": "低い", + "subcategory": "ネットワーキング", + "text": "サービスタグまたはIPアドレスが変更された場合、ファイアウォールまたはプロキシルールを自動的に更新できますか" + }, + { + "category": "ネットワーキング", + "description": "トランスポート層セキュリティ (TLS) バージョン 1.2 を使用するようにサーバーを構成する", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", + "severity": "高い", + "subcategory": "ネットワーキング", + "text": "可能な限り、常に Azure のセキュリティで保護された通信を使用する" + }, + { + "category": "ネットワーキング", + "description": "すべての拡張機能 (ログ分析など) には個別のネットワーク要件があるため、必ずネットワーク設計にすべてを含めてください。", + "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", + "link": 
"https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", + "severity": "低い", + "subcategory": "ネットワーキング", + "text": "Azure Arc 対応サーバー拡張機能の通信を設計に含める (ファイアウォール/プロキシ/プライベート リンク)" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", + "link": "https://learn.microsoft.com/azure/governance/policy/", + "severity": "中程度", + "subcategory": "管理", + "text": "Azure Policy を使用して、ハイブリッド接続サーバーの政府モデルを実装する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "severity": "中程度", + "subcategory": "管理", + "text": "ゲスト OS 構成でのマシン構成の使用を検討する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "667357c4-4967-44c5-bd85-b859c7733be2", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", + "severity": "中程度", + "subcategory": "管理", + "text": "カスタムゲスト構成ポリシーの必要性を評価する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", + "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", + "severity": "中程度", + "subcategory": "モニタリング", + "text": "サーバー上で行われた変更を追跡するために変更追跡を使用するコサイダー" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "severity": "中程度", + "subcategory": "必要条件", + "text": "組織によって承認されたメタデータを格納するために Azure リージョンを必ず使用してください" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "severity": "中程度", + "subcategory": "秘密", + "text": "サーバー上の証明書管理に Azure Key Vault を使用する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "description": 
"有効期間が短い Azure AD サービス プリンシパルのクライアント シークレットの使用を検討してください。", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + "severity": "高い", + "subcategory": "秘密", + "text": "SPが使用するシークレットの許容可能な有効期間はどれくらいですか" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "description": "秘密キーがディスクに保存され、ディスク暗号化を使用して保護されていることを確認します", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "severity": "中程度", + "subcategory": "秘密", + "text": "Azure Arc 対応サーバーの公開キーをセキュリティで保護する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "description": "ローカル管理者は、Windows および Linux システムにコネクテッドマシンエージェントをインストールする必要があります。", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "severity": "高い", + "subcategory": "安全", + "text": "エージェントのインストールを実行するためのローカル管理者アクセス権があることを確認する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "description": "Windows のローカル管理者グループのメンバーと Linux のルート権限を持つユーザーは、コマンドラインを使用してエージェントを管理する権限を持ちます。", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "severity": "中程度", + "subcategory": "安全", + "text": "サーバーに対するローカル管理者権限を持つユーザーの数を制限する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "severity": "中程度", + "subcategory": "安全", + "text": "アプリケーションのマネージド ID へのアクセスの使用と制限を検討してください。" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "description": "エンドポイントまたは別の AV および EDR ソリューションに Defender を使用してエンドポイントを保護する", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": 
"https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "中程度", + "subcategory": "安全", + "text": "すべてのサーバーに対して Defender for Server を有効にして、ハイブリッド ワークロードを脅威から保護する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "severity": "中程度", + "subcategory": "安全", + "text": "セキュリティの構成ミスを検出し、コンプライアンスを追跡するコントロールを定義する" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "severity": "中程度", + "subcategory": "セキュリティ", + "text": "許可リストまたはブロックリストを使用して、Azure Arc 対応サーバーにインストールできる拡張機能を制御する" + } + ], + "metadata": { + "name": "Azure Arc Review", + "state": "Preview", + "timestamp": "04/04/2023 08:39:00" + }, + "severities": [ + { + "name": "高い" + }, + { + "name": "中程度" + }, + { + "name": "低い" + } + ], + "status": [ + { + "description": "このチェックはまだ確認されていません", + "name": "未確認" + }, + { + "description": "このチェックに関連付けられているアクションアイテムがあります", + "name": "開ける" + }, + { + "description": "このチェックは検証済みであり、それ以上のアクションアイテムは関連付けられていません", + "name": "達成" + }, + { + "description": "推奨事項は理解されていますが、現在の要件では必要ありません", + "name": "必須ではありません" + }, + { + "description": "現在のデザインには適用できません", + "name": "該当なし" + } + ], + "waf": [ + { + "name": "確実" + }, + { + "name": "安全" + }, + { + "name": "費用" + }, + { + "name": "オペレーションズ" + }, + { + "name": "パフォーマンス" + } + ] +} \ No newline at end of file diff --git a/checklists/azure_arc_checklist.ko.json b/checklists/azure_arc_checklist.ko.json new file mode 100644 index 000000000..c1e6fa85c --- /dev/null +++ b/checklists/azure_arc_checklist.ko.json 
@@ -0,0 +1,480 @@ +{ + "categories": [ + { + "name": "토대" + }, + { + "name": "신원" + }, + { + "name": "네트워킹" + }, + { + "name": "보안, 거버넌스 및 규정 준수" + }, + { + "name": "관리 및 모니터링" + } + ], + "items": [ + { + "category": "토대", + "description": "Azure Arc 지원 서버 리소스 배치를 위한 리소스 그룹 구조 정의", + "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "severity": "높다", + "subcategory": "용량 계획", + "text": "Azure에 서버를 온보딩하는 데 하나 이상의 리소스 그룹이 필요합니다." + }, + { + "category": "토대", + "guid": "aa359271-8e6e-4205-8725-769e46691e88", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "보통", + "subcategory": "용량 계획", + "text": "Azure Active Directory 개체 제한 사항 고려" + }, + { + "category": "토대", + "description": "다음 리소스 공급자를 등록해야 합니다: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", + "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", + "severity": "높다", + "subcategory": "일반", + "text": "필요한 리소스 공급자가 모든 구독에 등록되어 있습니까?" + }, + { + "category": "토대", + "description": "기존 항목과 일치하거나 Azure 태그 지정 시작을 만드는 것이 좋습니다. 리소스 태그를 사용하면 신속하게 찾고 운영 작업을 자동화할 수 있습니다. ", + "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", + "severity": "낮다", + "subcategory": "일반", + "text": "Azure Arc 지원 서버에 대한 태그 지정 계층이 정의되었습니다." + }, + { + "category": "토대", + "description": "연결된 컴퓨터 에이전트의 설치는 대부분의 최신 Windows 및 Linux 운영 체제에서 지원되며 최신 목록에 대한 링크를 검토하십시오.", + "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", + "severity": "높다", + "subcategory": "일반", + "text": "Azure Arc를 지원해야 하는 운영 체제" + }, + { + "category": "토대", + "description": "에이전트 설치에 대한 소프트웨어 요구 사항이 있습니다. 
