Framework/Configurations/SVT/AzureDevOps/AzureDevOps.AgentPool.json
{
"FeatureName": "AgentPool", "Reference": "aka.ms/azsktcp/AgentPool", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "AzureDevOps_AgentPool_AuthZ_Grant_Min_RBAC_Access", "Description": "All teams/groups must be granted minimum required permissions on agent pool", "Id": "AgentPool110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=vsts", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AzureDevOps_AgentPool_SI_Apply_Security_Patches", "Description": "Non-hosted agent virtual machine must have all the required security patches installed.", "Id": "AgentPool120", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Un-patched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management", "Tags": [ "SDL", "TCP", "Manual", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_AgentPool_SI_Lockdown_Machine", "Description": "Use a security hardened, locked down OS image for self-hosted VMs in agent pool.", "Id": "AgentPool130", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "The connector machine is serving as a 'gateway' into the corporate environment allowing internet based client endpoints access to enterprise data. Using a locked-down, secure baseline configuration ensures that this machine does not get leveraged as an entry point to attack the applications/corporate network.", "Recommendation": "Use a locked down OS configuration. Ensure that the system is always fully patched, has real-time malware protection enabled, OS firewall and disk encryption turned on, etc. Also, monitor this VM just like you'd monitor a high-value asset.", "Tags": [ "SDL", "TCP", "Manual", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_AgentPool_AuthZ_Disable_Inherited_Permissions", "Description": "Do not allow inherited permission on agent pool", "Id": "AgentPool140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckInheritPermissions", "Rationale": "Disabling inherit permissions lets you finely control access to various operations at the agent level for different stakeholders. This ensures that you follow the principle of least privilege and provide access only to the persons that require it.", "Recommendation": "To disable inheritance follow the steps given here: 1.Navigate to the agent pool. 2. Select Security. 3. Under User Permissions, add the service lead & service owner as users with allow permissions for each permission line item. 4. Select Off under Inheritance. 5. Add users/groups to agent and provide only required access. As best practice, all teams/groups must be granted minimum required permissions on agent pool.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AzureDevOps_AgentPool_AuthZ_Org_Auto_Provisioning", "Description": "Do not enable Auto-provisioning for agent pools", "Id": "AgentPool150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOrgAgtAutoProvisioning", "Rationale": "By enabling the 'Auto-provision' The organization agent pool is imported in all your new team projects and is accessible there immediately.", "Recommendation": "To change auto-provision settings: 1.Navigate to the Organization settings. 2. Open Agent pools. 3. Select Settings. 4. Change the settings for 'Auto-provisioning' this agent pools in new projects'", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AzureDevOps_AgentPool_AuthZ_Project_Dont_Grant_All_Pipeline_Access", "Description": "Do not make agent pool accesible to all pipelines in the project.", "Id": "AgentPool160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPrjAllPipelineAccess", "Rationale": "By enabling the 'Grant access permission to all pipelines' the agent pool is imported in all your pipelines in the current project and is accessible there immediately.", "Recommendation": "Go to 'Project settings' --> 'Agent pools' --> Select the agent pool --> Security --> Disable 'Grant access permission to all pipeline'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true } ] } |