rules/findings/azure/appservices_environment/azure-app-service-environment-cipher-suite-order.json
|
{
"args": [], "provider": "Azure", "serviceType": "App Service Environments", "serviceName": "Hosted Services", "displayName": "Ensure App Service Environment has TLS cipher suite ordering configured", "description": "App Service Environment supports changing the cipher suite from the default. The default set of ciphers is the same set that is used in the multi-tenant App Service.<br/><br/>Changing the cipher suite is only possible with App Service Environment, the single-tenant offering, not the multi-tenant offering, because changing it affects the entire App Service deployment.<br/><br/>There are two cipher suites that are required for an App Service Environment:\nTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Additionally, you should include the following cipher suites, which are required for TLS 1.3: TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256.<br/><br/>This rule compares clusterSettings.FrontEndSSLCipherSuiteOrder for equality with exactly the comma-separated list shown in the remediation, so a value with a different order or with additional cipher suites will not match.", "rationale": "Configuring your App Service Environment to use only the ciphers it requires helps to keep the environment secure.", "impact": "If the cipher suite setting contains values that SChannel cannot understand, all TLS communication to your server might stop functioning.", "remediation": { "text": " #### Remediate from Azure Portal 1. Go to Resource Explorer. 2. Locate an App Service Environment from the left pane. 3. In the right pane, click Read/Write to allow editing. 4. Click Edit to edit the resource. 5. Update the clusterSettings attribute to include: ```json { \"name\": \"FrontEndSSLCipherSuiteOrder\", \"value\": \"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\" } ``` 6. Click PUT to commit the change. 7. Repeat steps 1-7 for each App Service Environment requiring remediation. 
", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings", "https://learn.microsoft.com/en-us/cli/azure/appservice/ase?view=azure-cli-latest" ], "compliance": [ { "name": "CIS Microsoft Azure Foundations", "version": "2.0.0", "reference": "2.10", "profile": [ "Level 1" ] } ], "level": "info", "tags": [], "rule": { "path": "az_app_service_environment", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "clusterSettings.FrontEndSSLCipherSuiteOrder", "eq", "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ] ] } ] } ], "shouldExist": "true", "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "clusterSettings":"Cluster Settings" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "name", "location", "properties", "clusterSettings" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "clusterSettings":"Cluster Settings" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure App Service Environment has TLS cipher suite ordering configured for {name}", "defaultMessage": "Ensure App Service Environment has TLS cipher suite ordering configured" }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "azure_app_service_environment_lack_cipher_suite_ordering", "notes": [], "categories": [], "immutable_properties": [ 
"name", "id" ], "id": "azure_appservice_environment_001" } |