일부는 설치 후 시스템 재부팅이 필요할 수 있습니다.", + "guid": "372734b8-76ba-428f-8145-901365d38e53", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", + "severity": "높다", + "subcategory": "일반", + "text": "설치를 지원하기 위해 Windows 및 Linux 서버에 설치된 소프트웨어가 필요합니다." + }, + { + "category": "토대", + "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", + "severity": "높다", + "subcategory": "일반", + "text": "지원되는 Azure 지역을 사용해야 합니다." + }, + { + "category": "토대", + "description": "범위에는 관리 그룹, 구독 및 리소스 그룹으로 구성된 조직이 포함됩니다.", + "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", + "severity": "낮다", + "subcategory": "조직", + "text": "Azure 리소스 관리를 위한 구조 정의" + }, + { + "category": "신원", + "description": "서버 관리에 필요한 대로 서버/리소스 그룹에 대한 RBAC 규칙을 정의하면 'Azure 연결된 컴퓨터 리소스 관리자' 또는 '하이브리드 서버 리소스 관리자' 역할이 Azure에서 Azure Arc 지원 서버 리소스를 관리하는 데 충분합니다.", + "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", + "severity": "보통", + "subcategory": "접근", + "text": "Azure Arc 지원 서버를 관리하기 위해 Azure AD 사용자/그룹 액세스에 RBAC 권한 할당" + }, + { + "category": "신원", + "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", + "severity": "낮다", + "subcategory": "접근", + "text": "애플리케이션에 관리 ID를 사용하여 링크의 Key Vault 예제와 같은 Azure 리소스에 액세스하는 것이 좋습니다." 
+ }, + { + "category": "신원", + "description": "Azure 구독은 동일한 Azure AD 테넌트에 대한 부모가 되어야 합니다.", + "guid": "35ac9322-23e1-4380-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "높다", + "subcategory": "요구 사항", + "text": "Azure Active Directory 테넌트는 하나 이상의 구독에서 사용할 수 있어야 합니다." + }, + { + "category": "신원", + "description": "사용자(또는 SP)는 서버 온보딩에 'Azure 연결된 컴퓨터 온보딩' 또는 '참가자' 역할이 필요합니다.", + "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "보통", + "subcategory": "요구 사항", + "text": "온보드 Azure Arc 지원 서버에 액세스할 수 있는 사용자(AAD 사용자/그룹) 정의" + }, + { + "category": "신원", + "description": "역할을 수행하는 데 필요한 사용자 또는 그룹에만 권한을 추가해야 합니다.", + "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "보통", + "subcategory": "안전", + "text": "최소한의 특권을 사용하십시오." 
