update checks for Azure Compute and Database

Author: silverhack

rules/findings/azure/appservices/azure-app-authentication-disabled.json

@@ -0,0 +1,168 @@
+{
+    "args": [],
+    "provider": "Azure",
+    "serviceType": "App Service",
+    "serviceName": "Hosted Services",
+    "displayName": "Ensure authentication is set to 'Enabled' for _ARG_0_",
+    "description": "App Service authentication can prevent anonymous HTTP requests from reaching an app, or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a login page. To handle the login process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.",
+    "rationale": "By enabling authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Entra ID, Facebook, Google, Microsoft Account, and Twitter), validation, storage and refreshing of tokens, managing the authenticated sessions, and injecting identity information into request headers.",
+    "impact": "This is only required for apps that require authentication. Enabling it on a site like a marketing or support website will prevent unauthenticated access, which would be undesirable.<br/><br/>Adding an authentication requirement will increase costs and require additional security components to facilitate the authentication.",
+    "remediation": {
+        "text": "
+			#### Remediate from Azure Portal
+			1. Go to App Services.
+			2. Click the name of an app.
+			3. Under Settings, click Authentication. 
+			4. If an identity provider is not configured: 
+				1. Click Add identity provider. 
+				2. Provide appropriate configuration for an identity provider and click Add. 
+			5. If App Service authentication is set to Disabled: 
+				1. Click Enable authentication. 
+			6. Repeat steps 1-5 for each app requiring remediation.
+		",
+        "code": {
+            "powerShell": null,
+            "iac": null,
+            "terraform": null,
+            "other": null
+        }
+    },
+    "recommendation": null,
+    "references": [
+        "https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization",
+        "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor",
+        "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-privileged-access#pa-3-manage-lifecycle-of-identities-and-entitlements",
+        "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-6-define-and-implement-identity-and-privileged-access-strategy"
+    ],
+    "compliance": [
+        {
+            "name": "CIS Microsoft Azure Foundations",
+            "version": "2.0.0",
+            "reference": "2.1.12",
+            "profile": [
+                "Level 2"
+            ]
+        }
+    ],
+    "level": "low",
+    "tags": [],
+    "rule": {
+        "path": "az_app_services",
+        "subPath": null,
+        "selectCondition": [
+			{
+                "filter": [
+                    {
+                        "include": "_ARG_1_"
+                    }
+                ]
+            }
+		],
+        "query": [
+			{
+				"filter": [
+                    {
+                        "conditions": [
+							[
+								"eq",
+								"authSettingsV2"
+                            ],
+							[
+                                "authSettingsV2.properties.platform.enabled",
+								"eq",
+								"False"
+                            ]
+                        ],
+						"operator":"or"
+                    }
+                ]
+            },
+			{
+				"connectOperator":"and",
+				"filter": [
+                    {
+                        "conditions": [
+							[
+								"eq",
+								"authSettings"
+                            ],
+							[
+                                "authSettings.properties.enabled",
+								"eq",
+								"False"
+                            ]
+                        ],
+						"operator":"or"
+                    }
+                ]
+            }
+        ],
+        "shouldExist": null,
+        "returnObject": null,
+        "removeIfNotExists": null
+    },
+    "output": {
+        "html": {
+            "data": {
+                "properties": {
+                    "name": "Name",
+                    "location": "location",
+                    "resourceGroupName": "Resource Group Name",
+					"authSettings":"Auth Settings",
+					"authSettingsV2":"Auth Settings V2"
+                },
+                "expandObject": null
+            },
+            "table": "default",
+            "decorate": [],
+            "emphasis": [],
+            "actions": {
+                "objectData": {
+                    "properties": [
+						"name",
+						"location",
+						"resourceGroupName",
+						"authSettings",
+						"authSettingsV2"
+					],
+                    "expandObject": null,
+                    "limit": null
+                },
+                "showGoToButton": "True",
+                "showModalButton": "True",
+                "directLink": null
+            }
+        },
+        "text": {
+            "data": {
+                "properties": {
+                    "name": "Name",
+                    "location": "location",
+                    "resourceGroupName": "Resource Group Name",
+					"authSettings":"Auth Settings",
+					"authSettingsV2":"Auth Settings V2"
+                },
+                "expandObject": null
+            },
+            "status": {
+                "keyName": ["name"],
+                "message": "Ensure 'App Service authentication' is set to 'Enabled' for {name}",
+                "defaultMessage": "Ensure authentication is set to 'Enabled' for _ARG_0_"
+            },
+            "properties": {
+                "resourceName": "name",
+                "resourceId": "id",
+                "resourceType": "type"
+            },
+            "onlyStatus": false
+        }
+    },
+    "idSuffix": "azure_app_service_authentication_disabled__ARG_2_",
+    "notes": [],
+    "categories": [],
+    "immutable_properties": [
+		"name",
+		"id"
+	],
+    "id": "azure_app_service__ARG_3_"
+}

rules/findings/azure/appservices/azure-app-service-all-traffic-not-routed-through-vnet.json

