SVT/SVT.ps1
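Set-StrictMode -Version Latest

function Get-AzSKAzureServicesSecurityStatus
{
    <#
    .SYNOPSIS
    This command would help in validating the security controls for the Azure resources meeting the specified input criteria.
    .DESCRIPTION
    This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance.
    Refer https://aka.ms/azsdkossdocs for more information
    .PARAMETER SubscriptionId
    Subscription id for which the security evaluation has to be performed.
    .PARAMETER ResourceGroupNames
    ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER ResourceType
    Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported types.
    .PARAMETER ResourceTypeName
    Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported values.
    .PARAMETER ResourceNames
    Gets a resource with the specified name. Comma separated values are supported. Wildcards/like searches are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER Tag
    The tag filter for Azure resource. The expected format is @{tagName1=$null} or @{tagName = 'tagValue'; tagName2='value1'}.
    .PARAMETER TagName
    The name of the tag to query for Azure resource.
    .PARAMETER TagValue
    The value of the tag to query for Azure resource.
    .PARAMETER ControlIds
    Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.
    Mandatory (and must be non-empty) when bulk attesting or bulk clearing attestations.
    .PARAMETER FilterTags
    Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER ExcludeTags
    Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER AttestControls
    Enables users to attest controls with proper justification
    .PARAMETER BulkClear
    Enables users to clear the previous attestation per controlId basis in bulk mode
    .PARAMETER JustificationText
    Enables users to provide common justification for all the resources failing for a single controlId in the bulk attest mode
    .PARAMETER AttestationStatus
    Enables users to provide the attestation status for the failing control in bulk attest mode
    .PARAMETER DoNotOpenOutputFolder
    Switch to specify whether to open output folder containing all security evaluation report or not.
    .PARAMETER GeneratePDF
    Enables users to generate PDF file for reports.
    .PARAMETER UsePartialCommits
    This switch would partially save the scan status to the AzSDK storage account. On the event of a failure, it tries to recover from the last snapshot. To use this feature, you need to have contributor role on the AzSDK storage account.
    .PARAMETER UseBaselineControls
    This switch would scan only for baseline controls defined at org level
    .PARAMETER GenerateFixScript
    Switch to specify whether to generate script to fix the control or not.
    .NOTES
    This command helps the application team to verify whether their Azure resources are compliant with the security guidance or not.
    Attestation parameters (AttestControls, JustificationText, AttestationStatus, BulkClear) feed an override path
    (AttestationOptions) that changes how failing controls are reported; the exact effect is implemented in
    EvaluateControlStatus, not here. Bulk attestation is therefore restricted to an explicit ControlIds filter plus a justification.
    Errors raised during the scan are published via [EventBase]::PublishGenericException and NOT rethrown, so a failed
    scan returns no output rather than a terminating error; automation must not read "no output" as "no findings".
    .LINK
    https://aka.ms/azsdkossdocs
    #>
    [OutputType([String])]
    Param
    (
        [string]
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestationClear")]
        $ResourceGroupNames,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestationClear")]
        $ResourceType,

        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestationClear")]
        [ResourceTypeName]
        $ResourceTypeName = [ResourceTypeName]::All,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $false, ParameterSetName = "BulkAttestationClear")]
        [Alias("ResourceName")]
        $ResourceNames,

        [Hashtable]
        [Parameter(Mandatory = $true, ParameterSetName = "TagHashset")]
        $Tag,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "TagName")]
        $TagName,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "TagName")]
        $TagValue,

        # NOTE(review): [AllowEmptyString()] was dropped here to match Get-AzSKSubscriptionSecurityStatus and
        # Get-AzSKControlsStatus. This parameter is Mandatory in the BulkAttestation/BulkAttestationClear sets;
        # without the attribute a bulk attest/clear can no longer be issued with an empty control-id filter.
        # Optional sets (ResourceFilter/TagHashset) still accept an empty or omitted value.
        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "TagHashset")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        [Alias("BulkAttestControlId")]
        $ControlIds,

        [string]
        [Parameter(Mandatory = $false)]
        $FilterTags,

        [string]
        [Parameter(Mandatory = $false)]
        $ExcludeTags,

        [ValidateSet("All","AlreadyAttested","NotAttested","None")]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "TagHashset")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        $AttestControls = [AttestControls]::None,

        [switch]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        $BulkClear,

        # Mandatory [string] without [AllowEmptyString()], so an empty justification is rejected at binding time.
        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        $JustificationText,

        # The None default lies outside the ValidateSet on purpose; validation attributes are not applied to defaults.
        [ValidateSet("NotAnIssue", "WillNotFix", "WillFixLater")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        $AttestationStatus = [AttestationStatus]::None,

        # The following switches are not referenced in the Process block below; presumably they are read from
        # $PSCmdlet.MyInvocation by CommandHelper / ServicesSecurityStatus -- verify before relying on them.
        [switch]
        [Parameter(Mandatory = $false)]
        $DoNotOpenOutputFolder,

        [GeneratePDF]
        [Parameter(Mandatory = $false)]
        $GeneratePDF = [GeneratePDF]::None,

        [switch]
        [Parameter(Mandatory = $false)]
        $UseBaselineControls,

        [switch]
        [Parameter(Mandatory = $false)]
        $UsePartialCommits,

        [switch]
        [Parameter(Mandatory = $false)]
        $GenerateFixScript
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
        try
        {
            # Resolve the resource scope first; tag filters are attached to the resolver rather than passed to its constructor.
            $resolver = [SVTResourceResolver]::new($SubscriptionId, $ResourceGroupNames, $ResourceNames, $ResourceType, $ResourceTypeName);
            $resolver.Tag = $Tag;
            $resolver.TagName = $TagName;
            $resolver.TagValue = $TagValue;

            $secStatus = [ServicesSecurityStatus]::new($SubscriptionId, $PSCmdlet.MyInvocation, $resolver);
            if ($secStatus)
            {
                # Just copy all the tags without validation. Validation will be done internally
                $secStatus.FilterTags = $FilterTags;
                $secStatus.ExcludeTags = $ExcludeTags;
                $secStatus.ControlIdString = $ControlIds;
                $secStatus.GenerateFixScript = $GenerateFixScript;

                # Build the attestation options object; this is the override path described in .NOTES.
                [AttestationOptions] $attestationOptions = [AttestationOptions]::new();
                $attestationOptions.AttestControls = $AttestControls
                $attestationOptions.JustificationText = $JustificationText
                $attestationOptions.AttestationStatus = $AttestationStatus
                $attestationOptions.IsBulkClearModeOn = $BulkClear
                $secStatus.AttestationOptions = $attestationOptions;

                return $secStatus.EvaluateControlStatus();
            }
        }
        catch
        {
            # Published, not rethrown: the caller gets no output on failure (see .NOTES).
            [EventBase]::PublishGenericException($_);
        }
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}

function Get-AzSKSubscriptionSecurityStatus
{
    <#
    .SYNOPSIS
    This command would help in validating the security controls for the Azure Subscription meeting the specified input criteria.
    .DESCRIPTION
    This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance.
    Refer https://aka.ms/azsdkossdocs for more information
    .PARAMETER SubscriptionId
    Subscription id for which the security evaluation has to be performed.
    .PARAMETER ControlIds
    Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.
    Mandatory (and must be non-empty) when bulk attesting or bulk clearing attestations.
    .PARAMETER FilterTags
    Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER ExcludeTags
    Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER AttestControls
    Enables users to attest controls with proper justification
    .PARAMETER BulkClear
    Enables users to clear the previous attestation per controlId basis in bulk mode
    .PARAMETER JustificationText
    Enables users to provide common justification for all the resources failing for a single controlId in the bulk attest mode
    .PARAMETER AttestationStatus
    Enables users to provide the attestation status for the failing control in bulk attest mode
    .PARAMETER DoNotOpenOutputFolder
    Switch to specify whether to open output folder containing all security evaluation report or not
    .PARAMETER GeneratePDF
    Enables users to generate PDF file for reports.
    .PARAMETER UseBaselineControls
    This switch would scan only for baseline controls defined at org level
    .PARAMETER GenerateFixScript
    Switch to specify whether to generate script to fix the control or not.
    .NOTES
    This command helps the application team to verify whether their Azure subscription are compliant with the security guidance or not.
    Attestation parameters feed an override path (AttestationOptions) whose effect on reporting is implemented in
    EvaluateControlStatus, not here. Errors during the scan are published via [EventBase]::PublishGenericException and
    NOT rethrown, so a failed scan returns no output rather than a terminating error.
    .LINK
    https://aka.ms/azsdkossdocs
    #>
    [OutputType([String])]
    Param
    (
        [Parameter(Mandatory = $True, HelpMessage = "Subscription id for which the security evaluation has to be performed.")]
        [string]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        # Mandatory in the bulk sets and no [AllowEmptyString()], so a bulk attest/clear always carries a non-empty control-id filter.
        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "Default")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        [Alias("BulkAttestControlId")]
        $ControlIds,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.")]
        $FilterTags,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.")]
        $ExcludeTags,

        [ValidateSet("All","AlreadyAttested","NotAttested","None")]
        [Parameter(Mandatory = $false, ParameterSetName = "Default")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        $AttestControls = [AttestControls]::None,

        [switch]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        $BulkClear,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        $JustificationText,

        # The None default lies outside the ValidateSet on purpose; validation attributes are not applied to defaults.
        [ValidateSet("NotAnIssue", "WillNotFix", "WillFixLater")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        $AttestationStatus = [AttestationStatus]::None,

        # Not referenced in Process; presumably consumed via $PSCmdlet.MyInvocation downstream -- verify.
        [switch]
        [Parameter(Mandatory = $false)]
        $DoNotOpenOutputFolder,

        [GeneratePDF]
        [Parameter(Mandatory = $false)]
        $GeneratePDF = [GeneratePDF]::None,

        [switch]
        [Parameter(Mandatory = $false)]
        $UseBaselineControls,

        [switch]
        [Parameter(Mandatory = $false)]
        $GenerateFixScript
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
        try
        {
            $sscore = [SubscriptionSecurityStatus]::new($SubscriptionId, $PSCmdlet.MyInvocation);
            if ($sscore)
            {
                # Just copy all the tags without validation. Validation will be done internally
                $sscore.FilterTags = $FilterTags;
                $sscore.ExcludeTags = $ExcludeTags;
                $sscore.ControlIdString = $ControlIds;

                #build the attestation options object
                [AttestationOptions] $attestationOptions = [AttestationOptions]::new();
                $attestationOptions.AttestControls = $AttestControls
                $attestationOptions.JustificationText = $JustificationText
                $attestationOptions.AttestationStatus = $AttestationStatus
                $attestationOptions.IsBulkClearModeOn = $BulkClear
                $sscore.AttestationOptions = $attestationOptions;
                $sscore.GenerateFixScript = $GenerateFixScript

                return $sscore.EvaluateControlStatus();
            }
        }
        catch
        {
            # Published, not rethrown: the caller gets no output on failure (see .NOTES).
            [EventBase]::PublishGenericException($_);
        }
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}

function Get-AzSKExpressRouteNetworkSecurityStatus
{
    <#
    .SYNOPSIS
    This command would help in validating the security controls for the ExpressRoute enabled VNet resources meeting the specified input criteria.
    .DESCRIPTION
    This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance.
    Refer https://aka.ms/azsdkossdocs for more information
    .PARAMETER SubscriptionId
    Subscription id for which the security evaluation has to be performed.
    .PARAMETER ResourceGroupNames
    ResourceGroups which host ExpressRoute VNets. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER ResourceName
    ExpressRoute VNet resource name. Wildcards are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER ControlIds
    Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.
    .PARAMETER FilterTags
    Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER ExcludeTags
    Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER AttestControls
    Enables users to attest controls with proper justification
    .PARAMETER DoNotOpenOutputFolder
    Switch to specify whether to open output folder containing all security evaluation report or not.
    .PARAMETER GeneratePDF
    Enables users to generate PDF file for reports.
    .PARAMETER GenerateFixScript
    Switch to specify whether to generate script to fix the control or not.
    .NOTES
    This command helps the application team to verify whether their ExpressRoute enabled VNets are compliant with the security guidance or not.
    This is a thin wrapper over Get-AzSKAzureServicesSecurityStatus pinned to the ERvNet resource type. It does not expose
    BulkClear, JustificationText or AttestationStatus, so bulk attestation cannot be triggered through this command.
    When ResourceGroupNames is omitted, the resource groups come from the AzSK configuration (ERvNetResourceGroupNames);
    if that is also empty, the inner command's documented default applies (all resources in the subscription).
    .LINK
    https://aka.ms/azsdkossdocs
    #>
    [OutputType([String])]
    Param(
        [string]
        [Parameter(Mandatory = $true, HelpMessage = "Provide the subscription id for which the security report has to be generated")]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "ResourceGroups which host ExpressRoute VNets. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.")]
        $ResourceGroupNames,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter", HelpMessage = "ExpressRoute VNet resource name. Wildcards are not permitted. By default, the command gets all resources in the subscription.")]
        $ResourceName,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.")]
        $ControlIds,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.")]
        $FilterTags,

        [string]
        [Parameter(Mandatory = $false, HelpMessage = "Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.")]
        $ExcludeTags,

        [ValidateSet("All","AlreadyAttested","NotAttested","None")]
        [AttestControls]
        [Parameter(Mandatory = $false, HelpMessage = "Enables users to attest controls with proper justification.")]
        $AttestControls = [AttestControls]::None,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not.")]
        $DoNotOpenOutputFolder,

        [GeneratePDF]
        [Parameter(Mandatory = $false, HelpMessage = "Enables users to generate PDF file for reports.")]
        $GeneratePDF = [GeneratePDF]::None,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to generate script to fix the control or not.")]
        $GenerateFixScript
    )

    # Fall back to the org-configured ExpressRoute resource groups when the caller did not scope the scan.
    $erResourceGroups = $ResourceGroupNames;
    if([string]::IsNullOrEmpty($erResourceGroups))
    {
        $erResourceGroups = [ConfigurationManager]::GetAzSdkConfigData().ERvNetResourceGroupNames
    }

    # Delegate to the generic services scan, pinned to the ERvNet type; no bulk-attestation parameters are forwarded.
    Get-AzSKAzureServicesSecurityStatus -SubscriptionId $SubscriptionId -ResourceGroupNames $erResourceGroups -ResourceName $ResourceName `
        -ResourceTypeName ([SVTMapping]::ERvNetTypeName) -ControlIds $ControlIds -FilterTags $FilterTags -ExcludeTags $ExcludeTags -DoNotOpenOutputFolder:$DoNotOpenOutputFolder -AttestControls $AttestControls -GeneratePDF $GeneratePDF -GenerateFixScript:$GenerateFixScript
}

function Get-AzSKControlsStatus
{
    <#
    .SYNOPSIS
    This command would help in validating the security controls for the Azure resources meeting the specified input criteria.
    .DESCRIPTION
    This command will execute the security controls and will validate their status as 'Success' or 'Failure' based on the security guidance.
    Refer https://aka.ms/azsdkossdocs for more information
    .PARAMETER SubscriptionId
    Subscription id for which the security evaluation has to be performed.
    .PARAMETER ResourceGroupNames
    ResourceGroups for which the security evaluation has to be performed. Comma separated values are supported. Wildcards are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER ResourceType
    Gets only resources of the specified resource type. Wildcards are not permitted. e.g.: Microsoft.KeyVault/vaults. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported types.
    .PARAMETER ResourceTypeName
    Friendly name of resource type. e.g.: KeyVault. Run command 'Get-AzSKSupportedResourceTypes' to get the list of supported values.
    .PARAMETER ResourceNames
    Gets a resource with the specified name. Comma separated values are supported. Wildcards/like searches are not permitted. By default, the command gets all resources in the subscription.
    .PARAMETER Tag
    The tag filter for Azure resource. The expected format is @{tagName1=$null} or @{tagName = 'tagValue'; tagName2='value1'}.
    .PARAMETER TagName
    The name of the tag to query for Azure resource.
    .PARAMETER TagValue
    The value of the tag to query for Azure resource.
    .PARAMETER ControlIds
    Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.
    Mandatory (and must be non-empty) when bulk attesting or bulk clearing attestations.
    .PARAMETER FilterTags
    Comma separated tags to filter the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER ExcludeTags
    Comma separated tags to exclude the security controls. e.g.: RBAC, SOX, AuthN etc.
    .PARAMETER AttestControls
    Enables users to attest controls with proper justification
    .PARAMETER BulkClear
    Enables users to clear the previous attestation per controlId basis in bulk mode
    .PARAMETER JustificationText
    Enables users to provide common justification for all the resources failing for a single controlId in the bulk attest mode
    .PARAMETER AttestationStatus
    Enables users to provide the attestation status for the failing control in bulk attest mode
    .PARAMETER DoNotOpenOutputFolder
    Switch to specify whether to open output folder containing all security evaluation report or not.
    .PARAMETER GeneratePDF
    Enables users to generate PDF file for reports.
    .PARAMETER UsePartialCommits
    This switch would partially save the scan status to the AzSDK storage account. On the event of a failure, it tries to recover from the last snapshot. To use this feature, you need to have contributor role on the AzSDK storage account.
    .PARAMETER UseBaselineControls
    This switch would scan only for baseline controls defined at org level
    .PARAMETER GenerateFixScript
    Switch to specify whether to generate script to fix the control or not.
    .NOTES
    This command helps the application team to verify whether their Azure resources are compliant with the security guidance or not.
    Unlike Get-AzSKAzureServicesSecurityStatus, the resource filters (ResourceGroupNames, ResourceType, ResourceTypeName,
    ResourceNames) belong only to the ResourceFilter set here, so a bulk attest/clear cannot be narrowed by resource
    through this command -- confirm that this is intended. Errors during the scan are published via
    [EventBase]::PublishGenericException and NOT rethrown, so a failed scan returns no output rather than a terminating error.
    .LINK
    https://aka.ms/azsdkossdocs
    #>
    [OutputType([String])]
    Param
    (
        [string]
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        $SubscriptionId,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        $ResourceGroupNames,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        $ResourceType,

        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [ResourceTypeName]
        $ResourceTypeName = [ResourceTypeName]::All,

        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Alias("ResourceName")]
        $ResourceNames,

        [Hashtable]
        [Parameter(Mandatory = $true, ParameterSetName = "TagHashset")]
        $Tag,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "TagName")]
        $TagName,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "TagName")]
        $TagValue,

        # Mandatory in the bulk sets and no [AllowEmptyString()], so a bulk attest/clear always carries a non-empty control-id filter.
        [string]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "TagHashset")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        [Alias("BulkAttestControlId")]
        $ControlIds,

        [string]
        [Parameter(Mandatory = $false)]
        $FilterTags,

        [string]
        [Parameter(Mandatory = $false)]
        $ExcludeTags,

        [ValidateSet("All","AlreadyAttested","NotAttested","None")]
        [Parameter(Mandatory = $false, ParameterSetName = "ResourceFilter")]
        [Parameter(Mandatory = $false, ParameterSetName = "TagHashset")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        $AttestControls = [AttestControls]::None,

        [switch]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestationClear")]
        $BulkClear,

        [string]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        $JustificationText,

        # The None default lies outside the ValidateSet on purpose; validation attributes are not applied to defaults.
        [ValidateSet("NotAnIssue", "WillNotFix", "WillFixLater")]
        [Parameter(Mandatory = $true, ParameterSetName = "BulkAttestation")]
        $AttestationStatus = [AttestationStatus]::None,

        # Not referenced in Process; presumably consumed via $PSCmdlet.MyInvocation downstream -- verify.
        [switch]
        [Parameter(Mandatory = $false)]
        $DoNotOpenOutputFolder,

        [GeneratePDF]
        [Parameter(Mandatory = $false)]
        $GeneratePDF = [GeneratePDF]::None,

        [switch]
        [Parameter(Mandatory = $false)]
        $UseBaselineControls,

        [switch]
        [Parameter(Mandatory = $false)]
        $UsePartialCommits,

        [switch]
        [Parameter(Mandatory = $false)]
        $GenerateFixScript
    )

    Begin
    {
        [CommandHelper]::BeginCommand($PSCmdlet.MyInvocation);
        [ListenerHelper]::RegisterListeners();
    }

    Process
    {
        try
        {
            $resolver = [SVTResourceResolver]::new($SubscriptionId, $ResourceGroupNames, $ResourceNames, $ResourceType, $ResourceTypeName);
            $resolver.Tag = $Tag;
            $resolver.TagName = $TagName;
            $resolver.TagValue = $TagValue;

            $controlReport = [SVTStatusReport]::new($SubscriptionId, $PSCmdlet.MyInvocation, $resolver);
            if ($controlReport)
            {
                # Just copy all the tags without validation. Validation will be done internally
                $controlReport.FilterTags = $FilterTags;
                $controlReport.ExcludeTags = $ExcludeTags;
                $controlReport.ControlIdString = $ControlIds;
                $controlReport.GenerateFixScript = $GenerateFixScript;

                #build the attestation options object
                [AttestationOptions] $attestationOptions = [AttestationOptions]::new();
                $attestationOptions.AttestControls = $AttestControls
                $attestationOptions.JustificationText = $JustificationText
                $attestationOptions.AttestationStatus = $AttestationStatus
                $attestationOptions.IsBulkClearModeOn = $BulkClear
                $controlReport.AttestationOptions = $attestationOptions;

                return $controlReport.EvaluateControlStatus();
            }
        }
        catch
        {
            # Published, not rethrown: the caller gets no output on failure (see .NOTES).
            [EventBase]::PublishGenericException($_);
        }
    }

    End
    {
        [ListenerHelper]::UnregisterListeners();
    }
}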