+ }, + { + "category": "신원", + "description": "서버의 대규모 온보딩에는 'Azure 연결된 컴퓨터 온보딩' 역할이 있는 서비스 원칙이 필요하며, 다른 팀/분산 관리에서 온보딩을 수행하는 경우 더 많은 SP를 고려합니다.", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "보통", + "subcategory": "안전", + "text": "Arc 지원 서버를 Azure에 온보딩하는 데 필요한 서비스 기본 서비스 수" + }, + { + "category": "신원", + "description": "리소스 그룹 수준에서 'Azure 연결된 컴퓨터 온보딩' 역할에 대한 권한을 할당하여 리소스 만들기를 제어하는 것이 좋습니다.", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "보통", + "subcategory": "안전", + "text": "Azure Arc 지원 서버를 온보딩할 수 있는 권한을 원하는 리소스 그룹으로 제한" + }, + { + "category": "관리 및 모니터링", + "description": "대규모 에이전트 배포 계획", + "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment", + "severity": "보통", + "subcategory": "경영", + "text": "에이전트 프로비저닝에 대한 전략 정의" + }, + { + "category": "관리 및 모니터링", + "description": "Microsoft 업데이트를 사용하여 연결된 컴퓨터 에이전트가 항상 최신 상태인지 확인", + "guid": "c78e1d76-6673-457c-9496-74c5ed85b859", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent", + "severity": "높다", + "subcategory": "경영", + "text": "에이전트 업데이트에 대한 전략 정의" + }, + { + "category": "관리 및 모니터링", + "description": "Azure 정책 또는 Azure DevOps와 같은 다른 자동화 도구를 사용하는 것이 좋습니다 - 중요한 것은 구성 드리프트를 방지하는 것입니다.", + "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", + "severity": "보통", + "subcategory": "경영", + "text": "확장 설치 전략 정의" + }, + { + "category": "관리 및 모니터링", + "description": "사용 가능한 경우 자동 업그레이드를 사용하고 자동 업그레이드를 지원하지 않는 모든 확장에 대한 업데이트 전략을 정의합니다.", + "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal", + "severity": "높다", + "subcategory": "경영", + "text": "확장 업데이트 전략 정의" + }, + { + "category": "관리 및 모니터링", + "description": "Azure 자동 관리는 Azure에서 서버 관리를 위한 Microsoft 모범 사례를 구현하는 데 도움이 됩니다.", + "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de", + "link": "https://learn.microsoft.com/azure/automanage/automanage-arc", + "severity": "보통", + "subcategory": "경영", + "text": "Azure 자동 관리를 사용하여 설정을 제어하고 서버의 구성 드리프트를 방지하는 것이 좋습니다." + }, + { + "category": "관리 및 모니터링", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "높다", + "subcategory": "모니터링", + "text": "응답하지 않는 에이전트 모니터링" + }, + { + "category": "관리 및 모니터링", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", + "severity": "보통", + "subcategory": "모니터링", + "text": "메트릭 및 로그를 Log Analytics 작업 영역으로 보내는 모니터링 전략 설계" + }, + { + "category": "관리 및 모니터링", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", + "severity": "보통", + "subcategory": "모니터링", + "text": "활동 로그의 알림을 사용하여 리소스의 예기치 않은 변경 내용에 대한 알림 받기" + }, + { + "category": "관리 및 모니터링", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", + "severity": "보통", + "subcategory": "모니터링", + "text": "규정 준수 및 운영 모니터링을 위해 Azure 모니터 사용" + }, + { + "category": "관리 및 모니터링", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "보통", + "subcategory": "모니터링", + "text": "최신 버전의 Azure 연결된 컴퓨터 에이전트를 사용하지 않는 Azure Arc 지원 서버를 식별하는 경고 만들기" + }, + { + 
"category": "관리 및 모니터링", + "description": "Azure 자동화 또는 새로운 업데이트 관리 센터(미리 보기) 기능에서 업데이트 관리를 사용하여 서버의 업데이트 관리 보장", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "severity": "낮다", + "subcategory": "안전", + "text": "Azure Arc 지원 서버를 사용하여 서버에 대한 소프트웨어 업데이트 배포 제어" + }, + { + "category": "네트워킹", + "description": "연결된 컴퓨터 에이전트는 기본적으로 HTTPS(TCP 포트 443)를 사용하여 공용 인터렛 연결을 통해 Azure 서비스와 통신합니다.", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "severity": "높다", + "subcategory": "네트워킹", + "text": "서버에서 Azure로의 연결 방법 정의" + }, + { + "category": "네트워킹", + "description": "연결된 컴퓨터 에이전트는 프록시 서버를 사용하도록 구성할 수 있으므로 로컬 시스템에서 'azcmagent config set proxy.url' 명령을 사용하여 프록시 서버 주소를 정의하는 것이 좋습니다.", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "severity": "보통", + "subcategory": "네트워킹", + "text": "공용 인터넷을 통한 통신에 필요한 프록시 서버입니까?" + }, + { + "category": "네트워킹", + "description": "연결된 컴퓨터 에이전트는 기존 Express 경로 또는 VPN 연결을 통해 Azure 서비스와 통신하기 위해 프라이빗 링크를 사용할 수 있습니다.", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + "severity": "보통", + "subcategory": "네트워킹", + "text": "사설(공용 인터넷 아님) 연결이 필요합니까?" + }, + { + "category": "네트워킹", + "description": "에이전트가 Azure와 통신하려면 방화벽 구성이 필요할 수 있으며, 링크를 사용하여 서비스 태그 및/또는 URL이 필요한지 확인합니다.", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "severity": "높다", + "subcategory": "네트워킹", + "text": "Azure 서비스와의 통신을 보장하기 위해 방화벽 구성이 필요한가요?" 
