Added Trustes Services Enables rule

mhuckaby · Jul 25, 2019 · 34d51b9 · 34d51b9
1 parent 2eb57c0
commit 34d51b9
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/ScoutSuite/providers/azure/resources/storageaccounts/base.py b/ScoutSuite/providers/azure/resources/storageaccounts/base.py
@@ -32,6 +32,7 @@ def _parse_storage_account(self, raw_storage_account):
         storage_account['name'] = raw_storage_account.name
         storage_account['https_traffic_enabled'] = raw_storage_account.enable_https_traffic_only
         storage_account['public_traffic_allowed'] = self._is_public_traffic_allowed(raw_storage_account)
+        storage_account['trusted_microsoft_services_enabled'] = self._is_trusted_microsoft_services_enabled(raw_storage_account)
         storage_account['access_keys_last_rotation_date'] =\
             self._parse_access_keys_last_rotation_date(raw_storage_account.activity_logs)
 
@@ -40,6 +41,9 @@ def _parse_storage_account(self, raw_storage_account):
     def _is_public_traffic_allowed(self, storage_account):
         return storage_account.network_rule_set.default_action == "Allow"
 
+    def _is_trusted_microsoft_services_enabled(self, storage_account):
+        return storage_account.network_rule_set.bypass == "AzureServices"
+
     def _parse_access_keys_last_rotation_date(self, activity_logs):
         last_rotation_date = None
         for log in activity_logs:

diff --git a/ScoutSuite/providers/azure/rules/findings/storageaccount-trusted-microsoft-services.json b/ScoutSuite/providers/azure/rules/findings/storageaccount-trusted-microsoft-services.json
@@ -0,0 +1,10 @@
+{
+    "dashboard_name": "Storage Accounts",
+    "description": "Trusted Microsoft Services enabled",
+	"rationale": "<b>Description:</b><br><br><br><br><b>References:</b><ul><li>CIS Microsoft Azure Foundations v1.0.0 3.3</li></ul>",
+    "path": "storageaccounts.storage_accounts.id",
+    "conditions": [ "and",
+        [ "storageaccounts.storage_accounts.id.trusted_microsoft_services_enabled", "false", ""]
+    ],
+    "id_suffix": "trusted_microsoft_services_enabled"
+}
diff --git a/ScoutSuite/providers/azure/rules/rulesets/default.json b/ScoutSuite/providers/azure/rules/rulesets/default.json
@@ -206,6 +206,12 @@
                 "enabled": true,
                 "level": "warning"
             }
+        ],
+        "storageaccount-trusted-microsoft-services.json": [
+            {
+                "enabled": true,
+                "level": "warning"
+            }
         ]
     }
 }