Bernie White 2024-03-19 03:17:20 +10:00 коммит произвёл GitHub
Родитель a8ecab1db9
Коммит 1bb94a6648
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
15 изменённых файлов: 521 добавлений и 299 удалений


@ -217,5 +217,16 @@
],
"reason": "Duplicate",
"value": "Azure.ServiceBus.DisableLocalAuth"
},
{
"policyDefinitionIds": [
"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
"/providers/Microsoft.Authorization/policyDefinitions/c285a320-8830-4665-9cc7-bbd05fc7c5c0",
"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
"/providers/Microsoft.Authorization/policyDefinitions/e1a09430-221d-4d4c-a337-1edb5a1fa9bb",
"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5"
],
"reason": "Duplicate",
"value": "Azure.AppService.WebSecureFtp"
}
]


@ -32,6 +32,12 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
## Unreleased
What's changed since pre-release v1.35.0-B0030:
- General improvements:
- Quality updates to rule documentation by @BernieWhite.
[#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
## v1.35.0-B0030 (pre-release)
What's changed since pre-release v1.35.0-B0012:


@ -32,32 +32,42 @@ Consider enabling Always On for each App Services app.
To deploy App Services that pass this rule:
- Set `properties.siteConfig.alwaysOn` to `true`.
- Set the `properties.siteConfig.alwaysOn` property to `true`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -65,27 +75,37 @@ For example:
To deploy App Services that pass this rule:
- Set `properties.siteConfig.alwaysOn` to `true`.
- Set the `properties.siteConfig.alwaysOn` property to `true`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: appPlan.id
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
@ -100,7 +120,7 @@ On a Premium plan the platform keeps your desired number of pre-warmed instances
## LINKS
- [Azure App Service and reliability](https://learn.microsoft.com/azure/architecture/framework/services/compute/azure-app-service/reliability)
- [Azure App Service and reliability](https://learn.microsoft.com/azure/well-architected/service-guides/azure-app-service/reliability)
- [Configure an App Service app](https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings)
- [The Ultimate Guide to Running Healthy Apps in the Cloud](https://azure.github.io/AppService/2020/05/15/Robust-Apps-for-the-cloud.html#update-your-default-settings)
- [Always on with Azure Functions](https://github.com/Azure/Azure-Functions/wiki/Enable-Always-On-when-running-on-dedicated-App-Service-Plan)


@ -1,7 +1,7 @@
---
severity: Critical
pillar: Security
category: Encryption
category: SE:07 Encryption
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.MinTLS/
ms-content-id: e19fbe7e-da05-47d4-8de1-2fdf52ada662
@ -32,32 +32,42 @@ Also consider using Azure Policy to audit or enforce this configuration.
To deploy App Services that pass this rule:
- Set `properties.siteConfig.minTlsVersion` to `1.2`.
- Set the `properties.siteConfig.minTlsVersion` property to `1.2`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -65,35 +75,46 @@ For example:
To deploy App Services that pass this rule:
- Set `properties.siteConfig.minTlsVersion` to `1.2`.
- Set the `properties.siteConfig.minTlsVersion` property to `1.2`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: appPlan.id
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Enforce TLS versions](https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/app-service-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Enforce TLS versions](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-tls-versions)
- [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
- [Insecure protocols](https://docs.microsoft.com/Azure/app-service/overview-security#insecure-protocols-http-tls-10-ftp)
- [Azure Policy built-in definitions for Azure App Service](https://docs.microsoft.com/azure/app-service/policy-reference)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteconfig-object)
- [Insecure protocols](https://learn.microsoft.com/Azure/app-service/overview-security#insecure-protocols-http-tls-10-ftp)
- [Azure Policy built-in definitions for Azure App Service](https://learn.microsoft.com/azure/app-service/policy-reference)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -1,8 +1,8 @@
---
reviewed: 2022-05-14
reviewed: 2024-03-19
severity: Important
pillar: Security
category: Deployment
category: SE:02 Secured development lifecycle
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.NETVersion/
---
@ -16,11 +16,15 @@ Configure applications to use newer .NET versions.
## DESCRIPTION
Within a App Service app, the version of .NET used to run application/ site code is configurable.
Older versions of .NET may not use the latest security features.
Overtime, a specific version of .NET may become outdated and no longer supported by Microsoft.
This can lead to security vulnerabilities or are simply not able to use the latest security features.
.NET 6.0 and .NET 7.0 are approaching end of support.
## RECOMMENDATION
Consider updating the site to use a newer .NET version such as `v6.0`.
Consider updating the site to use a newer .NET version such as `v8.0`.
## EXAMPLES
@ -28,36 +32,46 @@ Consider updating the site to use a newer .NET version such as `v6.0`.
To deploy App Services that pass this rule:
- Set `properties.siteConfig.netFrameworkVersion` to a minimum of `v4.0`.
- For Windows-based plans:
- Set the `properties.siteConfig.netFrameworkVersion` property to `v4.0` or `v8.0`.
- For Linux-based plans:
- Set the `properties.siteConfig.linuxFxVersion` property to `DOTNET|8.0`.
.NET Framework is not support on Linux-based plans.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-03-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v6.0"
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -65,12 +79,16 @@ For example:
To deploy App Services that pass this rule:
- Set `properties.siteConfig.netFrameworkVersion` to a minimum of `v4.0`.
- For Windows-based plans:
- Set the `properties.siteConfig.netFrameworkVersion` property to `v4.0` or `v8.0`.
- For Linux-based plans:
- Set the `properties.siteConfig.linuxFxVersion` property to `DOTNET|8.0`.
.NET Framework is not support on Linux-based plans.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-03-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
@ -83,18 +101,30 @@ resource webApp 'Microsoft.Web/sites@2021-03-01' = {
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v6.0'
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
### NOTE
.NET Framework 4.8 is only available on Windows-based plans.
## LINKS
- [Security design principles](https://learn.microsoft.com/azure/architecture/framework/security/security-principles#protect-against-code-level-vulnerabilities)
- [Set .NET Framework runtime version](https://docs.microsoft.com/azure/app-service/configure-language-dotnet-framework#set-net-framework-runtime-version)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteconfig)
- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
- [Configure ASP.NET](https://learn.microsoft.com/azure/app-service/configure-language-dotnet-framework)
- [Configure an ASP.NET Core app for Azure App Service](https://learn.microsoft.com/azure/app-service/configure-language-dotnetcore)
- [.NET Support Policy](https://dotnet.microsoft.com/platform/support/policy)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Security
category: Security configuration
category: SE:08 Hardening resources
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.RemoteDebug/
---
@ -29,32 +29,42 @@ Consider disabling remote debugging when not in use.
To deploy App Services that pass this rule:
- Set `properties.siteConfig.remoteDebuggingEnabled` to `false`.
- Set the `properties.siteConfig.remoteDebuggingEnabled` property to `false`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -62,31 +72,43 @@ For example:
To deploy App Services that pass this rule:
- Set `properties.siteConfig.remoteDebuggingEnabled` to `false`.
- Set the `properties.siteConfig.remoteDebuggingEnabled` property to `false`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: appPlan.id
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
## LINKS
- [Configure general settings](https://docs.microsoft.com/azure/app-service/configure-common#configure-general-settings)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteconfig-object)
- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
- [PV-2: Audit and enforce secure configurations](https://learn.microsoft.com/security/benchmark/azure/baselines/app-service-security-baseline#pv-2-audit-and-enforce-secure-configurations)
- [Configure general settings](https://learn.microsoft.com/azure/app-service/configure-common#configure-general-settings)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Security
category: Data protection
category: SE:07 Encryption
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.UseHTTPS/
ms-content-id: b26053bc-db4a-487a-8fb1-11c438c8d493
@ -31,32 +31,42 @@ Also consider using Azure Policy to audit or enforce this configuration.
To deploy App Services that pass this rule:
- Set `properties.httpsOnly` to `true`.
- Set the `properties.httpsOnly` property to `true`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -64,33 +74,44 @@ For example:
To deploy App Services that pass this rule:
- Set `properties.httpsOnly` to `true`.
- Set the `properties.httpsOnly` property to `true`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-02-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
kind: 'web'
properties: {
serverFarmId: appPlan.id
serverFarmId: plan.id
httpsOnly: true
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Enforce HTTPS](https://docs.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
- [Azure Policy built-in definitions for Azure App Service](https://docs.microsoft.com/azure/app-service/policy-reference)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteproperties)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
- [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/app-service-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
- [Enforce HTTPS](https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https)
- [Azure Policy built-in definitions for Azure App Service](https://learn.microsoft.com/azure/app-service/policy-reference)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Reliability
category: Health modeling
category: RE:04 Target metrics
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.WebProbe/
---
@ -30,37 +30,42 @@ Consider configuring a health probe to monitor instance availability.
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.healthCheckPath` to a valid application path such as `/healthz`.
- Set the `properties.siteConfig.healthCheckPath` property to a valid application path such as `/healthz`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-03-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v6.0",
"healthCheckPath": "/healthz"
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -68,12 +73,12 @@ For example:
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.healthCheckPath` to a valid application path such as `/healthz`.
- Set the `properties.siteConfig.healthCheckPath` property to a valid application path such as `/healthz`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-03-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
@ -86,20 +91,25 @@ resource webApp 'Microsoft.Web/sites@2021-03-01' = {
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v6.0'
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
## LINKS
- [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
- [Creating good health probes](https://learn.microsoft.com/azure/architecture/framework/resiliency/monitor-model#create-good-health-probes)
- [Route traffic to healthy instances (App Service)](https://docs.microsoft.com/azure/azure-monitor/platform/autoscale-get-started#route-traffic-to-healthy-instances-app-service)
- [Health Check is now Generally Available](https://azure.github.io/AppService/2020/08/24/healthcheck-on-app-service.html)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteproperties)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Reliability
category: Health modeling
category: RE:04 Target metrics
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.WebProbePath/
---
@ -30,37 +30,42 @@ Consider using a dedicated health probe endpoint that implements functional chec
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.healthCheckPath` to a dedicated application path such as `/healthz`.
- Set the `properties.siteConfig.healthCheckPath` property to a dedicated application path such as `/healthz`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-03-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v6.0",
"healthCheckPath": "/healthz"
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -68,12 +73,12 @@ For example:
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.healthCheckPath` to a dedicated application path such as `/healthz`.
- Set the `properties.siteConfig.healthCheckPath` property to a dedicated application path such as `/healthz`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-03-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
@ -86,20 +91,25 @@ resource webApp 'Microsoft.Web/sites@2021-03-01' = {
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v6.0'
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
## LINKS
- [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
- [Creating good health probes](https://learn.microsoft.com/azure/architecture/framework/resiliency/monitor-model#create-good-health-probes)
- [Health check path](https://docs.microsoft.com/azure/azure-monitor/platform/autoscale-get-started#health-check-path)
- [Health Check is now Generally Available](https://azure.github.io/AppService/2020/08/24/healthcheck-on-app-service.html)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteproperties)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -1,7 +1,7 @@
---
severity: Important
pillar: Security
category: Data protection
category: SE:07 Encryption
resource: App Service
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.WebSecureFtp/
---
@ -32,37 +32,42 @@ Also consider using Azure Policy to audit or enforce this configuration.
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.ftpsState` to `FtpsOnly` or `Disabled`.
- Set the `properties.siteConfig.ftpsState` property to `FtpsOnly` or `Disabled`.
For example:
```json
{
"type": "Microsoft.Web/sites",
"apiVersion": "2021-03-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v6.0",
"healthCheckPath": "/healthz"
"type": "Microsoft.Web/sites",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
"type": "SystemAssigned"
},
"kind": "web",
"properties": {
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
"httpsOnly": true,
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
}
```
@ -70,12 +75,12 @@ For example:
To deploy Web Apps that pass this rule:
- Set `properties.siteConfig.ftpsState` to `FtpsOnly` or `Disabled`.
- Set the `properties.siteConfig.ftpsState` property to `FtpsOnly` or `Disabled`.
For example:
```bicep
resource webApp 'Microsoft.Web/sites@2021-03-01' = {
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
@ -88,19 +93,40 @@ resource webApp 'Microsoft.Web/sites@2021-03-01' = {
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v6.0'
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
```
### Configure with Azure Policy
To address this issue at runtime use the following policies:
- [App Service apps should require FTPS only](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AuditFTPS_WebApp_Audit.json)
`/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b`
- [App Service app slots should require FTPS only](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AuditFTPS_WebApp_Slot_Audit.json)
`/providers/Microsoft.Authorization/policyDefinitions/c285a320-8830-4665-9cc7-bbd05fc7c5c0`
- [Function apps should require FTPS only](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AuditFTPS_FunctionApp_Audit.json)
`/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15`
- [Function app slots should require FTPS only](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AuditFTPS_FunctionApp_Slot_Audit.json)
`/providers/Microsoft.Authorization/policyDefinitions/e1a09430-221d-4d4c-a337-1edb5a1fa9bb`
- [[Deprecated]: FTPS only should be required in your API App](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AuditFTPS_ApiApp_Audit.json)
`/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5`
## LINKS
- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
- [Deploy your app to Azure App Service using FTP/S](https://docs.microsoft.com/eazure/app-service/deploy-ftp)
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#siteproperties)
- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
- [Deploy your app to Azure App Service using FTP/S](https://learn.microsoft.com/Azure/app-service/deploy-ftp#enforce-ftps)
- [Insecure protocols](https://learn.microsoft.com/Azure/app-service/overview-security#insecure-protocols-http-tls-10-ftp)
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)


@ -9,25 +9,24 @@ param name string
@description('The name of the App Services Plan.')
param planName string
@description('Tags to apply to the resource.')
param tags object
@description('The location resources will be deployed.')
param location string = resourceGroup().location
// An example App Services Plan
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
// An example App Services Plan.
resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
name: planName
location: location
sku: {
name: 'S1'
tier: 'Standard'
capacity: 2
name: 'P1V3'
tier: 'PremiumV3'
}
properties: {
zoneRedundant: true
}
}
// An example .NET Framework Web App
resource webApp 'Microsoft.Web/sites@2022-09-01' = {
// An example .NET Framework Web App running on a Windows App Services Plan.
resource web 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
@ -40,18 +39,41 @@ resource webApp 'Microsoft.Web/sites@2022-09-01' = {
siteConfig: {
alwaysOn: true
minTlsVersion: '1.2'
ftpsState: 'FtpsOnly'
ftpsState: 'Disabled'
remoteDebuggingEnabled: false
http20Enabled: true
netFrameworkVersion: 'v6.0'
netFrameworkVersion: 'v8.0'
healthCheckPath: '/healthz'
metadata: [
{
name: 'CURRENT_STACK'
value: 'dotnet'
}
]
}
}
tags: tags
}
// Disable basic publishing credentials for FTP.
resource ftp 'Microsoft.Web/sites/basicPublishingCredentialsPolicies@2023-01-01' = {
parent: web
name: 'ftp'
properties: {
allow: false
}
}
// Disable basic publishing credentials over SCM.
resource scm 'Microsoft.Web/sites/basicPublishingCredentialsPolicies@2023-01-01' = {
parent: web
name: 'scm'
properties: {
allow: false
}
}
// An example PHP Web App
resource webAppPHP 'Microsoft.Web/sites@2022-09-01' = {
resource webAppPHP 'Microsoft.Web/sites@2023-01-01' = {
name: name
location: location
identity: {
@ -72,5 +94,4 @@ resource webAppPHP 'Microsoft.Web/sites@2022-09-01' = {
healthCheckPath: '/healthz'
}
}
tags: tags
}
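Review bot: The two `basicPublishingCredentialsPolicies` children added as `ftp` and `scm` are parented only to `web`; the second example site `webAppPHP` (its hunk at `@ -72,5 +94,4` shows only `healthCheckPath` and the dropped `tags`) gets no matching child resources, so someone copying the PHP example would still have basic-auth publishing enabled for it. If both sites are meant to show the same baseline, add the same two `allow: false` policies under `webAppPHP` and confirm its `siteConfig.ftpsState`, which is outside the visible hunks, is also `'Disabled'`. Both sites also declare `name: name`, which would collide if the file were deployed as-is — presumably intentional for a snippet, but a one-line comment saying so would stop readers treating it as deployable. The `webAppPHP` body begins and ends outside the visible hunks.
```bicep
// … unchanged: webAppPHP resource …

// Disable basic publishing credentials for FTP on the PHP example too.
resource phpFtp 'Microsoft.Web/sites/basicPublishingCredentialsPolicies@2023-01-01' = {
  parent: webAppPHP
  name: 'ftp'
  properties: {
    allow: false
  }
}

// Disable basic publishing credentials over SCM on the PHP example too.
resource phpScm 'Microsoft.Web/sites/basicPublishingCredentialsPolicies@2023-01-01' = {
  parent: webAppPHP
  name: 'scm'
  properties: {
    allow: false
  }
}
```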


@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.18.4.5664",
"templateHash": "820772923620432801"
"version": "0.26.54.24096",
"templateHash": "210994321631769997"
}
},
"parameters": {
@ -21,12 +21,6 @@
"description": "The name of the App Services Plan."
}
},
"tags": {
"type": "object",
"metadata": {
"description": "Tags to apply to the resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
@ -38,18 +32,20 @@
"resources": [
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2022-09-01",
"apiVersion": "2023-01-01",
"name": "[parameters('planName')]",
"location": "[parameters('location')]",
"sku": {
"name": "S1",
"tier": "Standard",
"capacity": 2
"name": "P1V3",
"tier": "PremiumV3"
},
"properties": {
"zoneRedundant": true
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-09-01",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
@ -62,21 +58,48 @@
"siteConfig": {
"alwaysOn": true,
"minTlsVersion": "1.2",
"ftpsState": "FtpsOnly",
"ftpsState": "Disabled",
"remoteDebuggingEnabled": false,
"http20Enabled": true,
"netFrameworkVersion": "v6.0",
"healthCheckPath": "/healthz"
"netFrameworkVersion": "v8.0",
"healthCheckPath": "/healthz",
"metadata": [
{
"name": "CURRENT_STACK",
"value": "dotnet"
}
]
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]
},
{
"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
"apiVersion": "2023-01-01",
"name": "[format('{0}/{1}', parameters('name'), 'ftp')]",
"properties": {
"allow": false
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('name'))]"
]
},
{
"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
"apiVersion": "2023-01-01",
"name": "[format('{0}/{1}', parameters('name'), 'scm')]",
"properties": {
"allow": false
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', parameters('name'))]"
]
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2022-09-01",
"apiVersion": "2023-01-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"identity": {
@ -97,7 +120,6 @@
"healthCheckPath": "/healthz"
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
]


@ -26,7 +26,7 @@ Rule 'Azure.AppService.MinTLS' -Ref 'AZR-000073' -Type 'Microsoft.Web/sites', 'M
}
}
# Synopsis: Disable remote debugging
# Synopsis: Disable remote debugging on App Service apps when not in use.
Rule 'Azure.AppService.RemoteDebug' -Ref 'AZR-000074' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/slots' -Tag @{ release = 'GA'; ruleSet = '2020_12'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'PV-2' } {
$siteConfigs = @(GetWebSiteConfig);
if ($siteConfigs.Length -eq 0) {


@ -71,9 +71,9 @@ metadata:
name: Azure.AppService.ARRAffinity
ref: AZR-000083
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Performance Efficiency'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Performance Efficiency
spec:
type:
- Microsoft.Web/sites
@ -90,9 +90,9 @@ metadata:
name: Azure.AppService.UseHTTPS
ref: AZR-000084
tags:
release: 'GA'
ruleSet: '2020_06'
Azure.WAF/pillar: 'Security'
release: GA
ruleSet: 2020_06
Azure.WAF/pillar: Security
labels:
Azure.MCSB.v1/control: 'DP-3'
spec:
@ -163,10 +163,12 @@ spec:
allOf:
- type: '.'
in:
- 'Microsoft.Web/sites'
- 'Microsoft.Web/sites/slots'
- Microsoft.Web/sites
- Microsoft.Web/sites/slots
- field: kind
equals: 'functionapp'
contains: functionapp
- field: kind
notContains: workflowapp
---
# Synopsis: App Service sites that are Logic App Standard apps.
@ -181,10 +183,10 @@ spec:
allOf:
- type: '.'
in:
- 'Microsoft.Web/sites'
- 'Microsoft.Web/sites/slots'
- Microsoft.Web/sites
- Microsoft.Web/sites/slots
- field: kind
endsWith: 'workflowapp'
contains: workflowapp
---
# Synopsis: App Services plans that are not elastic.
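Review bot: The new `contains: functionapp` / `notContains: workflowapp` pair on the two `- field: kind` clauses of the function-app selector is a non-obvious exclusion that deserves a comment, because on its own `contains: functionapp` presumably also matches a Logic App Standard kind that carries both tokens, which the next selector (`# Synopsis: App Service sites that are Logic App Standard apps.`, now `contains: workflowapp`) is meant to own. Suggest adding above the `notContains` clause: `# Logic App Standard sites report a kind containing both 'functionapp' and 'workflowapp'; exclude them here so only the Logic App selector below matches them.` It is also worth confirming that `contains`/`notContains` use the same case handling as the `equals` check they replace, since the old check may have relied on the default comparison for `kind` values. The first selector's `metadata.name` sits above the hunk.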


@ -95,7 +95,7 @@ namespace PSRule.Rules.Azure
var definitions = context.GetDefinitions();
Assert.NotNull(definitions);
Assert.Equal(117, definitions.Length);
Assert.Equal(115, definitions.Length);
// Check category and version
var actual = definitions.FirstOrDefault(definition => definition.DefinitionId == "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c");
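Review bot: The bare `Assert.Equal(115, definitions.Length)` is a magic number that will keep drifting with every ignore-list or catalogue change, and nothing in the test says where 115 comes from or why it moved from 117. Suggest a why-comment on that line such as `// Expected count = built-in definitions in the test data minus those in the ignore list; update both together.` so the next bump is a deliberate edit rather than a guess. If the commit's ignore-list change accounts for more ids than the drop of two, a short note on which ids were not in the exported set would save the next maintainer re-deriving it. The enclosing test method continues outside the hunk.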