+ }, + { + "category": "네트워킹", + "description": "해당 시스템에 사용 가능한 자동화 도구를 사용하여 Azure 엔드포인트를 다시 업데이트합니다.", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "link": "https://www.microsoft.com/download/details.aspx?id=56519", + "severity": "낮다", + "subcategory": "네트워킹", + "text": "서비스 태그 또는 IP 주소가 변경되는 경우 방화벽 또는 프록시 규칙을 자동으로 업데이트할 수 있습니까?" + }, + { + "category": "네트워킹", + "description": "TLS(전송 계층 보안) 버전 1.2를 사용하도록 서버 구성", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", + "severity": "높다", + "subcategory": "네트워킹", + "text": "가능한 경우 항상 Azure에 보안 통신 사용" + }, + { + "category": "네트워킹", + "description": "모든 확장(예: 로그 분석 등)에는 별도의 네트워크 요구 사항이 있으므로 네트워크 설계에 모두 포함해야 합니다.", + "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", + "severity": "낮다", + "subcategory": "네트워킹", + "text": "디자인에 Azure Arc 지원 서버 확장에 대한 통신 포함(방화벽/프록시/프라이빗 링크)" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", + "link": "https://learn.microsoft.com/azure/governance/policy/", + "severity": "보통", + "subcategory": "경영", + "text": "Azure Policy를 사용하여 하이브리드 연결된 서버에 대한 정부 모델 구현" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview", + "severity": "보통", + "subcategory": "경영", + "text": "게스트 OS 구성에서 컴퓨터 구성 사용 고려" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "667357c4-4967-44c5-bd85-b859c7733be2", + "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", + "severity": "보통", + "subcategory": "경영", + "text": "사용자 지정 게스트 구성 정책의 필요성 평가" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + 
"guid": "49674c5e-d85b-4859-a773-3be2a1a27b77", + "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview", + "severity": "보통", + "subcategory": "모니터링", + "text": "서버에서 수행된 변경 내용을 추적하기 위해 변경 내용 추적을 사용하는 Cosider" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "d5d1e54a-2965-49e3-a58f-d78289c93555", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "severity": "보통", + "subcategory": "요구 사항", + "text": "조직에서 승인한 메타데이터를 저장하기 위해 Azure 지역을 사용해야 합니다." + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "severity": "보통", + "subcategory": "비밀", + "text": "서버에서 인증서 관리를 위해 Azure 키 자격 증명 모음 사용" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "description": "수명이 짧은 Azure AD 서비스 주체 클라이언트 비밀을 사용하는 것이 좋습니다.", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + "severity": "높다", + "subcategory": "비밀", + "text": "SP가 사용하는 비밀의 허용 가능한 수명은 얼마입니까?" 
+ }, + { + "category": "보안, 거버넌스 및 규정 준수", + "description": "개인 키가 디스크에 저장되므로 디스크 암호화를 사용하여 보호되는지 확인하십시오.", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "severity": "보통", + "subcategory": "비밀", + "text": "Azure Arc 지원 서버에 대한 공개 키 보안" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "description": "로컬 관리자는 Windows 및 Linux 시스템에 연결된 컴퓨터 에이전트를 설치해야 합니다.", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "severity": "높다", + "subcategory": "안전", + "text": "에이전트 설치를 실행하기 위한 로컬 관리자 액세스 권한이 있는지 확인" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "description": "Windows의 로컬 관리자 그룹 구성원과 Linux의 루트 권한이 있는 사용자는 명령줄을 통해 에이전트를 관리할 수 있는 권한이 있습니다.", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "severity": "보통", + "subcategory": "안전", + "text": "서버에 대한 로컬 관리자 권한이 있는 사용자 수 제한" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "severity": "보통", + "subcategory": "안전", + "text": "애플리케이션의 관리 ID에 대한 액세스를 사용하고 제한하는 것이 좋습니다." + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "description": "엔드포인트용 Defender 또는 다른 AV 및 EDR 솔루션을 사용하여 엔드포인트 보호", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "보통", + "subcategory": "안전", + "text": "모든 서버에 대해 서버용 Defender를 사용하도록 설정하여 위협으로부터 하이브리드 워크로드를 보호합니다." 
+ }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "severity": "보통", + "subcategory": "안전", + "text": "보안 구성 오류를 감지하고 규정 준수를 추적하는 제어 정의" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + "severity": "보통", + "subcategory": "보안", + "text": "허용 또는 차단 목록을 사용하여 Azure Arc 지원 서버에 설치할 수 있는 확장 제어" + } + ], + "metadata": { + "name": "Azure Arc Review", + "state": "Preview", + "timestamp": "04/04/2023 08:39:00" + }, + "severities": [ + { + "name": "높다" + }, + { + "name": "보통" + }, + { + "name": "낮다" + } + ], + "status": [ + { + "description": "이 검사는 아직 검토되지 않았습니다.", + "name": "확인되지 않음" + }, + { + "description": "이 검사와 연결된 작업 항목이 있습니다.", + "name": "열다" + }, + { + "description": "이 검사가 확인되었으며 연결된 추가 작업 항목이 없습니다.", + "name": "성취" + }, + { + "description": "권장 사항을 이해했지만 현재 요구 사항에서 필요하지 않음", + "name": "필요하지 않음" + }, + { + "description": "현재 디자인에는 적용되지 않음", + "name": "해당 없음" + } + ], + "waf": [ + { + "name": "신뢰도" + }, + { + "name": "안전" + }, + { + "name": "비용" + }, + { + "name": "작업" + }, + { + "name": "공연" + } + ] +} \ No newline at end of file diff --git a/checklists/azure_arc_checklist.pt.json b/checklists/azure_arc_checklist.pt.json new file mode 100644 index 000000000..d954550e4 --- /dev/null +++ b/checklists/azure_arc_checklist.pt.json 
@@ -0,0 +1,480 @@ +{ + "categories": [ + { + "name": "Fundação" + }, + { + "name": "Identidade" + }, + { + "name": "Rede" + }, + { + "name": "Segurança, Governança e Conformidade" + }, + { + "name": "Gestão e Monitoramento" + } + ], + "items": [ + { + "category": "Fundação", + "description": "Definir uma estrutura de grupo de recursos para posicionamento de recursos de servidores habilitados para Arco do Azure", + "guid": "585e1112-9bd7-4ba0-82f7-b94ef6e043d2", + "severity": "Alto", + "subcategory": "Planejamento de capacidade", + "text": "Um ou mais grupos de recursos são necessários para integrar servidores no Azure" + }, + { + "category": "Fundação", + "guid": "aa359271-8e6e-4205-8725-769e46691e88", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "Média", + "subcategory": "Planejamento de capacidade", + "text": "Leve em conta as limitações de objeto do Active Directory do Azure" + }, + { + "category": "Fundação", + "description": "Os seguintes provedores de recursos precisam ser registrados: Microsoft.HybridCompute, Microsoft.GuestConfiguration, Microsoft.HybridConnectivity", + "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", + "severity": "Alto", + "subcategory": "Geral", + "text": "Os provedores de recursos necessários foram registrados em todas as assinaturas" + }, + { + "category": "Fundação", + "description": "Recomenda-se alinhar com um startegy de marcação existente ou criar um Azure. As tags de recursos permitem localizá-lo rapidamente, automatizar tarefas operacionais e muito mais. 
