diff --git a/README.md b/README.md index 59942540a..9e142819e 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,12 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Notebook Data Encrypted](en/aws/sagemaker/notebook-data-encrypted.md) * [Notebook Direct Internet Access](en/aws/sagemaker/notebook-direct-internet-access.md) * Azure + * Active Directory + * [Minimum Password Length](en/azure/activedirectory/minimum-password-length.md) + * [Password Requires Lowercase](en/azure/activedirectory/password-requires-lowercase.md) + * [Password Requires Numbers](en/azure/activedirectory/password-requires-numbers.md) + * [Password Requires Symbols](en/azure/activedirectory/password-requires-symbols.md) + * [Password Requires Uppercase](en/azure/activedirectory/password-requires-uppercase.md) * App Service * [.NET Framework Version](en/azure/appservice/.net-framework-version.md) * [Authentication Enabled](en/azure/appservice/authentication-enabled.md) 
@@ -148,32 +154,48 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [HTTP 2.0 Enabled](en/azure/appservice/http-2.0-enabled.md) * [HTTPS Only Enabled](en/azure/appservice/https-only-enabled.md) * [Identity Enabled](en/azure/appservice/identity-enabled.md) + * [Java Version](en/azure/appservice/java-version.md) + * [PHP Version](en/azure/appservice/php-version.md) * [Python Version](en/azure/appservice/python-version.md) + * [TLS Version Check](en/azure/appservice/tls-version-check.md) * Azure Policy * [Resource Location Matches Resource Group](en/azure/azurepolicy/resource-location-matches-resource-group.md) * [Resources Allowed Locations](en/azure/azurepolicy/resources-allowed-locations.md) * Blob Service * [Blob Container Private Access](en/azure/blobservice/blob-container-private-access.md) * [Blob Service Immutable](en/azure/blobservice/blob-service-immutable.md) - * CDN - * [Detect Insecure Custom Origin](en/azure/cdn/detect-insecure-custom-origin.md) + * CDN Profiles + * [Detect Insecure Custom Origin](en/azure/cdnprofiles/detect-insecure-custom-origin.md) + * [Endpoint Logging Enabled](en/azure/cdnprofiles/endpoint-logging-enabled.md) + * Disks + * [Unmanaged Disk Encryption](en/azure/disks/unmanaged-disk-encryption.md) * File Service * [File Service All Access ACL](en/azure/fileservice/file-service-all-access-acl.md) * Key Vault * [Key Expiration Enabled](en/azure/keyvault/key-expiration-enabled.md) + * [Key Vault Recovery Enabled](en/azure/keyvault/key-vault-recovery-enabled.md) * Kubernetes Service - * [RBAC Enabled](en/azure/kubernetesservice/rbac-enabled.md) + * [Kubernetes RBAC Enabled](en/azure/kubernetesservice/kubernetes-rbac-enabled.md) + * Load Balancer + * [LB HTTPS Only](en/azure/loadbalancer/lb-https-only.md) + * [LB No Instances](en/azure/loadbalancer/lb-no-instances.md) * Log Alerts + * [Network Security Groups Logging Enabled](en/azure/logalerts/network-security-groups-logging-enabled.md) * [SQL Server 
Firewall Rule Alerts Monitor](en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md) + * [Security Policy Alerts Enabled](en/azure/logalerts/security-policy-alerts-enabled.md) + * [Security Solution Logging](en/azure/logalerts/security-solution-logging.md) * [Virtual Network Alerts Monitor](en/azure/logalerts/virtual-network-alerts-monitor.md) * Monitor - * [Autoscale Enabled](en/azure/monitor/autoscale-enabled.md) + * [Key Vault Log Analytics Enabled](en/azure/monitor/key-vault-log-analytics-enabled.md) + * [Load Balancer Log Analytics Enabled](en/azure/monitor/load-balancer-log-analytics-enabled.md) * [Log Profile Archive Data](en/azure/monitor/log-profile-archive-data.md) + * [Log Profile Retention Policy](en/azure/monitor/log-profile-retention-policy.md) * [NSG Log Analytics Enabled](en/azure/monitor/nsg-log-analytics-enabled.md) - * MySQL Server - * [Enforce SSL Connection Enabled](en/azure/mysqlserver/enforce-ssl-connection-enabled.md) * Network Security Groups * [Default Security Group](en/azure/networksecuritygroups/default-security-group.md) + * [Deny SSH Access](en/azure/networksecuritygroups/deny-ssh-access.md) + * [Excessive Security Groups](en/azure/networksecuritygroups/excessive-security-groups.md) + * [Network Watcher Enabled](en/azure/networksecuritygroups/network-watcher-enabled.md) * [Open All Ports](en/azure/networksecuritygroups/open-all-ports.md) * [Open CIFS](en/azure/networksecuritygroups/open-cifs.md) * [Open DNS](en/azure/networksecuritygroups/open-dns.md) 
@@ -184,6 +206,7 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Open MySQL](en/azure/networksecuritygroups/open-mysql.md) * [Open NetBIOS](en/azure/networksecuritygroups/open-netbios.md) * [Open Oracle](en/azure/networksecuritygroups/open-oracle.md) + * [Open Oracle Auto Data Warehouse](en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md) * [Open PostgreSQL](en/azure/networksecuritygroups/open-postgresql.md) * [Open RDP](en/azure/networksecuritygroups/open-rdp.md) * [Open RPC](en/azure/networksecuritygroups/open-rpc.md) 
@@ -194,32 +217,219 @@ This repository is an extension of CloudSploit's [open-source scanning engine](h * [Open Telnet](en/azure/networksecuritygroups/open-telnet.md) * [Open VNC Client](en/azure/networksecuritygroups/open-vnc-client.md) * [Open VNC Server](en/azure/networksecuritygroups/open-vnc-server.md) + * PostgreSQL Server + * [Connection Throttling Enabled](en/azure/postgresqlserver/connection-throttling-enabled.md) + * [Enforce SSL Connection Enabled](en/azure/postgresqlserver/enforce-ssl-connection-enabled.md) + * [Log Checkpoints Enabled](en/azure/postgresqlserver/log-checkpoints-enabled.md) + * [Log Connections Enabled](en/azure/postgresqlserver/log-connections-enabled.md) + * [Log Disconnections Enabled](en/azure/postgresqlserver/log-disconnections-enabled.md) + * [Log Duration Enabled](en/azure/postgresqlserver/log-duration-enabled.md) + * [Log Retention Period](en/azure/postgresqlserver/log-retention-period.md) * Queue Service * [Queue Service All Access ACL](en/azure/queueservice/queue-service-all-access-acl.md) + * Resources + * [Management Lock Enabled](en/azure/resources/management-lock-enabled.md) + * [Resources Usage Limits](en/azure/resources/resources-usage-limits.md) + * SQL Databases + * [DB Restorable](en/azure/sqldatabases/db-restorable.md) + * [Database Auditing Enabled](en/azure/sqldatabases/database-auditing-enabled.md) + * [SQL DB Multiple AZ](en/azure/sqldatabases/sql-db-multiple-az.md) * SQL Server + * [Advanced Data Security Enabled](en/azure/sqlserver/advanced-data-security-enabled.md) + * [Audit Action Groups Enabled](en/azure/sqlserver/audit-action-groups-enabled.md) + * [SQL Server Public Access](en/azure/sqlserver/sql-server-public-access.md) * [TDE Protector Encrypted](en/azure/sqlserver/tde-protector-encrypted.md) + * SQL Servers + * [Audit Retention Policy](en/azure/sqlservers/audit-retention-policy.md) + * [Server Auditing Enabled](en/azure/sqlservers/server-auditing-enabled.md) * Security Center + * [Admin Security Alerts 
Enabled](en/azure/securitycenter/admin-security-alerts-enabled.md) * [Application Whitelisting Enabled](en/azure/securitycenter/application-whitelisting-enabled.md) + * [Auto Provisioning Enabled](en/azure/securitycenter/auto-provisioning-enabled.md) * [Monitor Blob Encryption](en/azure/securitycenter/monitor-blob-encryption.md) * [Monitor Disk Encryption](en/azure/securitycenter/monitor-disk-encryption.md) + * [Monitor Endpoint Protection](en/azure/securitycenter/monitor-endpoint-protection.md) + * [Monitor JIT Network Access](en/azure/securitycenter/monitor-jit-network-access.md) + * [Monitor NSG Enabled](en/azure/securitycenter/monitor-nsg-enabled.md) * [Monitor SQL Auditing](en/azure/securitycenter/monitor-sql-auditing.md) * [Monitor SQL Encryption](en/azure/securitycenter/monitor-sql-encryption.md) + * [Monitor System Updates](en/azure/securitycenter/monitor-system-updates.md) * [Monitor VM Vulnerability](en/azure/securitycenter/monitor-vm-vulnerability.md) * [Security Configuration Monitoring](en/azure/securitycenter/security-configuration-monitoring.md) + * [Security Contacts Enabled](en/azure/securitycenter/security-contacts-enabled.md) * Storage Accounts + * [Blob Service Encryption](en/azure/storageaccounts/blob-service-encryption.md) + * [File Service Encryption](en/azure/storageaccounts/file-service-encryption.md) * [Log Container Public Access](en/azure/storageaccounts/log-container-public-access.md) * [Log Storage Encryption](en/azure/storageaccounts/log-storage-encryption.md) * [Network Access Default Action](en/azure/storageaccounts/network-access-default-action.md) + * [Storage Accounts AAD Enabled](en/azure/storageaccounts/storage-accounts-aad-enabled.md) * [Storage Accounts Encryption](en/azure/storageaccounts/storage-accounts-encryption.md) * [Storage Accounts HTTPS](en/azure/storageaccounts/storage-accounts-https.md) + * [Trusted MS Access Enabled](en/azure/storageaccounts/trusted-ms-access-enabled.md) * Table Service * [Table Service All 
Access ACL](en/azure/tableservice/table-service-all-access-acl.md) * Virtual Machines + * [Classic Instances](en/azure/virtualmachines/classic-instances.md) + * [Scale Set Multi Az](en/azure/virtualmachines/scale-set-multi-az.md) + * [Scale Sets Autoscale Enabled](en/azure/virtualmachines/scale-sets-autoscale-enabled.md) * [VM Agent Enabled](en/azure/virtualmachines/vm-agent-enabled.md) * [VM Auto Update Enabled](en/azure/virtualmachines/vm-auto-update-enabled.md) + * [VM Availability Set Enabled](en/azure/virtualmachines/vm-availability-set-enabled.md) + * [VM Availability Set Limit](en/azure/virtualmachines/vm-availability-set-limit.md) * [VM Data Disk Encryption](en/azure/virtualmachines/vm-data-disk-encryption.md) * [VM Endpoint Protection](en/azure/virtualmachines/vm-endpoint-protection.md) + * [VM Instance Limit](en/azure/virtualmachines/vm-instance-limit.md) * [VM OS Disk Encryption](en/azure/virtualmachines/vm-os-disk-encryption.md) + * Virtual Networks + * [Multiple Subnets](en/azure/virtualnetworks/multiple-subnets.md) +* Google + * CLB + * [CLB CDN Enabled](en/google/clb/clb-cdn-enabled.md) + * [CLB HTTPS Only](en/google/clb/clb-https-only.md) + * [CLB No Instances](en/google/clb/clb-no-instances.md) + * [Security Policy Enabled](en/google/clb/security-policy-enabled.md) + * Compute + * [Autoscale Enabled](en/google/compute/autoscale-enabled.md) + * [CSEK Encryption Enabled](en/google/compute/csek-encryption-enabled.md) + * [Connect Serial Ports Disabled](en/google/compute/connect-serial-ports-disabled.md) + * [Instance Level SSH Only](en/google/compute/instance-level-ssh-only.md) + * [Instances Multi AZ](en/google/compute/instances-multi-az.md) + * [Ip Forwarding Disabled](en/google/compute/ip-forwarding-disabled.md) + * [VM Instances with No Access](en/google/compute/vm-instances-with-no-access.md) + * [VM Max Instances](en/google/compute/vm-max-instances.md) + * Cryptographic Keys + * [Key Rotation](en/google/cryptographickeys/key-rotation.md) + * DNS 
+ * [DNS Security Enabled](en/google/dns/dns-security-enabled.md) + * IAM + * [Service Limits](en/google/iam/service-limits.md) + * Kubernetes + * [Monitoring Enabled](en/google/kubernetes/monitoring-enabled.md) + * [Private Endpoint](en/google/kubernetes/private-endpoint.md) + * SQL + * [DB Automated Backups](en/google/sql/db-automated-backups.md) + * [DB Multiple Az](en/google/sql/db-multiple-az.md) + * [DB Publicly Accessible](en/google/sql/db-publicly-accessible.md) + * [DB Restorable](en/google/sql/db-restorable.md) + * Storage + * [Bucket Logging](en/google/storage/bucket-logging.md) + * [Bucket Versioning](en/google/storage/bucket-versioning.md) + * [Storage Bucket All Users Policy](en/google/storage/storage-bucket-all-users-policy.md) + * VPC Network + * [Default VPC In Use](en/google/vpcnetwork/default-vpc-in-use.md) + * [Excessive Firewall Rules](en/google/vpcnetwork/excessive-firewall-rules.md) + * [Flow Logs Enabled](en/google/vpcnetwork/flow-logs-enabled.md) + * [Multiple Subnets](en/google/vpcnetwork/multiple-subnets.md) + * [Open All Ports](en/google/vpcnetwork/open-all-ports.md) + * [Open CIFS](en/google/vpcnetwork/open-cifs.md) + * [Open DNS](en/google/vpcnetwork/open-dns.md) + * [Open FTP](en/google/vpcnetwork/open-ftp.md) + * [Open Hadoop HDFS NameNode Metadata Service](en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md) + * [Open Hadoop HDFS NameNode WebUI](en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md) + * [Open Kibana](en/google/vpcnetwork/open-kibana.md) + * [Open MySQL](en/google/vpcnetwork/open-mysql.md) + * [Open NetBIOS](en/google/vpcnetwork/open-netbios.md) + * [Open Oracle](en/google/vpcnetwork/open-oracle.md) + * [Open Oracle Auto Data Warehouse](en/google/vpcnetwork/open-oracle-auto-data-warehouse.md) + * [Open PostgreSQL](en/google/vpcnetwork/open-postgresql.md) + * [Open RDP](en/google/vpcnetwork/open-rdp.md) + * [Open RPC](en/google/vpcnetwork/open-rpc.md) + * [Open 
SMBoTCP](en/google/vpcnetwork/open-smbotcp.md) + * [Open SMTP](en/google/vpcnetwork/open-smtp.md) + * [Open SQLServer](en/google/vpcnetwork/open-sqlserver.md) + * [Open SSH](en/google/vpcnetwork/open-ssh.md) + * [Open Telnet](en/google/vpcnetwork/open-telnet.md) + * [Open VNC Client](en/google/vpcnetwork/open-vnc-client.md) + * [Open VNC Server](en/google/vpcnetwork/open-vnc-server.md) + * [Private Access Enabled](en/google/vpcnetwork/private-access-enabled.md) +* GitHub + * Orgs + * [Org Default Permission](en/github/orgs/org-default-permission.md) + * [Org Excessive Owners](en/github/orgs/org-excessive-owners.md) + * [Org MFA Required](en/github/orgs/org-mfa-required.md) + * [Org Plan Limit](en/github/orgs/org-plan-limit.md) + * Repos + * [Repo Deploy Keys Rotated](en/github/repos/repo-deploy-keys-rotated.md) + * [Repo Outside Collaborators](en/github/repos/repo-outside-collaborators.md) + * Users + * [GPG Keys Rotated](en/github/users/gpg-keys-rotated.md) + * [Public Keys Rotated](en/github/users/public-keys-rotated.md) + * [User MFA Enabled](en/github/users/user-mfa-enabled.md) + * [User Private Emails](en/github/users/user-private-emails.md) +* Oracle + * Audit + * [Log Retention Period](en/oracle/audit/log-retention-period.md) + * Block Storage + * [Block Storage Policy Protection](en/oracle/blockstorage/block-storage-policy-protection.md) + * [Block Volume Backup Enabled](en/oracle/blockstorage/block-volume-backup-enabled.md) + * [Block Volume Restorable](en/oracle/blockstorage/block-volume-restorable.md) + * [Volume Groups Restorable](en/oracle/blockstorage/volume-groups-restorable.md) + * Compute + * [Autoscale Enabled](en/oracle/compute/autoscale-enabled.md) + * [Boot Volume Backup Enabled](en/oracle/compute/boot-volume-backup-enabled.md) + * [Boot Volume Restorable](en/oracle/compute/boot-volume-restorable.md) + * [Boot Volume Transit Encryption](en/oracle/compute/boot-volume-transit-encryption.md) + * [Instance Max 
Count](en/oracle/compute/instance-max-count.md) + * [Instance Monitoring Enabled](en/oracle/compute/instance-monitoring-enabled.md) + * [Instance Policy Protection](en/oracle/compute/instance-policy-protection.md) + * [Instance Pool Multiple AD](en/oracle/compute/instance-pool-multiple-ad.md) + * Database + * [DB Network Security Groups Enabled](en/oracle/database/db-network-security-groups-enabled.md) + * [DB Private Subnet Only](en/oracle/database/db-private-subnet-only.md) + * [Database Backup Enabled](en/oracle/database/database-backup-enabled.md) + * [Database Policy Protection](en/oracle/database/database-policy-protection.md) + * File Storage + * [File Storage Policy Protection](en/oracle/filestorage/file-storage-policy-protection.md) + * [NFS Public Access](en/oracle/filestorage/nfs-public-access.md) + * Identity + * [Empty Groups](en/oracle/identity/empty-groups.md) + * [Excessive Policies](en/oracle/identity/excessive-policies.md) + * [Excessive Policy Statements](en/oracle/identity/excessive-policy-statements.md) + * [Minimum Password Length](en/oracle/identity/minimum-password-length.md) + * [Password Requires Lowercase](en/oracle/identity/password-requires-lowercase.md) + * [Password Requires Numbers](en/oracle/identity/password-requires-numbers.md) + * [Password Requires Symbols](en/oracle/identity/password-requires-symbols.md) + * [Password Requires Uppercase](en/oracle/identity/password-requires-uppercase.md) + * [Policy Least Privilege](en/oracle/identity/policy-least-privilege.md) + * [Users MFA Enabled](en/oracle/identity/users-mfa-enabled.md) + * Networking + * [Default Security List](en/oracle/networking/default-security-list.md) + * [Excessive Security Lists](en/oracle/networking/excessive-security-lists.md) + * [LB Network Security Groups Enabled](en/oracle/networking/lb-network-security-groups-enabled.md) + * [Load Balancer HTTPS Only](en/oracle/networking/load-balancer-https-only.md) + * [Load Balancer No 
Instances](en/oracle/networking/load-balancer-no-instances.md) + * [Open All Ports Protocols](en/oracle/networking/open-all-ports-protocols.md) + * [Open Autonomous Data Warehouse](en/oracle/networking/open-autonomous-data-warehouse.md) + * [Open CIFS](en/oracle/networking/open-cifs.md) + * [Open DNS](en/oracle/networking/open-dns.md) + * [Open FTP](en/oracle/networking/open-ftp.md) + * [Open Hadoop HDFS NameNode Metadata Service](en/oracle/networking/open-hadoop-hdfs-namenode-metadata-service.md) + * [Open Hadoop HDFS NameNode WebUI](en/oracle/networking/open-hadoop-hdfs-namenode-webui.md) + * [Open Kibana](en/oracle/networking/open-kibana.md) + * [Open MySQL](en/oracle/networking/open-mysql.md) + * [Open NetBIOS](en/oracle/networking/open-netbios.md) + * [Open Oracle](en/oracle/networking/open-oracle.md) + * [Open PostgreSQL](en/oracle/networking/open-postgresql.md) + * [Open RDP](en/oracle/networking/open-rdp.md) + * [Open RPC](en/oracle/networking/open-rpc.md) + * [Open SMBoTCP](en/oracle/networking/open-smbotcp.md) + * [Open SMTP](en/oracle/networking/open-smtp.md) + * [Open SQLServer](en/oracle/networking/open-sqlserver.md) + * [Open SSH](en/oracle/networking/open-ssh.md) + * [Open Telnet](en/oracle/networking/open-telnet.md) + * [Open VNC Client](en/oracle/networking/open-vnc-client.md) + * [Open VNC Server](en/oracle/networking/open-vnc-server.md) + * [Stateless Security Rules](en/oracle/networking/stateless-security-rules.md) + * [Subnet Multi AD](en/oracle/networking/subnet-multi-ad.md) + * [VCN Multiple Subnets](en/oracle/networking/vcn-multiple-subnets.md) + * [WAF Public IP Enabled](en/oracle/networking/waf-public-ip-enabled.md) + * Object Store + * [Bucket Public Access Type](en/oracle/objectstore/bucket-public-access-type.md) + * [Object Store Policy Protection](en/oracle/objectstore/object-store-policy-protection.md) + * [Pre-Authenticated Requests Access](en/oracle/objectstore/pre-authenticated-requests-access.md) + * [Pre-Authenticated Requests 
Expiry](en/oracle/objectstore/pre-authenticated-requests-expiry.md) + ## Contributing diff --git a/en/azure/activedirectory/minimum-password-length.md b/en/azure/activedirectory/minimum-password-length.md new file mode 100644 index 000000000..5b65e0e0d --- /dev/null +++ b/en/azure/activedirectory/minimum-password-length.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Minimum Password Length + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Minimum Password Length | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that all Azure passwords require a minimum length | +| **More Info** | Azure handles most password policy settings, including the minimum password length, defaulted to 8 characters. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts | +| **Recommended Action** | No action necessary. Azure handles password requirement settings. | + +## Detailed Remediation Steps + diff --git a/en/azure/activedirectory/password-requires-lowercase.md b/en/azure/activedirectory/password-requires-lowercase.md new file mode 100644 index 000000000..459307af6 --- /dev/null +++ b/en/azure/activedirectory/password-requires-lowercase.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Password Requires Lowercase + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Lowercase | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that all Azure passwords require lowercase characters | +| **More Info** | Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts | +| **Recommended Action** | No action necessary. Azure handles password requirement settings. | + +## Detailed Remediation Steps + diff --git a/en/azure/activedirectory/password-requires-numbers.md b/en/azure/activedirectory/password-requires-numbers.md new file mode 100644 index 000000000..a73a926ff --- /dev/null +++ b/en/azure/activedirectory/password-requires-numbers.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Password Requires Numbers + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Numbers | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that all Azure passwords require numbers | +| **More Info** | Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts | +| **Recommended Action** | No action necessary. Azure handles password requirement settings. | + +## Detailed Remediation Steps + diff --git a/en/azure/activedirectory/password-requires-symbols.md b/en/azure/activedirectory/password-requires-symbols.md new file mode 100644 index 000000000..b5c8d5f58 --- /dev/null +++ b/en/azure/activedirectory/password-requires-symbols.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Password Requires Symbols + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Symbols | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that all Azure passwords require symbol characters | +| **More Info** | Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts | +| **Recommended Action** | No action necessary. Azure handles password requirement settings. | + +## Detailed Remediation Steps + diff --git a/en/azure/activedirectory/password-requires-uppercase.md b/en/azure/activedirectory/password-requires-uppercase.md new file mode 100644 index 000000000..65135fc77 --- /dev/null +++ b/en/azure/activedirectory/password-requires-uppercase.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Active Directory / Password Requires Uppercase + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Uppercase | +| **Cloud** | AZURE | +| **Category** | Active Directory | +| **Description** | Ensures that all Azure passwords require uppercase characters | +| **More Info** | Azure handles most password policy settings, including which character types are required. Azure requires 3 out of 4 of the following character types: lowercase, uppercase, special characters, and numbers. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts | +| **Recommended Action** | No action necessary. Azure handles password requirement settings. | + +## Detailed Remediation Steps + diff --git a/en/azure/appservice/.net-framework-version.md b/en/azure/appservice/.net-framework-version.md index 1c80feaf1..03f138ec8 100644 --- a/en/azure/appservice/.net-framework-version.md +++ b/en/azure/appservice/.net-framework-version.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | .NET Framework Version | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensure .NET Framework is up to date for all App Services. | -| **More Info** | Keeping your .NET framework up to date will reduce the security risk vulnerabilities due to missing security patches. | +| **Description** | Ensures the latest version of the .NET Framework is installed for all App Services. | +| **More Info** | Installing the latest version of the .NET framework will reduce the security risk of missing security patches. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure | -| **Recommended Action** | Update .NET framwork version on all .NET App Services. | +| **Recommended Action** | Select the latest version of the .NET framework for all .NET-based App Services | ## Detailed Remediation Steps diff --git a/en/azure/appservice/authentication-enabled.md b/en/azure/appservice/authentication-enabled.md index a20358677..e57ca1efa 100644 --- a/en/azure/appservice/authentication-enabled.md +++ b/en/azure/appservice/authentication-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Authentication Enabled | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensures Authentication is enabled for your App services, redirecting unauthenticated users to the login page. | -| **More Info** | Enabling authentication will redirect all unauthenticated requests to the login page. Also handles authentication of users with specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter) | +| **Description** | Ensures Authentication is enabled for App Services, redirecting unauthenticated users to the login page. | +| **More Info** | Enabling authentication will redirect all unauthenticated requests to the login page. It also handles authentication of users with specific providers (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter). | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization | -| **Recommended Action** | In your App Service go to Authentication / Authorization > Set App Service Authentication to "On" (Enabled) | +| **Recommended Action** | Enable App Service Authentication for all App Services. | ## Detailed Remediation Steps diff --git a/en/azure/appservice/client-certificates-enabled.md b/en/azure/appservice/client-certificates-enabled.md index 70dc563a7..3a0d267eb 100644 --- a/en/azure/appservice/client-certificates-enabled.md +++ b/en/azure/appservice/client-certificates-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Client Certificates Enabled | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensures Client Certificates are enabled for your App Service, only allowing clients with valid certificates to reach the app | -| **More Info** | Enabling Client Certificates will block all clients who do not have a valid certificate from accessing the app. | +| **Description** | Ensures Client Certificates are enabled for App Services, only allowing clients with valid certificates to reach the app | +| **More Info** | Enabling Client Certificates will block all clients that do not have a valid certificate from accessing the app. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#enable-client-certificates | -| **Recommended Action** | In your App Service go to SSL Settings > Incoming client certificates and set it to "On" (Enabled). | +| **Recommended Action** | Enable incoming client certificate SSL setting for all App Services. | ## Detailed Remediation Steps diff --git a/en/azure/appservice/http-2.0-enabled.md b/en/azure/appservice/http-2.0-enabled.md index 231462279..cb62ebdde 100644 --- a/en/azure/appservice/http-2.0-enabled.md +++ b/en/azure/appservice/http-2.0-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | HTTP 2.0 Enabled | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensures the latest HTTP version is enabled for the App Service. | -| **More Info** | Enabling HTTP2.0 ensures that the App Service has the latest technology which includes security enhancements and additional functionality. | +| **Description** | Ensures the latest HTTP version is enabled for App Services | +| **More Info** | Enabling HTTP2.0 ensures that the App Service has the latest technology which improves server performance | | **AZURE Link** | https://azure.microsoft.com/en-us/blog/announcing-http-2-support-in-azure-app-service/ | -| **Recommended Action** | In your App Service go to configuration > go to the General Settings tab > select in "Http Version" version 2.0 | +| **Recommended Action** | Enable HTTP 2.0 support in the general settings for all App Services | ## Detailed Remediation Steps diff --git a/en/azure/appservice/https-only-enabled.md b/en/azure/appservice/https-only-enabled.md index e962aebfd..a07670645 100644 --- a/en/azure/appservice/https-only-enabled.md +++ b/en/azure/appservice/https-only-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | HTTPS Only Enabled | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensures HTTPS Only is enabled for your App services, redirecting all HTTP traffic to HTTPS. | +| **Description** | Ensures HTTPS Only is enabled for App Services, redirecting all HTTP traffic to HTTPS | | **More Info** | Enabling HTTPS Only traffic will redirect all non-secure HTTP requests to HTTPS. HTTPS uses the SSL/TLS protocol to provide a secure connection. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https | -| **Recommended Action** | In your App Service go to SSL Settings > HTTPS Only and set it to "On" (Enabled). | +| **Recommended Action** | Enable HTTPS Only support SSL settings for all App Services | ## Detailed Remediation Steps diff --git a/en/azure/appservice/identity-enabled.md b/en/azure/appservice/identity-enabled.md index 106e1a02d..ff474858e 100644 --- a/en/azure/appservice/identity-enabled.md +++ b/en/azure/appservice/identity-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Identity Enabled | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensures a system or user assigned managed identity is enabled to authenticate to App Service without storing credentials in the code. | -| **More Info** | Managing credentials in your code for authenticating to cloud services is a challenge, and maintaining the credentials secure is very important. Ideally, the credentials never appear on developer workstations and aren't checked into source control. The managed identities for Azure resources provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, without having to include any credentials in your code. | +| **Description** | Ensures a system or user assigned managed identity is enabled to authenticate to App Services without storing credentials in the code. | +| **More Info** | Maintaining cloud connection credentials in code is a security risk. Credentials should never appear on developer workstations and should not be checked into source control. Managed identities for Azure resources provides Azure services with a managed identity in Azure AD which can be used to authenticate to any service that supports Azure AD authentication, without having to include any credentials in code. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity | -| **Recommended Action** | In your App Service go to Identity > System assigned and set it to "On" (Enabled) or go to the User assigned tab and add a user assigned managed identity. | +| **Recommended Action** | Enable system or user-assigned identities for all App Services and avoid storing credentials in code. | ## Detailed Remediation Steps diff --git a/en/azure/appservice/java-version.md b/en/azure/appservice/java-version.md new file mode 100644 index 000000000..ee2758341 --- /dev/null 
+++ b/en/azure/appservice/java-version.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / App Service / Java Version + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Java Version | +| **Cloud** | AZURE | +| **Category** | App Service | +| **Description** | Ensures the latest version of Java is installed for all App Services | +| **More Info** | Installing the latest version of Java will reduce the security risk of missing security patches. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/app-service-web-get-started-java | +| **Recommended Action** | Select the latest version of Java for all Java-based App Services | + +## Detailed Remediation Steps + diff --git a/en/azure/appservice/php-version.md b/en/azure/appservice/php-version.md new file mode 100644 index 000000000..7e5dc51f9 --- /dev/null +++ b/en/azure/appservice/php-version.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / App Service / PHP Version + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | PHP Version | +| **Cloud** | AZURE | +| **Category** | App Service | +| **Description** | Ensures the latest version of PHP is installed for all App Services | +| **More Info** | Installing the latest version of PHP will reduce the security risk of missing security patches. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/web-sites-php-configure | +| **Recommended Action** | Select the latest version of PHP for all PHP-based App Services | + +## Detailed Remediation Steps + diff --git a/en/azure/appservice/python-version.md b/en/azure/appservice/python-version.md index 84966464e..480371272 100644 --- a/en/azure/appservice/python-version.md +++ b/en/azure/appservice/python-version.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Python Version | | **Cloud** | AZURE | | **Category** | App Service | -| **Description** | Ensure the latest version of Python is installed on all App Services. | +| **Description** | Ensures the latest version of Python is installed for all App Services | | **More Info** | Installing the latest version of Python will reduce the security risk of missing security patches. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/app-service/containers/how-to-configure-python | -| **Recommended Action** | Set python version to the latest version on all your App Services | +| **Recommended Action** | Select the latest version of Python for all Python-based App Services | ## Detailed Remediation Steps diff --git a/en/azure/appservice/tls-version-check.md b/en/azure/appservice/tls-version-check.md new file mode 100644 index 000000000..58d9989f3 --- /dev/null +++ b/en/azure/appservice/tls-version-check.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / App Service / TLS Version Check + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | TLS Version Check | +| **Cloud** | AZURE | +| **Category** | App Service | +| **Description** | Ensures that all web apps are using the latest version of TLS | +| **More Info** | App Services currently allows web apps to use TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app TLS connections. | +| **AZURE Link** | https://azure.microsoft.com/en-in/updates/app-service-and-functions-hosted-apps-can-now-update-tls-versions/ | +| **Recommended Action** | Set the minimum TLS version to 1.2 for all App Services. | + +## Detailed Remediation Steps + diff --git a/en/azure/azurepolicy/resource-location-matches-resource-group.md b/en/azure/azurepolicy/resource-location-matches-resource-group.md index adc8439ed..ca936ef9a 100644 
--- a/en/azure/azurepolicy/resource-location-matches-resource-group.md +++ b/en/azure/azurepolicy/resource-location-matches-resource-group.md @@ -9,10 +9,10 @@ | **Plugin Title** | Resource Location Matches Resource Group | | **Cloud** | AZURE | | **Category** | Azure Policy | -| **Description** | Ensures deployed resources match the resource groups they are in, as well as ensuring the Audit resource location matches resource group location policy is assigned. | -| **More Info** | Monitoring changes to resources follows Security and Compliance best practices. Being able to track resource location changes adds a level of accountability. | +| **Description** | Ensures a policy is configured to audit that deployed resource locations match their resource group locations | +| **More Info** | Using Azure Policy to monitor resource location compliance helps ensure that new resources are not launched into locations that do not match their resource group. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal | -| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Click on Assign Policy. 4. Click to search a Policy definition, search for and select: Audit resource location matches resource group location. 5. Under Parameters, select your Allowed locations. 6. Click on Assign. | +| **Recommended Action** | Enable the built-in Azure Policy definition: Audit resource location matches resource group location | ## Detailed Remediation Steps diff --git a/en/azure/azurepolicy/resources-allowed-locations.md b/en/azure/azurepolicy/resources-allowed-locations.md index 422630b7a..fb27f3865 100644 --- a/en/azure/azurepolicy/resources-allowed-locations.md +++ b/en/azure/azurepolicy/resources-allowed-locations.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Resources Allowed Locations | | **Cloud** | AZURE | | **Category** | Azure Policy | -| **Description** | Ensures deployed resources and resource groups belong to the list set in the Allowed locations for resource groups policy. | -| **More Info** | Monitoring changes to resources follows Security and Compliance best practices. Being able to track resource location changes adds a level of accountability. | +| **Description** | Ensures deployed resources and resource groups belong to the list set in the allowed locations for resource groups policy | +| **More Info** | Setting allowed locations for a service helps ensure the service can only be deployed in expected locations. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal | -| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Click on Assign Policy. 4. Click to search a Policy definition, search for and select: Allowed locations for resource groups. 5. Under Parameters, select your Allowed locations. 6. Click on Assign. | +| **Recommended Action** | Ensure that all services contain policy definitions that defined allowed locations. | ## Detailed Remediation Steps diff --git a/en/azure/blobservice/blob-container-private-access.md b/en/azure/blobservice/blob-container-private-access.md index 948e74710..602f0a31a 100644 --- a/en/azure/blobservice/blob-container-private-access.md +++ b/en/azure/blobservice/blob-container-private-access.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Blob Container Private Access | | **Cloud** | AZURE | | **Category** | Blob Service | -| **Description** | Ensure that all blob containers do not have anonymous public access level. | -| **More Info** | Blob containers set with public access, enables anonymous users to read blobs within a publicly accessible container without authenticating the request. Ensure that private access is set to all of blob containers. | +| **Description** | Ensures that all blob containers do not have anonymous public access set | +| **More Info** | Blob containers set with public access enables anonymous users to read blobs within a publicly accessible container without authentication. All blob containers should have private access configured. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction | -| **Recommended Action** | Create blob container with public access level. | +| **Recommended Action** | Ensure each blob container is configured to restrict anonymous access | ## Detailed Remediation Steps diff --git a/en/azure/blobservice/blob-service-immutable.md b/en/azure/blobservice/blob-service-immutable.md index beb478a7a..5e2d11308 100644 --- a/en/azure/blobservice/blob-service-immutable.md +++ b/en/azure/blobservice/blob-service-immutable.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Blob Service Immutable | | **Cloud** | AZURE | | **Category** | Blob Service | -| **Description** | Ensures data immutability is properly configured in blob services to protect critical data against deletion. | -| **More Info** | Immutable storage helps financial institutions and related industries--particularly broker-dealer organizations--to store data securely. It can also be leveraged in any scenario to protect critical data against deletion. | +| **Description** | Ensures data immutability is properly configured for blob services to protect critical data against deletion | +| **More Info** | Immutable storage helps store data securely by protecting critical data against deletion. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage#Getting-started | -| **Recommended Action** | In your Azure storage account, select an existing container, then select access policy under container settings, and the Add Policy under Immutable Blob Storage. | +| **Recommended Action** | Enable a data immutability policy for all storage containers in the Azure storage account. | ## Detailed Remediation Steps diff --git a/en/azure/cdnprofiles/detect-insecure-custom-origin.md b/en/azure/cdnprofiles/detect-insecure-custom-origin.md new file mode 100644 index 000000000..d28d1624c --- /dev/null +++ b/en/azure/cdnprofiles/detect-insecure-custom-origin.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / CDN Profiles / Detect Insecure Custom Origin + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Detect Insecure Custom Origin | +| **Cloud** | AZURE | +| **Category** | CDN Profiles | +| **Description** | Ensures that HTTPS is enabled for CDN endpoints with a custom origin | +| **More Info** | All Azure CDN endpoints should enable HTTPS to secure traffic to the backend custom origin. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/cdn/cdn-create-endpoint-how-to | +| **Recommended Action** | Enable HTTPS and disable HTTP for each custom origin endpoint for each CDN profile. | + +## Detailed Remediation Steps + diff --git a/en/azure/cdnprofiles/endpoint-logging-enabled.md b/en/azure/cdnprofiles/endpoint-logging-enabled.md new file mode 100644 index 000000000..812e35e6e --- /dev/null +++ b/en/azure/cdnprofiles/endpoint-logging-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / CDN Profiles / Endpoint Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Endpoint Logging Enabled | +| **Cloud** | AZURE | +| **Category** | CDN Profiles | +| **Description** | Ensures that endpoint requests are being logged for CDN endpoints | +| **More Info** | Endpoint Logging ensures that all requests to a CDN endpoint are logged. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/cdn/cdn-azure-diagnostic-logs | +| **Recommended Action** | Ensure that diagnostic logging is enabled for each CDN endpoint for each CDN profile | + +## Detailed Remediation Steps + diff --git a/en/azure/disks/unmanaged-disk-encryption.md b/en/azure/disks/unmanaged-disk-encryption.md new file mode 100644 index 000000000..798385850 --- /dev/null +++ b/en/azure/disks/unmanaged-disk-encryption.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Disks / Unmanaged Disk Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Unmanaged Disk Encryption | +| **Cloud** | AZURE | +| **Category** | Disks | +| **Description** | Ensures that unmanaged disks are encrypted | +| **More Info** | Encrypting unmanaged data disks (non-boot volume) ensures that the entire contents are fully unrecoverable without a key, protecting the volume from unwarranted reads. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-disk-encryption | +| **Recommended Action** | Enable Data Disk Encryption on all unmanaged disks | + +## Detailed Remediation Steps + diff --git a/en/azure/fileservice/file-service-all-access-acl.md b/en/azure/fileservice/file-service-all-access-acl.md index 692e839f0..90fd74339 100644 --- a/en/azure/fileservice/file-service-all-access-acl.md +++ b/en/azure/fileservice/file-service-all-access-acl.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | File Service All Access ACL | | **Cloud** | AZURE | | **Category** | File Service | -| **Description** | Ensures File Shares do not allow full write, delete, or read ACL permissions | -| **More Info** | File Shares can be configured to allow to read, write or delete objects from a share. This option should not be configured unless there is a strong business requirement. | +| **Description** | Ensures file shares do not allow full write, delete, or read ACL permissions | +| **More Info** | File shares can be configured to allow to read, write, or delete permissions from a share. This option should not be configured unless there is a strong business requirement. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share#create-a-file-share-through-the-azure-portal | -| **Recommended Action** | Disable global read/write/detele policies on all File Shares and ensure both the share ACL is configured with least privileges. | +| **Recommended Action** | Disable global read, write, and delete policies on all file shares and ensure the share ACL is configured with least privileges. | ## Detailed Remediation Steps diff --git a/en/azure/keyvault/key-vault-recovery-enabled.md b/en/azure/keyvault/key-vault-recovery-enabled.md new file mode 100644 index 000000000..e8c70455a --- /dev/null +++ b/en/azure/keyvault/key-vault-recovery-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Key Vault / Key Vault Recovery Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Vault Recovery Enabled | +| **Cloud** | AZURE | +| **Category** | Key Vault | +| **Description** | Ensures that Purge Protection and Soft Delete are enabled on all Key Vaults. | +| **More Info** | Purge Protection and Soft Delete are features that safeguard losing key access. With these setting enabled, key vaults have recovery actions available to restore deleted or compromised key vaults. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete | +| **Recommended Action** | 1. Login to the Azure CLI. 2. Use the command and change *vaultname* to the vault to enable Soft Delete: 'az resource update --id $(az keyvault show --name *vaultname* -o tsv | awk '{print $1}') --set properties.enableSoftDelete=true'. 3. Use the command and change *vaultname* to the vault to enable Surge Protection: 'az resource update --id $(az keyvault show --name *vaultname* -o tsv | awk '{print $1}') --set properties.enablePurgeProtection=true' | + +## Detailed Remediation Steps + diff --git a/en/azure/kubernetesservice/kubernetes-rbac-enabled.md b/en/azure/kubernetesservice/kubernetes-rbac-enabled.md new file mode 100644 index 000000000..c733f2be3 --- /dev/null +++ b/en/azure/kubernetesservice/kubernetes-rbac-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Kubernetes Service / Kubernetes RBAC Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Kubernetes RBAC Enabled | +| **Cloud** | AZURE | +| **Category** | Kubernetes Service | +| **Description** | Ensures that RBAC is enabled on all Azure Kubernetes Service instances | +| **More Info** | Role Based Access Control (RBAC) provides greater control and security for Kubernetes clusters and should be enabled on all instances. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/aks/aad-integration | +| **Recommended Action** | Enable RBAC authentication for all Azure Kubernetes Clusters | + +## Detailed Remediation Steps + diff --git a/en/azure/loadbalancer/lb-https-only.md b/en/azure/loadbalancer/lb-https-only.md new file mode 100644 index 000000000..6d8ae2a9d --- /dev/null +++ b/en/azure/loadbalancer/lb-https-only.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Load Balancer / LB HTTPS Only + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | LB HTTPS Only | +| **Cloud** | AZURE | +| **Category** | Load Balancer | +| **Description** | Ensures load balancers are configured to only accept connections on HTTPS ports | +| **More Info** | For maximum security, load balancers can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview | +| **Recommended Action** | Ensure that each load balancer only accepts connections on port 443. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/loadbalancer/lb-no-instances.md b/en/azure/loadbalancer/lb-no-instances.md new file mode 100644 index 000000000..40aa7d6f6 --- /dev/null +++ b/en/azure/loadbalancer/lb-no-instances.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Load Balancer / LB No Instances + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | LB No Instances | +| **Cloud** | AZURE | +| **Category** | Load Balancer | +| **Description** | Detects load balancers that have no backend instances attached | +| **More Info** | All load balancers should have backend server resources. Those without any are consuming costs without providing any functionality. Additionally, old load balancers with no instances pose a security concern if new instances are accidentally attached. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview | +| **Recommended Action** | Delete old load balancers that no longer have backend resources. | + +## Detailed Remediation Steps + diff --git a/en/azure/logalerts/network-security-groups-logging-enabled.md b/en/azure/logalerts/network-security-groups-logging-enabled.md new file mode 100644 index 000000000..502336f2d --- /dev/null +++ b/en/azure/logalerts/network-security-groups-logging-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Log Alerts / Network Security Groups Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Network Security Groups Logging Enabled | +| **Cloud** | AZURE | +| **Category** | Log Alerts | +| **Description** | Ensures Activity Log alerts for the create or update and delete Network Security Group Rule events are enabled | +| **More Info** | Monitoring for create or update and delete Network Security Group events gives insight into network access changes and may reduce the time it takes to detect suspicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Network Security Group Rule create or update and delete events. | + +## Detailed Remediation Steps + diff --git a/en/azure/logalerts/security-policy-alerts-enabled.md b/en/azure/logalerts/security-policy-alerts-enabled.md new file mode 100644 index 000000000..1c3fb917b --- /dev/null +++ b/en/azure/logalerts/security-policy-alerts-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Log Alerts / Security Policy Alerts Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Security Policy Alerts Enabled | +| **Cloud** | AZURE | +| **Category** | Log Alerts | +| **Description** | Ensures Activity Log alerts for create or update Security Policy Rule events are enabled | +| **More Info** | Monitoring for create or update Security Policy Rule events gives insight into policy changes and may reduce the time it takes to detect suspicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-alerts | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Security Policy Rule create or update events. | + +## Detailed Remediation Steps + diff --git a/en/azure/logalerts/security-solution-logging.md b/en/azure/logalerts/security-solution-logging.md new file mode 100644 index 000000000..2ffec6695 --- /dev/null +++ b/en/azure/logalerts/security-solution-logging.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Log Alerts / Security Solution Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Security Solution Logging | +| **Cloud** | AZURE | +| **Category** | Log Alerts | +| **Description** | Ensures Activity Log Alerts for the create or update and delete Security Solution events are enabled | +| **More Info** | Monitoring for create or update and delete Security Solution events gives insight into event changes and may reduce the time it takes to detect suspicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security/azure-log-audit | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Security Solution create or update and delete events. | + +## Detailed Remediation Steps + diff --git a/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md b/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md index 75e652af3..d8374bd55 100644 --- a/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md +++ b/en/azure/logalerts/sql-server-firewall-rule-alerts-monitor.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | SQL Server Firewall Rule Alerts Monitor | | **Cloud** | AZURE | | **Category** | Log Alerts | -| **Description** | Triggers alerts when SQL Server Firewall Rules are created or modified. | -| **More Info** | Monitoring SQL Server Firewall Rule events gives insight into network access changes and may reduce the risk of data breaches due to malicious alteration to firewall configuration. | +| **Description** | Ensures Activity Log Alerts for the create or update and delete SQL Server Firewall Rules events are enabled | +| **More Info** | Monitoring for create or update and delete SQL Server Firewall Rules events gives insight into event changes and may reduce the time it takes to detect suspicious activity. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure | -| **Recommended Action** | Configure SQL Server Firewall rules to limit access exclusively to those resources that need it. Create activity log alerts to monitor changes to your SQL Server security configuration. | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for SQL Server Firewall Rules create or update and delete events. | ## Detailed Remediation Steps diff --git a/en/azure/logalerts/virtual-network-alerts-monitor.md b/en/azure/logalerts/virtual-network-alerts-monitor.md index 96f842e2c..9c3b4aa70 100644 --- a/en/azure/logalerts/virtual-network-alerts-monitor.md +++ b/en/azure/logalerts/virtual-network-alerts-monitor.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Virtual Network Alerts Monitor | | **Cloud** | AZURE | | **Category** | Log Alerts | -| **Description** | Triggers alerts when Virtual Networks are created or modified. | -| **More Info** | Monitoring Virtual Network events gives insight into network access changes and may reduce the risk of breaches due to malicious configuration alteration. | +| **Description** | Ensures Activity Log Alerts for the create or update and delete Virtual Networks events are enabled | +| **More Info** | Monitoring for create or update and delete Virtual Networks events gives insight into event changes and may reduce the time it takes to detect suspicious activity. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/security-overview | -| **Recommended Action** | Configure Virtual Networks to limit access exclusively to those resources that need it. Create activity log alerts to monitor changes to your Virtual Networks configuration. | +| **Recommended Action** | Add a new log alert to the Alerts service that monitors for Virtual Networks create or update and delete events. | ## Detailed Remediation Steps diff --git a/en/azure/monitor/key-vault-log-analytics-enabled.md b/en/azure/monitor/key-vault-log-analytics-enabled.md new file mode 100644 index 000000000..43804383a --- /dev/null +++ b/en/azure/monitor/key-vault-log-analytics-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Monitor / Key Vault Log Analytics Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Vault Log Analytics Enabled | +| **Cloud** | AZURE | +| **Category** | Monitor | +| **Description** | Ensures Key Vault Log Analytics logs are being properly delivered to Azure Monitor | +| **More Info** | Enabling Send to Log Analytics ensures that all Key Vault logs are being properly monitored and managed. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs | +| **Recommended Action** | Send all diagnostic logs for Key Vault from the Azure Monitor service to Log Analytics. | + +## Detailed Remediation Steps + diff --git a/en/azure/monitor/load-balancer-log-analytics-enabled.md b/en/azure/monitor/load-balancer-log-analytics-enabled.md new file mode 100644 index 000000000..6dcd0991a --- /dev/null +++ b/en/azure/monitor/load-balancer-log-analytics-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Monitor / Load Balancer Log Analytics Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Load Balancer Log Analytics Enabled | +| **Cloud** | AZURE | +| **Category** | Monitor | +| **Description** | Ensures Load Balancers Log Analytics logs are being properly delivered to Azure Monitor | +| **More Info** | Enabling Send to Log Analytics ensures that all Load Balancer logs are being properly monitored and managed. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs | +| **Recommended Action** | Send all diagnostic logs for Load Balancers from the Azure Monitor service to Log Analytics. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/monitor/log-profile-archive-data.md b/en/azure/monitor/log-profile-archive-data.md index 0ac3f1ddb..0f97cf9a0 100644 --- a/en/azure/monitor/log-profile-archive-data.md +++ b/en/azure/monitor/log-profile-archive-data.md @@ -9,10 +9,10 @@ | **Plugin Title** | Log Profile Archive Data | | **Cloud** | AZURE | | **Category** | Monitor | -| **Description** | The Log Profile should be configured to export all activities from the control/management plane in all active locations. | -| **More Info** | Enabling logging of all activities in a log profile ensures that cloud security best practices, as well as compliance and monitoring standards are followed. | +| **Description** | Ensures the Log Profile is configured to export all activities from the control and management planes in all active locations | +| **More Info** | Exporting log activity for control plane activity allows for audited access to the Azure account with event data in the case of a security incident. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/archive-activity-log | -| **Recommended Action** | 1. Enter the Monitor category. 2. Select Activity Log from the left hand menu. 3. On the top of activity log select Export to Event Hub to enable activity log archiving and select the storage account or event hub to send the data to. | +| **Recommended Action** | Ensure that all activity is logged to the Event Hub or storage account for archiving. | ## Detailed Remediation Steps diff --git a/en/azure/monitor/log-profile-retention-policy.md b/en/azure/monitor/log-profile-retention-policy.md new file mode 100644 index 000000000..1f04698f4 --- /dev/null +++ b/en/azure/monitor/log-profile-retention-policy.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Monitor / Log Profile Retention Policy + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Profile Retention Policy | +| **Cloud** | AZURE | +| **Category** | Monitor | +| **Description** | Ensures that Log Profiles have a long retention policy. | +| **More Info** | Log retention policies should be configured with sufficient retention to aid in investigation of prior security incidents and for compliance purposes. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-activity-logs#export-the-activity-log-with-a-log-profile | +| **Recommended Action** | Ensure that the Activity Log export to Event Hub is configured with a retention policy of at least 90 days. | + +## Detailed Remediation Steps + diff --git a/en/azure/monitor/nsg-log-analytics-enabled.md b/en/azure/monitor/nsg-log-analytics-enabled.md index c4102d025..f4b2d7536 100644 --- a/en/azure/monitor/nsg-log-analytics-enabled.md +++ b/en/azure/monitor/nsg-log-analytics-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | NSG Log Analytics Enabled | | **Cloud** | AZURE | | **Category** | Monitor | -| **Description** | Ensures Network Security Groups logs are sent to the Log Analytics workspace. | -| **More Info** | Enabling Log Analytics ensures that logs are shipped to a central repository that can be queried and audited, following cloud security best practices. | +| **Description** | Ensures Network Security Group logs are sent to the Log Analytics workspace | +| **More Info** | Enabling Log Analytics for Network Security Groups ensures that logs are shipped to a central repository that can be queried and audited. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-activity-logs | -| **Recommended Action** | 1. Go to Azure Monitor. 2. Select Diagnostic setting from the settings tab on the list to the left. 3. Choose the resource. 4. If no diagnostic setting defined, add diagnostic setting and enable Send to Log Analytics, if diagnostic setting are defined, edit the setting to enable Send to Log Analytics. | +| **Recommended Action** | Enable sending of logs to Log Analytics for each Network Security Group resource in the Azure Monitor. | ## Detailed Remediation Steps diff --git a/en/azure/networksecuritygroups/default-security-group.md b/en/azure/networksecuritygroups/default-security-group.md index 087f3b189..231603398 100644 --- a/en/azure/networksecuritygroups/default-security-group.md +++ b/en/azure/networksecuritygroups/default-security-group.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Default Security Group | | **Cloud** | AZURE | | **Category** | Network Security Groups | -| **Description** | Ensure the default security groups block all traffic by default. | -| **More Info** | The default security group is often used for resources launched without a defined security group. For this reason, the default rules should be to block all traffic to prevent an accidental exposure. | +| **Description** | Ensures that default security groups block all traffic by default | +| **More Info** | The default security group is often used for resources launched without a defined security group. For this reason, the default rules should be set to block all traffic to prevent an accidental exposure. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | -| **Recommended Action** | Update the rules for the default security group to deny all traffic by default. | +| **Recommended Action** | Update the rules for the default security group to deny all traffic by default | ## Detailed Remediation Steps diff --git a/en/azure/networksecuritygroups/deny-ssh-access.md b/en/azure/networksecuritygroups/deny-ssh-access.md new file mode 100644 index 000000000..c98fa5229 --- /dev/null +++ b/en/azure/networksecuritygroups/deny-ssh-access.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Network Security Groups / Deny SSH Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Deny SSH Access | +| **Cloud** | AZURE | +| **Category** | Network Security Groups | +| **Description** | Ensures that all Network Security Group Security Rules deny public SSH access | +| **More Info** | Inbound security group rules should prohibit inbound SSH access from the global address. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-restrict-access-through-internet-facing-endpoints | +| **Recommended Action** | For each Network Security Group attached to a Virtual Machine instance, ensure that the inbound SSH port is appropriately restricted. | + +## Detailed Remediation Steps + diff --git a/en/azure/networksecuritygroups/excessive-security-groups.md b/en/azure/networksecuritygroups/excessive-security-groups.md new file mode 100644 index 000000000..1cf2dd0ad --- /dev/null +++ b/en/azure/networksecuritygroups/excessive-security-groups.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Network Security Groups / Excessive Security Groups + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Excessive Security Groups | +| **Cloud** | AZURE | +| **Category** | Network Security Groups | +| **Description** | Determines if there are an excessive number of security groups in the account | +| **More Info** | Keeping the number of security groups to a minimum helps reduce the attack surface of an account. Rather than creating new groups with the same rules for each project, common rules should be grouped under the same security groups. For example, instead of adding port 22 from a known IP to every group, create a single "SSH" security group which can be used on multiple instances. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | +| **Recommended Action** | Limit the number of security groups to prevent accidental authorizations. | + +## Detailed Remediation Steps + diff --git a/en/azure/networksecuritygroups/network-watcher-enabled.md b/en/azure/networksecuritygroups/network-watcher-enabled.md new file mode 100644 index 000000000..a1ffd2690 --- /dev/null +++ b/en/azure/networksecuritygroups/network-watcher-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Network Security Groups / Network Watcher Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Network Watcher Enabled | +| **Cloud** | AZURE | +| **Category** | Network Security Groups | +| **Description** | Ensures Network Watcher is enabled in all locations | +| **More Info** | Network Watcher helps locate, diagnose, and gain insights into Azure networks. Enabling Network Watcher in all locations ensures that no resources are being used in locations that are not authorized. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview | +| **Recommended Action** | Enable the Network Watcher service in all locations. | + +## Detailed Remediation Steps + diff --git a/en/azure/networksecuritygroups/open-all-ports.md b/en/azure/networksecuritygroups/open-all-ports.md index f68a5c40e..c91b9c196 100644 --- a/en/azure/networksecuritygroups/open-all-ports.md +++ b/en/azure/networksecuritygroups/open-all-ports.md @@ -9,8 +9,8 @@ | **Plugin Title** | Open All Ports | | **Cloud** | AZURE | | **Category** | Network Security Groups | -| **Description** | Determine if all ports are open to the public | -| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, services should be restricted to known IP addresses. | +| **Description** | Ensures Network Security Groups do not expose all ports to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, almost all services should be restricted to known IP addresses. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | | **Recommended Action** | Restrict ports to known IP addresses | 
diff --git a/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md b/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md new file mode 100644 index 000000000..406bcc5dc --- /dev/null +++ b/en/azure/networksecuritygroups/open-oracle-auto-data-warehouse.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Network Security Groups / Open Oracle Auto Data Warehouse + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Oracle Auto Data Warehouse | +| **Cloud** | AZURE | +| **Category** | Network Security Groups | +| **Description** | Determine if TCP port 1522 for Oracle Auto Data Warehouse is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle Auto Data Warehouse should be restricted to known IP addresses. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | +| **Recommended Action** | Restrict TCP ports 1522 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/azure/networksecuritygroups/open-rdp.md b/en/azure/networksecuritygroups/open-rdp.md index e3f1fe5a5..2990c2a8d 100644 --- a/en/azure/networksecuritygroups/open-rdp.md +++ b/en/azure/networksecuritygroups/open-rdp.md 
@@ -12,7 +12,7 @@ | **Description** | Determine if TCP port 3389 for RDP is open to the public | | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RDP should be restricted to known IP addresses. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group | -| **Recommended Action** | For each VM, open the Networking blade and verify that the Inbound Port Rules do not have a rule for RDP with a source equal to "Any" OR "Internet" | +| **Recommended Action** | For each VM, open the Networking blade and verify that the Inbound Port Rules do not have a rule for RDP with a source equal to Any or Internet | ## Detailed Remediation Steps diff --git a/en/azure/postgresqlserver/connection-throttling-enabled.md b/en/azure/postgresqlserver/connection-throttling-enabled.md new file mode 100644 index 000000000..d0adf580b --- /dev/null +++ b/en/azure/postgresqlserver/connection-throttling-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Connection Throttling Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Connection Throttling Enabled | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures connection throttling is enabled for PostgreSQL servers | +| **More Info** | Connection throttling slows the amount of query and error logs sent by the server from the same IP address, limiting DoS attacks or the slowing down of servers due to excessive legitimate user logs. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal | +| **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the connection_throttling setting enabled. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/postgresqlserver/enforce-ssl-connection-enabled.md b/en/azure/postgresqlserver/enforce-ssl-connection-enabled.md new file mode 100644 index 000000000..cdf244dbb --- /dev/null +++ b/en/azure/postgresqlserver/enforce-ssl-connection-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Enforce SSL Connection Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Enforce SSL Connection Enabled | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures SSL connections are enforced on PostgreSQL Servers | +| **More Info** | SSL prevents infiltration attacks by encrypting the data stream between the server and application. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security | +| **Recommended Action** | Ensure the connection security settings of each PostgreSQL server are configured to enforce SSL connections. | + +## Detailed Remediation Steps + diff --git a/en/azure/postgresqlserver/log-checkpoints-enabled.md b/en/azure/postgresqlserver/log-checkpoints-enabled.md new file mode 100644 index 000000000..8593b9a80 --- /dev/null +++ b/en/azure/postgresqlserver/log-checkpoints-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Log Checkpoints Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Checkpoints Enabled | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures log checkpoints are enabled for PostgreSQL servers | +| **More Info** | Log checkpoints logs queries and errors that arise in the server, enabling faster detection of incidents. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal | +| **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_checkpoints setting enabled. | + +## Detailed Remediation Steps + diff --git a/en/azure/postgresqlserver/log-connections-enabled.md b/en/azure/postgresqlserver/log-connections-enabled.md new file mode 100644 index 000000000..5fda717d3 --- /dev/null +++ b/en/azure/postgresqlserver/log-connections-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Log Connections Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Connections Enabled | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures connection logs are enabled for PostgreSQL servers | +| **More Info** | Connection logs ensure all attempted and successful connections to the server are logged. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal | +| **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_connections setting enabled. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/postgresqlserver/log-disconnections-enabled.md b/en/azure/postgresqlserver/log-disconnections-enabled.md new file mode 100644 index 000000000..ac6d16cb9 --- /dev/null +++ b/en/azure/postgresqlserver/log-disconnections-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Log Disconnections Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Disconnections Enabled | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures disconnection logs are enabled for PostgreSQL servers | +| **More Info** | Disconnection logs ensure all attempted and successful disconnections from the server are logged. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal | +| **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_disconnections setting enabled. | + +## Detailed Remediation Steps + diff --git a/en/azure/postgresqlserver/log-duration-enabled.md b/en/azure/postgresqlserver/log-duration-enabled.md new file mode 100644 index 000000000..6b5a475b6 --- /dev/null +++ b/en/azure/postgresqlserver/log-duration-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Log Duration Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Duration Enabled | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures connection duration logs are enabled for PostgreSQL servers | +| **More Info** | Connection duration logs log duration times of connections to the server and can be used to locate suspicious long-running connections. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal | +| **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_duration setting enabled. | + +## Detailed Remediation Steps + diff --git a/en/azure/postgresqlserver/log-retention-period.md b/en/azure/postgresqlserver/log-retention-period.md new file mode 100644 index 000000000..e0f6b1576 --- /dev/null +++ b/en/azure/postgresqlserver/log-retention-period.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / PostgreSQL Server / Log Retention Period + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Retention Period | +| **Cloud** | AZURE | +| **Category** | PostgreSQL Server | +| **Description** | Ensures logs are configured to be retained for 4 or more days for PostgreSQL servers | +| **More Info** | Having a long log retention policy ensures that all critical logs are stored for long enough to access and view in case of a security incident. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal | +| **Recommended Action** | Ensure the server parameters for each PostgreSQL server have the log_retention_days setting set to 4 or more days. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/queueservice/queue-service-all-access-acl.md b/en/azure/queueservice/queue-service-all-access-acl.md index d82390000..d9f64e824 100644 --- a/en/azure/queueservice/queue-service-all-access-acl.md +++ b/en/azure/queueservice/queue-service-all-access-acl.md @@ -9,10 +9,10 @@ | **Plugin Title** | Queue Service All Access ACL | | **Cloud** | AZURE | | **Category** | Queue Service | -| **Description** | Ensures Queues do not allow full write, delete, or read ACL permissions | -| **More Info** | Queues can be configured to allow to read, write or delete objects. This option should not be configured unless there is a strong business requirement. | +| **Description** | Ensures queues do not allow full write, delete, or read ACL permissions | +| **More Info** | Queues can be configured to allow object read, write or delete. This option should not be configured unless there is a strong business requirement. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/queues/storage-quickstart-queues-portal | -| **Recommended Action** | Disable global read/write/detele policies on all Queues and ensure the ACL is configured with least privileges. | +| **Recommended Action** | Disable global read, write, delete policies on all queues and ensure the ACL is configured with least privileges. | ## Detailed Remediation Steps diff --git a/en/azure/resources/management-lock-enabled.md b/en/azure/resources/management-lock-enabled.md new file mode 100644 index 000000000..318fc7ebd --- /dev/null +++ b/en/azure/resources/management-lock-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Resources / Management Lock Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Management Lock Enabled | +| **Cloud** | AZURE | +| **Category** | Resources | +| **Description** | Ensures that resources tagged as locked are actually locked | +| **More Info** | Enabling Management Locks ensures that critical resources cannot be inadvertently modified or deleted. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources | +| **Recommended Action** | 1. Go to Resources. 2. Select the resource. 3. Select the Locks blade under settings on the left side. 4. Add a lock 5. Enter the Tags Blade and add cloudsploitLock as a tag with true as its value. | + +## Detailed Remediation Steps + diff --git a/en/azure/resources/resources-usage-limits.md b/en/azure/resources/resources-usage-limits.md new file mode 100644 index 000000000..860be7de0 --- /dev/null +++ b/en/azure/resources/resources-usage-limits.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Resources / Resources Usage Limits + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Resources Usage Limits | +| **Cloud** | AZURE | +| **Category** | Resources | +| **Description** | Determines if resources are close to the Azure per-account limit | +| **More Info** | Azure limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits | +| **Recommended Action** | Check if resources are close to the account limit to avoid resource launch failures | + +## Detailed Remediation Steps + 
diff --git a/en/azure/securitycenter/admin-security-alerts-enabled.md b/en/azure/securitycenter/admin-security-alerts-enabled.md new file mode 100644 index 000000000..ebad12796 --- /dev/null +++ b/en/azure/securitycenter/admin-security-alerts-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Admin Security Alerts Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Admin Security Alerts Enabled | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that security alerts are configured to be sent to admins | +| **More Info** | Enabling security alerts to be sent to admins ensures that detected vulnerabilities and security issues are sent to the subscription admins for quick remediation. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details | +| **Recommended Action** | Ensure that security alerts are configured to be sent to subscription owners. | + +## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/application-whitelisting-enabled.md b/en/azure/securitycenter/application-whitelisting-enabled.md index a652fc0ab..34170a135 100644 --- a/en/azure/securitycenter/application-whitelisting-enabled.md +++ b/en/azure/securitycenter/application-whitelisting-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Application Whitelisting Enabled | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensure that Security Center Monitor Adaptive Application Whitelisting is enabled. | -| **More Info** | Adaptive application controls work in conjunction with machine learning to analyze processes running in a VM and helps control which applications can run in the VM. This helps harden those VMs against malware. | +| **Description** | Ensures that Security Center Monitor Adaptive Application Whitelisting is enabled | +| **More Info** | Adaptive application controls work in conjunction with machine learning to analyze processes running in a VM and help control which applications can run, hardening the VM against malware. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptiveapplication | -| **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Monitor application whitelisting" setting. 5. Ensure that it is not set to Disabled | +| **Recommended Action** | Enable Adaptive Application Controls for Virtual Machines from the Azure Security Center by ensuring AuditIfNotExists setting is used. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/auto-provisioning-enabled.md b/en/azure/securitycenter/auto-provisioning-enabled.md new file mode 100644 index 000000000..b7c4a3f9d --- /dev/null +++ b/en/azure/securitycenter/auto-provisioning-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Auto Provisioning Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Auto Provisioning Enabled | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that automatic provisioning of the monitoring agent is enabled | +| **More Info** | The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection and provides alerts. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection | +| **Recommended Action** | Ensure that the data collection settings of the subscription have Auto Provisioning set to enabled. | + +## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/monitor-blob-encryption.md b/en/azure/securitycenter/monitor-blob-encryption.md index 65775acb6..c7084c65b 100644 --- a/en/azure/securitycenter/monitor-blob-encryption.md +++ b/en/azure/securitycenter/monitor-blob-encryption.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Monitor Blob Encryption | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensures that Blob Storage Encryption monitoring is enabled. | +| **Description** | Ensures that Blob Storage Encryption monitoring is enabled | | **More Info** | When this setting is enabled, Security Center audits blob encryption in all storage accounts to enhance data at rest protection. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policies | -| **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Audit missing blob encryption for storage accounts." setting. 5. Ensure that it is not set to Disabled | +| **Recommended Action** | Enable Adaptive Application Controls for Storage Accounts from the Azure Security Center by ensuring AuditIfNotExists setting is used for blob encryption. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/monitor-disk-encryption.md b/en/azure/securitycenter/monitor-disk-encryption.md index 15f68912c..f14661906 100644 --- a/en/azure/securitycenter/monitor-disk-encryption.md +++ b/en/azure/securitycenter/monitor-disk-encryption.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Monitor Disk Encryption | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensures Disk Encryption monitoring is enabled in Security Center. | -| **More Info** | When this setting is enabled, Security Center audits disk encryption in all virtual machines (Windows and Linux as well) to enhance data at rest protection. | +| **Description** | Ensures Disk Encryption monitoring is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center audits disk encryption in all virtual machines to enhance data at rest protection. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | -| **Recommended Action** | 1. Go to Azure Security Center 2. Click On the security policy to Open Policy Management Blade. 3. Click Subscription View 4. Click on Subscription Name to open Security Policy Blade for the Subscription. 5. Expand Compute And Apps 6. Ensure that Disk Encryption is not set to Disabled | +| **Recommended Action** | Enable Adaptive Application Controls for Disk Encryption from the Azure Security Center by ensuring AuditIfNotExists setting is used for virtual machines. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/monitor-endpoint-protection.md b/en/azure/securitycenter/monitor-endpoint-protection.md new file mode 100644 index 000000000..d86532b2f --- /dev/null +++ b/en/azure/securitycenter/monitor-endpoint-protection.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Monitor Endpoint Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor Endpoint Protection | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures Endpoint Protection monitoring is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center audits the Endpoint Protection setting for all virtual machines for malware protection. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Enable Adaptive Application Controls for Endpoint Protection from the Azure Security Center by ensuring AuditIfNotExists setting is used to monitor missing Endpoint Protection. | + +## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/monitor-jit-network-access.md b/en/azure/securitycenter/monitor-jit-network-access.md new file mode 100644 index 000000000..a464dc493 --- /dev/null +++ b/en/azure/securitycenter/monitor-jit-network-access.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Monitor JIT Network Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor JIT Network Access | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures Just In Time Network Access monitoring is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center audits Just In Time Network Access on all virtual machines (Windows and Linux as well) to enhance data protection at rest | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Ensure JIT Network Access monitoring is configured for compute and apps from the Azure Security Center. | + +## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/monitor-nsg-enabled.md b/en/azure/securitycenter/monitor-nsg-enabled.md new file mode 100644 index 000000000..ac699fbe9 --- /dev/null +++ b/en/azure/securitycenter/monitor-nsg-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Monitor NSG Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor NSG Enabled | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures Network Security Groups monitoring is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center will audit the Network Security Groups that are enabled on the VM for permissive rules. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Ensure Network Security Group monitoring is configured from the Azure Security Center. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/securitycenter/monitor-sql-auditing.md b/en/azure/securitycenter/monitor-sql-auditing.md index 545f4b17a..fae891258 100644 --- a/en/azure/securitycenter/monitor-sql-auditing.md +++ b/en/azure/securitycenter/monitor-sql-auditing.md @@ -9,10 +9,10 @@ | **Plugin Title** | Monitor SQL Auditing | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensure that Monitor SQL Auditing is enabled in Security Center. | -| **More Info** | When this setting is Disabled, Security Center will ignore monitoring of unaudited SQL databases. | +| **Description** | Ensures that Monitor SQL Auditing is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center will monitor SQL databases. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | -| **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Monitor SQL auditing" setting. 5. Ensure that it is not set to Disabled | +| **Recommended Action** | Ensure SQL auditing monitoring is configured for SQL databases from the Azure Security Center. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/monitor-sql-encryption.md b/en/azure/securitycenter/monitor-sql-encryption.md index 34c5c51b1..366070e28 100644 --- a/en/azure/securitycenter/monitor-sql-encryption.md +++ b/en/azure/securitycenter/monitor-sql-encryption.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Monitor SQL Encryption | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensure that Monitor SQL Encryption is enabled in Security Center. | -| **More Info** | When this setting is Disabled, Security Center will ignore unencrypted SQL databases, associated backups, and transaction log files. | +| **Description** | Ensures that Monitor SQL Encryption is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center will monitor for unencrypted SQL databases, associated backups, and transaction log files. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | -| **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Monitor SQL encryption" setting. 5. Ensure that it is not set to Disabled | +| **Recommended Action** | Ensure SQL encryption monitoring is configured for SQL databases from the Azure Security Center. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/monitor-system-updates.md b/en/azure/securitycenter/monitor-system-updates.md new file mode 100644 index 000000000..f3ba2692d --- /dev/null +++ b/en/azure/securitycenter/monitor-system-updates.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Monitor System Updates + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitor System Updates | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that Monitor System Updates is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center will audit virtual machines for pending OS or system updates. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | +| **Recommended Action** | Ensure System Update monitoring is configured for virtual machines from the Azure Security Center. | + +## Detailed Remediation Steps + diff --git a/en/azure/securitycenter/monitor-vm-vulnerability.md b/en/azure/securitycenter/monitor-vm-vulnerability.md index 8b932f529..096f16dd2 100644 --- a/en/azure/securitycenter/monitor-vm-vulnerability.md +++ b/en/azure/securitycenter/monitor-vm-vulnerability.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Monitor VM Vulnerability | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensure that Monitor Vulnerability Assessment is enabled in Security Center. | -| **More Info** | When this setting is Disabled, Security Center will ignore Virtual Machine vulnerabilities detected. | +| **Description** | Ensures that Monitor Vulnerability Assessment is enabled in Security Center. | +| **More Info** | When this setting is enabled, Security Center will monitor virtual machines for detected vulnerabilities. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-policy-definitions | -| **Recommended Action** | 1. Go to Azure Security Center 2. Click on Security policy 3. Click on your Subscription Name 4. Look for the "Monitor vulnerability assessment" setting. 5. Ensure that it is not set to Disabled | +| **Recommended Action** | Ensure VM Vulnerability monitoring is configured for virtual machines from the Azure Security Center. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/security-configuration-monitoring.md b/en/azure/securitycenter/security-configuration-monitoring.md index b616b16f7..449c0f621 100644 --- a/en/azure/securitycenter/security-configuration-monitoring.md +++ b/en/azure/securitycenter/security-configuration-monitoring.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Security Configuration Monitoring | | **Cloud** | AZURE | | **Category** | Security Center | -| **Description** | Ensure that Security Configuration Monitoring is set to audit on the Default Policy | -| **More Info** | By enabling audit on Security Configuration Monitoring, Security Vulnerabilities on machines can be detected, keeping security up to date and following security best practices. | +| **Description** | Ensures that Security Configuration Monitoring is enabled in Security Center | +| **More Info** | When this setting is enabled, Security Center will monitor virtual machines for security configurations. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/overview | -| **Recommended Action** | 1. Navigate to the Policy service. 2. Select the Assignments blade. 3. Select the ASC Default policy. 4. Select Edit Assignment and Look for Vulnerabilities in Security Configuration On Your Machine Should Be Remediated and select AuditIfNotExists in the drop down menu. | +| **Recommended Action** | Ensure Security Configuration Monitoring is configured for virtual machines from the Azure Security Center. | ## Detailed Remediation Steps diff --git a/en/azure/securitycenter/security-contacts-enabled.md b/en/azure/securitycenter/security-contacts-enabled.md new file mode 100644 index 000000000..438ce0e7c --- /dev/null +++ b/en/azure/securitycenter/security-contacts-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Security Center / Security Contacts Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Security Contacts Enabled | +| **Cloud** | AZURE | +| **Category** | Security Center | +| **Description** | Ensures that security contact phone number and email address are set | +| **More Info** | Setting security contacts ensures that any security incidents detected by Azure are sent to a security team equipped to handle the incident. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details | +| **Recommended Action** | Ensure that email notifications are configured for the subscription from the Security Center. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqldatabases/database-auditing-enabled.md b/en/azure/sqldatabases/database-auditing-enabled.md new file mode 100644 index 000000000..d2e68bac9 --- /dev/null +++ b/en/azure/sqldatabases/database-auditing-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Databases / Database Auditing Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Database Auditing Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Databases | +| **Description** | Ensures that SQL Database Auditing is enabled | +| **More Info** | Enabling SQL Database Auditing ensures that all database activities are being logged properly, including potential malicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-databases | +| **Recommended Action** | Ensure that auditing is enabled for each SQL database. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/sqldatabases/db-restorable.md b/en/azure/sqldatabases/db-restorable.md new file mode 100644 index 000000000..ec60e3b57 --- /dev/null +++ b/en/azure/sqldatabases/db-restorable.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Databases / DB Restorable + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Restorable | +| **Cloud** | AZURE | +| **Category** | SQL Databases | +| **Description** | Ensures SQL Database instances can be restored to a recent point | +| **More Info** | Automated backups of SQL databases with recent restore points help ensure that database recovery operations can occur without significant data loss. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-recovery-using-backups | +| **Recommended Action** | Ensure that each SQL database has automated backups configured with a sufficient retention period and that the last known backup operation completes successfully. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqldatabases/sql-db-multiple-az.md b/en/azure/sqldatabases/sql-db-multiple-az.md new file mode 100644 index 000000000..797f8e06c --- /dev/null +++ b/en/azure/sqldatabases/sql-db-multiple-az.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Databases / SQL DB Multiple AZ + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL DB Multiple AZ | +| **Cloud** | AZURE | +| **Category** | SQL Databases | +| **Description** | Ensures that SQL Database instances are created to be cross-AZ for high availability | +| **More Info** | Creating SQL Database instances in a single availability zone creates a single point of failure for all systems relying on that database. All SQL Database instances should be created in multiple availability zones to ensure proper failover. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-high-availability#zone-redundant-configuration | +| **Recommended Action** | Ensure that each SQL Database is configured to be zone redundant. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqlserver/advanced-data-security-enabled.md b/en/azure/sqlserver/advanced-data-security-enabled.md new file mode 100644 index 000000000..244cf9681 --- /dev/null +++ b/en/azure/sqlserver/advanced-data-security-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Advanced Data Security Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Advanced Data Security Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that Advanced Data Security is enabled for SQL Servers | +| **More Info** | Enabling Advanced Data Security on all SQL Servers ensures that SQL server data is encrypted and monitored for unusual activity, vulnerabilities, and threats. | +| **AZURE Link** | https://docs.microsoft.com/en-gb/azure/sql-database/sql-database-advanced-data-security | +| **Recommended Action** | Ensure that Advanced Data Security is enabled for all SQL Servers. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqlserver/audit-action-groups-enabled.md b/en/azure/sqlserver/audit-action-groups-enabled.md new file mode 100644 index 000000000..5f19dde3d --- /dev/null +++ b/en/azure/sqlserver/audit-action-groups-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / Audit Action Groups Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Audit Action Groups Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that SQL Server Audit Action and Groups is configured properly | +| **More Info** | SQL Server Audit Action and Groups should be configured to at least include SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing | +| **Recommended Action** | If SQL Server Audit Action and Groups is not configured properly when enabling Auditing, these settings must be configured in Powershell. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/sqlserver/sql-server-public-access.md b/en/azure/sqlserver/sql-server-public-access.md new file mode 100644 index 000000000..9adb52eb6 --- /dev/null +++ b/en/azure/sqlserver/sql-server-public-access.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Server / SQL Server Public Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | SQL Server Public Access | +| **Cloud** | AZURE | +| **Category** | SQL Server | +| **Description** | Ensures that SQL Servers do not allow public access | +| **More Info** | Unless there is a specific business requirement, SQL Server instances should not have a public endpoint and should only be accessed from within a VNET. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview/ | +| **Recommended Action** | Ensure that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqlserver/tde-protector-encrypted.md b/en/azure/sqlserver/tde-protector-encrypted.md index 1b670a1c6..026067234 100644 --- a/en/azure/sqlserver/tde-protector-encrypted.md +++ b/en/azure/sqlserver/tde-protector-encrypted.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | TDE Protector Encrypted | | **Cloud** | AZURE | | **Category** | SQL Server | -| **Description** | Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) | +| **Description** | Ensures SQL Server TDE protector is encrypted with BYOK (Bring Your Own Key) | | **More Info** | Enabling BYOK in the TDE protector allows for greater control and transparency, as well as increasing security by having full control of the encryption keys. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-byok-azure-sql | -| **Recommended Action** | 1. Enter the SQL Server category in the Azure portal. 2. Choose the sql server. 3. Enter the Transparent Data Encryption blade. 4. Enable Use Your Own Key. 5. Select an existing key or create one. | +| **Recommended Action** | Ensure that a BYOK key is set for the Transparent Data Encryption of each SQL Server. | ## Detailed Remediation Steps diff --git a/en/azure/sqlservers/audit-retention-policy.md b/en/azure/sqlservers/audit-retention-policy.md new file mode 100644 index 000000000..6ec64fecd --- /dev/null +++ b/en/azure/sqlservers/audit-retention-policy.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Servers / Audit Retention Policy + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Audit Retention Policy | +| **Cloud** | AZURE | +| **Category** | SQL Servers | +| **Description** | Ensures that SQL Server Auditing retention policy is set to greater than 90 days | +| **More Info** | Enabling SQL Server Auditing ensures that all activities are being logged properly, including potentially-malicious activity. Having a long retention policy ensures that all logs are kept for auditing and legal purposes. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing | +| **Recommended Action** | Ensure that the storage account retention policy for each SQL server is set to greater than 90 days. | + +## Detailed Remediation Steps + diff --git a/en/azure/sqlservers/server-auditing-enabled.md b/en/azure/sqlservers/server-auditing-enabled.md new file mode 100644 index 000000000..063e59424 --- /dev/null +++ b/en/azure/sqlservers/server-auditing-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / SQL Servers / Server Auditing Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Server Auditing Enabled | +| **Cloud** | AZURE | +| **Category** | SQL Servers | +| **Description** | Ensures that SQL Server Auditing is enabled for SQL servers | +| **More Info** | Enabling SQL Server Auditing ensures that all activities are being logged properly, including potentially-malicious activity. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing | +| **Recommended Action** | Ensure that auditing is enabled for each SQL server. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/storageaccounts/blob-service-encryption.md b/en/azure/storageaccounts/blob-service-encryption.md new file mode 100644 index 000000000..da22f934b --- /dev/null +++ b/en/azure/storageaccounts/blob-service-encryption.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Storage Accounts / Blob Service Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Blob Service Encryption | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensures encryption is properly configured for Blob Services | +| **More Info** | Blob Services can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt Blob Services, but the recommended approach is to create your own keys using Azure Key Vault. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption | +| **Recommended Action** | Ensure that Blob Service is configured to use a customer-provided key vault key. | + +## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/file-service-encryption.md b/en/azure/storageaccounts/file-service-encryption.md new file mode 100644 index 000000000..40b47464a --- /dev/null +++ b/en/azure/storageaccounts/file-service-encryption.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Storage Accounts / File Service Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | File Service Encryption | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensures data encryption is enabled for File Services | +| **More Info** | File Service encryption protects your data at rest. Azure Storage encrypts your data and automatically decrypts it for you as you access it. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption | +| **Recommended Action** | Ensure that data encryption is enabled for each File Service. | + +## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/log-container-public-access.md b/en/azure/storageaccounts/log-container-public-access.md index 695a19f4a..104fd4518 100644 --- a/en/azure/storageaccounts/log-container-public-access.md +++ b/en/azure/storageaccounts/log-container-public-access.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Log Container Public Access | | **Cloud** | AZURE | | **Category** | Storage Accounts | -| **Description** | Ensure that the Activity Log Container does not have public read access. | -| **More Info** | Enabling private access only on the Activity Log Storage Container ensures that log data is secured and only accessible from within, following security best practices. | +| **Description** | Ensures that the Activity Log Container does not have public read access | +| **More Info** | The container used to store Activity Log data should not be exposed publicly to avoid data exposure of sensitive activity logs. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources | -| **Recommended Action** | 1. Enter the activity log service. 2. Choose the export option. 3. Note the storage container in use. 4. Enter the storage account in use by navigating to the storage accounts service. 5. Select the Blob blade under Blob Service. 6. Select insights-operational-logs. 7. Click on Access Level and ensure that access is set to private. | +| **Recommended Action** | Ensure the access level for the storage account containing Activity Log data is set to private. | ## Detailed Remediation Steps diff --git a/en/azure/storageaccounts/log-storage-encryption.md b/en/azure/storageaccounts/log-storage-encryption.md index 8d21f52cd..98e8d5343 100644 --- a/en/azure/storageaccounts/log-storage-encryption.md +++ b/en/azure/storageaccounts/log-storage-encryption.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Log Storage Encryption | | **Cloud** | AZURE | | **Category** | Storage Accounts | -| **Description** | Ensures BYOK encryption is properly configured in the Activity Log Storage Account. | -| **More Info** | Storage accounts can be configured to encrypt data-at-rest, by default Azure will create a set of keys to encrypt your storage account, but the recommended approach is to create your own keys using Azure Key Vault. | +| **Description** | Ensures BYOK encryption is properly configured in the Activity Log Storage Account | +| **More Info** | Storage accounts can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt the storage account, but the recommended approach is to create your own keys using Azure Key Vault. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys | -| **Recommended Action** | 1. Enter the activity log service. 2. Choose the export option. 3. Note the storage container in use. 4. Enter the storage account in use by navigating to the storage accounts service. 5. Navigate to encryption and enable Use Your Own Key. | +| **Recommended Action** | Ensure the Storage Account used by Activity Logs is configured with a BYOK key. | ## Detailed Remediation Steps diff --git a/en/azure/storageaccounts/network-access-default-action.md b/en/azure/storageaccounts/network-access-default-action.md index 3b1235b98..990acd900 100644 --- a/en/azure/storageaccounts/network-access-default-action.md +++ b/en/azure/storageaccounts/network-access-default-action.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Network Access Default Action | | **Cloud** | AZURE | | **Category** | Storage Accounts | -| **Description** | Ensure that Storage Account access is restricted to trusted networks. | -| **More Info** | Storage Accounts should be configured to accept traffic only from trusted networks. By default, all networks are selected but can be changed when creating a new storage account or in firewall settings. | +| **Description** | Ensures that Storage Account access is restricted to trusted networks | +| **More Info** | Storage Accounts should be configured to accept traffic only from trusted networks. By default, all networks are selected but can be changed when creating a new storage account or in the firewall settings. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security | -| **Recommended Action** | Go to your Storage Account, select "Firewalls and virtual networks", ensure that allow access from all networks is not selected. | +| **Recommended Action** | Configure the firewall of each Storage Account to allow access only from known virtual networks. | ## Detailed Remediation Steps diff --git a/en/azure/storageaccounts/storage-accounts-aad-enabled.md b/en/azure/storageaccounts/storage-accounts-aad-enabled.md new file mode 100644 index 000000000..05156dcab --- /dev/null +++ b/en/azure/storageaccounts/storage-accounts-aad-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Storage Accounts / Storage Accounts AAD Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Storage Accounts AAD Enabled | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensures that identity-based Directory Service for Azure File Authentication is enabled for all Azure Files | +| **More Info** | Enabling identity-based Authentication ensures that only the authorized Active Directory members can access or connect to the file shares, enforcing granular access control. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview | +| **Recommended Action** | Ensure that identity-based Directory Service for Azure File Authentication is enabled for all Azure File Shares. | + +## Detailed Remediation Steps + diff --git a/en/azure/storageaccounts/storage-accounts-encryption.md b/en/azure/storageaccounts/storage-accounts-encryption.md index b4b96c818..a0d81bd9b 100644 --- a/en/azure/storageaccounts/storage-accounts-encryption.md +++ b/en/azure/storageaccounts/storage-accounts-encryption.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Storage Accounts Encryption | | **Cloud** | AZURE | | **Category** | Storage Accounts | -| **Description** | Ensures encryption is properly configured in storage accounts to protect data-at-rest and meet compliance requirements. | -| **More Info** | Storage accounts can be configured to encrypt data-at-rest, by default Azure will create a set of keys to encrypt your storage account, but the recommended approach is to create your own keys using Azure Key Vault. | +| **Description** | Ensures encryption is enabled for Storage Accounts | +| **More Info** | Storage accounts can be configured to encrypt data-at-rest. By default Azure will create a set of keys to encrypt the storage account, but the recommended approach is to create your own keys using Azure Key Vault. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys | -| **Recommended Action** | Go to your Storage Account, select Encryption, and check the box to use your own key, then select Key Vault, create a new vault if needed; then select Encryption key and create a new key if needed, at a minimum, set an activation date for your key to help with your key rotation policy, click Save when done. | +| **Recommended Action** | Ensure all Storage Accounts are configured with a BYOK key. | ## Detailed Remediation Steps diff --git a/en/azure/storageaccounts/storage-accounts-https.md b/en/azure/storageaccounts/storage-accounts-https.md index 764cdf322..42c09f9f2 100644 --- a/en/azure/storageaccounts/storage-accounts-https.md +++ b/en/azure/storageaccounts/storage-accounts-https.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Storage Accounts HTTPS | | **Cloud** | AZURE | | **Category** | Storage Accounts | -| **Description** | Ensures HTTPS-only traffic is allowed to storage account endpoints. | -| **More Info** | Storage accounts can contain sensitive information and should only be accessed over HTTPS. Enabling the HTTPS-only flag ensures that Azure does not allow HTTP traffic to storage accounts. | +| **Description** | Ensures HTTPS-only traffic is allowed to storage account endpoints | +| **More Info** | Storage Accounts can contain sensitive information and should only be accessed over HTTPS. Enabling the HTTPS-only flag ensures that Azure does not allow HTTP traffic to Storage Accounts. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/samples/ensure-https-storage-account | -| **Recommended Action** | Enable the HTTPS-only option for all storage accounts. | +| **Recommended Action** | Enable the HTTPS-only option for all Storage Accounts. | ## Detailed Remediation Steps diff --git a/en/azure/storageaccounts/trusted-ms-access-enabled.md b/en/azure/storageaccounts/trusted-ms-access-enabled.md new file mode 100644 index 000000000..583e87b01 --- /dev/null +++ b/en/azure/storageaccounts/trusted-ms-access-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Storage Accounts / Trusted MS Access Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Trusted MS Access Enabled | +| **Cloud** | AZURE | +| **Category** | Storage Accounts | +| **Description** | Ensures that Trusted Microsoft Services Access is enabled on Storage Accounts | +| **More Info** | Enabling firewall rules on Storage Accounts blocks all access by default. To ensure that Microsoft and Azure services that connect to the Storage Account still retain access, trusted Microsoft services should be allowed to access the storage account. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security | +| **Recommended Action** | For each Storage Account, configure an exception for trusted Microsoft services. | + +## Detailed Remediation Steps + diff --git a/en/azure/tableservice/table-service-all-access-acl.md b/en/azure/tableservice/table-service-all-access-acl.md index f3e330717..0c56791ef 100644 --- a/en/azure/tableservice/table-service-all-access-acl.md +++ b/en/azure/tableservice/table-service-all-access-acl.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | Table Service All Access ACL | | **Cloud** | AZURE | | **Category** | Table Service | -| **Description** | Ensures Tables do not allow full write, delete, or read ACL permissions | -| **More Info** | Tables can be configured to allow to read, write or delete objects. This option should not be configured unless there is a strong business requirement. | +| **Description** | Ensures tables do not allow full write, delete, or read ACL permissions | +| **More Info** | Table Service tables can be configured to allow to read, write or delete on objects. This option should not be configured unless there is a strong business requirement. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-quickstart-portal | -| **Recommended Action** | Disable global read/write/detele policies on all Tables and ensure the ACL is configured with least privileges. | +| **Recommended Action** | Disable global read, write, and delete policies on all tables and ensure the ACL is configured with least privileges. | ## Detailed Remediation Steps diff --git a/en/azure/virtualmachines/classic-instances.md b/en/azure/virtualmachines/classic-instances.md new file mode 100644 index 000000000..e3a4cdb24 --- /dev/null +++ b/en/azure/virtualmachines/classic-instances.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Classic Instances + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Classic Instances | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures Azure Resource Manager is being used for instances instead of Cloud Services (VM Classic) | +| **More Info** | ARM is the latest and most secure method of launching Azure resources. VM Classic should not be used. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview | +| **Recommended Action** | Migrate instances from Cloud Service to ARM. | + +## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/scale-set-multi-az.md b/en/azure/virtualmachines/scale-set-multi-az.md new file mode 100644 index 000000000..810cf2b7b --- /dev/null +++ b/en/azure/virtualmachines/scale-set-multi-az.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Scale Set Multi Az + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Scale Set Multi Az | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Virtual Machine Scale Sets are created to be cross-AZ for high availability | +| **More Info** | Having Virtual Machine Scale Sets in multiple zones increases durability and availability. If there is a catastrophic instance in one zone, the scale set will still be available. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview | +| **Recommended Action** | Multiple zones can only be created when instantiating a new Scale Set. Ensure that the Scale Set is in multiple zones when creating a new Scale Set. | + +## Detailed Remediation Steps + 
diff --git a/en/azure/virtualmachines/scale-sets-autoscale-enabled.md b/en/azure/virtualmachines/scale-sets-autoscale-enabled.md new file mode 100644 index 000000000..bf5ede200 --- /dev/null +++ b/en/azure/virtualmachines/scale-sets-autoscale-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / Scale Sets Autoscale Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Scale Sets Autoscale Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Virtual Machine scale sets have autoscale enabled for high availability | +| **More Info** | Autoscale automatically creates new instances when certain metrics are surpassed, or can destroy instances that are being underutilized. This creates a highly available scale set. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview | +| **Recommended Action** | Ensure that autoscale is enabled for all Virtual Machine Scale Sets. | + +## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-agent-enabled.md b/en/azure/virtualmachines/vm-agent-enabled.md index 3cccd72e4..42b92fda2 100644 --- a/en/azure/virtualmachines/vm-agent-enabled.md +++ b/en/azure/virtualmachines/vm-agent-enabled.md 
@@ -9,10 +9,10 @@ | **Plugin Title** | VM Agent Enabled | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensure that the VM Agent is enabled | -| **More Info** | The VM agent must be enabled on Azure virtual machines (VMs) in order to enable Azure Security center for data collection | +| **Description** | Ensures that the VM Agent is enabled for virtual machines | +| **More Info** | The VM agent must be enabled on Azure virtual machines in order to enable Azure Security Center for data collection. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-vm-agent | -| **Recommended Action** | Enable the VM agent for all virtual machines | +| **Recommended Action** | Enable the VM agent for all virtual machines. | ## Detailed Remediation Steps diff --git a/en/azure/virtualmachines/vm-auto-update-enabled.md b/en/azure/virtualmachines/vm-auto-update-enabled.md index 83db52a2a..9ee413202 100644 --- a/en/azure/virtualmachines/vm-auto-update-enabled.md +++ b/en/azure/virtualmachines/vm-auto-update-enabled.md @@ -9,8 +9,8 @@ | **Plugin Title** | VM Auto Update Enabled | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensure that VM Auto Update is enabled | -| **More Info** | Enabling auto update for the VMs will reduce the security risk of missing security patches | +| **Description** | Ensures that VM Auto Update is enabled for virtual machines | +| **More Info** | Enabling Auto Update on Azure virtual machines reduces the security risk of missing security patches. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows-or-linux/maintenance-and-updates | | **Recommended Action** | Enable VM auto update on all virtual machines | diff --git a/en/azure/virtualmachines/vm-availability-set-enabled.md b/en/azure/virtualmachines/vm-availability-set-enabled.md new file mode 100644 index 000000000..c5c7eb776 --- /dev/null 
+++ b/en/azure/virtualmachines/vm-availability-set-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Availability Set Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Availability Set Enabled | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Ensures that Virtual Machines have Availability Set enabled | +| **More Info** | Enabling Availability Sets ensures that during either a planned or unplanned maintenance event, the virtual machine will still be available. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/manage-availability | +| **Recommended Action** | Virtual Machine Availability Sets can only be configured when creating a new virtual machine. Recreate the Virtual Machine with Availability Sets enabled. | + +## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-availability-set-limit.md b/en/azure/virtualmachines/vm-availability-set-limit.md new file mode 100644 index 000000000..4436cd53b --- /dev/null +++ b/en/azure/virtualmachines/vm-availability-set-limit.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Availability Set Limit + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Availability Set Limit | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Determine if the number of VM instances is close to the Azure per-availability set limit | +| **More Info** | Azure limits availability sets to certain numbers of resources. Exceeding those limits could prevent resources from launching. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview | +| **Recommended Action** | Contact Azure support to increase the number of instances available | + +## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-data-disk-encryption.md b/en/azure/virtualmachines/vm-data-disk-encryption.md index a200e8744..8433e0c1d 100644 --- a/en/azure/virtualmachines/vm-data-disk-encryption.md +++ b/en/azure/virtualmachines/vm-data-disk-encryption.md @@ -9,8 +9,8 @@ | **Plugin Title** | VM Data Disk Encryption | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensure that VM Data Disk Encryption is enabled | -| **More Info** | Encrypting your IaaS VM Data disks (non-boot volume) ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads | +| **Description** | Ensure that Data Disk Encryption is enabled for virtual machines | +| **More Info** | Encrypting VM Data Disks (non-boot volume) ensures that its entire contents are fully unrecoverable without a key, protecting the volume from unwarranted reads | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-disk-encryption | | **Recommended Action** | Enable VM Data Disk Encryption on all virtual machines | 
diff --git a/en/azure/virtualmachines/vm-endpoint-protection.md b/en/azure/virtualmachines/vm-endpoint-protection.md index f9dacd57d..5ee6d6109 100644 --- a/en/azure/virtualmachines/vm-endpoint-protection.md +++ b/en/azure/virtualmachines/vm-endpoint-protection.md @@ -9,10 +9,10 @@ | **Plugin Title** | VM Endpoint Protection | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensure that the VM Endpoint Protection is installed for all VMs | -| **More Info** | Installing endpoint protection systems (like Antimalware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems | +| **Description** | Ensures that VM Endpoint Protection is enabled for all virutal machines | +| **More Info** | Installing endpoint protection systems provides for real-time protection capabilities that help identify and remove viruses, spyware, and other malicious software, with configurable alerts for malicious or unwanted software. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection | -| **Recommended Action** | Install endpoint protection on your Azure systems | +| **Recommended Action** | Install endpoint protection on all virtual machines. | ## Detailed Remediation Steps diff --git a/en/azure/virtualmachines/vm-instance-limit.md b/en/azure/virtualmachines/vm-instance-limit.md new file mode 100644 index 000000000..ae5aa378b --- /dev/null +++ b/en/azure/virtualmachines/vm-instance-limit.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Machines / VM Instance Limit + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Instance Limit | +| **Cloud** | AZURE | +| **Category** | Virtual Machines | +| **Description** | Determines if the number of VM instances is close to the Azure per-region limit | +| **More Info** | Azure limits regions to certain numbers of resources. Exceeding those limits could prevent resources from launching. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview | +| **Recommended Action** | Contact Azure support to increase the number of instances available | + +## Detailed Remediation Steps + diff --git a/en/azure/virtualmachines/vm-os-disk-encryption.md b/en/azure/virtualmachines/vm-os-disk-encryption.md index ecce89cd8..432ee7346 100644 --- a/en/azure/virtualmachines/vm-os-disk-encryption.md +++ b/en/azure/virtualmachines/vm-os-disk-encryption.md @@ -9,8 +9,8 @@ | **Plugin Title** | VM OS Disk Encryption | | **Cloud** | AZURE | | **Category** | Virtual Machines | -| **Description** | Ensure that VM OS Disk Encryption is enabled | -| **More Info** | Encrypting your IaaS VM OS disk (boot volume) ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. | +| **Description** | Ensures that VM OS Disk Encryption is enabled for virtual machines | +| **More Info** | Encrypting VM OS disks (boot volume) ensures that the entire contents are fully unrecoverable without a key, protecting the volume from unwarranted reads. | | **AZURE Link** | https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-disk-encryption | | **Recommended Action** | Enable VM OS Disk Encryption on all virtual machines | 
diff --git a/en/azure/virtualnetworks/multiple-subnets.md b/en/azure/virtualnetworks/multiple-subnets.md new file mode 100644 index 000000000..f548abb78 --- /dev/null +++ b/en/azure/virtualnetworks/multiple-subnets.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AZURE / Virtual Networks / Multiple Subnets + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Multiple Subnets | +| **Cloud** | AZURE | +| **Category** | Virtual Networks | +| **Description** | Ensures that Virtual Networks have multiple networks to provide a layered architecture | +| **More Info** | A single network within a Virtual Network increases the risk of a broader blast radius in the event of a compromise. | +| **AZURE Link** | https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm | +| **Recommended Action** | Create multiple networks/subnets in each Virtual Network and change the architecture to take advantage of public and private tiers. | + +## Detailed Remediation Steps + diff --git a/en/github/orgs/org-default-permission.md b/en/github/orgs/org-default-permission.md new file mode 100644 index 000000000..fd269d1e4 --- /dev/null +++ b/en/github/orgs/org-default-permission.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Orgs / Org Default Permission + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Org Default Permission | +| **Cloud** | GITHUB | +| **Category** | Orgs | +| **Description** | Checks the default permission given to new users added to an organization. | +| **More Info** | The default permission given to new organization users should be set to none. Read permissions risk exposing private repositories, while write or admin permissions risk sensitive access to repositories for new users. | +| **GITHUB Link** | https://help.github.com/en/articles/repository-permission-levels-for-an-organization | +| **Recommended Action** | Set the default permission to none or read-only and assign permissions on a more granular repository level. | + +## Detailed Remediation Steps + diff --git a/en/github/orgs/org-excessive-owners.md b/en/github/orgs/org-excessive-owners.md new file mode 100644 index 000000000..1f5eca1ef --- /dev/null +++ b/en/github/orgs/org-excessive-owners.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Orgs / Org Excessive Owners + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Org Excessive Owners | +| **Cloud** | GITHUB | +| **Category** | Orgs | +| **Description** | Checks whether the organization has an excessive number of owners relative to its size. | +| **More Info** | Having too many owners of a Git organization increases the risk of a serious compromise from lost credentials. | +| **GITHUB Link** | https://help.github.com/en/articles/permission-levels-for-an-organization | +| **Recommended Action** | Reduce the number of owners for the organization and use repository-level permissions for more granular control. | + +## Detailed Remediation Steps + 
diff --git a/en/github/orgs/org-mfa-required.md b/en/github/orgs/org-mfa-required.md new file mode 100644 index 000000000..a75b7b433 --- /dev/null +++ b/en/github/orgs/org-mfa-required.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Orgs / Org MFA Required + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Org MFA Required | +| **Cloud** | GITHUB | +| **Category** | Orgs | +| **Description** | Checks whether multi-factor authentication is required at the org-level. | +| **More Info** | MFA should be enabled and enforced for all users of an organization. | +| **GITHUB Link** | https://help.github.com/en/articles/requiring-two-factor-authentication-in-your-organization | +| **Recommended Action** | Enable the setting that requires two-factor authentication for everyone in the organization. | + +## Detailed Remediation Steps + diff --git a/en/github/orgs/org-plan-limit.md b/en/github/orgs/org-plan-limit.md new file mode 100644 index 000000000..46b36d626 --- /dev/null +++ b/en/github/orgs/org-plan-limit.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Orgs / Org Plan Limit + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Org Plan Limit | +| **Cloud** | GITHUB | +| **Category** | Orgs | +| **Description** | Checks that the number of seats is not close to the limit of available licensed seats. | +| **More Info** | Running out of licenses will prevent developers from adding new users. | +| **GITHUB Link** | https://developer.github.com/v3/orgs/#get-an-organization | +| **Recommended Action** | Remove unused users or update GitHub payment plan to support more licensed seats. | + +## Detailed Remediation Steps + diff --git a/en/github/repos/repo-deploy-keys-rotated.md b/en/github/repos/repo-deploy-keys-rotated.md new file mode 100644 index 000000000..fcadaf628 
--- /dev/null +++ b/en/github/repos/repo-deploy-keys-rotated.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Repos / Repo Deploy Keys Rotated + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Repo Deploy Keys Rotated | +| **Cloud** | GITHUB | +| **Category** | Repos | +| **Description** | Ensures deploy keys associated with a repository are rotated regularly. | +| **More Info** | Deploy keys can have significant access to a repository and should be rotated on a regular basis. | +| **GITHUB Link** | https://developer.github.com/v3/guides/managing-deploy-keys/ | +| **Recommended Action** | Create a new deploy key in GitHub, update the associated applications, and then delete the old key from GitHub. | + +## Detailed Remediation Steps + diff --git a/en/github/repos/repo-outside-collaborators.md b/en/github/repos/repo-outside-collaborators.md new file mode 100644 index 000000000..497714942 --- /dev/null +++ b/en/github/repos/repo-outside-collaborators.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Repos / Repo Outside Collaborators + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Repo Outside Collaborators | +| **Cloud** | GITHUB | +| **Category** | Repos | +| **Description** | Ensures organization repositories do not have outside collaborators with admin or push permissions. | +| **More Info** | Allowing outside collaborators admin or push access to organization repositories places the organization at risk from non-member contributions that can be pushed without review. | +| **GITHUB Link** | https://help.github.com/en/articles/adding-outside-collaborators-to-repositories-in-your-organization | +| **Recommended Action** | For outside collaborators that need access to organization code, provide read access and require the collaborator to fork the repo and submit a pull request that can be reviewed by organization members. | + +## Detailed Remediation Steps + diff --git a/en/github/users/gpg-keys-rotated.md b/en/github/users/gpg-keys-rotated.md new file mode 100644 index 000000000..c73aba2f6 --- /dev/null +++ b/en/github/users/gpg-keys-rotated.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Users / GPG Keys Rotated + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | GPG Keys Rotated | +| **Cloud** | GITHUB | +| **Category** | Users | +| **Description** | Ensures GitHub GPG keys are rotated frequently. | +| **More Info** | GitHub GPG keys are used to cryptographically sign code commits and should be rotated every 180 days. | +| **GITHUB Link** | https://help.github.com/articles/generating-a-new-gpg-key/ | +| **Recommended Action** | Invalidate and delete old GPG keys and create new ones every 180 days. | + +## Detailed Remediation Steps + 
diff --git a/en/github/users/public-keys-rotated.md b/en/github/users/public-keys-rotated.md new file mode 100644 index 000000000..bd826a615 --- /dev/null +++ b/en/github/users/public-keys-rotated.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Users / Public Keys Rotated + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Public Keys Rotated | +| **Cloud** | GITHUB | +| **Category** | Users | +| **Description** | Ensures GitHub user keys are rotated frequently. | +| **More Info** | GitHub keys provide full access to repositories within an account and should be rotated every 180 days. | +| **GITHUB Link** | https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/ | +| **Recommended Action** | Invalidate and delete old SSH public keys and create new ones every 180 days. | + +## Detailed Remediation Steps + diff --git a/en/github/users/user-mfa-enabled.md b/en/github/users/user-mfa-enabled.md new file mode 100644 index 000000000..0e2dedc3d --- /dev/null +++ b/en/github/users/user-mfa-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Users / User MFA Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | User MFA Enabled | +| **Cloud** | GITHUB | +| **Category** | Users | +| **Description** | Ensures multi-factor authentication is enabled for the default user account | +| **More Info** | GitHub MFA provides additional account security by requiring an additional login device or code. All accounts should have MFA enabled. | +| **GITHUB Link** | https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/ | +| **Recommended Action** | Enable MFA on the default user account. | + +## Detailed Remediation Steps + 
diff --git a/en/github/users/user-private-emails.md b/en/github/users/user-private-emails.md new file mode 100644 index 000000000..fe8d8ff5f --- /dev/null +++ b/en/github/users/user-private-emails.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GITHUB / Users / User Private Emails + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | User Private Emails | +| **Cloud** | GITHUB | +| **Category** | Users | +| **Description** | Checks that the primary email addresse associated with a GitHub account is set to private visibility. | +| **More Info** | Email addresses added to GitHub should be set to private visibility to increase privacy and prevent account reconnaissance. | +| **GITHUB Link** | https://developer.github.com/v3/users/emails/#toggle-primary-email-visibility | +| **Recommended Action** | Change the visibility of GitHub email addresses to private. | + +## Detailed Remediation Steps + diff --git a/en/google/clb/clb-cdn-enabled.md b/en/google/clb/clb-cdn-enabled.md new file mode 100644 index 000000000..3b6c1b13b --- /dev/null +++ b/en/google/clb/clb-cdn-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / CLB / CLB CDN Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | CLB CDN Enabled | +| **Cloud** | GOOGLE | +| **Category** | CLB | +| **Description** | Ensure that Cloud CDN is enabled on all Load Balancers | +| **More Info** | Cloud CDN increases speed and reliability as well as lowers server costs. Enabling CDN on load balancers creates a highly available system and is part of GCP Best Practices | +| **GOOGLE Link** | https://cloud.google.com/cdn/docs/quickstart | +| **Recommended Action** | 1.Enter the Network Services Service. 2. Select Cloud CDN. 3. Select add origin and connect a backend service. | + +## Detailed Remediation Steps + 
diff --git a/en/google/clb/clb-https-only.md b/en/google/clb/clb-https-only.md new file mode 100644 index 000000000..751794d23 --- /dev/null +++ b/en/google/clb/clb-https-only.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / CLB / CLB HTTPS Only + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | CLB HTTPS Only | +| **Cloud** | GOOGLE | +| **Category** | CLB | +| **Description** | Ensures CLBs are configured to only accept connections on HTTPS ports. | +| **More Info** | For maximum security, CLBs can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | +| **Recommended Action** | Remove non-HTTPS listeners from load balancer. | + +## Detailed Remediation Steps + diff --git a/en/google/clb/clb-no-instances.md b/en/google/clb/clb-no-instances.md new file mode 100644 index 000000000..e0f793f8d --- /dev/null +++ b/en/google/clb/clb-no-instances.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / CLB / CLB No Instances + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | CLB No Instances | +| **Cloud** | GOOGLE | +| **Category** | CLB | +| **Description** | Detects CLBs that have no backend instances attached | +| **More Info** | GCP does not allow for Load Balancers to be configured without backend instances attached. | +| **GOOGLE Link** | https://cloud.google.com/load-balancing/docs/load-balancing-overview | +| **Recommended Action** | This Security misconfiguration is Covered by GCP. No actions necessary. | + +## Detailed Remediation Steps + 
diff --git a/en/google/clb/security-policy-enabled.md b/en/google/clb/security-policy-enabled.md new file mode 100644 index 000000000..54fe05605 --- /dev/null +++ b/en/google/clb/security-policy-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / CLB / Security Policy Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Security Policy Enabled | +| **Cloud** | GOOGLE | +| **Category** | CLB | +| **Description** | Ensure that All Backend Services have an attached Security Policy | +| **More Info** | Security Policies on Backend Services control the traffic on the load balancer. This creates edge security and can deny or allow specified IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/armor/docs/security-policy-concepts | +| **Recommended Action** | 1. Enter the Network Security Service. 2. Select Cloud Armor and create a new policy. 3. Attach the newly created policy to the backend. | + +## Detailed Remediation Steps + diff --git a/en/google/compute/autoscale-enabled.md b/en/google/compute/autoscale-enabled.md new file mode 100644 index 000000000..869cdef7e --- /dev/null +++ b/en/google/compute/autoscale-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Autoscale Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Autoscale Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures instance groups have auto-scale enabled for high availability. | +| **More Info** | Enabling auto-scale increases efficiency and improves cost management for resources. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/autoscaler/ | +| **Recommended Action** | 1. Enter the Compute service 2. Enter Instance Groups. 3. Select the Instance Group. 4. Select Edit Group and Enable Autoscaling | + +## Detailed Remediation Steps + diff --git a/en/google/compute/connect-serial-ports-disabled.md b/en/google/compute/connect-serial-ports-disabled.md new file mode 100644 index 000000000..beeff9724 --- /dev/null +++ b/en/google/compute/connect-serial-ports-disabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Connect Serial Ports Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Connect Serial Ports Disabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure Enable Connecting to Serial Ports is not enabled for VM Instance | +| **More Info** | The Serial Console does not allow restricting IP Addresses, which allows any IP address to connect to instance. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/interacting-with-serial-console | +| **Recommended Action** | 1.Enter the Compute Service. 2. Select the Instance. 3. Select Edit then deselect Enable Connecting to Serial Ports. | + +## Detailed Remediation Steps + diff --git a/en/google/compute/csek-encryption-enabled.md b/en/google/compute/csek-encryption-enabled.md new file mode 100644 index 000000000..0e50bc8bd 
--- /dev/null +++ b/en/google/compute/csek-encryption-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / CSEK Encryption Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | CSEK Encryption Enabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure Customer Supplied Encryption Key Encryption is enabled on Disks | +| **More Info** | Google encrypts all disks at rest by default. By using CSEK only the users with the key can access the disk. Anyone else, including Google, cannot access the disk ensuring maximum security on the disk. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/disks/customer-supplied-encryption | +| **Recommended Action** | CSEK can only be configured when creating a disk, Delete the disk in question and redeploy with CSEK. | + +## Detailed Remediation Steps + diff --git a/en/google/compute/instance-level-ssh-only.md b/en/google/compute/instance-level-ssh-only.md new file mode 100644 index 000000000..59d77fd9f --- /dev/null +++ b/en/google/compute/instance-level-ssh-only.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Instance Level SSH Only + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Level SSH Only | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that instances are not configured to allow Project Wide SSH keys. | +| **More Info** | To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not accessible from project wide SSH keys. These keys are accessible through metadata and can become comprimised. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys | +| **Recommended Action** | 1. Enter the Compute Service. 2. Select the Instance in question. 3. Select Edit at the top of the page. 4. Under SSH Keys ensure that Block Project-Wide SSH Keys is enabled. | + +## Detailed Remediation Steps + diff --git a/en/google/compute/instances-multi-az.md b/en/google/compute/instances-multi-az.md new file mode 100644 index 000000000..3fc9ead00 --- /dev/null +++ b/en/google/compute/instances-multi-az.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Instances Multi AZ + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instances Multi AZ | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures managed instances are regional for availability purposes. | +| **More Info** | Creating instances in a single zone creates a single point of failure for all systems in the VPC. All managed instances should be created as Regional to ensure proper failover. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | +| **Recommended Action** | Launch new instances as Regional Instance Groups. | + +## Detailed Remediation Steps + 
diff --git a/en/google/compute/ip-forwarding-disabled.md b/en/google/compute/ip-forwarding-disabled.md new file mode 100644 index 000000000..265a5b56a --- /dev/null +++ b/en/google/compute/ip-forwarding-disabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / Ip Forwarding Disabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Ip Forwarding Disabled | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that IP forwarding is disabled on all Instances | +| **More Info** | Disabling IP forwarding ensures that the instance only sends and receives packets with matching destination or source IPs. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-routes | +| **Recommended Action** | IP Forwarding settings can only be chosen when creating a new instance, Delete the affected instances and redeploy with IP Forwarding disabled | + +## Detailed Remediation Steps + diff --git a/en/google/compute/vm-instances-with-no-access.md b/en/google/compute/vm-instances-with-no-access.md new file mode 100644 index 000000000..85dbc4455 --- /dev/null +++ b/en/google/compute/vm-instances-with-no-access.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / VM Instances with No Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Instances with No Access | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs. | +| **More Info** | To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances | +| **Recommended Action** | In Service Account Section, ensure Allow full access to all Cloud APIs is not selected if selecting the default service account. | + +## Detailed Remediation Steps + diff --git a/en/google/compute/vm-max-instances.md b/en/google/compute/vm-max-instances.md new file mode 100644 index 000000000..51e6f7e19 --- /dev/null +++ b/en/google/compute/vm-max-instances.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Compute / VM Max Instances + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VM Max Instances | +| **Cloud** | GOOGLE | +| **Category** | Compute | +| **Description** | Ensures the total number of VM instances does not exceed a set threshold. | +| **More Info** | The number of running VM instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Many compromised Google accounts see large numbers of VM instances launched. | +| **GOOGLE Link** | https://cloud.google.com/compute/docs/instances/ | +| **Recommended Action** | Ensure that the number of running VM instances matches the expected count. If instances are launched above the threshold, investigate to ensure they are legitimate. | + +## Detailed Remediation Steps + diff --git a/en/google/cryptographickeys/key-rotation.md b/en/google/cryptographickeys/key-rotation.md new file mode 100644 index 000000000..007249740 --- /dev/null +++ b/en/google/cryptographickeys/key-rotation.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Cryptographic Keys / Key Rotation + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Key Rotation | +| **Cloud** | GOOGLE | +| **Category** | Cryptographic Keys | +| **Description** | Ensures Cryptographic keys are set to rotate on a regular schedule | +| **More Info** | All Cryptographic keys should have key rotation enabled. Google will handle the rotation of the encryption key itself, as well as storage of previous keys, so previous data does not need to be re-encrypted before the rotation occurs. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-cryptoKeys | +| **Recommended Action** | Restrict TCP port 5900 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/dns/dns-security-enabled.md b/en/google/dns/dns-security-enabled.md new file mode 100644 index 000000000..8c4252644 --- /dev/null +++ b/en/google/dns/dns-security-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / DNS / DNS Security Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DNS Security Enabled | +| **Cloud** | GOOGLE | +| **Category** | DNS | +| **Description** | Ensures that DNS Security is enabled on all managed zones. | +| **More Info** | DNS Security is a feature that authenticates all responses to domain name lookups. This prevents attackers from committing DNS hijacking or man in the middle attacks. | +| **GOOGLE Link** | https://cloud.google.com/dns/docs/dnssec?hl=en_US&_ga=2.190155811.-922741565.1560964300 | +| **Recommended Action** | 1. Enter the Cloud DNS Service. 2. Select the Managed Zone in question. 3. Enable DNSSEC. | + +## Detailed Remediation Steps + diff --git a/en/google/iam/service-limits.md b/en/google/iam/service-limits.md new file mode 100644 index 000000000..89cc4b14a 
--- /dev/null +++ b/en/google/iam/service-limits.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / IAM / Service Limits + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Service Limits | +| **Cloud** | GOOGLE | +| **Category** | IAM | +| **Description** | Determine if the number of resources is close to the per-account limit. | +| **More Info** | Google limits accounts to certain numbers of resources. Exceeding those limits could prevent resources from launching. | +| **GOOGLE Link** | https://cloud.google.com/resource-manager/docs/limits | +| **Recommended Action** | Contact GCP support to increase the number of resources available | + +## Detailed Remediation Steps + diff --git a/en/google/kubernetes/monitoring-enabled.md b/en/google/kubernetes/monitoring-enabled.md new file mode 100644 index 000000000..8e33643ca --- /dev/null +++ b/en/google/kubernetes/monitoring-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Monitoring Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Monitoring Enabled | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures all Kubernetes clusters have monitoring enabled | +| **More Info** | Kubernetes supports monitoring through Stackdriver. | +| **GOOGLE Link** | https://cloud.google.com/monitoring/kubernetes-engine/ | +| **Recommended Action** | 1. Enter the Kubernetes Service. 2. Select Clusters from the left blade. 3. Select edit on the cluster. 4. Enable Stackdriver Kubernetes Engine Monitoring or Legacy Stackdriver Monitoring. | + +## Detailed Remediation Steps + diff --git a/en/google/kubernetes/private-endpoint.md b/en/google/kubernetes/private-endpoint.md new file mode 100644 index 000000000..1cb718b0a --- /dev/null +++ b/en/google/kubernetes/private-endpoint.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Kubernetes / Private Endpoint + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Private Endpoint | +| **Cloud** | GOOGLE | +| **Category** | Kubernetes | +| **Description** | Ensures the private endpoint setting is enabled for kubernetes clusters | +| **More Info** | kubernetes private endpoints can be used to route all traffic between the Kubernetes worker and control plane nodes over a private VPC endpoint rather than across the public internet. | +| **GOOGLE Link** | https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters | +| **Recommended Action** | Enable the private endpoint setting for all EKS clusters when creating the cluster. | + +## Detailed Remediation Steps + diff --git a/en/google/sql/db-automated-backups.md b/en/google/sql/db-automated-backups.md new file mode 100644 index 000000000..ce8189582 --- /dev/null +++ b/en/google/sql/db-automated-backups.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / DB Automated Backups + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Automated Backups | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures automated backups are enabled for SQL instances | +| **More Info** | Google provides a simple method of backing up SQL instances at a regular interval. This should be enabled to provide an option for restoring data in the event of a database compromise or hardware failure. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | +| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select Edit at the top of the section. 4. Enter the Enable auto Backups and ensure automate backups is checked. | + +## Detailed Remediation Steps + 
diff --git a/en/google/sql/db-multiple-az.md b/en/google/sql/db-multiple-az.md new file mode 100644 index 000000000..711445cab --- /dev/null +++ b/en/google/sql/db-multiple-az.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / DB Multiple Az + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Multiple Az | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures that SQL instances have a failover replica to be cross-AZ for high availability. | +| **More Info** | Creating SQL instances in with a single AZ creates a single point of failure for all systems relying on that database. All SQL instances should be created in multiple AZs to ensure proper failover. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | +| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select the Replicas tab. 4. Select Create Failover Replica and follow the prompts. | + +## Detailed Remediation Steps + diff --git a/en/google/sql/db-publicly-accessible.md b/en/google/sql/db-publicly-accessible.md new file mode 100644 index 000000000..38c2ee23f --- /dev/null +++ b/en/google/sql/db-publicly-accessible.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / DB Publicly Accessible + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Publicly Accessible | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures that SQL instances have a failover replica to be cross-AZ for high availability. | +| **More Info** | Creating SQL instances in with a single AZ creates a single point of failure for all systems relying on that database. All SQL instances should be created in multiple AZs to ensure proper failover. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | +| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select the Replicas tab. 4. Select Create Failover Replica and follow the prompts. | + +## Detailed Remediation Steps + diff --git a/en/google/sql/db-restorable.md b/en/google/sql/db-restorable.md new file mode 100644 index 000000000..0808f828e --- /dev/null +++ b/en/google/sql/db-restorable.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / SQL / DB Restorable + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Restorable | +| **Cloud** | GOOGLE | +| **Category** | SQL | +| **Description** | Ensures SQL instances can be restored to a recent point | +| **More Info** | Google will maintain a point to which the database can be restored. This point should not drift too far into the past, or else the risk of irrecoverable data loss may occur. | +| **GOOGLE Link** | https://cloud.google.com/sql/docs/mysql/instance-settings | +| **Recommended Action** | 1. Enter the SQL category of the Google Console. 2. Select the instance. 3. Select Edit at the top of the section. 4. Enter the Enable auto Backups and ensure that Enable Binary Logging is checked. | + +## Detailed Remediation Steps + diff --git a/en/google/storage/bucket-logging.md b/en/google/storage/bucket-logging.md new file mode 100644 index 000000000..bd59dc07a --- /dev/null +++ b/en/google/storage/bucket-logging.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Bucket Logging + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Bucket Logging | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensures object Logging is enabled on storage buckets | +| **More Info** | Storage bucket logging helps maintain an audit trail of access that can be used in the event of a security incident. | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/access-logs | +| **Recommended Action** | Bucket Logging can only be enabled by using the Command Line Interface and the log bucket must already be created. Use this command to enable Logging: gsutil logging set on -b gs://[LOG_BUCKET_NAME] -o AccessLog gs://[BUCKET_NAME] | + +## Detailed Remediation Steps + 
diff --git a/en/google/storage/bucket-versioning.md b/en/google/storage/bucket-versioning.md new file mode 100644 index 000000000..4c8b2c61b --- /dev/null +++ b/en/google/storage/bucket-versioning.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Bucket Versioning + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Bucket Versioning | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensures object versioning is enabled on storage buckets | +| **More Info** | Object versioning can help protect against the overwriting of objects or data loss in the event of a compromise. | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/using-object-versioning | +| **Recommended Action** | Bucket Versioning can only be enabled by using the Command Line Interface, use this command to enable Versioning: gsutil versioning set on gs://[BUCKET_NAME] | + +## Detailed Remediation Steps + diff --git a/en/google/storage/storage-bucket-all-users-policy.md b/en/google/storage/storage-bucket-all-users-policy.md new file mode 100644 index 000000000..1795f4398 --- /dev/null +++ b/en/google/storage/storage-bucket-all-users-policy.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / Storage / Storage Bucket All Users Policy + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Storage Bucket All Users Policy | +| **Cloud** | GOOGLE | +| **Category** | Storage | +| **Description** | Ensures Storage bucket policies do not allow global write, delete, or read permissions | +| **More Info** | Storage buckets can be configured to allow the global principal to access the bucket via the bucket policy. This policy should be restricted only to known users or accounts. | +| **GOOGLE Link** | https://cloud.google.com/storage/docs/access-control/iam | +| **Recommended Action** | 1. Enter the Storage Service. 2. Select the ... next to the Bucket and choose Edit Bucket Permissions. 3. In each Permission, ensure that no member is allUsers or allAuthenticatedUsers | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/default-vpc-in-use.md b/en/google/vpcnetwork/default-vpc-in-use.md new file mode 100644 index 000000000..db029ec3d --- /dev/null +++ b/en/google/vpcnetwork/default-vpc-in-use.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Default VPC In Use + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Default VPC In Use | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determines whether the default VPC is being used for launching VM instances. | +| **More Info** | The default VPC should not be used in order to avoid launching multiple services in the same network which may not require connectivity. Each application, or network tier, should use its own VPC. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | +| **Recommended Action** | Move resources from the default VPC to a new VPC created for that application or resource group. | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/excessive-firewall-rules.md b/en/google/vpcnetwork/excessive-firewall-rules.md new file mode 100644 index 000000000..418fb3bef --- /dev/null +++ b/en/google/vpcnetwork/excessive-firewall-rules.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Excessive Firewall Rules + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Excessive Firewall Rules | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if there are an excessive number of firewall rules in the account | +| **More Info** | Keeping the number of firewall rules to a minimum helps reduce the attack surface of an account. Rather than creating new rules with the same rules for each project, common rules should be grouped under the same firewall rule. For example, instead of adding port 22 from a known IP to every firewall rule, create a single "SSH" firewall rule which can be used on multiple instances. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Limit the number of firewall rules to prevent accidental authorizations | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/flow-logs-enabled.md b/en/google/vpcnetwork/flow-logs-enabled.md new file mode 100644 index 000000000..268fdaba1 --- /dev/null +++ b/en/google/vpcnetwork/flow-logs-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Flow Logs Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Flow Logs Enabled | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Ensures VPC flow logs are enabled for traffic logging | +| **More Info** | VPC flow logs record all traffic flowing in to and out of a VPC. These logs are critical for auditing and review after security incidents. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-flow-logs | +| **Recommended Action** | Enable VPC flow logs for each VPC Subnetwork | + +## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/multiple-subnets.md b/en/google/vpcnetwork/multiple-subnets.md new file mode 100644 index 000000000..8b45b1ae1 --- /dev/null +++ b/en/google/vpcnetwork/multiple-subnets.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Multiple Subnets + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Multiple Subnets | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Ensures that VPCs have multiple networks to provide a layered architecture | +| **More Info** | A single network within a VPC increases the risk of a broader blast radius in the event of a compromise. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/vpc | +| **Recommended Action** | Create multiple networks/subnets in each VPC and change the architecture to take advantage of public and private tiers. | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-all-ports.md b/en/google/vpcnetwork/open-all-ports.md new file mode 100644 index 000000000..2fcf7a047 --- /dev/null +++ b/en/google/vpcnetwork/open-all-ports.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open All Ports + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open All Ports | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if all ports are open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, services should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict ports to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/open-cifs.md b/en/google/vpcnetwork/open-cifs.md new file mode 100644 index 000000000..07002fac1 --- /dev/null +++ b/en/google/vpcnetwork/open-cifs.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open CIFS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open CIFS | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if UDP port 445 for CIFS is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as CIFS should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict UDP port 445 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-dns.md b/en/google/vpcnetwork/open-dns.md new file mode 100644 index 000000000..496abcd10 --- /dev/null +++ b/en/google/vpcnetwork/open-dns.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open DNS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open DNS | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP or UDP port 53 for DNS is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as DNS should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/open-ftp.md b/en/google/vpcnetwork/open-ftp.md new file mode 100644 index 000000000..185928bef --- /dev/null +++ b/en/google/vpcnetwork/open-ftp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open FTP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open FTP | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 20 or 21 for FTP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as FTP should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md new file mode 100644 index 000000000..304d77186 --- /dev/null +++ b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-metadata-service.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Hadoop HDFS NameNode Metadata Service + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Hadoop HDFS NameNode Metadata Service | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public. | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS. | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md new file mode 100644 index 000000000..de35f94a4 --- /dev/null +++ b/en/google/vpcnetwork/open-hadoop-hdfs-namenode-webui.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Hadoop HDFS NameNode WebUI + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Hadoop HDFS NameNode WebUI | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS | + +## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/open-kibana.md b/en/google/vpcnetwork/open-kibana.md new file mode 100644 index 000000000..cc26e4d91 --- /dev/null +++ b/en/google/vpcnetwork/open-kibana.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Kibana + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Kibana | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 5601 for Kibana is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Kibana should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 5601 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-mysql.md b/en/google/vpcnetwork/open-mysql.md new file mode 100644 index 000000000..e4678098d --- /dev/null +++ b/en/google/vpcnetwork/open-mysql.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open MySQL + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open MySQL | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 4333 or 3306 for MySQL is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MySQL should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/google/vpcnetwork/open-netbios.md b/en/google/vpcnetwork/open-netbios.md new file mode 100644 index 000000000..86781ca89 --- /dev/null +++ b/en/google/vpcnetwork/open-netbios.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open NetBIOS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open NetBIOS | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if UDP port 137 or 138 for NetBIOS is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as NetBIOS should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md b/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md new file mode 100644 index 000000000..512064255 --- /dev/null +++ b/en/google/vpcnetwork/open-oracle-auto-data-warehouse.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Oracle Auto Data Warehouse + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Oracle Auto Data Warehouse | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 1522 for Oracle Auto Data Warehouse is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP ports 1522 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-oracle.md b/en/google/vpcnetwork/open-oracle.md new file mode 100644 index 000000000..53dee8005 --- /dev/null +++ b/en/google/vpcnetwork/open-oracle.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Oracle + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Oracle | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 1521 for Oracle is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP ports 1521 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-postgresql.md b/en/google/vpcnetwork/open-postgresql.md new file mode 100644 index 000000000..604d22688 --- /dev/null +++ b/en/google/vpcnetwork/open-postgresql.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open PostgreSQL + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open PostgreSQL | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 5432 for PostgreSQL is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as PostgreSQL should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-rdp.md b/en/google/vpcnetwork/open-rdp.md new file mode 100644 index 000000000..8be192827 --- /dev/null +++ b/en/google/vpcnetwork/open-rdp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open RDP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open RDP | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 3389 for RDP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RDP should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-rpc.md b/en/google/vpcnetwork/open-rpc.md new file mode 100644 index 000000000..aed28eec4 --- /dev/null +++ b/en/google/vpcnetwork/open-rpc.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open RPC + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open RPC | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 135 for RPC is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RPC should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 135 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-smbotcp.md b/en/google/vpcnetwork/open-smbotcp.md new file mode 100644 index 000000000..5d60caa7d --- /dev/null +++ b/en/google/vpcnetwork/open-smbotcp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open SMBoTCP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SMBoTCP | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 445 for Windows SMB over TCP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMB should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 445 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-smtp.md b/en/google/vpcnetwork/open-smtp.md new file mode 100644 index 000000000..bf06cf457 --- /dev/null +++ b/en/google/vpcnetwork/open-smtp.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open SMTP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SMTP | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 25 for SMTP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMTP should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 25 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-sqlserver.md b/en/google/vpcnetwork/open-sqlserver.md new file mode 100644 index 000000000..0b7b4a1a4 --- /dev/null +++ b/en/google/vpcnetwork/open-sqlserver.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open SQLServer + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SQLServer | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 1433 or UDP port 1434 for SQL Server is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SQL server should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-ssh.md b/en/google/vpcnetwork/open-ssh.md new file mode 100644 index 000000000..ef97257ba --- /dev/null +++ b/en/google/vpcnetwork/open-ssh.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open SSH + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SSH | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 22 for FTP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 22 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-telnet.md b/en/google/vpcnetwork/open-telnet.md new file mode 100644 index 000000000..741dc4f61 --- /dev/null +++ b/en/google/vpcnetwork/open-telnet.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open Telnet + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Telnet | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 23 for Telnet is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Telnet should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 23 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-vnc-client.md b/en/google/vpcnetwork/open-vnc-client.md new file mode 100644 index 000000000..07b8897a3 --- /dev/null +++ b/en/google/vpcnetwork/open-vnc-client.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open VNC Client + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open VNC Client | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 5500 for VNC Client is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Client should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 5500 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/open-vnc-server.md b/en/google/vpcnetwork/open-vnc-server.md new file mode 100644 index 000000000..4ff765326 --- /dev/null +++ b/en/google/vpcnetwork/open-vnc-server.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Open VNC Server + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open VNC Server | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Determine if TCP port 5900 for VNC Server is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/using-firewalls | +| **Recommended Action** | Restrict TCP port 5900 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/google/vpcnetwork/private-access-enabled.md b/en/google/vpcnetwork/private-access-enabled.md new file mode 100644 index 000000000..b75514385 --- /dev/null +++ b/en/google/vpcnetwork/private-access-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# GOOGLE / VPC Network / Private Access Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Private Access Enabled | +| **Cloud** | GOOGLE | +| **Category** | VPC Network | +| **Description** | Ensures Private Google Access is enabled for all Subnets | +| **More Info** | Private Google Access allows VM instances on a subnet to reach Google APIs and services without an IP address. This creates a more secure network for the internal communication. | +| **GOOGLE Link** | https://cloud.google.com/vpc/docs/configure-private-google-access | +| **Recommended Action** | 1. Enter the VPC Network service. 2. Enter the VPC. 3. Select the subnet in question. 4. Edit the subnet and enable Private Google Access. | + +## Detailed Remediation Steps + diff --git a/en/oracle/audit/log-retention-period.md b/en/oracle/audit/log-retention-period.md new file mode 100644 index 000000000..5e5822600 --- /dev/null +++ b/en/oracle/audit/log-retention-period.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Audit / Log Retention Period + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Log Retention Period | +| **Cloud** | ORACLE | +| **Category** | Audit | +| **Description** | Ensure that the Audit Log Retention Period is configured correctly. | +| **More Info** | Audit logs should be kept for as long as internal compliance requires. If no requirements exist, best practices suggest a minimum of 365 days. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Audit/Tasks/settingretentionperiod.htm | +| **Recommended Action** | 1. Enter the Tenancy Details page in the Administration blade. 2. Select Edit Audit Retention Period at the top of the page. 3. Set the Audit Retention Period in days. | + +## Detailed Remediation Steps + 
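Review bot: the Description in en/google/vpcnetwork/open-ssh.md reads "Determine if TCP port 22 for FTP is open to the public"; port 22 is SSH, so this is a copy-paste slip from the FTP plugin and should say "for SSH", matching the title and the Recommended Action. Also, in en/google/vpcnetwork/private-access-enabled.md, "reach Google APIs and services without an IP address" should be "without an external IP address": the instances still have internal addresses, and the point of Private Google Access is that they need no public one, which is the security benefit the More Info text is trying to state.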
diff --git a/en/oracle/blockstorage/block-storage-policy-protection.md b/en/oracle/blockstorage/block-storage-policy-protection.md new file mode 100644 index 000000000..badacd18c --- /dev/null +++ b/en/oracle/blockstorage/block-storage-policy-protection.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Block Storage / Block Storage Policy Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Block Storage Policy Protection | +| **Cloud** | ORACLE | +| **Category** | Block Storage | +| **Description** | Ensure Policy statements have deletion protection for Block Volumes unless it is an administrator group. | +| **More Info** | Adding deletion protection to Oracle Block Volume policies mitigates unintended deletion of block and boot volumes by unauthorized users or groups. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/iam_security.htm | +| **Recommended Action** | When writing policies, avoid blanket statements, and add a where statement with the line request.permission != {VOLUME_DELETE, VOLUME_BACKUP_DELETE, VOLUME_ATTACHMENT_DELETE}. | + +## Detailed Remediation Steps + diff --git a/en/oracle/blockstorage/block-volume-backup-enabled.md b/en/oracle/blockstorage/block-volume-backup-enabled.md new file mode 100644 index 000000000..068f358b1 --- /dev/null +++ b/en/oracle/blockstorage/block-volume-backup-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Block Storage / Block Volume Backup Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Block Volume Backup Enabled | +| **Cloud** | ORACLE | +| **Category** | Block Storage | +| **Description** | Determine if Block Volumes have backups enabled. | +| **More Info** | Enabling Block Volume backup policies ensures that the block volume can be restored following in the event of data loss. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Block/Concepts/blockvolumebackups.htm | +| **Recommended Action** | 1. Enter the Block Volume Service. 2. Select the Block Volume in question. 3. Select Assign next to Backup Policy. 4. Select the best policy for your services. | + +## Detailed Remediation Steps + diff --git a/en/oracle/blockstorage/block-volume-restorable.md b/en/oracle/blockstorage/block-volume-restorable.md new file mode 100644 index 000000000..3e3be9cc9 --- /dev/null +++ b/en/oracle/blockstorage/block-volume-restorable.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Block Storage / Block Volume Restorable + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Block Volume Restorable | +| **Cloud** | ORACLE | +| **Category** | Block Storage | +| **Description** | Determine if Block Volumes can be restored to a recent point. | +| **More Info** | Ensuring that Block Volumes have an active backup prevents data loss in the case of a catastrophe. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Block/Concepts/blockvolumebackups.htm | +| **Recommended Action** | 1. Enter the Block Volume Service. 2. Select the Block Volume in question. 3. Select Block Volume Backups from the lower left blade. 4. Create a manual backup. | + +## Detailed Remediation Steps + 
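Review bot: the Recommended Action in en/oracle/blockstorage/block-storage-policy-protection.md gives `request.permission != {VOLUME_DELETE, VOLUME_BACKUP_DELETE, VOLUME_ATTACHMENT_DELETE}`, which is not valid OCI policy syntax: permission names are quoted string literals and several conditions are combined with `all { ... }`, so it should read along the lines of `where all {request.permission != 'VOLUME_DELETE', request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_ATTACHMENT_DELETE'}`, and "where statement" should be "where clause". In en/oracle/blockstorage/block-volume-backup-enabled.md, "can be restored following in the event of data loss" should be "can be restored in the event of data loss".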
diff --git a/en/oracle/blockstorage/volume-groups-restorable.md b/en/oracle/blockstorage/volume-groups-restorable.md new file mode 100644 index 000000000..7c9180a6a --- /dev/null +++ b/en/oracle/blockstorage/volume-groups-restorable.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Block Storage / Volume Groups Restorable + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Volume Groups Restorable | +| **Cloud** | ORACLE | +| **Category** | Block Storage | +| **Description** | Determine if Volume Groups can be restored to a recent point. | +| **More Info** | Enabling Volume Groups backups ensures that the volume group can be restored following in the event of data loss. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Block/Concepts/volumegroups.htm | +| **Recommended Action** | 1. Enter the Volume Groups Service. 2. Select the Volume Group in question. 3. Select the backups blade on the lower left side. 4. Create a backup. | + +## Detailed Remediation Steps + diff --git a/en/oracle/compute/autoscale-enabled.md b/en/oracle/compute/autoscale-enabled.md new file mode 100644 index 000000000..895163cb1 --- /dev/null +++ b/en/oracle/compute/autoscale-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Autoscale Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Autoscale Enabled | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Ensure Autoscaling is enabled on Instance Pools. | +| **More Info** | Enabling Autoscale increases efficency and improves cost management for resources. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Compute/Tasks/autoscalinginstancepools.htm | +| **Recommended Action** | 1. Enter the Compute service. 2. On the left side select Autoscale Configurations 3. Create an autoscale configuration for all instance pools. | + +## Detailed Remediation Steps + diff --git a/en/oracle/compute/boot-volume-backup-enabled.md b/en/oracle/compute/boot-volume-backup-enabled.md new file mode 100644 index 000000000..dea362e5c --- /dev/null +++ b/en/oracle/compute/boot-volume-backup-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Boot Volume Backup Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Boot Volume Backup Enabled | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Determine if Boot Volumes have a backup policy. | +| **More Info** | Enabling a Boot Volume backup policy ensures that the boot volumes can be restored in the event of a compromised system or hardware failure. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Block/Concepts/bootvolumes.htm | +| **Recommended Action** | 1. Enter the Boot Volume Service. 2. Select the Boot Volume in question. 3. Select Assign next to Backup Policy. 4. Select the best policy for your services. | + +## Detailed Remediation Steps + 
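Review bot: en/oracle/blockstorage/volume-groups-restorable.md repeats the "restored following in the event of data loss" wording; drop "following". In en/oracle/compute/autoscale-enabled.md, "efficency" is misspelled ("efficiency"), and the More Info text only describes a cost benefit; since this ships as a security scanner check, state the availability benefit (the pool keeps serving under load or after instance loss) so readers know why it is reported.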
diff --git a/en/oracle/compute/boot-volume-restorable.md b/en/oracle/compute/boot-volume-restorable.md new file mode 100644 index 000000000..06ab60f04 --- /dev/null +++ b/en/oracle/compute/boot-volume-restorable.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Boot Volume Restorable + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Boot Volume Restorable | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Determine if Boot Volumes can be restored to a recent point. | +| **More Info** | Having an active backup ensures that the boot volumes can be restored in the event of a compromised system or hardware failure. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Block/Concepts/bootvolumes.htm | +| **Recommended Action** | 1. Enter the Boot Volume Service. 2. Select the Boot Volume in question. 3. Select the Boot Volume Backups blade in the lower left corner. 4. Create a backup. | + +## Detailed Remediation Steps + diff --git a/en/oracle/compute/boot-volume-transit-encryption.md b/en/oracle/compute/boot-volume-transit-encryption.md new file mode 100644 index 000000000..c9a740a6c --- /dev/null +++ b/en/oracle/compute/boot-volume-transit-encryption.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Boot Volume Transit Encryption + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Boot Volume Transit Encryption | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Determine if in-transit data encryption is enabled on boot volumes. | +| **More Info** | Enabling Boot Volume in-transit data encryption ensures that Boot Volume data is secured and follows Oracle security best practices. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Block/Concepts/bootvolumes.htm | +| **Recommended Action** | Boot Volume Transit Encryption can only be configured when creating a new instance. Recreate the instance with in-transit encryption enabled. | + +## Detailed Remediation Steps + diff --git a/en/oracle/compute/instance-max-count.md b/en/oracle/compute/instance-max-count.md new file mode 100644 index 000000000..b961292cb --- /dev/null +++ b/en/oracle/compute/instance-max-count.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Instance Max Count + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Max Count | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Ensures the total number of VM instances does not exceed a set threshold. | +| **More Info** | The number of running VM instances should be carefully audited, especially in unused regions, to ensure only approved applications are consuming compute resources. Many compromised Oracle accounts see large numbers of VM instances launched. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Compute/Concepts/instancemanagement.htm | +| **Recommended Action** | Ensure that the number of running VM instances matches the expected count. If instances are launched above the threshold, investigate to ensure they are legitimate. | + +## Detailed Remediation Steps + diff --git a/en/oracle/compute/instance-monitoring-enabled.md b/en/oracle/compute/instance-monitoring-enabled.md new file mode 100644 index 000000000..e5c9b9815 --- /dev/null +++ b/en/oracle/compute/instance-monitoring-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Instance Monitoring Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Monitoring Enabled | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Determine if monitoring is enabled for instances. | +| **More Info** | Enabling instance monitoring allows for metrics to be collected on the instance. Following Security best practices. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Compute/Tasks/enablingmonitoring.htm | +| **Recommended Action** | When creating a new instance, ensure monitoring is enabled under advanced settings. | + +## Detailed Remediation Steps + diff --git a/en/oracle/compute/instance-policy-protection.md b/en/oracle/compute/instance-policy-protection.md new file mode 100644 index 000000000..fdd9cb4c9 --- /dev/null +++ b/en/oracle/compute/instance-policy-protection.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Instance Policy Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Policy Protection | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Ensure Policy statements have deletion protection for Compute Instances unless it is an administrator group. | +| **More Info** | Adding deletion protection to Oracle Compute Instance policies mitigates unintended deletion of instances by unauthorized users or groups. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/iam_security.htm | +| **Recommended Action** | When writing policies, avoid blanket statements, and add a where statement with the line request.permission != INSTANCE_DELETE. | + +## Detailed Remediation Steps + 
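Review bot: in en/oracle/compute/instance-policy-protection.md the condition `request.permission != INSTANCE_DELETE` needs the permission name quoted, `where request.permission != 'INSTANCE_DELETE'`, to be valid OCI policy syntax. In en/oracle/compute/instance-monitoring-enabled.md, "Following Security best practices." is a sentence fragment and should be folded into the preceding sentence; the Recommended Action there also covers only new instances, so a finding on a running instance has no actionable fix unless steps for enabling monitoring on an existing instance are added. In en/oracle/compute/boot-volume-transit-encryption.md, "ensures that Boot Volume data is secured" is vague; say what is protected, namely data moving between the instance and the block storage service. In en/oracle/compute/instance-max-count.md the "set threshold" is never named; document the setting the plugin reads and its default so users know what count triggers the finding.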
diff --git a/en/oracle/compute/instance-pool-multiple-ad.md b/en/oracle/compute/instance-pool-multiple-ad.md new file mode 100644 index 000000000..64dc2843e --- /dev/null +++ b/en/oracle/compute/instance-pool-multiple-ad.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Compute / Instance Pool Multiple AD + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Instance Pool Multiple AD | +| **Cloud** | ORACLE | +| **Category** | Compute | +| **Description** | Determines if Instance Pools are launched in Multiple Availability Domains. | +| **More Info** | Launching Instance Pools in multiple availability domains follows best practices by creating highly available resources. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm | +| **Recommended Action** | When launching instance pools, Add multiple availability domains. | + +## Detailed Remediation Steps + diff --git a/en/oracle/database/database-backup-enabled.md b/en/oracle/database/database-backup-enabled.md new file mode 100644 index 000000000..c11629bc3 --- /dev/null +++ b/en/oracle/database/database-backup-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Database / Database Backup Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Database Backup Enabled | +| **Cloud** | ORACLE | +| **Category** | Database | +| **Description** | Ensures that all databases have auto backup enabled | +| **More Info** | Enabling Automatic Backup on Databases ensures that all sensitive data is protected from unwarranted deletion or loss of data. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Database/Tasks/backingupOS.htm | +| **Recommended Action** | when creating a new database, under advanced settings enable Auto Backup. | + +## Detailed Remediation Steps + 
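Review bot: in en/oracle/database/database-backup-enabled.md the Recommended Action starts with a lowercase "when" and only covers database creation; automatic backups can also be configured on an existing database (the linked backup page is where that is described), and existing databases are the ones the plugin will flag, so give those steps. "Protected from unwarranted deletion or loss of data" also overstates it: a backup lets you recover after deletion, it does not prevent it. In en/oracle/compute/instance-pool-multiple-ad.md, "Add multiple availability domains" should not be capitalized mid-sentence.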
diff --git a/en/oracle/database/database-policy-protection.md b/en/oracle/database/database-policy-protection.md new file mode 100644 index 000000000..312ab6cfa --- /dev/null +++ b/en/oracle/database/database-policy-protection.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Database / Database Policy Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Database Policy Protection | +| **Cloud** | ORACLE | +| **Category** | Database | +| **Description** | Ensure Policy statements have deletion protection for Database Systems, Databases, and Database Homes unless it is an administrator group. | +| **More Info** | Adding deletion protection to Oracle Database policies mitigates unintended deletion of Database Services by unauthorized users or groups. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/dbaas_security.htm | +| **Recommended Action** | When writing policies, avoid blanket statements, and add a where statement with the line request.permission != {DB_SYSTEM_DELETE, DATABASE_DELETE, DB_HOME_DELETE} . | + +## Detailed Remediation Steps + diff --git a/en/oracle/database/db-network-security-groups-enabled.md b/en/oracle/database/db-network-security-groups-enabled.md new file mode 100644 index 000000000..91daf6721 --- /dev/null +++ b/en/oracle/database/db-network-security-groups-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Database / DB Network Security Groups Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Network Security Groups Enabled | +| **Cloud** | ORACLE | +| **Category** | Database | +| **Description** | Ensures that all databases have network security groups enabled. | +| **More Info** | Enabling network security groups on database systems allow for fine grain control over network access to the database, ensuring databases are only accessible from trusted entities and following security best practices. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Database/Tasks/backingupOS.htm | +| **Recommended Action** | 1. Enter the database service. 2. Select the database system. 3. In the system information, edit the network security groups and select the appropriate network security group. | + +## Detailed Remediation Steps + diff --git a/en/oracle/database/db-private-subnet-only.md b/en/oracle/database/db-private-subnet-only.md new file mode 100644 index 000000000..91a5e3c5f --- /dev/null +++ b/en/oracle/database/db-private-subnet-only.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Database / DB Private Subnet Only + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | DB Private Subnet Only | +| **Cloud** | ORACLE | +| **Category** | Database | +| **Description** | Ensure that all database systems are in private subnets only. | +| **More Info** | Database systems in private subnets ensure that access to the database can only be from within the internal architecture, following security best practices. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/dbaas_security.htm | +| **Recommended Action** | When creating a new database, ensure that that subnet it is being launched in is a private subnet. | + +## Detailed Remediation Steps + diff --git a/en/oracle/filestorage/file-storage-policy-protection.md b/en/oracle/filestorage/file-storage-policy-protection.md new file mode 100644 index 000000000..61b0286aa --- /dev/null +++ b/en/oracle/filestorage/file-storage-policy-protection.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / File Storage / File Storage Policy Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | File Storage Policy Protection | +| **Cloud** | ORACLE | +| **Category** | File Storage | +| **Description** | Ensure Policy statements have deletion protection for File Storage Services unless it is an administrator group. | +| **More Info** | Adding deletion protection to Oracle File Storage policies mitigates unintended deletion of File Storage Services by unauthorized users or groups. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/dbaas_security.htm | +| **Recommended Action** | When writing policies, avoid blanket statements, and add a where statement with the line request.permission != {FILE_SYSTEM_DELETE, MOUNT_TARGET_DELETE, EXPORT_SET_DELETE} . | + +## Detailed Remediation Steps + diff --git a/en/oracle/filestorage/nfs-public-access.md b/en/oracle/filestorage/nfs-public-access.md new file mode 100644 index 000000000..80d28591a --- /dev/null +++ b/en/oracle/filestorage/nfs-public-access.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / File Storage / NFS Public Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | NFS Public Access | +| **Cloud** | ORACLE | +| **Category** | File Storage | +| **Description** | Ensures that all File Systems do not have public access. | +| **More Info** | All Network File Systems should be configured to only allow access from trusted sources. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/File/Tasks/exportoptions.htm | +| **Recommended Action** | 1. Enter the File Storage service. 2. Enter the File System service 3. Select the File System. 4. Select the export. 5. Ensure that the source is not 0.0.0.0/0, if so edit the NFS Export Options to not allow public access. | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/empty-groups.md b/en/oracle/identity/empty-groups.md new file mode 100644 index 000000000..9c2dbf034 --- /dev/null +++ b/en/oracle/identity/empty-groups.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Empty Groups + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Empty Groups | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures all groups have at least one member. | +| **More Info** | While having empty groups does not present a direct security risk, it does broaden the management landscape which could potentially introduce risks in the future. | +| **ORACLE Link** | https://docs.oracle.com/cd/E10391_01/doc.910/e10360/usergroups.htm | +| **Recommended Action** | Remove identity groups with no members. | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/excessive-policies.md b/en/oracle/identity/excessive-policies.md new file mode 100644 index 000000000..e7692f235 --- /dev/null 
+++ b/en/oracle/identity/excessive-policies.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Excessive Policies + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Excessive Policies | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Determine if there are an excessive number of policies in the account | +| **More Info** | Keeping the number of policies to a minimum helps reduce the chances of compromised accounts causing catastrophic damage to the account. Rather than creating new policies with the same statement for each group, common statements should be grouped under the same policy. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policygetstarted.htm | +| **Recommended Action** | Limit the number of policies to prevent accidental authorizations | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/excessive-policy-statements.md b/en/oracle/identity/excessive-policy-statements.md new file mode 100644 index 000000000..426065ac0 --- /dev/null +++ b/en/oracle/identity/excessive-policy-statements.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Excessive Policy Statements + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Excessive Policy Statements | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Determine if there are an excessive number of policy Statements in the account | +| **More Info** | Keeping the number of policy statements to a minimum helps reduce the chances of compromised accounts causing catastrophic damage to the account. Common statements should be grouped under the same policy. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policygetstarted.htm | +| **Recommended Action** | Limit the number of policy statements to prevent accidental authorizations | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/minimum-password-length.md b/en/oracle/identity/minimum-password-length.md new file mode 100644 index 000000000..ae4e79a6b --- /dev/null +++ b/en/oracle/identity/minimum-password-length.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Minimum Password Length + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Minimum Password Length | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures password policy requires a minimum password length. | +| **More Info** | A strong password policy enforces minimum length, expirations, reuse, and symbol usage. | +| **ORACLE Link** | https://docs.oracle.com/cd/E17904_01/admin.1111/e10029/pwdpolicies.htm#OIDAG2472 | +| **Recommended Action** | Update the password policy to require a minimum password length. | + +## Detailed Remediation Steps + 
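Review bot: the ORACLE Link in en/oracle/database/db-network-security-groups-enabled.md points to backingupOS.htm, the database backup page copied from the previous file; it should point at the Network Security Groups documentation. In the same file, "allow for fine grain control" should be "allows fine-grained control". en/oracle/database/database-policy-protection.md has the same invalid set syntax as the block storage file, `request.permission != {DB_SYSTEM_DELETE, DATABASE_DELETE, DB_HOME_DELETE}`; use quoted names combined with `all { ... }`. In en/oracle/database/db-private-subnet-only.md, "ensure that that subnet" duplicates "that".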
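Review bot: the ORACLE Link in en/oracle/filestorage/file-storage-policy-protection.md is dbaas_security.htm, the database security reference, which does not cover File Storage; the other policy-protection files use iam_security.htm, which fits here too, and the `request.permission != {FILE_SYSTEM_DELETE, MOUNT_TARGET_DELETE, EXPORT_SET_DELETE}` condition needs the same quoted, `all { ... }` form as the others. en/oracle/identity/empty-groups.md links to docs.oracle.com/cd/E10391_01 (Oracle Identity Management 10g) and en/oracle/identity/minimum-password-length.md, like the other password-requires-* files below, links to docs.oracle.com/cd/E17904_01 (Fusion Middleware 11g Oracle Internet Directory); neither is OCI IAM documentation, so these should point at the OCI IAM groups and password-policy pages under docs.cloud.oracle.com/iaas, as the rest of the ORACLE files do. In en/oracle/identity/excessive-policy-statements.md, "policy Statements" should not be capitalized.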
diff --git a/en/oracle/identity/password-requires-lowercase.md b/en/oracle/identity/password-requires-lowercase.md new file mode 100644 index 000000000..906001b35 --- /dev/null +++ b/en/oracle/identity/password-requires-lowercase.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Password Requires Lowercase + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Lowercase | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures password policy requires at least one lowercase letter. | +| **More Info** | A strong password policy enforces minimum length, expirations, reuse, and symbol usage. | +| **ORACLE Link** | https://docs.oracle.com/cd/E17904_01/admin.1111/e10029/pwdpolicies.htm#OIDAG2472 | +| **Recommended Action** | Update the password policy to require the use of lowercase letters. | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/password-requires-numbers.md b/en/oracle/identity/password-requires-numbers.md new file mode 100644 index 000000000..09bf93b88 --- /dev/null +++ b/en/oracle/identity/password-requires-numbers.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Password Requires Numbers + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Numbers | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures password policy requires at least one number. | +| **More Info** | A strong password policy enforces minimum length, expirations, reuse, and symbol usage. | +| **ORACLE Link** | https://docs.oracle.com/cd/E17904_01/admin.1111/e10029/pwdpolicies.htm#OIDAG2472 | +| **Recommended Action** | Update the password policy to require the use of numbers. | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/identity/password-requires-symbols.md b/en/oracle/identity/password-requires-symbols.md new file mode 100644 index 000000000..222b6f01d --- /dev/null +++ b/en/oracle/identity/password-requires-symbols.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Password Requires Symbols + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Symbols | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures password policy requires at least one symbol. | +| **More Info** | A strong password policy enforces minimum length, expirations, reuse, and symbol usage. | +| **ORACLE Link** | https://docs.oracle.com/cd/E17904_01/admin.1111/e10029/pwdpolicies.htm#OIDAG2472 | +| **Recommended Action** | Update the password policy to require the use of symbols. | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/password-requires-uppercase.md b/en/oracle/identity/password-requires-uppercase.md new file mode 100644 index 000000000..c8edc6ea4 --- /dev/null +++ b/en/oracle/identity/password-requires-uppercase.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Password Requires Uppercase + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Password Requires Uppercase | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures password policy requires at least one uppercase character. | +| **More Info** | A strong password policy enforces minimum length, expirations, reuse, and symbol usage. | +| **ORACLE Link** | https://docs.oracle.com/cd/E17904_01/admin.1111/e10029/pwdpolicies.htm#OIDAG2472 | +| **Recommended Action** | Update the password policy to require the use of uppercase characters. | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/identity/policy-least-privilege.md b/en/oracle/identity/policy-least-privilege.md new file mode 100644 index 000000000..ebb460bf7 --- /dev/null +++ b/en/oracle/identity/policy-least-privilege.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Policy Least Privilege + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Policy Least Privilege | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensure only service-level admins have blanket statements to manage or use resources without restriction. | +| **More Info** | Adding service-level admins to Oracle policies instead of blanket statements mitigates unintended access to resources by unauthorized users or groups. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/iam_security.htm | +| **Recommended Action** | When writing policies, avoid blanket statements, and instead give full permissions only to Service-level admins, all other groups should have least access to services. | + +## Detailed Remediation Steps + diff --git a/en/oracle/identity/users-mfa-enabled.md b/en/oracle/identity/users-mfa-enabled.md new file mode 100644 index 000000000..6362cc443 --- /dev/null +++ b/en/oracle/identity/users-mfa-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Identity / Users MFA Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Users MFA Enabled | +| **Cloud** | ORACLE | +| **Category** | Identity | +| **Description** | Ensures a multi-factor authentication device is enabled for all users within the account. | +| **More Info** | User accounts should have an MFA device setup to enable two-factor authentication. | +| **ORACLE Link** | https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/enable-multi-factor-authentication-security-oracle-cloud.html | +| **Recommended Action** | Enable an MFA device for the user account. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/default-security-list.md b/en/oracle/networking/default-security-list.md new file mode 100644 index 000000000..c60623684 --- /dev/null +++ b/en/oracle/networking/default-security-list.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Default Security List + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Default Security List | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Ensure the default security lists block all traffic by default | +| **More Info** | The default security list is often used for resources launched without a defined security list. For this reason, the default rules should be to block all traffic to prevent an accidental exposure. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Update the rules for the default security list to deny all traffic by default | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/excessive-security-lists.md b/en/oracle/networking/excessive-security-lists.md new file mode 100644 index 000000000..cb64025cd --- /dev/null +++ b/en/oracle/networking/excessive-security-lists.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Excessive Security Lists + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Excessive Security Lists | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if there are an excessive number of security lists in the account | +| **More Info** | Keeping the number of security lists to a minimum helps reduce the attack surface of an account. Rather than creating new groups with the same rules for each project, common rules should be grouped under the same security lists. For example, instead of adding port 22 from a known IP to every group, create a single "SSH" security group which can be used on multiple instances. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Limit the number of security lists to prevent accidental authorizations | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/lb-network-security-groups-enabled.md b/en/oracle/networking/lb-network-security-groups-enabled.md new file mode 100644 index 000000000..46ac2bd2f --- /dev/null +++ b/en/oracle/networking/lb-network-security-groups-enabled.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / LB Network Security Groups Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | LB Network Security Groups Enabled | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Ensure Load Balancers are using Network Security Groups to restrict network access. | +| **More Info** | Network Security Groups gives fine grained control of resources. Security rules associated with Network Security Groups can be associated with specific resources. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/networking_security.htm | +| **Recommended Action** | 1. Enter the Load Balancer Service. 2. Select the Load Balancer. 3. In the load Balancer Information, Edit Network Security Groups. 4. Select the best Network Security Group for the load balancer. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/load-balancer-https-only.md b/en/oracle/networking/load-balancer-https-only.md new file mode 100644 index 000000000..f21cdc6df --- /dev/null +++ b/en/oracle/networking/load-balancer-https-only.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Load Balancer HTTPS Only + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Load Balancer HTTPS Only | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Ensures LBs are configured to only accept connections on HTTPS ports. | +| **More Info** | For maximum security, LBs can be configured to only accept HTTPS connections. Standard HTTP connections will be blocked. This should only be done if the client application is configured to query HTTPS directly and not rely on a redirect from HTTP. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Balance/Tasks/managinglisteners.htm | +| **Recommended Action** | Remove non-HTTPS listeners from load balancer. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/load-balancer-no-instances.md b/en/oracle/networking/load-balancer-no-instances.md new file mode 100644 index 000000000..24786e148 --- /dev/null +++ b/en/oracle/networking/load-balancer-no-instances.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Load Balancer No Instances + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Load Balancer No Instances | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Detects LBs that have no backend instances attached | +| **More Info** | All LBs should have backend server resources. Those without any are consuming costs without providing any functionality. Additionally, old ELBs with no instances present a security concern if new instances are accidentally attached. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/GSG/Tasks/loadbalancing.htm | +| **Recommended Action** | Delete old LBs that no longer have backend resources. | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-all-ports-protocols.md b/en/oracle/networking/open-all-ports-protocols.md new file mode 100644 index 000000000..b1fa84fd1 --- /dev/null +++ b/en/oracle/networking/open-all-ports-protocols.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open All Ports Protocols + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open All Ports Protocols | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if security list has all ports or protocols open to the public | +| **More Info** | Security lists should be created on a per-service basis and avoid allowing all ports or protocols. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Modify the security list to specify a specific port and protocol to allow. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-autonomous-data-warehouse.md b/en/oracle/networking/open-autonomous-data-warehouse.md new file mode 100644 index 000000000..4ed989444 --- /dev/null +++ b/en/oracle/networking/open-autonomous-data-warehouse.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open Autonomous Data Warehouse + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Autonomous Data Warehouse | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 1522 for Autonomous Data Warehouse is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Autonomous Data Warehouse should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 1522 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-cifs.md b/en/oracle/networking/open-cifs.md new file mode 100644 index 000000000..20dc4abc0 --- /dev/null +++ b/en/oracle/networking/open-cifs.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open CIFS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open CIFS | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if UDP port 445 for CIFS is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as CIFS should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict UDP port 445 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-dns.md b/en/oracle/networking/open-dns.md new file mode 100644 index 000000000..8894365d9 --- /dev/null 
+++ b/en/oracle/networking/open-dns.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open DNS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open DNS | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP or UDP port 53 for DNS is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as DNS should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP and UDP port 53 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-ftp.md b/en/oracle/networking/open-ftp.md new file mode 100644 index 000000000..08cd126e8 --- /dev/null +++ b/en/oracle/networking/open-ftp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open FTP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open FTP | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 20 or 21 for FTP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as FTP should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 20 or 21 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-hadoop-hdfs-namenode-metadata-service.md b/en/oracle/networking/open-hadoop-hdfs-namenode-metadata-service.md new file mode 100644 index 000000000..98b2e5415 
--- /dev/null +++ b/en/oracle/networking/open-hadoop-hdfs-namenode-metadata-service.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open Hadoop HDFS NameNode Metadata Service + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Hadoop HDFS NameNode Metadata Service | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public. | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-hadoop-hdfs-namenode-webui.md b/en/oracle/networking/open-hadoop-hdfs-namenode-webui.md new file mode 100644 index 000000000..f41cdff71 --- /dev/null +++ b/en/oracle/networking/open-hadoop-hdfs-namenode-webui.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open Hadoop HDFS NameNode WebUI + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Hadoop HDFS NameNode WebUI | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-kibana.md b/en/oracle/networking/open-kibana.md new file mode 100644 index 000000000..0274b12d5 --- /dev/null +++ b/en/oracle/networking/open-kibana.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open Kibana + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Kibana | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 5601 for Kibana is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Kibana should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 5601 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-mysql.md b/en/oracle/networking/open-mysql.md new file mode 100644 index 000000000..30df6c84f --- /dev/null +++ b/en/oracle/networking/open-mysql.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open MySQL + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open MySQL | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 4333 or 3306 for MySQL is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MySQL should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP ports 4333 and 3306 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-netbios.md b/en/oracle/networking/open-netbios.md new file mode 100644 index 000000000..4202efc12 --- /dev/null +++ b/en/oracle/networking/open-netbios.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open NetBIOS + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open NetBIOS | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if UDP port 137 or 138 for NetBIOS is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as NetBIOS should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict UDP ports 137 and 138 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-oracle.md b/en/oracle/networking/open-oracle.md new file mode 100644 index 000000000..be17bb44c --- /dev/null +++ b/en/oracle/networking/open-oracle.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open Oracle + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Oracle | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 1521 for Oracle is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Oracle should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP ports 1521 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-postgresql.md b/en/oracle/networking/open-postgresql.md new file mode 100644 index 000000000..3b16376ab --- /dev/null +++ b/en/oracle/networking/open-postgresql.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open PostgreSQL + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open PostgreSQL | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 5432 for PostgreSQL is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as PostgreSQL should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 5432 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-rdp.md b/en/oracle/networking/open-rdp.md new file mode 100644 index 000000000..5044b7cec --- /dev/null +++ b/en/oracle/networking/open-rdp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open RDP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open RDP | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 3389 for RDP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RDP should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 3389 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-rpc.md b/en/oracle/networking/open-rpc.md new file mode 100644 index 000000000..da7d2fe87 --- /dev/null +++ b/en/oracle/networking/open-rpc.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open RPC + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open RPC | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 135 for RPC is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as RPC should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 135 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-smbotcp.md b/en/oracle/networking/open-smbotcp.md new file mode 100644 index 000000000..d52ce049f --- /dev/null +++ b/en/oracle/networking/open-smbotcp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open SMBoTCP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SMBoTCP | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 445 for Windows SMB over TCP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMB should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 445 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-smtp.md b/en/oracle/networking/open-smtp.md new file mode 100644 index 000000000..5a71e0898 --- /dev/null +++ b/en/oracle/networking/open-smtp.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open SMTP + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SMTP | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 25 for SMTP is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SMTP should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 25 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-sqlserver.md b/en/oracle/networking/open-sqlserver.md new file mode 100644 index 000000000..6754bb952 --- /dev/null +++ b/en/oracle/networking/open-sqlserver.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open SQLServer + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SQLServer | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 1433 or UDP port 1434 for SQL Server is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SQL server should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 1433 and UDP port 1434 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-ssh.md b/en/oracle/networking/open-ssh.md new file mode 100644 index 000000000..e68af1278 --- /dev/null +++ b/en/oracle/networking/open-ssh.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open SSH + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open SSH | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 22 for SSH is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as SSH should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 22 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-telnet.md b/en/oracle/networking/open-telnet.md new file mode 100644 index 000000000..9b5e0568d --- /dev/null +++ b/en/oracle/networking/open-telnet.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open Telnet + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Telnet | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 23 for Telnet is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Telnet should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 23 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/open-vnc-client.md b/en/oracle/networking/open-vnc-client.md new file mode 100644 index 000000000..a2448e28b --- /dev/null +++ b/en/oracle/networking/open-vnc-client.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open VNC Client + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open VNC Client | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 5500 for VNC Client is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Client should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 5500 to known IP addresses | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/open-vnc-server.md b/en/oracle/networking/open-vnc-server.md new file mode 100644 index 000000000..66c75b39a --- /dev/null +++ b/en/oracle/networking/open-vnc-server.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Open VNC Server + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open VNC Server | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if TCP port 5900 for VNC Server is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securitylists.htm | +| **Recommended Action** | Restrict TCP port 5900 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/stateless-security-rules.md b/en/oracle/networking/stateless-security-rules.md new file mode 100644 index 000000000..accdc4479 --- /dev/null +++ b/en/oracle/networking/stateless-security-rules.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Stateless Security Rules + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Stateless Security Rules | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Ensure all security rules are stateless. | +| **More Info** | Stateless security rules are one-way-rules that help mitigate DDoS attacks as well as speeding up network traffic. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/securityrules.htm | +| **Recommended Action** | Update all Security Rules to be stateless. | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/networking/subnet-multi-ad.md b/en/oracle/networking/subnet-multi-ad.md new file mode 100644 index 000000000..bba0ec5b0 --- /dev/null +++ b/en/oracle/networking/subnet-multi-ad.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / Subnet Multi AD + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Subnet Multi AD | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Detects Subnets that are not Regional | +| **More Info** | Creating a Regional Subnet ensures a highly available system. Regional Subnets span across multiple Availability Domains increasing the availability and durability of the resources launched within it. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVCNs.htm | +| **Recommended Action** | when creating a new Subnet, Under Subnet Type, Ensure that Regional is selected. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/vcn-multiple-subnets.md b/en/oracle/networking/vcn-multiple-subnets.md new file mode 100644 index 000000000..bc3eda05f --- /dev/null +++ b/en/oracle/networking/vcn-multiple-subnets.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / VCN Multiple Subnets + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | VCN Multiple Subnets | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Ensures that VCNs have multiple networks to provide a layered architecture | +| **More Info** | A single network within a VCN increases the risk of a broader blast radius in the event of a compromise. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVCNs.htm | +| **Recommended Action** | Create multiple networks/subnets in each VCN and change the architecture to take advantage of public and private tiers. | + +## Detailed Remediation Steps + diff --git a/en/oracle/networking/waf-public-ip-enabled.md b/en/oracle/networking/waf-public-ip-enabled.md new file mode 100644 index 000000000..98af71943 --- /dev/null +++ b/en/oracle/networking/waf-public-ip-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Networking / WAF Public IP Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | WAF Public IP Enabled | +| **Cloud** | ORACLE | +| **Category** | Networking | +| **Description** | Determine if Public IPs have WAF enabled | +| **More Info** | Every Public IP address should have a firewall enabled to control access to the endpoints. Enabling a Web Application Firewall follows security best practices and helps prevent malicious attempts to access the network. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/WAF/Concepts/gettingstarted.htm | +| **Recommended Action** | 1. Enter the WAF Policies service under Security. 2. Create a new WAF Policy with the unprotected public IP address. | + +## Detailed Remediation Steps + 
diff --git a/en/oracle/objectstore/bucket-public-access-type.md b/en/oracle/objectstore/bucket-public-access-type.md new file mode 100644 index 000000000..58d9a5930 --- /dev/null +++ b/en/oracle/objectstore/bucket-public-access-type.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Object Store / Bucket Public Access Type + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Bucket Public Access Type | +| **Cloud** | ORACLE | +| **Category** | Object Store | +| **Description** | Ensures Object Store buckets do not allow global write, delete, or read permissions | +| **More Info** | Object Store buckets can be configured to allow anyone, regardless of whether they are an Oracle Cloud user or not, to write objects to a bucket or delete objects. This option should not be configured unless there is a strong business requirement. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/managingbuckets.htm | +| **Recommended Action** | Disable global all users policies on all Object Store buckets and ensure the bucket is configured with the least privileges. | + +## Detailed Remediation Steps + diff --git a/en/oracle/objectstore/object-store-policy-protection.md b/en/oracle/objectstore/object-store-policy-protection.md new file mode 100644 index 000000000..72a82da51 --- /dev/null +++ b/en/oracle/objectstore/object-store-policy-protection.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Object Store / Object Store Policy Protection + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Object Store Policy Protection | +| **Cloud** | ORACLE | +| **Category** | Object Store | +| **Description** | Ensure Policy statements have deletion protection for Object Store Services unless it is an administrator group. | +| **More Info** | Adding deletion protection to Oracle Object Store policies mitigates unintended deletion of Object Store Services by unauthorized users or groups. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Security/Reference/dbaas_security.htm | +| **Recommended Action** | When writing policies, avoid blanket statements, and add a where statement with the line request.permission != {OBJECT_DELETE, BUCKET_DELETE} . | + +## Detailed Remediation Steps + diff --git a/en/oracle/objectstore/pre-authenticated-requests-access.md b/en/oracle/objectstore/pre-authenticated-requests-access.md new file mode 100644 index 000000000..fbb895bd6 --- /dev/null +++ b/en/oracle/objectstore/pre-authenticated-requests-access.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Object Store / Pre-Authenticated Requests Access + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Pre-Authenticated Requests Access | +| **Cloud** | ORACLE | +| **Category** | Object Store | +| **Description** | Ensure that Pre-Authenticated Requests have least privilege access. | +| **More Info** | PreAuthenticated requests allow for users who are not in the tenancy to access buckets, ensuring least access prevents malicious entities from leveraging this type of access to edit or delete objects in a bucket. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm | +| **Recommended Action** | When creating Pre-Authenticated Requests, ensure only ObjectRead permissions are selected. | + +## Detailed Remediation Steps + diff --git a/en/oracle/objectstore/pre-authenticated-requests-expiry.md b/en/oracle/objectstore/pre-authenticated-requests-expiry.md new file mode 100644 index 000000000..65c6e3209 --- /dev/null +++ b/en/oracle/objectstore/pre-authenticated-requests-expiry.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# ORACLE / Object Store / Pre-Authenticated Requests Expiry + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Pre-Authenticated Requests Expiry | +| **Cloud** | ORACLE | +| **Category** | Object Store | +| **Description** | Ensure that Pre-Authenticated Requests expire within a certain time. | +| **More Info** | Pre-Authenticated requests allow for users who are not in the tenancy to access buckets, having a short expiration time-frame ensures that access does not last longer than intended. | +| **ORACLE Link** | https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/usingPre-Authenticatedrequests.htm | +| **Recommended Action** | When creating Pre-Authenticated Requests, ensure the expiration date-time is limited to the minimum time possible. | + +## Detailed Remediation Steps +
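Review bot: In subnet-multi-ad.md the Recommended Action ("when creating a new Subnet, Under Subnet Type, Ensure that Regional is selected.") only covers subnets that have not been created yet, while the check flags existing AD-specific subnets; the guide should say what to do with a flagged subnet (if the type cannot be changed in place, spell out the recreate-as-regional-and-migrate path). The sentence also needs normal capitalization. Separately, the "Detailed Remediation Steps" heading is empty here and in every other file in this patch; either fill it with the console steps or leave the heading out until there is content under it.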
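Review bot: In vcn-multiple-subnets.md, adding subnets does not by itself give the blast-radius reduction the More Info text promises; the "public and private tiers" in the Recommended Action only exist when the private subnet's route table has no route to an internet gateway and its security lists or NSGs restrict traffic from the public tier. Suggest stating that, and using "subnets" consistently instead of "networks" / "networks/subnets" in the Description, More Info and Recommended Action.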
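Review bot: In waf-public-ip-enabled.md the More Info text conflates a WAF with a network firewall ("Every Public IP address should have a firewall enabled ... prevent malicious attempts to access the network"). A WAF policy filters HTTP(S) traffic to a web origin, so a public IP that fronts SSH, a database, or any non-HTTP service cannot be remediated by "Create a new WAF Policy with the unprotected public IP address". Either scope the check to public IPs that serve web endpoints, or say that security lists/NSGs are the control for the rest. The two numbered steps in Recommended Action also run together on one line and belong as a list under the (currently empty) Detailed Remediation Steps.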
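Review bot: In bucket-public-access-type.md the Description ("global write, delete, or read") and More Info ("write objects to a bucket or delete objects") disagree, and the Recommended Action ("Disable global all users policies") uses S3 ACL wording rather than the OCI setting the plugin title refers to. Name the bucket's public access type directly: set Visibility to Private (public access type NoPublicAccess) instead of ObjectRead or ObjectReadWithoutList. Since those public values grant read only, the write/delete sentence in More Info is misleading for this check and fits the pre-authenticated-requests pages instead.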
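Review bot: In object-store-policy-protection.md the condition in the Recommended Action, `request.permission != {OBJECT_DELETE, BUCKET_DELETE}`, is not a form the policy language evaluates as written; a set on the right of `!=` is ambiguous. Write it as two conjoined inequalities, e.g. `where all {request.permission != 'OBJECT_DELETE', request.permission != 'BUCKET_DELETE'}` (with `all`, not `any`; `any` would be satisfied by every permission and protect nothing). The ORACLE Link also points at dbaas_security.htm, the Database security reference, which does not cover Object Storage policies; link the IAM policy reference or the Object Storage policy page instead.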
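Review bot: In pre-authenticated-requests-access.md the Recommended Action ("ensure only ObjectRead permissions are selected") contradicts the least-privilege framing of the Description: a PAR created for an upload workflow needs write access and would be flagged with no valid remediation. Suggest "grant only the access type the use case needs, and prefer a PAR scoped to a single object over a bucket-wide one". Also "PreAuthenticated" in More Info should match "Pre-Authenticated" elsewhere, and that sentence is a comma splice; split it before "ensuring least access".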
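Review bot: In pre-authenticated-requests-expiry.md the ORACLE Link `usingPre-Authenticatedrequests.htm` looks like a search-and-replace casualty; the previous file links `usingpreauthenticatedrequests.htm` for the same topic and the two should match. The Description "expire within a certain time" should also state the threshold the plugin applies (and whether it is a setting), otherwise the reader cannot tell what "the minimum time possible" in the Recommended Action is measured against.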