Initial commit

.dockerignore

@@ -0,0 +1,10 @@
+log
+Dockerfile*
+docker-compose*
+.dockerignore
+docker
+.git
+.env
+README.md
+LICENSE
+monkey-reports

.gitignore

@@ -0,0 +1,17 @@
+# logs
+azurereview.log
+/log/*.log
+
+# Data folder
+monkey-reports*
+
+site/
+*.csv
+
+config/monkey_365_dev.config
+
+profiles/
+
+rules/findings/extra/*
+rules/rulesets/monkey_azure_1.0.json
+rules/rulesets/monkey_m365_1.0.json

rules/conditions/aad-m365-privileged-roles.json

@@ -0,0 +1,19 @@
+{
+    "conditions":[
+          "or",
+          ["roleTemplateId", "imatch", "62e90394-69f5-4237-9190-012177145e10"],
+          ["roleTemplateId", "imatch", "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"],
+		  ["roleTemplateId", "imatch", "cf1c38e5-3621-4004-a7cb-879624dced7c"],
+		  ["roleTemplateId", "imatch", "c4e39bd9-1100-46d3-8c65-fb160da0071f"],
+		  ["roleTemplateId", "imatch", "e3973bdf-4987-49ae-837a-ba8e231c7286"],
+		  ["roleTemplateId", "imatch", "7495fdc4-34c4-4d15-a289-98788ce399fd"],
+		  ["roleTemplateId", "imatch", "b0f54661-2d74-4c50-afa3-1ec803f12efe"],
+		  ["roleTemplateId", "imatch", "158c047a-c907-4556-b7ef-446551a6b5f7"],
+		  ["roleTemplateId", "imatch", "17315797-102d-40b4-93e0-432062caca18"],
+		  ["roleTemplateId", "imatch", "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"],
+		  ["roleTemplateId", "imatch", "9f06204d-73c1-4d4c-880a-6edb90606fd8"],
+		  ["roleTemplateId", "imatch", "9360feb5-f418-4baa-8175-e2a00bac4301"],
+		  ["roleTemplateId", "imatch", "fdd7a751-b60b-444a-984c-02652fe8fa1c"],
+		  ["roleTemplateId", "imatch", "729827e3-9c14-49f7-bb1b-9608f156bbb8"]
+      ]
+}

rules/conditions/aad-privileged-roles.json

@@ -0,0 +1,19 @@
+{
+    "conditions":[
+          "or",
+          ["roleTemplateId", "imatch", "62e90394-69f5-4237-9190-012177145e10"],
+          ["roleTemplateId", "imatch", "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"],
+		  ["roleTemplateId", "imatch", "cf1c38e5-3621-4004-a7cb-879624dced7c"],
+		  ["roleTemplateId", "imatch", "c4e39bd9-1100-46d3-8c65-fb160da0071f"],
+		  ["roleTemplateId", "imatch", "e3973bdf-4987-49ae-837a-ba8e231c7286"],
+		  ["roleTemplateId", "imatch", "7495fdc4-34c4-4d15-a289-98788ce399fd"],
+		  ["roleTemplateId", "imatch", "b0f54661-2d74-4c50-afa3-1ec803f12efe"],
+		  ["roleTemplateId", "imatch", "158c047a-c907-4556-b7ef-446551a6b5f7"],
+		  ["roleTemplateId", "imatch", "17315797-102d-40b4-93e0-432062caca18"],
+		  ["roleTemplateId", "imatch", "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"],
+		  ["roleTemplateId", "imatch", "9f06204d-73c1-4d4c-880a-6edb90606fd8"],
+		  ["roleTemplateId", "imatch", "9360feb5-f418-4baa-8175-e2a00bac4301"],
+		  ["roleTemplateId", "imatch", "fdd7a751-b60b-444a-984c-02652fe8fa1c"],
+		  ["roleTemplateId", "imatch", "729827e3-9c14-49f7-bb1b-9608f156bbb8"]
+      ]
+}

rules/conditions/allow-tcp.json

@@ -0,0 +1,7 @@
+{
+    "conditions":[
+          "or",
+          ["Protocol", "eq", "*"],
+          ["Protocol", "eq", "TCP"]
+      ]
+}

rules/conditions/allow-udp.json

@@ -0,0 +1,7 @@
+{
+    "conditions":[
+          "or",
+          ["Protocol", "eq", "*"],
+          ["Protocol", "eq", "UDP"]
+      ]
+}

