Home
This project grew out of a few projects with numerous security requirements; it was created to relieve the tedious task of applying security technical guidance control sets to Azure virtual machines. As a standard practice it is normal to build basic automation around this task. Whether using scripts, group policy, or orchestrated deployments with tools like Terraform, much of the repetitive work is removed. To validate the tools and functionality available for setting and managing such controls with Azure native tooling, we created this solution accelerator project to find the gaps.
The project's initial focus was Azure Policy, in particular Guest Configuration within Azure Policy, because it made sense and it already has pre-built compliance views. We found several gaps from the beginning, but the first primary blocker turned out to be that Azure Policy Guest Configuration is an 'audit' only policy: it cannot set controls, only audit settings.
We then looked for an orchestrator of sorts that could manage change, either during deployment or pre-deployment. A majority, though not all, of the initial feedback that came to us expressed a desire for pre-deployment configuration, or simply not during a deployment pipeline. This was driven by different reasons, but it was easy enough to pivot the project. Other requirements such as manageability, scalability and shareability leaned the project toward the new Azure Image Builder, which was in preview in the commercial cloud.
Next was deciding which mechanism would be used to set and audit controls. Basic scripting supported by Image Builder was the start, followed by a quick pivot to LGPO.exe with publicly available GPO files. The LGPO model had gaps: no support for Linux, and it became somewhat complicated when variances such as parameterized controls came about. This led to searching for other tools; a number are available, but they drifted from the Azure first-party requirement and would offer little learning toward making Azure better. We landed on PowerSTIG, a desired state configuration (DSC) based technology to set and audit controls. There are numerous benefits to selecting PowerSTIG, but a huge one is that Policy Guest Configuration is also based on DSC, which future-proofs the solution to some degree. PowerSTIG still suffers from a lack of Linux support, but this is a backlog item for future support.
Since reporting was a requirement, it made sense to consider Log Analytics Workspaces for audit logging of PowerSTIG results. This presented opportunities for analytics, and also for incorporating the data into other Azure tools such as Sentinel for security operations.
We now have requirements and have landed on the major components, and need to stitch them together. For the purposes of this project, we'll have a central resource group that houses the primary components:
- Image Builder
- Image definition templates
- Shared Image Gallery
- Log Analytics Workspace
- Azure Resource Manager templates
- GitHub as external available storage of templates and configurations
The basis of the project is an ARM template that creates the components needed to build and store pre-STIG'd images for use in creating virtual machines. A master template uses nested templates for these different components. These templates are stored in the GitHub repository along with the Managed Object Format (MOF) files used by DSC to set and audit controls. Since Windows is the first test and, for now, the only OS supported by PowerSTIG, we use two PowerShell scripts. The first script sets up DSC and PowerSTIG and creates a scheduled task for auditing and reporting; the second script is what that task runs, scheduled every 20 minutes (mostly for testing, but this can be modified). These scripts are also stored in the GitHub repo and pulled as needed by Image Builder. Special image definition files, much like ARM templates, are used to define and manage what and how Image Builder creates images and VHDs.
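The following is an added, condensed illustration of the two-script flow described above and of the Log Analytics reporting mentioned earlier; it is not the project's own scripts. It assumes the PowerStig module is installed, an elevated session, the PowerSTIG `WindowsServer` composite resource with `OsVersion`/`OsRole` parameters, the Log Analytics HTTP Data Collector API, and placeholder values for the audit script path, workspace id and shared key (all hypothetical). The project stores precompiled MOF files in the repo; compiling the configuration on the machine, as done here, is a simplification.

```powershell
#Requires -RunAsAdministrator
# Added example, not the project's code. Names marked "assumed" are placeholders.

# --- Script 1: apply the STIG baseline through DSC and schedule the audit ---------
Configuration StigBaseline {
    Import-DscResource -ModuleName PowerStig
    Node localhost {
        # Windows Server 2019 member-server baseline (assumed role/version; check
        # Get-Stig -ListAvailable for what your PowerStig version ships).
        WindowsServer Baseline {
            OsVersion = '2019'
            OsRole    = 'MS'
        }
    }
}

function Register-StigAuditTask {
    param(
        [string]$AuditScript = 'C:\StigAudit\Invoke-StigAudit.ps1',  # assumed path
        [int]$IntervalMinutes = 20                                   # page's default
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$AuditScript`""
    # Fire once now, then repeat every $IntervalMinutes minutes.
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes $IntervalMinutes)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'PowerSTIG Audit' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

# Compile the MOF, push it to the local LCM, and register the recurring audit.
StigBaseline -OutputPath 'C:\StigAudit\Mof' | Out-Null
Start-DscConfiguration -Path 'C:\StigAudit\Mof' -Wait -Force -Verbose
Register-StigAuditTask

# --- Script 2: audit drift and ship findings to Log Analytics ---------------------
function Send-LogAnalyticsRecords {
    # HTTP Data Collector API: sign "POST\n<len>\napplication/json\nx-ms-date:<date>\n/api/logs"
    # with the workspace shared key (HMAC-SHA256) and post a JSON array of records.
    param([string]$WorkspaceId, [string]$SharedKey, [string]$LogType, [string]$Json)
    $date   = [DateTime]::UtcNow.ToString('r')                  # RFC 1123
    $length = [Text.Encoding]::UTF8.GetByteCount($Json)
    $toSign = "POST`n$length`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    Invoke-RestMethod -Method Post -ContentType 'application/json' -Body $Json `
        -Uri "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01" `
        -Headers @{
            Authorization          = "SharedKey ${WorkspaceId}:$sig"
            'Log-Type'             = $LogType          # becomes <LogType>_CL in the workspace
            'x-ms-date'            = $date
            'time-generated-field' = 'TimeGenerated'
        }
}

function Invoke-StigAudit {
    param([string]$WorkspaceId, [string]$SharedKey)
    # Test-DscConfiguration compares the live machine against the applied MOF;
    # every resource not in desired state is a STIG rule that has drifted.
    $result = Test-DscConfiguration -Detailed
    $records = foreach ($r in $result.ResourcesNotInDesiredState) {
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            ResourceId     = $r.ResourceId       # carries the STIG rule id from the MOF
            ResourceName   = $r.ResourceName
            InDesiredState = $false
            TimeGenerated  = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    # Always emit a heartbeat row so a compliant host is distinguishable from a silent one.
    if (-not $records) {
        $records = ,([pscustomobject]@{
            Computer = $env:COMPUTERNAME; ResourceId = 'ALL'; ResourceName = 'ALL'
            InDesiredState = $true; TimeGenerated = (Get-Date).ToUniversalTime().ToString('o')
        })
    }
    Send-LogAnalyticsRecords -WorkspaceId $WorkspaceId -SharedKey $SharedKey `
        -LogType 'PowerStigAudit' -Json ($records | ConvertTo-Json -AsArray -Compress)
}

# Workspace id and key are deployment-specific; placeholders only.
Invoke-StigAudit -WorkspaceId '<workspace-id>' -SharedKey '<workspace-shared-key>'
```

With the records landing in a `PowerStigAudit_CL` table, a query such as `PowerStigAudit_CL | where InDesiredState_b == false | summarize count() by Computer_s, ResourceId_s` gives the per-host drift view the page's compliance reporting aims at, and the same table can be wired into Sentinel analytics rules. In the project's real flow the shared key would be injected by the deployment rather than embedded in the script.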