Framework/Configurations/SVT/ADO/ADO.CommonSVTControls.json

{
  "FeatureName": "CommonSVTControls",
  "Reference": "aka.ms/azsktcp/commonsvtcontrols",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "ADO_Repository_DP_Inactive_Repos",
      "Description": "Inactive repositories must be removed if no longer required.",
      "Id": "Repository100",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckInactiveRepo",
      "Rationale": "Each additional repository being accessed by pipelines increases the attack surface. To minimize this risk, ensure that only active and legitimate repositories are present in the project.",
      "Recommendation": "To remove an inactive repository, follow the steps given here: 1. Navigate to the project settings -> 2. Repositories -> 3. Select the repository and delete.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP",
        "Repository"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make repository accessible to all pipelines.",
      "Id": "Repository110",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRepositoryPipelinePermission",
      "Rationale": "If a repository is granted access to all pipelines, an unauthorized user can steal information from the repository by building a pipeline and accessing the repository.",
      "Recommendation": "1. Go to Project --> 2. Repositories --> 3. Select the repository --> 4. Security --> 5. Under 'Pipeline Permissions', remove pipelines that no longer require access to the repository, or click 'Restrict Permission' to avoid granting access to all pipelines.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_BuildSvc_Permission_On_Branch",
      "Description": "Do not grant build service groups excessive permissions on repository branches.",
      "Id": "Repository120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckBuildServiceAccessOnBranch",
      "Rationale": "If 'Project Collection Build Service' or 'Project Build Service' groups have excessive permissions on important branches of a repository, then a malicious user can access the repository and tamper with its contents by bypassing any defined policies.",
      "Recommendation": "1. Navigate to Project Settings. --> 2. Click on Repository under Repos. --> 3. Select your repository. --> 4. Click on 'Security'. --> 5. Click on 'All Branches' under 'Git refs permissions'. --> 6. Ensure 'Excessive' permissions of broader groups are not set to 'Allow'. Refer to detailed scan log (Repository.LOG) for broader groups and excessive permissions list. --> 7. Repeat this for any other groups for other individual branches that should not have excessive permissions.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Feed_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow a broad group of users to upload packages to feed.",
      "Id": "Feed100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnFeeds",
      "Rationale": "If a broad group of users (e.g., Contributors) has permission to upload packages to the feed, then the integrity of your pipeline can be compromised by a malicious user who uploads a package.",
      "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review users/groups which have administrator and contributor roles. Ensure broader groups have read-only access. Refer to detailed scan log (Feed.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "AuthZ",
        "RBAC",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
        "ControlID": "ADO_Feed_AuthZ_Dont_Grant_BuildSvcAcct_Permission",
        "Description": "Do not grant Build Service Account direct access to feed.",
        "Id": "Feed110",
        "ControlSeverity": "High",
        "Automated": "Yes",
        "MethodName": "CheckBuildSvcAccAccessOnFeeds",
        "Rationale": "The build service account is the default identity used as part of every build in the project. Providing direct access to this common service account will expose feeds to all build definitions in the project.",
        "Recommendation": "1. Go to Project --> 2. Artifacts --> 3. Select Feed --> 4. Feed Settings --> 5. Permissions --> 6. Groups --> 7. Review the assigned roles; Build service accounts should not have administrator/contributor/collaborator roles.",
        "Tags": [
          "SDL",
          "TCP",
          "Automated",
          "AuthZ",
          "MSW",
          "AutomatedFix"
        ],
        "Enabled": true
    },
    {
      "ControlID": "ADO_SecureFile_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make secure files accessible to all pipelines.",
      "Id": "SecureFile100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecureFilesPermission",
      "Rationale": "If a secure file is granted access to all pipelines, an unauthorized user can steal information from the secure files by building a pipeline and accessing the secure file.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Pipeline Permissions', remove pipelines that no longer require access to the secure file, or click 'Restrict Permission' to avoid granting access to all pipelines.",
      "Tags": [
        "SDL",
        "AuthZ",
        "Automated",
        "Best Practice",
        "MSW"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_SecureFile_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow secure file to have excessive permissions for a broad group of users.",
      "Id": "SecureFile110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnSecureFile",
      "Rationale": "If a broad group of users (e.g. Contributors) has excessive permissions on a secure file, a malicious user may gain access to the stored secret/certificate, which may open the door to further attacks (e.g. SSH access to a machine/server using this secret/certificate).",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Library --> 4. Secure Files --> 5. Select your secure file from the list --> 6. Click 'Security' --> 7. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (SecureFile.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW",
        "AutomatedFix"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Dont_Grant_All_Pipelines_Access",
      "Description": "Do not make environment accessible to all pipelines.",
      "Id": "Environment100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckEnviornmentAccess",
      "Rationale": "To support security of the pipeline operations, environments must not be granted access to all pipelines. This is in keeping with the principle of least privilege because a vulnerability in components used by one pipeline can be leveraged by an attacker to attack other pipelines having access to critical resources.",
      "Recommendation": "1. Go to Pipelines --> 2. Environments --> 3. Select your environment from the list --> 4. Click Security --> 5. Under 'Pipeline Permissions', remove pipelines that no longer require access to the environment, or click 'Restrict Permission' to avoid granting access to all pipelines.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Environment_AuthZ_Restrict_Broader_Group_Access",
      "Description": "Do not allow environment to have excessive permissions for a broad group of users.",
      "Id": "Environment110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBroaderGroupAccessOnEnvironment",
      "Rationale": "If a broad group of users (e.g., Contributors) have excessive permissions on an environment, a malicious user can abuse these permissions to compromise integrity of the environment.",
      "Recommendation": "1. Go to Project --> 2. Pipelines --> 3. Environments --> 4. Select your environment from the list --> 5. Click 'Security' --> 6. Review users/groups which have administrator and user roles. Ensure broader groups have read-only access. Refer to detailed scan log (Environment.LOG) for broader group list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Disable_Inherited_Permissions",
      "Description": "Do not allow inherited permission on repository.",
      "Id": "Repository130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckInheritedPermissionsOnRepository",
      "Rationale": "Disabling inherited permissions lets you finely control access to various operations at the repository level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.",
      "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select a Repository --> 4. Permissions --> 5. Disable 'Inheritance'.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "ADO_Repository_AuthZ_Dont_Grant_BuildSvcAcct_Permission",
      "Description": "Do not grant Build Service Account direct access to repositories.",
      "Id": "Repository140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBuildSvcAcctAccessOnRepository",
      "Rationale": "The build service account is the default identity used as part of every build in the project. Configuring these identities with excessive permissions will expose repository details to all build definitions in the project.",
      "Recommendation": "1. Go to Project Settings --> 2. Repositories --> 3. Select your repository from the list --> 4. Select security --> 5. Ensure 'Excessive' permissions of 'Project Collection Build Service(organization)/[Project] Build Service' groups are not set to 'Allow'. Refer to detailed scan log (Repository.LOG) for excessive permissions list.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "MSW"
      ],
      "Enabled": true
    }
  ]
}