rules/conditions/app-permissions.json

@@ -0,0 +1,34 @@
+{
+    "conditions":[
+         [ "or",   
+            [ "and",
+                ["Permission", "eq", "Application.ReadWrite.All"],
+                ["ConsentType", "eq", "Admin"]
+            ]
+         ],
+         [ "or",   
+            [ "and",
+                ["Permission", "eq", "Directory.ReadWrite.All"],
+                ["ConsentType", "eq", "Admin"]
+            ]
+         ],
+         [ "or",   
+            [ "and",
+                ["Permission", "eq", "Domain.ReadWrite.All"],
+                ["ConsentType", "eq", "Admin"]
+            ]
+         ],
+         [ "or",   
+            [ "and",
+                ["Permission", "eq", "Member.Read.Hidden"],
+                ["ConsentType", "eq", "Admin"]
+            ]
+         ],
+         [ "or",   
+            [ "and",
+                ["Permission", "eq", "User.ReadWrite.All"],
+                ["ConsentType", "eq", "Admin"]
+            ]
+         ]
+      ]
+}

rules/conditions/exposed-to-the-internet.json

@@ -0,0 +1,16 @@
+{
+    "conditions":[
+          "and",
+          ["direction", "eq", "Inbound"],
+          ["Access", "eq", "Allow"],
+		  [ "and",
+            [ "or",
+                [ "SourceAddressPrefix", "eq", "*" ],
+				[ "SourceAddressPrefix", "eq", "Internet" ],
+				[ "SourceAddressPrefixes", "eq", "*" ],
+				[ "SourceAddressPrefixes", "eq", "Internet" ]
+            ]
+          ]
+      ]
+
+}

rules/conditions/subscription-role-permissions.json

@@ -0,0 +1,8 @@
+{
+    "conditions":[
+         "or",
+          ["properties.permissions.actions", "match", "Microsoft.Compute/virtualMachines/delete"],
+          ["properties.permissions.actions", "match", "Microsoft.Compute/virtualMachines/write"],
+		  ["properties.permissions.actions", "match", "\\*"]
+      ]
+}

rules/conditions/test-names.json

@@ -0,0 +1,7 @@
+{
+    "conditions":[
+          "or",
+          ["displayName", "imatch", "Demo"],
+          ["displayName", "imatch", "test"]
+      ]
+}

rules/findings/Active Directory/Devices/azure-activedirectory-devices-require-mfa-settings.json

@@ -0,0 +1,40 @@
+{
+    "dashboard_name":  "Active Directory",
+    "menu_name":  "Active Directory",
+    "issue_name":  "Joining devices to the active directory should require Multi-factor authentication",
+    "description":  "Multi-factor authentication is recommended when adding devices to Azure AD. When set to \"Yes\", users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory for a compromised user account",
+    "rationale":  "Multi-factor authentication is recommended when adding devices to Azure AD. When set to `Yes`, users who are adding devices from the internet must first use the second method of authentication before their device is successfully added to the directory. This ensures that rogue devices are not added to the directory for a compromised user account.",
+    "impact":  null,
+    "remediation":  "
+					###### From Azure Console
+					1. Go to `Azure Active Directory`
+					2. Go to `Devices`
+					3. Go to `Device settings`
+					4. Ensure that `Require Multi-Factor Auth to join devices` is set to `Yes`
+	",
+    "references":  [
+                       "https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join",
+                       "https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal",
+					   "https://blogs.technet.microsoft.com/janketil/2016/02/29/azure-mfa-for-enrollment-in-intune-and-azure-ad-device-registration-explained/",
+					   "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access"
+                   ],
+    "compliance":  [
+                       {
+                           "name":  "CIS Microsoft Azure Foundations",
+                           "version":  "1.4.0",
+                           "reference":  "1.19"
+                       }
+                   ],
+    "tags":  null,
+    "path":  "aad_device_settings",
+    "display_path":  "aad_device_settings",
+    "conditions":  [
+                       "and",
+                       [
+                           "requireMfaSetting",
+                           "eq",
+                           "False"
+                       ]
+                   ],
+    "id_suffix":  "aad_mfa_devices_disabled"
+}

rules/findings/Active Directory/General/aad-linkedin-sync-enabled.json

@@ -0,0 +1,32 @@
+{
+    "dashboard_name":  "Active Directory",
+    "menu_name":  "Active Directory",
+    "issue_name":  "Ensure that LinkedIn contact synchronization is disabled",
+    "description":  "Consider to disable integration with LinkedIn as a measure to help prevent phishing scams.",
+    "rationale":  null,
+    "impact":  null,
+    "remediation":  null,
+    "references":  [
+                       "https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-assigning-users-and-groups",
+                       "https://ezcloudinfo.com/2019/01/22/configure-access-panel-in-azure-active-directory/"
+                   ],
+    "compliance":  [
+                       {
+                           "name":  "CIS Microsoft 365 Foundations",
+                           "version":  "1.4.0",
+                           "reference":  "1.1.14"
+                       }
+	],
+    "tags":  null,
+    "path":  "aad_directory_properties",
+    "display_path":  "aad_directory_properties",
+    "conditions":  [
+                       "and",
+                       [
+                           "enableLinkedInAppFamily",
+                           "eq",
+                           "0"
+                       ]
+                   ],
+    "id_suffix":  "aad_linkedin_sync_enabled"
+}

