What's Changed
- Some strongly typed objects were created to store internal data
- A number of collectors for Azure were completely rewritten to add runspace support
The following rules from Microsoft 365 were automated:
SharePoint Online
7.2.1 Ensure modern authentication for SharePoint applications is required
7.2.2 Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
7.2.3 Ensure external content sharing is restricted
7.2.4 Ensure OneDrive content sharing is restricted
7.2.5 Ensure that SharePoint guest users cannot share items they don't own
7.2.6 Ensure SharePoint external sharing is managed through domain whitelist/blacklists
7.2.7 Ensure link sharing is restricted in SharePoint and OneDrive
7.2.8 Ensure external sharing is restricted by security group
7.2.9 Ensure guest access to a site or OneDrive will expire automatically
7.2.10 Ensure reauthentication with verification code is restricted
7.3.1 Ensure Office 365 SharePoint infected files are disallowed for download
7.3.2 Ensure OneDrive sync is restricted for unmanaged devices
7.3.4 Ensure custom script execution is restricted on site collections
Microsoft Teams
8.1.1 Ensure external file sharing in Teams is enabled for only approved cloud storage services
8.1.2 Ensure users can't send emails to a channel email address
8.2.1 Ensure 'external access' is restricted in the Teams admin center
8.4.1 Ensure app permission policies are configured
8.5.1 Ensure anonymous users can't join a meeting
8.5.2 Ensure anonymous users and dial-in callers can't start a meeting
8.5.3 Ensure only people in my org can bypass the lobby
8.5.4 Ensure users dialing in can't bypass the lobby
8.5.5 Ensure meeting chat does not allow anonymous users
8.5.6 Ensure only organizers and co-organizers can present
8.5.7 Ensure external participants can't give or request control
The following rules from Azure were automated:
Azure Key Vault
3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.
3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
3.3.5 Ensure the Key Vault is Recoverable
3.3.6 Enable Role Based Access Control for Azure Key Vault
3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Storage Accounts
4.1 Ensure that 'Secure transfer required' is set to 'Enabled'
4.2 Ensure that 'Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to 'enabled'
4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
4.9 Ensure Private Endpoints are used to access Storage Accounts
4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
4.16 Ensure 'Cross Tenant Replication' is not enabled
4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
Azure SQL Database
5.1.1 Ensure that 'Auditing' is set to 'On' (Automated)
5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated)
5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
5.1.7 Ensure Public Network Access is Disabled
Azure Database for PostgreSQL
5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
5.2.6 [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
5.2.7 [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
5.2.8 [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
Monitoring
6.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
Virtual Machines
8.2 Ensure Virtual Machines are utilizing Managed Disks
8.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
8.6 Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
8.9 [Legacy] Ensure that VHDs are Encrypted
8.11 Ensure Trusted Launch is enabled on Virtual Machines
App Service
9.1 Ensure 'HTTPS Only' is set to On
9.2 Ensure App Service Authentication is set up for apps in Azure App Service
9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
9.4 Ensure Web App is using the latest version of TLS encryption
9.5 Ensure that Register with Entra ID is enabled on App Service
9.6 Ensure that 'Basic Authentication' is 'Disabled'
9.7 Ensure that 'PHP version' is currently supported (if in use)
9.8 Ensure that 'Python version' is currently supported (if in use)
9.9 Ensure that 'Java version' is currently supported (if in use)
9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use)
9.12 Ensure that 'Remote debugging' is set to 'Off'
Upcoming breaking changes
- Update to latest CIS Benchmarks #122
- Redesign HTML output #114
- Move all rules and rulesets to its own repo #133
Full Changelog: v0.93-beta...v0.94.5-beta