Benchmark: Configuration Settings (CM-6)
Description
The organization establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; implements the configuration settings; identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Configuration Settings (CM-6).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_cm_6 --share
Controls
- App Service apps should have Client Certificates (Incoming client certificates) enabled
- App Service apps should not have CORS configured to allow every resource to access your apps
- App Service apps should have remote debugging turned off
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Function apps should not have CORS configured to allow every resource to access your apps
- Function apps should have remote debugging turned off
- Linux machines should meet requirements for the Azure compute security baseline
- Windows machines should meet requirements of the Azure compute security baseline
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- Kubernetes cluster containers should not share host process ID or host IPC namespace
- Kubernetes clusters should not allow container privilege escalation
- Kubernetes cluster containers should only use allowed AppArmor profiles
- Kubernetes cluster containers should only use allowed capabilities
- Kubernetes cluster containers should only use allowed images
- Kubernetes cluster containers should run with a read only root file system
- Kubernetes cluster pod hostPath volumes should only use allowed host paths
- Kubernetes cluster pods should only use approved host network and port range
- Kubernetes cluster pods and containers should only run with approved user and group IDs
- Kubernetes cluster should not allow privileged containers
- Kubernetes cluster services should listen only on allowed ports