Author: zigmax

Azure Disk | Data Exfiltration

Hi!

In this article, I will show you how a malicious actor can leverage the Azure Managed Disk Import / Export feature to exfiltrate data outside of your organization. By default, all Azure managed disks are created with the public endpoint enabled.

You can generate a time-bound Shared Access Signature (SAS) URI for unattached managed disks and snapshots, either to export the data to another region (regional expansion, disaster recovery) or to read the data for forensic analysis. When you generate the URI, you must define an expiration time (maximum 4294967295 seconds). Until that time is reached, anyone who knows the SAS URI can download the disk, with no IP filtering at all.

To prevent this security issue, I recommend that you:

  • Enable a private endpoint (through a disk access resource), or
  • Configure the connectivity method as « Deny all »

If you want to know which managed disks are configured with the connectivity method « Public endpoint », you can use an Azure Policy in audit mode:

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/disks"
        },
        {
          "field": "Microsoft.Compute/disks/networkAccessPolicy",
          "equals": "AllowAll"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }
}

And if you want to block this configuration instead of only reporting it, switch the effect of this policy from « audit » to « Deny ».
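The same check can be run outside Azure Policy, for example over the output of `az disk list -o json`. The script below is an added example (not part of the original article): it flags every disk whose public endpoint is still reachable and prints the Azure CLI command that closes it. The disk names, resource groups and JSON sample are constructed for the example, and a disk with no `networkAccessPolicy` property at all is treated conservatively as public (an assumption of this example, not something the audit policy above does).

```python
import json
from typing import Dict, List

# Constructed sample of `az disk list -o json` output, trimmed to the fields
# this audit needs. Names and resource groups are invented for the example.
SAMPLE_AZ_DISK_LIST = json.dumps([
    {"name": "vm01-osdisk", "resourceGroup": "rg-prod",
     "networkAccessPolicy": "AllowAll", "diskState": "Attached"},
    {"name": "backup-snap-src", "resourceGroup": "rg-prod",
     "networkAccessPolicy": "AllowAll", "diskState": "Unattached"},
    {"name": "db-data", "resourceGroup": "rg-data",
     "networkAccessPolicy": "AllowPrivate", "diskState": "Attached"},
    {"name": "legacy-disk", "resourceGroup": "rg-old"},  # property absent
    {"name": "locked-disk", "resourceGroup": "rg-data",
     "networkAccessPolicy": "DenyAll", "diskState": "Unattached"},
])

# Only these two values close the public export endpoint.
COMPLIANT_POLICIES = {"AllowPrivate", "DenyAll"}


def remediation_command(disk: Dict[str, str]) -> str:
    """Azure CLI command that switches the disk to the « Deny all » method."""
    return (f"az disk update --name {disk['name']} "
            f"--resource-group {disk['resourceGroup']} "
            f"--network-access-policy DenyAll")


def audit_disks(az_disk_list_json: str) -> List[Dict[str, str]]:
    """Return one finding per disk whose export endpoint is publicly reachable.

    A disk is flagged when networkAccessPolicy is AllowAll or absent (assumption:
    absent is treated as public). Unattached disks come first, because those
    are the ones for which a SAS export URI can be generated.
    """
    findings = []
    for disk in json.loads(az_disk_list_json):
        policy = disk.get("networkAccessPolicy")
        if policy in COMPLIANT_POLICIES:
            continue
        findings.append({
            "disk": disk["name"],
            "resourceGroup": disk["resourceGroup"],
            "networkAccessPolicy": policy or "<not set>",
            "diskState": disk.get("diskState", "unknown"),
            "remediation": remediation_command(disk),
        })
    findings.sort(key=lambda f: f["diskState"] != "Unattached")
    return findings


if __name__ == "__main__":
    for f in audit_disks(SAMPLE_AZ_DISK_LIST):
        print(f"{f['resourceGroup']}/{f['disk']}: {f['networkAccessPolicy']} "
              f"({f['diskState']}) -> {f['remediation']}")
```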

Maxime.

Add Custom Policy to Azure Security Center Recommendation

Hi!

In this article, I will show you how to add a custom policy to the Azure Security Center Recommendations.

These recommendations are based on industry best practices, which are incorporated into the generic, default security policy supplied to all customers. They can also come from Security Center’s knowledge of industry and regulatory standards.

With this feature, you can add your own custom initiatives. You’ll then receive recommendations if your environment doesn’t follow the policies you create.

In the Azure Security Center Portal, please select « Regulatory compliance » under « Cloud Security ».

Select « Manage compliance policies ».

Select « Add a custom initiative ».

Select « Create New ».

Please define:

  • Initiative location
  • Demo (Name of your custom initiative, for example XYZ Security Controls)
  • Category > Create new > Demo (Your category name could be storage, network, …)
  • Version 1

Select « Add policy definition(s) ».

Select your policies, in this example « Storage accounts should have infrastructure encryption ».

Select « Create Control ».

Define a new control, in this example « Storage », with the domain « Storage security ».

Now that the custom initiative is created, click « Add ».

Wait about 1 hour before the custom initiative appears in the Azure Security Center Recommendations section.

After 1 hour, we can see our custom initiative in the Azure Security Center Recommendations section.

It’s also possible to use Azure Resource Graph to query the assessments produced by these custom policies:

securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = tostring(properties.resourceDetails.Id)
| extend resourceName = tostring(split(resourceId, "/")[8])
| extend resourceGroup = tostring(split(resourceId, "/")[4])
| extend status = tostring(properties.status.code)
| extend recommendationName = tostring(properties.displayName)
| project subscriptionId,
          recommendationName,
          resourceName,
          resourceGroup,
          status,
          resourceId

Maxime.

AKS Security Audit Toolbox

Hi!

In this article, I would like to share with you a list of security tools to audit the security of your AKS clusters.

Kubestriker performs numerous in-depth checks on Kubernetes infrastructure to identify the security misconfigurations and challenges that DevOps engineers/developers are likely to encounter when using Kubernetes, especially in production and at scale. https://github.com/vchinnipilli/kubestriker

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. https://github.com/aquasecurity/kube-hunter

Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various security concerns, such as: run as non-root; use a read-only root filesystem; don’t run privileged; and more! https://github.com/Shopify/kubeaudit

Kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark. https://github.com/aquasecurity/kube-bench

Kubiscan is a tool for scanning a Kubernetes cluster for risky permissions in Kubernetes’s Role-based access control (RBAC) authorization model. https://github.com/cyberark/KubiScan

Kube-Scan gives a risk score, from 0 (no risk) to 10 (high risk) for each workload. The risk is based on the runtime configuration of each workload (currently 20+ settings). The exact rules and scoring formula are part of the open-source framework KCCSS, the Kubernetes Common Configuration Scoring System. https://github.com/octarinesec/kube-scan

Rback – A simple « RBAC in Kubernetes » visualizer. No matter how complex the setup, rback queries all RBAC-related information of a Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in dot format. https://github.com/mhausenblas/rback

ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles. https://github.com/cyberark/kubernetes-rbac-audit

Peirates, a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster. https://github.com/inguardians/peirates

Kubetap is a kubectl plugin that enables an operator to easily deploy intercepting proxies for Kubernetes Services. https://github.com/soluble-ai/kubetap

kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc). https://github.com/sysdiglabs/kube-psp-advisor

Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes applications. https://github.com/kinvolk/inspektor-gadget

Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them. Krane dashboard presents current RBAC security posture and lets you navigate through its definition. https://github.com/appvia/krane

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security. https://github.com/stackrox/kube-linter

Kubeletctl is a command line tool that implements the kubelet’s API. https://github.com/cyberark/kubeletctl

MKIT is a Managed Kubernetes Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and of the workloads/resources running inside the cluster. https://github.com/darkbitio/mkit

Conmachi is a tool written in Golang intended to be used to collect information about a container environment and list potential security issues. It can be statically compiled so that it can be dropped into a container environment and run without any dependencies. https://github.com/nccgroup/ConMachi

Ktunnel is a CLI tool that establishes a reverse tunnel between a Kubernetes cluster and your local machine. It lets you expose your machine as a service in the cluster or expose it to a specific deployment. You can also use the client and server without the orchestration part. Although ktunnel is associated with Kubernetes, it can also be used as a reverse tunnel on any other remote system. https://github.com/omrikiei/ktunnel

Dostainer – Kubernetes Resource Exhaustion PoC Container. https://github.com/uchi-mata/dostainer

Kubei is a vulnerability scanning and CIS Docker Benchmark tool that allows users to get an accurate and immediate risk assessment of their Kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods. It doesn’t scan entire image registries and doesn’t require prior integration with CI/CD pipelines. https://github.com/Portshift/Kubei

Kubernetes Cluster dumps – Full cluster export into JSON files using both native and specialized exports. https://github.com/alexivkin/kubepwn/blob/master/Tools/kubernetes-cluster-dump.sh

Maxime.