", + "guid": "c6d37331-65c7-4acb-b44b-be609d79f2e8", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/", + "severity": "Baixo", + "subcategory": "Geral", + "text": "Uma estratégia de marcação para servidores habilitados para o Azure Arc foi definida" + }, + { + "category": "Fundação", + "description": "A instalação do agente de máquina conectada é suportada na maioria dos sistemas operacionais Windows e Linux mais recentes, revise o link para se a lista mais recente", + "guid": "7778424c-5167-475c-9fa9-5b96ad88408e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems", + "severity": "Alto", + "subcategory": "Geral", + "text": "Quais sistemas operacionais precisam ser habilitados para o Azure Arc" + }, + { + "category": "Fundação", + "description": "Há requisitos de software para a instalação do agente. Alguns podem exigir uma reinicialização do sistema após a instalação, revise para vincular", + "guid": "372734b8-76ba-428f-8145-901365d38e53", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#software-requirements", + "severity": "Alto", + "subcategory": "Geral", + "text": "São necessários softwares instalados em servidores Windows e Linux para suportar a instalação" + }, + { + "category": "Fundação", + "guid": "d44c7c89-19ca-41f6-b521-5ae514ba34d4", + "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc®ions=all", + "severity": "Alto", + "subcategory": "Geral", + "text": "Certifique-se de usar uma região do Azure com suporte" + }, + { + "category": "Fundação", + "description": "O escopo inclui organização em grupos de gerenciamento, assinaturas e grupos de recursos.", + "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", + "severity": "Baixo", 
+ "subcategory": "Organização", + "text": "Definir a estrutura para o gerenciamento de recursos do Azure" + }, + { + "category": "Identidade", + "description": "Definir regras RBAC para os servidores/grupos de recursos conforme necessário para o gerenciamento de servidores, a função 'Administrador de Recursos de Máquina Conectada do Azure' ou 'Administrador de Recursos de Servidor Híbrido' seria suficiente para o gerenciamento dos recursos de servidores habilitados para Arco do Azure no Azure", + "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", + "severity": "Média", + "subcategory": "Acesso", + "text": "Atribuir direitos RBAC ao acesso de usuário/grupo do Azure AD para gerenciar servidores habilitados para Arco do Azure" + }, + { + "category": "Identidade", + "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", + "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", + "severity": "Baixo", + "subcategory": "Acesso", + "text": "Considere o uso de identidades gerenciadas para aplicativos para acessar recursos do Azure, como o exemplo do Cofre da Chave no link" + }, + { + "category": "Identidade", + "description": "Uma assinatura do Azure deve ser parente do mesmo locatário do Azure AD", + "guid": "35ac9322-23e1-4380-8523-081a94174158", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", + "severity": "Alto", + "subcategory": "Requisitos", + "text": "Um locatário do Active Directory do Azure deve estar disponível com pelo menos uma assinatura" + }, + { + "category": "Identidade", + "description": "Os usuários (ou SPs) precisam da função 'Azure Connected Machine Onboarding' ou 'Contributor' para a integração de servidores", + "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", + "link": 
"https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "Média", + "subcategory": "Requisitos", + "text": "Definir quais usuários (usuários/grupos do AAD) têm acesso aos servidores habilitados para Arco do Azure integrados" + }, + { + "category": "Identidade", + "description": "Certifique-se de adicionar apenas os direitos a usuários ou grupos necessários para realizar sua função", + "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "Média", + "subcategory": "Segurança", + "text": "Use o princípio de menos privilegiado" + }, + { + "category": "Identidade", + "description": "Um princípio de serviço com a função 'Azure Connected Machine Onboarding' é necessário para a integração em escala de servidores, considere mais SPs se a integração for feita por diferentes equipes/gerenciamento descentralizado", + "guid": "ad88408e-3727-434b-a76b-a28f21459013", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", + "severity": "Média", + "subcategory": "Segurança", + "text": "Quantos Princípios de Serviço são necessários para integrar servidores habilitados para Arc no Azure" + }, + { + "category": "Identidade", + "description": "Considere atribuir os direitos para a função 'Integração de Máquina Conectada do Azure' no nível do grupo de recursos, para controlar a criação de recursos", + "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", + "severity": "Média", + "subcategory": "Segurança", + "text": "Limitar os direitos de integrar servidores habilitados para o Azure Arc aos grupos de recursos desejados" + }, + { + "category": "Gestão e Monitoramento", + "description": "Planejar implantações de 
agentes em escala",
+ "guid": "6ee79d6b-5c2a-4364-a4b6-9bad38aad53c",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment",
+ "severity": "Média",
+ "subcategory": "Gestão",
+ "text": "Definir um stretegy para provisionamento de agente"
+ },
+ {
+ "category": "Gestão e Monitoramento",
+ "description": "Use o Microsoft Update para garantir que o agente da máquina conectada esteja sempre atualizado",
+ "guid": "c78e1d76-6673-457c-9496-74c5ed85b859",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#upgrade-the-agent",
+ "severity": "Alto",
+ "subcategory": "Gestão",
+ "text": "Definir um estrato para atualizações de agente"
+ },
+ {
+ "category": "Gestão e Monitoramento",
+ "description": "A recomendação é usar a Política do Azure ou outra ferramenta de automação como o Azure DevOps - importante é evitar desvios de configuração.",
+ "guid": "c7733be2-a1a2-47b7-95a9-1be1f388ff39",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions",
+ "severity": "Média",
+ "subcategory": "Gestão",
