Azure & Mondoo - Overview
This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Microsoft Azure.
Gather vulnerability information during build-time
- Risk assessment for Azure Container Registry
- Build AMIs with Packer
- Test Docker Images in Azure DevOps
Gather vulnerability information during run-time
- Scan Azure subscription from your workstation
- Install Mondoo Client via Cloud-Init
- Terraform deployment
- Verify instances managed by Chef/AWS OpsWorks
- Verify instances managed by Ansible
Preparation
Sign in
The Mondoo CLI leverages the configuration from the Azure CLI. Install the Azure CLI and log in to your subscription.
- Sign in with user credentials
- Sign in using a service principal
Sign in with user credentials
az login
Sign in using a service principal
Test the new service principal's credentials and permissions by signing in. To sign in with a service principal, you need its appId, the tenant, and the credentials (a password or a certificate).
To sign in with a service principal using a password:
az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID
To sign in with a certificate, it must be available locally as a PEM or DER file in ASCII format. When using a PEM file, the PRIVATE KEY and CERTIFICATE must be appended together within the file.
az login --service-principal --username APP_ID --tenant TENANT_ID --password /path/to/cert
Install Mondoo Client
Follow our instructions to install the Mondoo Client on your workstation.
Scan Azure Subscription
1. Activate the CIS Microsoft Azure Foundations Benchmark Level 1 Profile
2. Open your terminal and run
mondoo scan -t az://subscriptions/{subscriptionid}
3. See the results
Scan Azure Subscriptions including Virtual Machines
You need your subscription id and the resource group. Run az account list and az vm list to determine those values:
az account list
Name CloudName SubscriptionId State IsDefault
-------------------- ----------- ------------------------------------ ------- -----------
Azure subscription 1 AzureCloud 10192451-09aa-4782-1016-1cdfede1026b Enabled True
az vm list
Name ResourceGroup Location Zones
------- --------------- ---------- -------
centos DEMO westus
ubuntu DEMO westus
win2019 DEMO westus
note
Mondoo Client leverages ~/.ssh/config to determine the SSH user for each detected public IP. Instead of using the same SSH username for all instances, you can configure the username (and key) per host in your SSH config:
Host 123.123.123.123
User chris
Host yourdomain.com
IdentityFile /your/path/keyname
If you require a specific list of instances with more detailed configuration, consider using an Ansible inventory.
note
Mondoo supports scanning Windows instances configured to run SSH. In combination with auto-discovery, we rely on the SSH agent and SSH config; neither method supports password authentication. To increase security, we recommend using public-key authentication for Windows machines that use SSH. Instances can also be scanned ad hoc using `mondoo scan -t ssh://username@123.123.123.123 --password 'mypassword'`.
1. Create an inventory
A Mondoo inventory defines a list of assets together with the discovery mechanism used for each of them.
apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  credential_query: "return { user: 'azureuser', type: 'ssh_agent' }"
  assets:
    - name: azure
      connections:
        - backend: az
          insecure: true # to allow missing host-keys
          discover:
            targets:
              - all
          options:
            subscriptionID: 56843d4a-b742-4917-abb6-7e7c9900d640
credential_query defines the way credentials are retrieved per discovered asset
discover defines if mondoo should look for assets within this cloud account
options.project defines the Azure project to scan
2. Scan the inventory
$ mondoo scan --inventory inventory.yml
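The two steps above can be scripted: the following added example (not Mondoo's own tooling) turns the JSON output of `az account list` into an inventory in the format shown above, with one `az` asset per enabled subscription. It assumes the `name`, `id` and `state` fields of that JSON output and uses constructed, placeholder subscription ids; `insecure: true` is only emitted when the caller opts in, so host-key checking stays enabled by default.

```python
import json

# Constructed sample of `az account list -o json` output; the ids are placeholders.
AZ_ACCOUNT_LIST_JSON = json.dumps([
    {"name": "Azure subscription 1", "id": "00000000-0000-0000-0000-000000000001",
     "state": "Enabled", "isDefault": True},
    {"name": "Retired sandbox", "id": "00000000-0000-0000-0000-000000000002",
     "state": "Disabled", "isDefault": False},
])


def enabled_subscriptions(az_json):
    """Return [(name, subscription id)] for every subscription reported as Enabled."""
    return [(s["name"], s["id"]) for s in json.loads(az_json) if s.get("state") == "Enabled"]


def render_inventory(subscriptions, ssh_user="azureuser", allow_missing_hostkeys=False):
    """Emit a Mondoo inventory with one `az` asset per subscription.

    `insecure: true` (skip host-key verification) is written only on explicit opt-in.
    """
    lines = [
        "apiVersion: v1",
        "kind: Inventory",
        "metadata:",
        "  name: mondoo-inventory",
        "spec:",
        '  credential_query: "return { user: \'%s\', type: \'ssh_agent\' }"' % ssh_user,
        "  assets:",
    ]
    for name, sub_id in subscriptions:
        # Asset names should be unique; derive them from the subscription name.
        asset = name.lower().replace(" ", "-")
        lines += [f"    - name: {asset}", "      connections:", "        - backend: az"]
        if allow_missing_hostkeys:
            lines.append("          insecure: true # to allow missing host-keys")
        lines += [
            "          discover:",
            "            targets:",
            "              - all",
            "          options:",
            f"            subscriptionID: {sub_id}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the result to inventory.yml and scan it with: mondoo scan --inventory inventory.yml
    print(render_inventory(enabled_subscriptions(AZ_ACCOUNT_LIST_JSON)))
```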