[create-pull-request] automated change

Azure · Oct 2, 2024 · b810d77 · b810d77
1 parent d2f1f13
commit b810d77
Show file tree

Hide file tree

Showing 41 changed files with 8,645 additions and 5,053 deletions.
diff --git a/checklists-ext/fullwaf_checklist.en.json b/checklists-ext/fullwaf_checklist.en.json
diff --git a/checklists/acr_security_checklist.en.json b/checklists/acr_security_checklist.en.json
diff --git a/checklists/acr_security_checklist.es.json b/checklists/acr_security_checklist.es.json
diff --git a/checklists/acr_security_checklist.ja.json b/checklists/acr_security_checklist.ja.json
diff --git a/checklists/acr_security_checklist.ko.json b/checklists/acr_security_checklist.ko.json
diff --git a/checklists/acr_security_checklist.pt.json b/checklists/acr_security_checklist.pt.json
diff --git a/checklists/acr_security_checklist.zh-Hant.json b/checklists/acr_security_checklist.zh-Hant.json
@@ -0,0 +1,323 @@
+{
+    "categories": [
+        {
+            "name": "安全"
+        },
+        {
+            "name": "網路拓撲和連接"
+        },
+        {
+            "name": "運營管理"
+        },
+        {
+            "name": "平臺自動化"
+        },
+        {
+            "name": "安全"
+        },
+        {
+            "name": "分類帳"
+        },
+        {
+            "name": "伐木"
+        },
+        {
+            "name": "聯網"
+        },
+        {
+            "name": "數據發現和分類"
+        },
+        {
+            "name": "數據掩碼"
+        },
+        {
+            "name": "法典"
+        }
+    ],
+    "items": [
+        {
+            "category": "安全",
+            "description": "禁用圖像匯出以防止數據洩露。請注意，這將阻止將映射導入到另一個 ACR 實例中。",
+            "guid": "ab91932c-9fc9-4d1b-a880-37f5e6bfcb9e",
+            "id": "A01.01",
+            "link": "https://learn.microsoft.com/azure/container-registry/data-loss-prevention",
+            "query": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend exportPolicyStatus = properties.policies.exportPolicy.status | extend compliant = iif(exportPolicyStatus =~ 'Disabled', true, false) | project acrName, acrId, exportPolicyStatus, compliant",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "數據保護",
+            "text": "禁用 Azure Container Registry 映射導出",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "通過為 Azure Container Registry 啟用 Azure Policy 來啟用審核合規性可見性",
+            "guid": "d503547c-d447-4e82-9128-a7100f1cac6d",
+            "id": "A01.02",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-azure-policy",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "數據保護",
+            "text": "為 Azure 容器註冊表啟用 Azure 策略",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "Azure Key Vault （AKV） 用於存儲簽名密鑰，該金鑰可通過表示法 AKV 外掛程式 （azure-kv） 來對容器映像和其他專案進行簽名和驗證。Azure 容器註冊表 （ACR） 允許您使用 az？or？oras？ 附加這些簽名。CLI 命令。",
+            "guid": "d345293c-7639-4637-a551-c5c04e401955",
+            "id": "A01.03",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-tutorial-sign-build-push",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "數據保護",
+            "text": "使用符號對容器進行簽名和驗證 （Notary v2）",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "Azure 容器註冊表會自動加密存儲的映像和其他專案。默認情況下，Azure 使用服務託管密鑰自動加密靜態註冊表內容。通過使用客戶管理的金鑰，您可以使用額外的加密層來補充預設加密。",
+            "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend acrName = name, acrId = id | extend encryptionStatus = properties.encryption.status  | extend compliant = iif(encryptionStatus == 'disabled', false, true) | project acrName, acrId, encryptionStatus, compliant",
+            "guid": "0bd05dc2-efd5-4d76-8d41-d2500cc47b49",
+            "id": "A01.04",
+            "link": "https://learn.microsoft.com/azure/container-registry/tutorial-customer-managed-keys",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "數據保護",
+            "text": "使用客戶管理的金鑰加密註冊表",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "使用託管標識保護來自用戶端應用程式的 ACRPull/Push RBAC 訪問",
+            "guid": "8f42d78e-79dc-47b3-9bd2-a1a27e7a8e90",
+            "id": "A02.01",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "身份和訪問控制",
+            "text": "使用託管標識而不是服務主體進行連接",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "默認情況下，本地管理員帳戶處於禁用狀態，不應啟用。請改用基於 Token 或 RBAC 的訪問方法",
+            "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+            "guid": "be0e38ce-e297-411b-b363-caaab79b198d",
+            "id": "A02.02",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication-managed-identity",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "身份和訪問控制",
+            "text": "禁用管理平面訪問的本地身份驗證",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "禁用管理員帳戶並將 RBAC 角色分配給 ACR 拉取/推送操作的主體",
+            "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend localAdminDisabled = properties.adminUserEnabled // Adjust this property as needed | extend compliant = iif(localAdminDisabled == 'false', true, false) // Check if local admin is disabled | project compliant, name, id, tags | distinct id, compliant",
+            "guid": "387e5ced-126c-4d13-8af5-b20c6998a646",
+            "id": "A02.03",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-roles?tabs=azure-cli",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "身份和訪問控制",
+            "text": "分配AcrPull和AcrPush RBAC角色，而不是授予身份主體管理訪問許可權",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "禁用匿名拉取/推送訪問",
+            "graph": "resources | where type =~ 'microsoft.containerregistry/registries' | extend compliant = iif(properties.anonymousPullEnabled == false, true, false) | project compliant, name, id, tags | distinct id, compliant",
+            "guid": "e338997e-41c7-47d7-acf6-a62a1194956d",
+            "id": "A02.04",
+            "link": "https://learn.microsoft.com/azure/container-registry/anonymous-pull-access#configure-anonymous-pull-access",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "身份和訪問控制",
+            "text": "禁用匿名拉取訪問許可權",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "令牌身份驗證不支援分配給 AAD 主體。任何可以訪問令牌的人都可以使用提供的任何令牌",
+            "guid": "698dc3a2-fd27-4b2e-8870-1a1252beedf6",
+            "id": "A02.05",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-authentication?tabs=azure-cli",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "身份和訪問控制",
+            "text": "禁用存儲庫範圍的訪問令牌",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "將容器映像部署到受信任網路中專用終結點後面的 ACR",
+            "guid": "b3bec3d4-f343-47c1-936d-b55f27a71eee",
+            "id": "A02.06",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "身份和訪問控制",
+            "text": "從受信任的環境部署映像",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "只有具有 ACR 受眾的令牌才能用於身份驗證。為 ACR 啟用條件存取策略時使用",
+            "guid": "3a041fd3-2947-498b-8288-b3c6a56ceb54",
+            "id": "A02.07",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-enable-conditional-access-policy",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "身份和訪問控制",
+            "text": "禁用 Azure ARM 受眾令牌進行身份驗證",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "設置一個診斷設置，將『repositoryEvents』和『LoginEvents』發送到Log Analytics作為記錄和監控的中心目標。這允許您監控 ACR 資源本身的控制平面活動。",
+            "guid": "8a488cde-c486-42bc-9bd2-1be77f26e5e6",
+            "id": "A03.01",
+            "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "日誌記錄和監控",
+            "text": "啟用診斷日誌記錄",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "服務支援通過使用服務級別 IP ACL 篩選規則（而不是 NSG 或 Azure 防火牆）或使用“禁用公用網络訪問”切換開關來禁用公用網络訪問",
+            "guid": "21d41d25-00b7-407a-b9ea-b40fd3290798",
+            "id": "A04.01",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-private-link",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "網路安全",
+            "text": "使用專用連結控制入站網路訪問",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "如果使用專用連結保護入站網路訪問，則禁用公用網路訪問",
+            "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | where sku.name =~ 'Premium' // Check for Premium SKU | extend publicAccessEnabled = properties.publicNetworkAccess | extend defaultAction = tostring(properties.networkRuleSet.defaultAction) // Extract defaultAction | extend compliant = iif(publicAccessEnabled != 'Enabled' or defaultAction == 'Deny', true, false) | project name, id, publicAccessEnabled, defaultAction, compliant",
+            "guid": "cd289ced-6b17-4db8-8554-62f2aee4553a",
+            "id": "A04.02",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-access-selected-networks#disable-public-network-access",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "網路安全",
+            "text": "禁用公共網路訪問",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "只有 ACR Premium SKU 支援專用連結訪問",
+            "graph": "resources | where type =~ 'Microsoft.ContainerRegistry/registries' | extend skuName = sku.name // Extract the SKU name | extend compliant = iif(skuName == 'Premium', true, false) // Check if SKU is Premium | project name, id, skuName, compliant",
+            "guid": "fc833934-8b26-42d6-ac5f-512925498f6d",
+            "id": "A04.03",
+            "link": "https://learn.microsoft.com/azure/container-registry/container-registry-skus",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "網路安全",
+            "text": "使用支援專用連結的 Azure 容器註冊表 SKU（高級 SKU）",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "應使用適用於容器的 Azure Defender 或等效服務來掃描容器映像中的漏洞",
+            "guid": "bad37dac-43bc-46ce-8d7a-a9b24604489a",
+            "id": "A04.04",
+            "link": "https://learn.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction",
+            "service": "ACR",
+            "severity": "低",
+            "subcategory": "網路安全",
+            "text": "啟用 Defender for Containers 以掃描 Azure 容器註冊表中的漏洞",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "部署根據 DevSecOps 實踐進行驗證和漏洞掃描的可信代碼。",
+            "guid": "4451e1a2-d345-4293-a763-9637a551c5c0",
+            "id": "A05.01",
+            "service": "ACR",
+            "severity": "中等",
+            "subcategory": "漏洞管理",
+            "text": "部署經過驗證的容器映像",
+            "waf": "安全"
+        },
+        {
+            "category": "安全",
+            "description": "使用最新版本的受支援平臺、程式設計語言、協定和框架。",
+            "guid": "4e401955-387e-45ce-b126-cd132af5b20c",
+            "id": "A05.02",
+            "service": "ACR",
+            "severity": "高",
+            "subcategory": "漏洞管理",
+            "text": "使用最新的平臺、語言、協定和框架",
+            "waf": "安全"
+        }
+    ],
+    "metadata": {
+        "name": "Azure Container Registry Security Review",
+        "state": "Preview",
+        "timestamp": "October 02, 2024",
+        "waf": "security"
+    },
+    "severities": [
+        {
+            "name": "高"
+        },
+        {
+            "name": "中等"
+        },
+        {
+            "name": "低"
+        }
+    ],
+    "status": [
+        {
+            "description": "尚未查看此檢查",
+            "name": "未驗證"
+        },
+        {
+            "description": "存在與此檢查關聯的操作項",
+            "name": "打開"
+        },
+        {
+            "description": "此檢查已經過驗證，沒有與之關聯的其他操作項",
+            "name": "實現"
+        },
+        {
+            "description": "不適用於當前設計",
+            "name": "不適用"
+        },
+        {
+            "description": "不需要",
+            "name": "不需要"
+        }
+    ],
+    "waf": [
+        {
+            "name": "可靠性"
+        },
+        {
+            "name": "安全"
+        },
+        {
+            "name": "成本"
+        },
+        {
+            "name": "操作"
+        },
+        {
+            "name": "性能"
+        }
+    ],
+    "yesno": [
+        {
+            "name": "是的"
+        },
+        {
+            "name": "不"
+        }
+    ]
+}