Azure & Mondoo - Overview

This page details all of the ways you can use Mondoo to assess security configurations and risk for your infrastructure running in Microsoft Azure.

Gather vulnerability information during build-time

• Risk assessment for Azure Container Registry
• Build AMIs with Packer

Gather vulnerability information during run-time

• Scan Azure subscription from your workstation
• Install Mondoo Client via Cloud-Init
• Terraform deployment
• Verify instances managed by Chef/AWS OpsWorks
• Verify instances managed by Ansible

Preparation

Sign in

The Mondoo CLI leverages the configuration from Azure CLI. Install the Azure CLI and log in to your subscription.

• Sign in with user credentials
• Sign in using a service principal

Sign in with user credentials

Command Line

az login

az login

Sign in using a service principal

Test the new service principal's credentials and permissions by signing in. To sign in with a service principal, you need the appId, tenant, and credentials.

To sign in with a service principal using a password:

az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID

To sign in with a certificate, it must be available locally as a PEM or DER file, in ASCII format. When using a PEM file, the PRIVATE KEY and CERTIFICATE must be appended together within the file.

Azure CLI

az login --service-principal --username APP_ID --tenant TENANT_ID --password /path/to/cert

Install Mondoo Client

Follow our instructions to install the Mondoo Client on your workstation.

Scan Azure subscription

1. Activate the CIS Microsoft Azure Foundations Benchmark Level 1 Profile

2. Open your terminal and run

Command Line

mondoo scan azure --subscription {subscriptionid}

3. See the results

Scan Azure subscriptions including virtual machines (VMs)

You need your subscription id and the resource group. Run az account list and az vm list to determine those values:

Command Line

az account list

Name                  CloudName    SubscriptionId                        State    IsDefault
--------------------  -----------  ------------------------------------  -------  -----------
Azure subscription 1  AzureCloud   10192451-09aa-4782-1016-1cdfede1026b  Enabled  True

Command Line

az vm list

Name     ResourceGroup    Location    Zones
-------  ---------------  ----------  -------
centos   DEMO             westus
ubuntu   DEMO             westus
win2019  DEMO             westus

note

Mondoo Client leverages ~/.ssh/config to determine the users for each detected public IP. Instead of using the same ssh username for all instances, you can also configure the SSH config and configure the username for each instance with their username:

Host 123.123.123.123
  User chris

Host www.lunalectric.com
  IdentityFile /your/path/key_name

If you require a specific list of instances with more detailed configuration, consider the use of an Ansible inventory

note

Mondoo supports scanning Windows instances configured to run SSH. In combination with auto-discovery, we rely on SSH Agent and SSH config. Neither method supports password authentication. To increase security, we recommend using public-key authentication for Windows machines that use SSH. Instances can also be scanned ad-hoc using `mondoo scan ssh username@123.123.123.123 --password 'my_password'.

1. Create an inventory

Mondoo has the ability to define a list of assets including the used discovery mechanism.

inventory.yml

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  credential_query: "return { user: 'azureuser', type: 'ssh_agent' }"
  assets:
    - name: azure
      connections:
        - backend: az
          insecure: true # to allow missing host-keys
          discover:
            targets:
              - all
          options:
            subscriptionID: 56843d4a-b742-4917-abb6-7e7c9900d640

• credential_query defines the way credentials are retrieved per discovered asset
• discover defines if mondoo should look for assets within this cloud account
• options.project defines the Azure project to scan

2. Scan the inventory

$ mondoo scan --inventory-file inventory.yml

Scanning multiple Azure subscriptions

To scan multiple subscriptions, create an inventory file and add all the subscriptions as assets:

1. Create an inventory

inventory.yml

apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - name: Azure Subscription 1
      connections:
        - backend: az
          options:
            subscriptionID: 10192451-09aa-4782-1016-1cdfede1026b
      annotations:
        - stage: Dev
    - name: Azure Subscription 2
      connections:
        - backend: az
          options:
            subscriptionID: 90192451-09aa-4782-1016-1cdfede1026a
      annotations:
        - stage: Prod

2. Scan the inventory

You can trigger the scan for multiple subscriptions via:

$ mondoo scan --inventory-file inventory.yml