rules/findings/Active Directory/General/aad-password-protection-disabled.json

@@ -0,0 +1,36 @@
+{
+    "dashboard_name":  "Active Directory",
+    "menu_name":  "Active Directory",
+    "issue_name":  "Ensure that password protection is enabled for Active Directory",
+    "description":  "Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords.",
+    "rationale":  "Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.",
+    "impact":  "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Azure Active Directory Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.",
+    "remediation":  null,
+    "references":  [
+                       "https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises"
+                   ],
+    "compliance":  [
+                       {
+                           "name":  "CIS Microsoft 365 Foundations",
+                           "version":  "1.4.0",
+                           "reference":  "1.1.5"
+                       }
+   ],
+    "tags":  null,
+    "path":  "aad_password_policy",
+    "display_path":  "aad_password_policy",
+    "conditions":  [
+                       "or",
+                       [
+                           "enforceCustomBannedPasswords",
+                           "eq",
+                           "false"
+                       ],
+                       [
+                           "enableBannedPasswordCheckOnPremises",
+                           "eq",
+                           "false"
+                       ]
+                   ],
+    "id_suffix":  "aad_password_protection_disabled"
+}

rules/findings/Active Directory/General/aad-security-defaults-disabled.json

@@ -0,0 +1,55 @@
+{
+    "dashboard_name":  "Active Directory",
+    "menu_name":  "Active Directory",
+    "issue_name":  "Ensure Security Defaults is enabled on Azure Active Directory",
+    "description":  "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
+					Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You turn on security defaults in the Azure portal.",
+    "rationale":  "
+					Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
+
+					For example doing the following:
+
+					* Requiring all users and admins to register for MFA.
+					* Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
+					* Disabling authentication from legacy authentication clients, which can’t do MFA.
+	",
+    "impact":  "
+					Enabling security defaults may negatively impact the functionality of other Microsoft services, such as MS365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.",
+    "remediation":  "
+					###### From Azure Console
+					1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
+					2. Browse to Azure Active Directory > Properties.
+					3. Select Manage security defaults.
+					4. Set the Enable security defaults toggle to Yes.
+					5. Select Save.
+
+	",
+    "references":  [
+                       "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+                       "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
+					   "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
+					   "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
+
+                   ],
+    "compliance":  [
+                       {
+                           "name":  "CIS Microsoft 365 Foundations",
+                           "version":  "1.4.0",
+                           "reference":  "1.21"
+                       }
+                   ],
+    "tags":  [
+                 "Microsoft 365 CIS benchmark 1.21"
+             ],
+    "path":  "aad_security_default_status",
+    "display_path":  "aad_security_default_status",
+    "conditions":  [
+                       "and",
+                       [
+                           "securityDefaultsEnabled",
+                           "eq",
+                           "False"
+                       ]
+                   ],
+    "id_suffix":  "aad_sbd_disabled"
+}

rules/findings/Active Directory/General/aad-security-defaults-enabled.json

@@ -0,0 +1,57 @@
+{
+    "dashboard_name":  "Active Directory",
+    "menu_name":  "Active Directory",
+    "issue_name":  "Ensure Security Defaults is disabled on Azure Active Directory",
+    "description":  "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks.
+					Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. The use of security defaults however will prohibit custom settings which are being set with more advanced settings.",
+    "rationale":  "
+					Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
+
+					For example doing the following:
+
+					* Requiring all users and admins to register for MFA.
+					* Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
+					* Disabling authentication from legacy authentication clients, which can’t do MFA.
+	",
+    "impact":  "The potential impact associated with disabling of Security Defaults is dependent upon the security controls implemented in the environment. It is likely that most organizations disabling Security Defaults plan to implement equivalent controls to replace Security Defaults.
+				It may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.
+
+	",
+    "remediation":  "
+					###### From Azure Console
+					1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
+					2. Browse to Azure Active Directory > Properties.
+					3. Select Manage security defaults.
+					4. Set the Enable security defaults toggle to No.
+					5. Select Save.
+
+	",
+    "references":  [
+                       "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions",
+                       "http://www.rebeladmin.com/2019/04/step-step-guide-restrict-azure-ad-administration-portal/",
+					   "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
+					   "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414"
+
+                   ],
+    "compliance":  [
+                       {
+                           "name":  "CIS Microsoft 365 Foundations",
+                           "version":  "1.4.0",
+                           "reference":  "1.21"
+                       }
+                   ],
+    "tags":  [
+                 "Microsoft 365 CIS benchmark 1.21"
+             ],
+    "path":  "aad_security_default_status",
+    "display_path":  "aad_security_default_status",
+    "conditions":  [
+                       "and",
+                       [
+                           "securityDefaultsEnabled",
+                           "eq",
+                           "True"
+                       ]
+                   ],
+    "id_suffix":  "aad_sbd_enabled"
+}