Benchmark: 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems
Description
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_4_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_4_2 --share
Controls
- App Service apps should have remote debugging turned off
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Function apps should not have CORS configured to allow every resource to access your apps
- Function apps should have remote debugging turned off
- App Service apps should not have CORS configured to allow every resource to access your apps
- Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Linux machines should meet requirements for the Azure compute security baseline
- Windows machines should meet requirements of the Azure compute security baseline
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters