Framework/Configurations/SVT/AzureDevOps/AzureDevOps.AgentPool.json

{
    "FeatureName": "AgentPool",
    "Reference": "aka.ms/azsktcp/AgentPool",
    "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "AzureDevOps_AgentPool_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All teams/groups must be granted minimum required permissions on agent pool",
      "Id": "AgentPool110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "AzureDevOps_AgentPool_SI_Apply_Security_Patches",
      "Description": "Non-hosted agent virtual machine must have all the required security patches installed.",
      "Id": "AgentPool120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Un-patched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI"
      ],
      "Enabled": true
    },
    {
        "ControlID": "AzureDevOps_AgentPool_SI_Lockdown_Machine",
        "Description": "Use a security hardened, locked down OS image for self-hosted VMs in agent pool.",
        "Id": "AgentPool130",
        "ControlSeverity": "Medium",
        "Automated": "No",
        "MethodName": "",
        "Rationale": "The connector machine is serving as a 'gateway' into the corporate environment allowing internet based client endpoints access to enterprise data. Using a locked-down, secure baseline configuration ensures that this machine does not get leveraged as an entry point to attack the applications/corporate network.",
        "Recommendation": "Use a locked down OS configuration. Ensure that the system is always fully patched, has real-time malware protection enabled, OS firewall and disk encryption turned on, etc. Also, monitor this VM just like you'd monitor a high-value asset.",
        "Tags": [
          "SDL",
          "TCP",
          "Manual",
          "SI"
        ],
        "Enabled": true
    },
    {
        "ControlID": "AzureDevOps_AgentPool_AuthZ_Disable_Inherited_Permissions",
        "Description": "Do not allow inherited permissions on agent pool",
        "Id": "AgentPool140",
        "ControlSeverity": "Medium",
        "Automated": "Yes",
        "MethodName": "CheckInheritPermissions",
        "Rationale": "Disabling inherit permissions lets you finely control access to various operations at the agent level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.",
        "Recommendation": "To disable inheritance, follow the steps given here: 1. Navigate to the agent pool. 2. Open roles. 3. Add the service lead & service owner as Users with Allow permissions for each permission line item. 4. Select 'Off' under Inheritance. 5. Add users/groups to the agent and provide only the required access. As a best practice, all teams/groups must be granted the minimum required permissions on the agent pool.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "RBAC"
        ],
        "Enabled": true
      },
      {
        "ControlID": "AzureDevOps_AgentPool_AuthZ_Org_Auto_Provisioning",
        "Description": "Do not enable 'Auto-provision' on agent pool",
        "Id": "AgentPool150",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckOrgAgtAutoProvisioning",
        "Rationale": "Enabling 'Auto-provision' imports the organization agent pool into all of your new team projects, where it is accessible immediately. This makes the pool available to projects that do not need it, contrary to the principle of least privilege.",
        "Recommendation": "To disable auto-provision, follow the steps given here: 1. Navigate to the Organization settings. 2. Open Agent pools. 3. Select Settings. 4. Disable 'Auto-provision this agent pool in new projects'.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "RBAC"
        ],
        "Enabled": true
      },
      {
        "ControlID": "AzureDevOps_AgentPool_AuthZ_Project_Dont_Grant_All_Pipeline_Access",
        "Description": "Do not make agent pool accessible to all pipelines in the project.",
        "Id": "AgentPool160",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckPrjAllPipelineAccess",
        "Rationale": "Enabling 'Grant access permission to all pipelines' makes the agent pool available to every pipeline in the current project immediately, regardless of whether each pipeline actually needs it.",
        "Recommendation": "Go to 'Project settings' --> 'Agent pools' --> select the agent pool --> 'Security' --> disable 'Grant access permission to all pipelines'.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "RBAC"
        ],
        "Enabled": true
      }
  ]
  }