The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions, automations.
The kit is based on Powershell and can be extended to Azure log analytics with some nice dashboarding. But if you have a large subscription the Powershell query can take some time. With this toolkit Devops teams using extensive automation and smoothly integrating security into native Devops workflows helping accomplish secure Devops with these 6 focus areas:
- Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
- Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
- Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
- Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
- Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
- Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.
Keep in mind that The OMS portal will is retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.
Even in the Azure portal you can still connect to OMS
Complete feature set of Secure DevOps Kit for Azure
Feature Area | Secure DevOps Kit Feature |
---|---|
Secure the subscription |
|
Enable secure development |
|
Integrate security into CICD |
|
Continuous Assurance |
|
Alerting & Monitoring |
|
Cloud Risk Governance |
|
Setting up Secure DevOps Kit for Azure (AzSK)
First make sure you have the right Azure modules installed, I noticed the automation module failed So I added this manualy.
Import-Module AzureRM.Automation
Get-AzSKAzureServicesSecurityStatus -SubscriptionId
Installing the Secure DevOps Kit for Azure (AzSK)
Install-Module AzSK -Scope CurrentUser
Now that the Powershell modules are installed we can start the (AzSK) Scan
Get-AzSKAzureServicesSecurityStatus –SubscriptionId ID
In this subscription there are 44 items that are been checked
Items are been checked on the security issues
Nice detailed overview is shown. Also a log folder is been created with all the issues. per resource Item.
As you can see I have some failed items and with a High, so I need to take a good look at this and fix this.
This maybe one of the best Items here an excel sheet with al the issues listed with the solution mentioned and if this can be automated.
If needed there is an URL that points you to the right solution.
As Azure log analytics is great and it can be integrated with some OMS (Azure monitoring Dashboards)
The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal. So the current documentation need some updating.
Pressing the OMS button in the Azure portal brings you to the OMS portal but then nothing. As it is now all Azure portal.
Setting up the dashboards failed on me during the first installation but when I did run this a second time the dashboard was there. (Timing)
Creating the OMS default dashboard we need to run some powershell scripts.
$omsSubId =”id” #subscription hosting the OMS workspace
$omsWSId =’OMS ID’
$omsRGName =’omsrsg’ #RG where the OMS workspace is hosted
$azSkViewName = ‘MVP_AzSK_view’ #This will identify the tile for AzSK view in OMS.
#This command will deploy the AzSK view in the OMS workspace.
Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `
-OMSResourceGroup $omsRGName `
-OMSWorkspaceId $omsWSId `
-ViewName $azSkViewName
Note:
1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.
To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.
2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the que
ries.
We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.
Checking the OMS – log analytics workspace it has not much issues as this is a test subscription and if it was all perfect then there is no fun.
and with longer logging and more Items in azure you will get a different overview.
There are lots of options you can set and there is a detailed description on how to use this on Github
Setting up ARM policys is also one of the options
Set-AzSKARMPolicies –SubscriptionId
So get started with the DevOpsKit https://github.com/azsk/DevOpsKit-docs
https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring
AzSK Security Controls Portal @https://aka.ms/azskosstcp
With this it’s a nice tool and yes a bit time consuming but learned a lot and make me see things different in the Azure Subscription
And If you combine this directly and not afterwards then this could be your time saver to fix all the security items
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile