Framework/Configurations/SVT/ADO/ADO.AgentPool.json

{
  "FeatureName": "AgentPool",
  "Reference": "aka.ms/azsktcp/AgentPool",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "ADO_AgentPool_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All teams/groups must be granted minimum required permissions on agent pool.",
      "Id": "AgentPool110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_SI_Apply_Security_Patches",
      "Description": "Non-hosted agent virtual machine must have all the required security patches installed.",
      "Id": "AgentPool120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Un-patched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_SI_Lockdown_Machine",
      "Description": "Use a security hardened, locked down OS image for self-hosted VMs in agent pool.",
      "Id": "AgentPool130",
      "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "The connector machine is serving as a 'gateway' into the corporate environment allowing internet based client endpoints access to enterprise data. Using a locked-down, secure baseline configuration ensures that this machine does not get leveraged as an entry point to attack the applications/corporate network.",
      "Recommendation": "Use a locked down OS configuration. Ensure that the system is always fully patched, has real-time malware protection enabled, OS firewall and disk encryption turned on, etc. Also, monitor this VM just like you'd monitor a high-value asset.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "SI"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_AuthZ_Disable_Inherited_Permissions",
      "Description": "Do not allow inherited permission on agent pool.",
      "Id": "AgentPool140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckInheritedPermissions",
      "Rationale": "Disabling inherit permissions lets you finely control access to various operations at the agent level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.",
      "Recommendation": "To disable inheritance follow the steps given here: 1.Navigate to the agent pool. 2. Select Security. 3. Under User Permissions, add the service lead & service owner as users with allow permissions for each permission line item. 4. Select Off under Inheritance. 5. Add users/groups to agent and provide only required access. As best practice, all teams/groups must be granted minimum required permissions on agent pool.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_AuthZ_Dont_Enable_Auto_Provisioning",
      "Description": "Do not enable auto-provisioning for agent pools.",
      "Id": "AgentPool150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckOrgAgtAutoProvisioning",
      "Rationale": "By enabling auto-provisioning the organization agent pool is imported in all your new team projects and is accessible there immediately. Therefore, a vulnerability in components used by one project can be leveraged by an attacker to attack other projects.",
      "Recommendation": "To change auto-provision settings: 1.Navigate to the Organization settings. 2. Open Agent pools. 3. Select Settings. 4. Change the settings for 'Auto-provisioning' this agent pools in new projects'",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make agent pool accessible to all pipelines in the project.",
      "Id": "AgentPool160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPrjAllPipelineAccess",
      "Rationale": "To support security of the pipeline operations, agent pools must not be granted access to all pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources.",
      "Recommendation": "Go to 'Project settings' --> 'Agent pools' --> Select the agent pool --> Security --> Disable 'Grant access permission to all pipeline'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_DP_Review_Inactive_Pool",
      "Description": "Inactive agent pools must be removed if no more required.",
      "Id": "AgentPool170",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckInActiveAgentPool",
      "Rationale": "Each additional agent pool being used by pipelines to access repositories increases the attack surface. To minimize this risk ensure that only active and legitimate agent pools are present in organization.",
      "Recommendation": "To remove inactive agent pool, follow the steps given here: 1.Navigate to the agent pool settings. 3. Click on Delete.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_DP_Enable_Auto_Update",
      "Description": "Enable auto-update of agents in the pool.",
      "Id": "AgentPool180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckAutoUpdate",
      "Rationale": "Un-patched agents are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. Being on the latest OS version significantly reduces risks from security design issues and security bugs that may be present in older versions.",
      "Recommendation": "To enable auto-update settings: 1.Navigate to the Organization settings. 2. Open Agent pools. 3. Select Settings. 4. Enable 'Allow agents in this pool to automatically update'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_DP_No_Secrets_In_Capabilities",
      "Description": "Secrets and keys must not be stored as plain text in agent capabilities.",
      "Id": "AgentPool190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckCredInEnvironmentVariables",
      "Rationale": "Keeping secrets such as connection strings, passwords, keys, etc. in plain text can expose the credentials to a wider audience and can lead to credential theft.",
      "Recommendation": "1. Go to agent pool -> 2. Agents -> 3. Select each agent -> 4. Capabilities -> 5. Remove all user defined capabilities that contain secret.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_AgentPool_AuthZ_Review_Broader_Group_Access",
      "Description": "Broader groups (contributors, project collection valid users etc.) should not have user/administrator privileges on agent pool.",
      "Id": "AgentPool200",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccess",
      "Rationale": "Granting minimum access to broader groups ensures that users are granted just enough permissions on agent pool to perform their tasks. This minimizes exposure of the resources in case of user account/agent pool compromise.",
      "Recommendation": "Go to Project Settings --> Pipelines --> Agent pools --> Select your agent pool --> Select Security --> Ensure broader groups have read-only access.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    }
 
  ]
}