Merge pull request #1231 from jemrobinson/pentest-2022-08-30
Fixes for August 2022 penetration test
jemrobinson authored Aug 26, 2022
2 parents 75b58d2 + 78334e8 commit e90ffd3
Showing 84 changed files with 2,451 additions and 1,195 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build_docs.yaml
Expand Up @@ -101,7 +101,7 @@ jobs:
--check-img-http \
--enforce-https \
--file-ignore "/_static/" \
--http-status-ignore "403,429" \
--http-status-ignore "403,429,503" \
--url-swap "^\/data-safe-haven:/.." \
--url-ignore "/github.com\/alan-turing-institute\/data-safe-haven/,/github.com\/alan-turing-institute\/data-classification-app/,/turing.ac.uk\//"
- name: Deploy documentation to GitHub Pages
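Review bot: Adding 503 to the ignore list on the line `--http-status-ignore "403,429,503"` makes a link whose host is permanently down pass the documentation link check, not just one that is briefly overloaded, so a dead reference will no longer be reported. If the motivation is a flaky upstream, scoping the exception to that host via the existing `--url-ignore` pattern, or using a retry option if the checker provides one, would keep genuine outages visible. A short comment above the flag recording which host prompted the change, e.g. `# 503: <host> intermittently returns Service Unavailable`, would also help the next person decide when it can be removed. The job definition continues outside the hunk.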
2 changes: 1 addition & 1 deletion CODE_OF_CONDUCT.md
Expand Up @@ -9,7 +9,7 @@ To make clear what is expected, we ask all members of the community to conform t

- [1 Introduction](#1-introduction)
- [2 Code of Conduct](#2-code-of-conduct)
- [2.1 Expected Behaviour](#21-expected-behaviours)
- [2.1 Expected Behaviour](#21-expected-behaviour)
- [2.2 Unacceptable Behaviour](#22-unacceptable-behaviour)
- [2.3 Consequences of Unacceptable Behaviour](#23-consequences-of-unacceptable-behaviour)
- [2.4 Feedback](#24-feedback)
4 changes: 2 additions & 2 deletions deployment/common/AzureAutomation.psm1
Expand Up @@ -195,7 +195,7 @@ function Register-VmsWithAutomationSchedule {
# Remove any existing update configuration with the same name
$null = Remove-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName "$($Account.ResourceGroupName)" -AutomationAccountName "$($Account.AutomationAccountName)" -Name $Schedule.Name -ErrorAction SilentlyContinue
if ($VmType -eq "Windows") {
$IncludedPackageClassification = @("Critical", "Definition", "FeaturePack", "Security", "ServicePack", "Tools", "Unclassified", "UpdateRollup", "Updates") | Where-Object { $IncludedUpdates.Contains($_) }
$IncludedPackageClassification = @("Critical", "Definition", "FeaturePack", "Security", "ServicePack", "Tools", "Unclassified", "UpdateRollup", "Updates") | Where-Object { $IncludedUpdateCategories.Contains($_) }
$config = New-AzAutomationSoftwareUpdateConfiguration -AutomationAccountName $Account.AutomationAccountName `
-Confirm:$false `
-ErrorAction Stop `
Expand All @@ -205,7 +205,7 @@ function Register-VmsWithAutomationSchedule {
-Windows `
@params
} else {
$IncludedPackageClassification = @("Critical", "Other", "Security", "Unclassified") | Where-Object { $IncludedUpdates.Contains($_) }
$IncludedPackageClassification = @("Critical", "Other", "Security", "Unclassified") | Where-Object { $IncludedUpdateCategories.Contains($_) }
$config = New-AzAutomationSoftwareUpdateConfiguration -AutomationAccountName $Account.AutomationAccountName `
-Confirm:$false `
-ErrorAction Stop `
44 changes: 32 additions & 12 deletions deployment/common/AzureCompute.psm1
Expand Up @@ -45,8 +45,15 @@ function Confirm-VmDeallocated {
[Parameter(Mandatory = $true, HelpMessage = "Name of resource group that the VM belongs to")]
[string]$ResourceGroupName
)
$vmStatuses = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses.Code
return (($vmStatuses -contains "PowerState/deallocated") -and ($vmStatuses -contains "ProvisioningState/succeeded"))
try {
$vmStatuses = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status -ErrorAction Stop).Statuses.Code
if ($vmStatuses -contains "ProvisioningState/failed/VMStoppedToWarnSubscription") {
Add-LogMessage -Level Warning "VM '$Name' has status: VMStoppedToWarnSubscription meaning that it was automatically stopped when the subscription ran out of credit."
}
return (($vmStatuses -contains "PowerState/deallocated") -and ($vmStatuses -contains "ProvisioningState/succeeded"))
} catch {
return $false
}
}
Export-ModuleMember -Function Confirm-VmDeallocated

Expand All @@ -60,8 +67,15 @@ function Confirm-VmRunning {
[Parameter(Mandatory = $true, HelpMessage = "Name of resource group that the VM belongs to")]
[string]$ResourceGroupName
)
$vmStatuses = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses.Code
return (($vmStatuses -contains "PowerState/running") -and ($vmStatuses -contains "ProvisioningState/succeeded"))
try {
$vmStatuses = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status -ErrorAction Stop).Statuses.Code
if ($vmStatuses -contains "ProvisioningState/failed/VMStoppedToWarnSubscription") {
Add-LogMessage -Level Warning "VM '$Name' has status: VMStoppedToWarnSubscription meaning that it was automatically stopped when the subscription ran out of credit."
}
return (($vmStatuses -contains "PowerState/running") -and ($vmStatuses -contains "ProvisioningState/succeeded"))
} catch {
return $false
}
}
Export-ModuleMember -Function Confirm-VmRunning

Expand All @@ -75,11 +89,15 @@ function Confirm-VmStopped {
[Parameter(Mandatory = $true, HelpMessage = "Name of resource group that the VM belongs to")]
[string]$ResourceGroupName
)
if ($vmStatuses -contains "ProvisioningState/failed/VMStoppedToWarnSubscription") {
Add-LogMessage -Level Warning "VM '$Name' has status: VMStoppedToWarnSubscription meaning that it was automatically stopped when the subscription ran out of credit."
try {
$vmStatuses = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status -ErrorAction Stop).Statuses.Code
if ($vmStatuses -contains "ProvisioningState/failed/VMStoppedToWarnSubscription") {
Add-LogMessage -Level Warning "VM '$Name' has status: VMStoppedToWarnSubscription meaning that it was automatically stopped when the subscription ran out of credit."
}
return (($vmStatuses -contains "PowerState/stopped") -and (($vmStatuses -contains "ProvisioningState/succeeded") -or ($vmStatuses -contains "ProvisioningState/failed/VMStoppedToWarnSubscription")))
} catch {
return $false
}
$vmStatuses = (Get-AzVM -Name $Name -ResourceGroupName $ResourceGroupName -Status).Statuses.Code
return (($vmStatuses -contains "PowerState/stopped") -and (($vmStatuses -contains "ProvisioningState/succeeded") -or ($vmStatuses -contains "ProvisioningState/failed/VMStoppedToWarnSubscription")))
}
Export-ModuleMember -Function Confirm-VmStopped

Expand Down Expand Up @@ -140,9 +158,11 @@ function Deploy-LinuxVirtualMachine {
if ($ImageId) {
$vmConfig = Set-AzVMSourceImage -VM $vmConfig -Id $ImageId
} elseif ($ImageSku) {
if (($ImageSku -eq "Ubuntu-22.04") -or ($ImageSku -eq "Ubuntu-latest")) {
if ($ImageSku -eq "Ubuntu-22.04") {
# Note that we cannot move 'Ubuntu-latest' to 22.04 until migrating to Azure Monitor Agent https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration
Add-LogMessage -Level Warning "Note that Ubuntu 22.04 is not supported by the Azure Log Analytics Agent used to manage automatic updates. Please consider using Ubuntu 20.04."
$vmConfig = Set-AzVMSourceImage -VM $vmConfig -PublisherName Canonical -Offer 0001-com-ubuntu-server-jammy -Skus "22_04-LTS" -Version "latest"
} elseif ($ImageSku -eq "Ubuntu-20.04") {
} elseif (($ImageSku -eq "Ubuntu-20.04") -or ($ImageSku -eq "Ubuntu-latest")) {
$vmConfig = Set-AzVMSourceImage -VM $vmConfig -PublisherName Canonical -Offer 0001-com-ubuntu-server-focal -Skus "20_04-LTS" -Version "latest"
} elseif ($ImageSku -eq "Ubuntu-18.04") {
$vmConfig = Set-AzVMSourceImage -VM $vmConfig -PublisherName Canonical -Offer UbuntuServer -Skus "18.04-LTS" -Version "latest"
Expand Down Expand Up @@ -238,12 +258,12 @@ function Deploy-VirtualMachineMonitoringExtension {
[string]$WorkspaceKey
)
if ($VM.OSProfile.WindowsConfiguration) {
# Install Monitoring Agent
# Install Monitoring Agent - Replacement is Azure Monitor Agent (https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview?tabs=PowerShellWindows)
Set-VirtualMachineExtensionIfNotInstalled -VM $VM -Publisher "Microsoft.EnterpriseCloud.Monitoring" -Type "MicrosoftMonitoringAgent" -Version 1.0 -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey
# # Install Dependency Agent
# Set-VirtualMachineExtensionIfNotInstalled -VM $VM -Publisher "Microsoft.Azure.Monitoring.DependencyAgent" -Type "DependencyAgentWindows" -Version 9.10 -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey
} elseif ($VM.OSProfile.LinuxConfiguration) {
# Install Monitoring Agent
# Install Monitoring Agent - does not support Ubuntu 22.04. Replacement is Azure Monitor Agent (https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview?tabs=PowerShellWindows)
Set-VirtualMachineExtensionIfNotInstalled -VM $VM -Publisher "Microsoft.EnterpriseCloud.Monitoring" -Type "OmsAgentForLinux" -EnableAutomaticUpgrade $true -Version 1.14 -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey
# # Install Dependency Agent - not working with current Ubuntu 20.04 (https://docs.microsoft.com/en-us/answers/questions/938560/unable-to-enable-insights-on-ubuntu-2004-server.html)
# Set-VirtualMachineExtensionIfNotInstalled -VM $VM -Publisher "Microsoft.Azure.Monitoring.DependencyAgent" -Type "DependencyAgentLinux" -Version 9.10 -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey
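Review bot: The new `} catch { return $false }` in Confirm-VmDeallocated swallows every failure of `Get-AzVM -ErrorAction Stop` (expired credentials, throttling, a wrong resource group name) and reports it as "VM is not deallocated" with no diagnostic, so a caller polling this predicate cannot tell "not yet" from "cannot query". Logging the reason before returning, `Add-LogMessage -Level Warning "Could not read status of VM '$Name': $($_.Exception.Message)"`, keeps the lenient return value while leaving a trace in the deployment log. The same pattern appears in the Confirm-VmRunning and Confirm-VmStopped hunks and should get the same line; the removed lines in Confirm-VmStopped show the old code reading `$vmStatuses` before assigning it, which the new ordering correctly fixes.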
33 changes: 33 additions & 0 deletions deployment/common/AzureKeyVault.psm1
@@ -1,5 +1,6 @@
Import-Module Az.KeyVault -ErrorAction Stop
Import-Module $PSScriptRoot/Cryptography -ErrorAction Stop
Import-Module $PSScriptRoot/DataStructures -ErrorAction Stop
Import-Module $PSScriptRoot/Logging -ErrorAction Stop


Expand Down Expand Up @@ -73,6 +74,38 @@ function Remove-AndPurgeKeyVaultSecret {
Export-ModuleMember -Function Remove-AndPurgeKeyVaultSecret


# Return a certificate with a valid private key if it exists, otherwise remove and purge any certificate with this name
# ---------------------------------------------------------------------------------------------------------------------
function Resolve-KeyVaultPrivateKeyCertificate {
param(
[Parameter(Mandatory = $true, HelpMessage = "Name of secret")]
[ValidateNotNullOrEmpty()]
[string]$CertificateName,
[Parameter(Mandatory = $true, HelpMessage = "Name of key vault this secret belongs to")]
[ValidateNotNullOrEmpty()]
[string]$VaultName
)
# Return existing certificate if it exists and has a private key
$existingCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName
$privateKey = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName -AsPlainText
if ($existingCert -and $privateKey) {
Add-LogMessage -Level InfoSuccess "Found existing certificate with private key"
return $existingCert
}
# Remove any existing certificate with this name
Remove-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName -Force -ErrorAction SilentlyContinue
Wait-For -Target "removal of old certificate to complete" -Seconds 30
# Purge any removed certificate with this name
$removedCert = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName -InRemovedState
if ($removedCert) {
Remove-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName -InRemovedState -Force -ErrorAction SilentlyContinue
Wait-For -Target "pruning of old certificate to complete" -Seconds 30
}
return $false
}
Export-ModuleMember -Function Resolve-KeyVaultPrivateKeyCertificate


# Ensure that a password is in the keyvault
# -----------------------------------------
function Resolve-KeyVaultSecret {
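Review bot: In Resolve-KeyVaultPrivateKeyCertificate the line `$privateKey = Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertificateName -AsPlainText` pulls the certificate's private key material into a plaintext string solely to test whether it exists, and that string then lives in the session until the function returns. Dropping `-AsPlainText` returns the secret object with its value still wrapped as a SecureString, and the existing `if ($existingCert -and $privateKey)` check works unchanged. Separately, the two `Wait-For ... -Seconds 30` calls assume soft-delete and purge have finished within a fixed delay; if the delete is still in progress the `-InRemovedState` lookup can miss the certificate and the purge is skipped, so polling until the removed entry appears (and until it disappears after the purge) would make the helper's `$false` result trustworthy. The header comment should also state the mixed return contract: the existing certificate object on success, `$false` after cleanup.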