+ "text": "Definir uma estratégia para a instalação da extensão"
+ },
+ {
+ "category": "Gestão e Monitoramento",
+ "description": "Use atualizações automáticas quando disponíveis e defina uma estratégia de atualização para todas as extensões que não oferecem suporte a atualizações automáticas.",
+ "guid": "4c2bd463-cbbb-4c86-a195-abb91a4ed90d",
+ "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal",
+ "severity": "Alto",
+ "subcategory": "Gestão",
+ "text": "Definir uma estratégia para atualizações de extensão"
+ },
+ {
+ "category": "Gestão e Monitoramento",
+ "description": "O Azure Automanage ajuda a implementar as práticas recomendadas da Microsoft para gerenciamento de servidores no Azure",
+ "guid": "7a927c39-74d1-4102-aac6-aae01e6a84de",
+ "link": "https://learn.microsoft.com/azure/automanage/automanage-arc",
+ "severity": 
"Média", + "subcategory": "Gestão", + "text": "Considere o uso do Azure Automanage para controlar as configurações e evitar desvios de configuração nos servidores" + }, + { + "category": "Gestão e Monitoramento", + "guid": "37b6b780-cbaf-4e6c-9658-9d457a927c39", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "Alto", + "subcategory": "Monitorização", + "text": "Monitorar agentes que não respondem" + }, + { + "category": "Gestão e Monitoramento", + "guid": "74d1102c-ac6a-4ae0-8e6a-84de5df47d2d", + "link": "https://learn.microsoft.com/azure/azure-monitor/agents/log-analytics-agent#data-collected", + "severity": "Média", + "subcategory": "Monitorização", + "text": "Projetar uma estratégia de monitoramento para enviar métricas e logs para um espaço de trabalho do Log Analytics" + }, + { + "category": "Gestão e Monitoramento", + "guid": "92881b1c-d5d1-4e54-a296-59e3958fd782", + "link": "https://learn.microsoft.com/azure/service-health/resource-health-alert-monitor-guide", + "severity": "Média", + "subcategory": "Monitorização", + "text": "Usar notificação nos Logs de atividades para receber notificações sobre alterações inesperadas nos recursos" + }, + { + "category": "Gestão e Monitoramento", + "guid": "89c93555-6d02-4bfe-9564-b0d834a34872", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/learn/tutorial-enable-vm-insights", + "severity": "Média", + "subcategory": "Monitorização", + "text": "Usar o Azure Monitor para conformidade e monitoramento operacional" + }, + { + "category": "Gestão e Monitoramento", + "guid": "5df47d2d-9288-41b1-ad5d-1e54a29659e3", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/plan-at-scale-deployment#phase-3-manage-and-operate", + "severity": "Média", + "subcategory": "Monitorização", + "text": "Criar um alerta para identificar servidores habilitados para Arco do Azure que não estão usando a versão mais recente do agente de máquina 
conectada do Azure" + }, + { + "category": "Gestão e Monitoramento", + "description": "Usar o Gerenciamento de Atualizações na Automação do Azure ou a nova funcionalidade do Centro de Gerenciamento de Atualizações (visualização) para garantir o gerenciamento de atualizações dos servidores", + "guid": "ae2cc84c-37b6-4b78-8cba-fe6c46589d45", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management", + "severity": "Baixo", + "subcategory": "Segurança", + "text": "Usar servidores habilitados para Arco do Azure para controlar implantações de atualizações de software em servidores" + }, + { + "category": "Rede", + "description": "Por padrão, o Connected Machine Agent se comunicará com os serviços do Azure por meio da conectividade pública Interet usando HTTPS (porta TCP 443)", + "guid": "f6e043d2-aa35-4927-88e6-e2050725769e", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#details", + "severity": "Alto", + "subcategory": "Rede", + "text": "Definir um método de conectividade do servidor para o Azure" + }, + { + "category": "Rede", + "description": "O Connected Machine Agent pode ser configurado para usar um servidor proxy, recomenda-se definir o endereço do servidor proxy usando o comando 'azcmagent config set proxy.url' no sistema local.", + "guid": "46691e88-35ac-4932-823e-13800523081a", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-agent#update-or-remove-proxy-settings", + "severity": "Média", + "subcategory": "Rede", + "text": "Um servidor proxy é necessário para a comunicação pela Internet Pública" + }, + { + "category": "Rede", + "description": "O Connected Machine Agent pode usar um Link Privado para comunicação com os Serviços do Azure em uma conexão VPN ou Rota Expressa existente", + "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", + 
"severity": "Média", + "subcategory": "Rede", + "text": "É necessária uma conexão privada (não pública com a Internet)?" + }, + { + "category": "Rede", + "description": "A configuração do firewall pode ser necessária para que o agente se comunique com o Azure, use o link para ver ServiceTags e/ou URLs necessárias", + "guid": "e44bbe60-9d79-4f2e-a777-8424c516775c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#service-tags", + "severity": "Alto", + "subcategory": "Rede", + "text": "As configurações de firewall serão necessárias para garantir a comunicação com os Serviços do Azure?" + }, + { + "category": "Rede", + "description": "Use a ferramenta de automação disponível para o sistema em questão para atualizar requamente os pontos de extremidade do Azure", + "guid": "6fa95b96-ad88-4408-b372-734b876ba28f", + "link": "https://www.microsoft.com/download/details.aspx?id=56519", + "severity": "Baixo", + "subcategory": "Rede", + "text": "As regras de Firewall ou Proxy podem ser atualizadas automaticamente se as Etiquetas de Serviço ou endereços IP forem alterados" + }, + { + "category": "Rede", + "description": "Configurar servidores para usar o TLS (Transport Layer Security) versão 1.2", + "guid": "21459013-65d3-48e5-9f9c-cbd868266abc", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#transport-layer-security-12-protocol", + "severity": "Alto", + "subcategory": "Rede", + "text": "Sempre use a comunicação segura para o Azure sempre que possível" + }, + { + "category": "Rede", + "description": "Todas as extensões (como análise de logs, etc.) 
