EAST - Extensible Azure Security Tool - Documentation
Extensible Azure Security Tool (Later referred as E.A.S.T) is tool for assessing Azure and to some extent Azure AD security controls. Primary use case of EAST is Security data collection for evaluation in Azure Assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.
This tool is licensed under MIT license.
Collaborators
- Yours truly
- Nixu Cloud Security Team
Release notes
-
Preview branch introduced
Changes:
-
Installation now accounts for use of Azure Cloud Shell's updated version in regards to depedencies (Cloud Shell has now Node.JS v 16 version installed)
-
Checking of Databricks cluster types as per advisory
- Audits Databricks clusters for potential privilege elevation - This control requires typically permissions on the databricks cluster"
-
Content.json is has now key and content based sorting. This enables doing delta checks with
git diff HEAD^1
¹ as content.json has predetermined order of results
¹Word of caution, if want to check deltas of content.json, then content.json will need to be "unignored" from
.gitignore
exposing results to any upstream you might have configured.Use this feature with caution, and ensure you don't have public upstream set for the branch you are using this feature for
-
-
Change of programming patterns to avoid possible race conditions with larger datasets. This is mostly changes of using
var
tolet
infor await
-style loops
Important
- Fixes, updates etc. are done on "Best effort" basis, with no guarantee of time, or quality of the possible fix applied
- We do some additional tuning before using EAST in our daily work, such as apply various run and environment restrictions, besides formalizing ourselves with the environment in question. Thus we currently recommend, that EAST is run in only in test environments, and with read-only permissions.
- All the calls in the service are largely to Azure Cloud IP's, so it should work well in hardened environments where outbound IP restrictions are applied. This reduces the risk of this tool containing malicious packages which could "phone home" without also having C2 in Azure.
- Essentially running it in read-only mode, reduces a lot of the risk associated with possibly compromised NPM packages (Google compromised NPM)
- Bugs etc: You can protect your environment against certain mistakes in this code by running the tool with reader-only permissions
- All the calls in the service are largely to Azure Cloud IP's, so it should work well in hardened environments where outbound IP restrictions are applied. This reduces the risk of this tool containing malicious packages which could "phone home" without also having C2 in Azure.
- Lot of the code is "AS IS": Meaning, it's been serving only the purpose of creating certain result; Lot of cleaning up and modularizing remains to be finished
- There are no tests at the moment, apart from certain manual checks, that are run after changes to main.js and various more advanced controls.
- The control descriptions at this stage are not the final product, so giving feedback on them, while appreciated, is not the focus of the tooling at this stage
- As the name implies, we use it as tool to evaluate environments. It is not meant to be run as unmonitored for the time being, and should not be run in any internet exposed service that accepts incoming connections.
- Documentation could be described as incomplete for the time being
- EAST is mostly focused on PaaS resource, as most of our Azure assessments focus on this resource type
- No Input sanitization is performed on launch params, as it is always assumed, that the input of these parameters are controlled. That being said, the tool uses extensively
exec()
- While I have not reviewed all paths, I believe that achieving shellcode execution is trivial. This tool does not assume hostile input, thus the recommendation is that you don't paste launch arguments into command line without reviewing them first.
Tool operation
Depedencies
To reduce amount of code we use the following depedencies for operation and aesthetics are used (Kudos to the maintainers of these fantastic packages)
package | aesthetics | operation | license |
---|---|---|---|
axios | ✅ | MIT | |
yargs | ✅ | MIT | |
jsonwebtoken | ✅ | MIT | |
chalk | ✅ | MIT | |
js-beautify | ✅ | MIT |
Other depedencies for running the tool: If you are planning to run this in Azure Cloud Shell you don't need to install Azure CLI:
- This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (Such as Azure Cloud Shell, which is primary platform for running EAST)
Azure Cloud Shell (BASH) or applicable Linux Distro / WSL
Requirement | description | Install |
---|---|---|
✅ AZ CLI | AZCLI USE | curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash |
✅ Node.js runtime 14 | Node.js runtime for EAST | install with NVM |
Controls
EAST provides three categories of controls: Basic, Advanced, and Composite
The machine readable control looks like this, regardless of the type (Basic/advanced/composite):
{
"name": "fn-sql-2079",
"resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
"controlId": "managedIdentity",
"isHealthy": true,
"id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
"Description": "\r\n Ensure The Service calls downstream resources with managed identity",
"metadata": {
"principalId": {
"type": "SystemAssigned",
"tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
"principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
},
"roles": [{
"role": [{
"properties": {
"roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "cb073f1e-03b c-440e-874d-5ed3ce6df7f8",
"scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
"createdOn": "2021-12-27T06:03:09.7052113Z",
"updatedOn": "2021-12-27T06:03:09.7052113Z",
"createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
"updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
},
"id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
"type": "Microsoft.Authorization/roleAssignments",
"name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
"RoleName": "Contributor"
}]
}]
},
"category": "Access"
},
Basic
Basic controls include checks on the initial ARM object for simple "toggle on/off"- boolean settings of said service.
Example: Azure Container Registry adminUser
Portal | EAST |
---|---|
if (item.properties?.adminUserEnabled == false ){returnObject.isHealthy = true } |
Advanced
Advanced controls include checks beyond the initial ARM object. Often invoking new requests to get further information about the resource in scope and it's relation to other services.
Example: Role Assignments
Besides checking the role assignments of subscription, additional check is performed via Azure AD Conditional Access Reporting for MFA, and that privileged accounts are not only protected by passwords (SPN's with client secrets)
Example: Azure Data Factory
Azure Data Factory pipeline mapping combines pipelines -> activities -> and data targets together and then checks for secrets leaked on the logs via run history of the said activities.
Composite
Composite controls combines two or more control results from pipeline, in order to form one, or more new controls. Using composites solves two use cases for EAST
- You cant guarantee an order of control results being returned in the pipeline
- You need to return more than one control result from single check
Example: composite_resolve_alerts
- Get alerts from Microsoft Cloud Defender on subscription check
- Form new controls per resourceProvider for alerts
Reporting
EAST is not focused to provide automated report generation, as it provides mostly JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which are fairly trivial to automate via markdown creation scripts and tools such as Pandoc
- While focus is not on the reporting, this repo includes example automation for report creation with pandoc to ease reading of the results in single document format.
While this tool does not distribute pandoc, it can be used when creation of the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff
cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
- given-names: John
family-names: MacFarlane
email: [email protected]
orcid: 'https://orcid.org/0000-0003-2557-9090'
- given-names: Albert
family-names: Krewinkel
email: [email protected]
orcid: '0000-0002-9455-0796'
- given-names: Jesse
family-names: Rosenthal
email: [email protected]
Running EAST scan
This part has guide how to run this either on BASH@linux, or BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but does not require that you have your own linux box to use this)
Fire and forget prerequisites on cloud shell
curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;
Detailed Prerequisites (This is if you opted no to do the "fire and forget version")
Prerequisites
git clone https://github.com/jsa2/EAST --branch preview
cd EAST;
npm install
Pandoc installation on cloud shell
# Get pandoc for reporting (first time only)
wget "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz";
tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~
Installing pandoc on distros that support APT
# Get pandoc for reporting (first time only)
sudo apt install pandoc
Login Az CLI and run the scan
# Relogin is required to ensure token cache is placed on session on cloud shell
az account clear
az login
#
cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
#
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId
Generate report
cd EAST; node templatehelpers/eastReports.js --doc
- If you want to include all Azure Security Benchmark results in the report
cd EAST; node templatehelpers/eastReports.js --doc --asb
Export report from cloud shell
pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx
Azure Devops (Experimental) There is Azure Devops control for dumping pipeline logs. You can specify the control run by following example:
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"
Licensing
Community use
- Share relevant controls across multiple environments as community effort
Company use
- Companies have possibility to develop company specific controls which apply to company specific work. Companies can then control these implementations by decision to share, or not share them based on the operating principle of that company.
Non IPR components
- Code logic and functions are under MIT license. since code logic and functions are alredy based on open-source components & vendor API's, it does not make sense to restrict something that is already based on open source
If you use this tool as part of your commercial effort we only require, that you follow the very relaxed terms of MIT license
Tool operation documentation
Principles
AZCLI USE
Existing tooling enhanced with Node.js runtime
Use rich and maintained context of Microsoft Azure CLI login & commands
with Node.js control flow which supplies enhanced rest-requests and maps results to schema.
- This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (Such as Azure Cloud Shell, which is primary platform for running EAST)
Speedup
View more details
Parameters reference
Example:
node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens
Param | Description | Default if undefined |
---|---|---|
--nativescope | Currently mandatory parameter | no values |
--shuffle | Can help with throttling. Shuffles the resource list to reduce the possibility of resource provider throttling threshold being met | no values |
--roleAssignments | Checks controls as per microsoft.authorization | no values |
--includeRG | Checks controls with ResourceGroups as per microsoft.authorization | no values |
--checkAad | Checks controls as per microsoft.azureactivedirectory | no values |
--subInclude | Defines subscription scope | no default, requires subscriptionID/s, if not defined will enumerate all subscriptions the user have access to |
--namespace | text filter which matches full, or part of the resource ID example /microsoft.storage/storageaccounts all storage accounts in the scope | optional parameter |
--notIncludes | text filter which matches full, or part of the resource ID example /microsoft.storage/storageaccounts all storage accounts in the scope are excluded | optional parameter |
--batch | size of batch interval between throttles | 5 |
--wait | size of batch interval between throttles | 1500 |
--scanAuditLogs | optional parameter. When defined in hours will toggle Azure Activity Log scanning for weak authentication events defined in: scanAuditLogs | 24h |
--composites | read composite | no values |
--clearTokens | clears tokens in session folder, use this if you get authorization errors, or have just changed to other az login account use az account clear if you want to clear AZ CLI cache too | no values |
--tag | Filter all results in the end based on single tag--tag=svc=aksdev | no values |
--ignorePreCheck | use this option when used with browser delegated tokens | no values |
--helperTexts | Will append text descriptions from general to manual controls | no values |
--reprocess | Will update results to existing content.json. Useful for incremental runs | no values |
Parameters reference for example report:
node templatehelpers/eastReports.js --asb
Param | Description | Default if undefined |
---|---|---|
--asb | gets all ASB results available to users | no values |
--policy | gets all Policy results available to users | no values |
--doc | prints pandoc string for export to console | no values |
(Highly experimental) Running in restricted environments where only browser use is available
Read here Running in restricted environments
Developing controls
Developer guide including control flow description is here dev-guide.md
Updates and examples
Auditing Microsoft.Web provider (Functions and web apps)
.appRoleAssignmentRequired
- Function or Azure AD Authentication enabled
- Count and type of triggers
Azure RBAC baseline authorization
- Checks for users without MFA policies applied for set of conditions
- Checks for ServicePrincipals protected only by password (as opposed to using Certificate Credential, workload federation and or workload identity CA policy)
Maps to App Registration Best Practices
- An unused credential on an application can result in security breach. While it's convenient to use password. secrets as a credential, we strongly recommend that you use x509 certificates as the only credential type for getting tokens for your application
✅State healthy
- User result example
{
"subscriptionName": "EAST -msdn",
"friendlyName": "[email protected]",
"mfaResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
}],
"checkType": "mfa"
},
"basicAuthResults": {
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
"appliedPol": [{
"GrantConditions": "challengeWithMfa",
"policy": "baseline",
"oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
}],
"checkType": "basicAuth"
},
}
⚠️State unHealthy
- Application principal example
{
"subscriptionName": "EAST - HoneyPot",
"friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"creds": {
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
"id": "babec804-037d-4caf-946e-7a2b6de3a45f",
"displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
"appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
"servicePrincipalType": "Application",
"keyCredentials": [],
"passwordCredentials": [],
"OnlySingleFactor": [{
"customKeyIdentifier": null,
"endDateTime": "2023-10-20T06:54:59.2014093Z",
"keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
"startDateTime": "2021-10-20T06:54:59.2014093Z",
"secretText": null,
"hint": nu ll,
"displayName": null
}],
"StrongSingleFactor": []
}
}
Contributing
Following methods work for contributing for the time being:
- Submit a pull request with code / documentation change
- Submit a issue
- issue can be a:
- ⚠️Problem (issue)
- Feature request
- ❔Question
Other
- By default EAST tries to work with the current depedencies - Introducing new (direct) depedencies is not directly encouraged with EAST. If such vital depedency is introduced, then review licensing of such depedency, and update readme.md - depedencies
- There is nothing to prevent you from creating your own fork of EAST with your own depedencies