@@ -0,0 +1,138 @@
+{
+    "args": [],
+    "provider": "Azure",
+    "serviceType": "_ARG_0_",
+    "serviceName": "Hosted Services",
+    "displayName": "Ensure all traffic is routed through the virtual network",
+    "description": "Enable vnetRouteAllEnabled to ensure all outbound traffic is routed through the integrated virtual network.<br/><br/>This recommendation should be applied after integrating an App Service app with a virtual network.",
+    "rationale": "Routing all outbound traffic through the virtual network enhances security.",
+    "impact": "Additional configuration may be required to ensure that traffic is routed properly.",
+    "remediation": {
+        "text": "
+			#### Remediate from Azure Portal
+			1. Go to App Services.
+			2. Click the name of an app.
+			3. Under Settings, click Networking.
+			4. Under Outbound traffic configuration, next to Virtual network integration, click the virtual network and subnet name.
+			5. Under Application routing, check the box next to Outbound internet traffic.
+			6. Click Apply. 
+			7. Repeat steps 1-6 for each app requiring remediation.
+		",
+        "code": {
+            "powerShell": null,
+            "iac": null,
+            "terraform": null,
+            "other": null
+        }
+    },
+    "recommendation": null,
+    "references": [
+        "https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-routing#configure-application-routing",
+        "https://learn.microsoft.com/en-us/cli/azure/webapp",
+        "https://learn.microsoft.com/en-us/cli/azure/resource"
+    ],
+    "compliance": [
+        {
+            "name": "_ARG_1_",
+            "version": "_ARG_2_",
+            "reference": "_ARG_3_",
+            "profile": [
+                "Level 1"
+            ]
+        }
+    ],
+    "level": "medium",
+    "tags": [],
+    "rule": {
+        "path": "az_app_services",
+        "subPath": null,
+        "selectCondition": {},
+        "query": [
+            {
+                "filter": [
+                    {
+                        "conditions": [
+							[
+                                "properties.vnetRouteAllEnabled",
+								"ne",
+								"True"
+                            ]
+                        ]
+                    }
+                ]
+            },
+			{
+                "connectOperator": "and",
+                "filter": [
+                    {
+                        "include": "_ARG_4_"
+                    }
+                ]
+            }
+        ],
+        "shouldExist": null,
+        "returnObject": null,
+        "removeIfNotExists": null
+    },
+    "output": {
+        "html": {
+            "data": {
+                "properties": {
+                    "name": "Name",
+                    "location": "location",
+                    "resourceGroupName": "Resource Group Name",
+					"properties.vnetRouteAllEnabled":"Route all traffic"
+                },
+                "expandObject": null
+            },
+            "table": "default",
+            "decorate": [],
+            "emphasis": [],
+            "actions": {
+                "objectData": {
+                    "properties": [
+						"name",
+						"location",
+						"resourceGroupName",
+						"properties.vnetRouteAllEnabled"
+					],
+                    "expandObject": null,
+                    "limit": null
+                },
+                "showGoToButton": "True",
+                "showModalButton": "True",
+                "directLink": null
+            }
+        },
+        "text": {
+            "data": {
+                "properties": {
+                    "name": "Name",
+                    "location": "location",
+                    "resourceGroupName": "Resource Group Name",
+					"properties.vnetRouteAllEnabled":"Route all traffic"
+                },
+                "expandObject": null
+            },
+            "status": {
+                "keyName": ["name"],
+                "message": "Ensure all traffic is routed through the virtual network for {name}",
+                "defaultMessage": null
+            },
+            "properties": {
+                "resourceName": "name",
+                "resourceId": "id",
+                "resourceType": "type"
+            },
+            "onlyStatus": false
+        }
+    },
+    "idSuffix": "azure__ARG_0__routing_all_traffic_not_enabled",
+    "notes": [],
+    "categories": [],
+    "immutable_properties": [
+		"name",
+		"id"
+	],
+    "id": "azure_app_service__ARG_5_"
+}