têm requisitos de rede separados, certifique-se de incluir todos no design da rede.",
+ "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method",
+ "severity": "Baixo",
+ "subcategory": "Rede",
+ "text": "Incluir comunicação para extensões de Servidores habilitados para Arco do Azure no design (firewall/proxy/link privado)"
+ },
+ {
+ "category": "Segurança, Governança e Conformidade",
+ "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c",
+ "link": "https://learn.microsoft.com/azure/governance/policy/",
+ "severity": "Média",
+ "subcategory": "Gestão",
+ "text": "Usar a Política do Azure para implementar um modelo de governo para servidores conectados híbridos"
+ },
+ {
+ "category": "Segurança, Governança e Conformidade",
+ "guid": "5c2a3649-4b69-4bad-98aa-d53cc78e1d76",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/overview",
+ "severity": "Média",
+ "subcategory": "Gestão",
+ "text": "Considere o uso de configurações de máquina para configurações de SO convidado"
+ },
+ {
+ "category": "Segurança, Governança e Conformidade",
+ "guid": "667357c4-4967-44c5-bd85-b859c7733be2",
+ "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create",
+ "severity": "Média",
+ "subcategory": "Gestão",
+ "text": "Avaliar a necessidade de políticas personalizadas de Configuração de Convidado"
+ },
+ {
+ "category": "Segurança, Governança e Conformidade",
+ "guid": "49674c5e-d85b-4859-a773-3be2a1a27b77",
+ "link": "https://learn.microsoft.com/azure/automation/change-tracking/overview",
+ "severity": "Média",
+ "subcategory": "Monitorização",
+ "text": "Cosider usando o controle de alterações para controlar as alterações feitas nos servidores"
+ },
+ {
+ "category": "Segurança, Governança e Conformidade",
+ "guid": 
"d5d1e54a-2965-49e3-a58f-d78289c93555", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/data-residency", + "severity": "Média", + "subcategory": "Requisitos", + "text": "Certifique-se de usar uma região do Azure para armazenar os metadados aprovados pela organização" + }, + { + "category": "Segurança, Governança e Conformidade", + "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", + "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", + "severity": "Média", + "subcategory": "Segredos", + "text": "Usar o Cofre da Chave do Azure para gerenciamento de certificados em servidores" + }, + { + "category": "Segurança, Governança e Conformidade", + "description": "Considere o uso de segredos de cliente principal de serviço do Azure AD de curta duração.", + "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", + "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", + "severity": "Alto", + "subcategory": "Segredos", + "text": "Qual é o tempo de vida aceitável do segredo usado por SP's" + }, + { + "category": "Segurança, Governança e Conformidade", + "description": "Uma chave privada é salva no disco, certifique-se de que ela esteja protegida usando criptografia de disco", + "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", + "severity": "Média", + "subcategory": "Segredos", + "text": "Proteger a chave pública para os Servidores habilitados para Arco do Azure" + }, + { + "category": "Segurança, Governança e Conformidade", + "description": "O administrador local é necessário para instalar o Connected Machine Agent em sistemas Windows e Linux", + "guid": "29659e39-58fd-4782-a9c9-35556d02bfe4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-portal#install-manually", + "severity": "Alto", + "subcategory": "Segurança", + "text": 
"Verifique se há acesso de administrador local para executar a instalação do agente" + }, + { + "category": "Segurança, Governança e Conformidade", + "description": "Os membros do grupo de administradores locais no Windows e os usuários com privilégios de root no Linux têm permissões para gerenciar o agente via linha de comando.", + "guid": "564b0d83-4a34-4872-9ee7-9d6b5c2a3649", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#agent-security-and-permissions", + "severity": "Média", + "subcategory": "Segurança", + "text": "Limitar a quantidade de usuários com direitos de administrador local aos servidores" + }, + { + "category": "Segurança, Governança e Conformidade", + "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", + "severity": "Média", + "subcategory": "Segurança", + "text": "Considere usar e restringir o acesso a identidades gerenciadas para aplicativos." + }, + { + "category": "Segurança, Governança e Conformidade", + "description": "Use o Defender for Endpoint ou outra solução AV e EDR para proteger endpoints", + "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", + "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", + "severity": "Média", + "subcategory": "Segurança", + "text": "Habilite o Defender for Servers para todos os servidores para proteger cargas de trabalho híbridas contra ameaças" + }, + { + "category": "Segurança, Governança e Conformidade", + "guid": "cbafe6c4-6589-4d45-9a92-7c3974d1102c", + "severity": "Média", + "subcategory": "Segurança", + "text": "Definir controles para detectar erros de configuração de segurança e controlar a conformidade" + }, + { + "category": "Segurança, Governança e Conformidade", + "guid": "cbbbc868-195a-4bb9-8a4e-d90dae2cc84c", + "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#extension-allowlists-and-blocklists", + 
"severity": "Média", + "subcategory": "Securtiy •", + "text": "Use listas de permissões ou bloqueios para controlar quais extensões podem ser instaladas nos servidores habilitados para Arco do Azure" + } + ], + "metadata": { + "name": "Azure Arc Review", + "state": "Preview", + "timestamp": "04/04/2023 08:39:00" + }, + "severities": [ + { + "name": "Alto" + }, + { + "name": "Média" + }, + { + "name": "Baixo" + } + ], + "status": [ + { + "description": "Esta verificação ainda não foi analisada", + "name": "Não verificado" + }, + { + "description": "Há um item de ação associado a essa verificação", + "name": "Abrir" + }, + { + "description": "Essa verificação foi verificada e não há mais itens de ação associados a ela", + "name": "Cumprido" + }, + { + "description": "Recomendação entendida, mas não necessária pelos requisitos atuais", + "name": "Não é necessário" + }, + { + "description": "Não aplicável ao projeto atual", + "name": "N/A" + } + ], + "waf": [ + { + "name": "Fiabilidade" + }, + { + "name": "Segurança" + }, + { + "name": "Custar" + }, + { + "name": "Operações" + }, + { + "name": "Desempenho" + } + ] +} \ No newline at end of file diff --git a/spreadsheet/macrofree/asb_security_checklist.en.xlsx b/spreadsheet/macrofree/asb_security_checklist.en.xlsx index d22ecb660..b91aaf984 100644 Binary files a/spreadsheet/macrofree/asb_security_checklist.en.xlsx and b/spreadsheet/macrofree/asb_security_checklist.en.xlsx differ diff --git a/spreadsheet/macrofree/asb_security_checklist.es.xlsx b/spreadsheet/macrofree/asb_security_checklist.es.xlsx index bd302c2b4..b64bbfceb 100644 Binary files a/spreadsheet/macrofree/asb_security_checklist.es.xlsx and b/spreadsheet/macrofree/asb_security_checklist.es.xlsx differ 
diff --git a/spreadsheet/macrofree/asb_security_checklist.ja.xlsx b/spreadsheet/macrofree/asb_security_checklist.ja.xlsx
index 6de42aaed..bec20960b 100644
Binary files a/spreadsheet/macrofree/asb_security_checklist.ja.xlsx and b/spreadsheet/macrofree/asb_security_checklist.ja.xlsx differ
diff --git a/spreadsheet/macrofree/asb_security_checklist.ko.xlsx b/spreadsheet/macrofree/asb_security_checklist.ko.xlsx
index bd9e15b83..25df8c46b 100644
Binary files a/spreadsheet/macrofree/asb_security_checklist.ko.xlsx and b/spreadsheet/macrofree/asb_security_checklist.ko.xlsx differ
diff --git a/spreadsheet/macrofree/asb_security_checklist.pt.xlsx b/spreadsheet/macrofree/asb_security_checklist.pt.xlsx
index bac82f8de..7d82c002d 100644
Binary files a/spreadsheet/macrofree/asb_security_checklist.pt.xlsx and b/spreadsheet/macrofree/asb_security_checklist.pt.xlsx differ
diff --git a/spreadsheet/macrofree/azure_arc_checklist.en.xlsx b/spreadsheet/macrofree/azure_arc_checklist.en.xlsx
new file mode 100644
index 000000000..19f5591d4
Binary files /dev/null and b/spreadsheet/macrofree/azure_arc_checklist.en.xlsx differ
diff --git a/spreadsheet/macrofree/azure_arc_checklist.es.xlsx b/spreadsheet/macrofree/azure_arc_checklist.es.xlsx
new file mode 100644
index 000000000..69e6e0932
Binary files /dev/null and b/spreadsheet/macrofree/azure_arc_checklist.es.xlsx differ
diff --git a/spreadsheet/macrofree/azure_arc_checklist.ja.xlsx b/spreadsheet/macrofree/azure_arc_checklist.ja.xlsx
new file mode 100644
index 000000000..5cc01edde
Binary files /dev/null and b/spreadsheet/macrofree/azure_arc_checklist.ja.xlsx differ
diff --git a/spreadsheet/macrofree/azure_arc_checklist.ko.xlsx b/spreadsheet/macrofree/azure_arc_checklist.ko.xlsx
new file mode 100644
index 000000000..f08426cd8
Binary files /dev/null and b/spreadsheet/macrofree/azure_arc_checklist.ko.xlsx differ
diff --git a/spreadsheet/macrofree/azure_arc_checklist.pt.xlsx b/spreadsheet/macrofree/azure_arc_checklist.pt.xlsx
new file mode 100644
index 000000000..53e5bebbb
Binary files /dev/null and b/spreadsheet/macrofree/azure_arc_checklist.pt.xlsx differ
diff --git a/spreadsheet/review_checklist_empty.xlsx b/spreadsheet/review_checklist_empty.xlsx
new file mode 100644
index 000000000..2671a8702
Binary files /dev/null and b/spreadsheet/review_checklist_empty.xlsx differ