Saturday, May 26, 2018

CIS Control 2 on Azure - Software Inventory

Continuing on with discussing the CIS Controls on Azure, the goal of this post is to talk about CIS Control 2, which focuses on software assets, specifically 2.4: track software inventory.

I had to think about this one a little bit. In the context of Azure, I would define the software that we need to track as the components of the Azure platform that are currently in use. As per the documentation, we need to track the following:

  • Name
  • Version
  • Publisher
  • Install date

I would say that most of the above don't make sense in the case of components on the platform.

From PowerShell, you can very easily obtain a list of all the resources you currently have deployed:

$resources = Get-AzureRmResource

This works for any resource you have deployed. The properties returned for each resource follow what is documented for it in the REST API reference. The output looks something like this:

[screenshot of the Get-AzureRmResource output]
You can very easily get a list of the unique resource types that are deployed in your Azure subscription. The following PowerShell should do the trick:

$resources | Sort-Object -Property ResourceType -Unique | Select-Object ResourceType

You should get something like the following:

[screenshot of the list of unique resource types]
Now that you can build this list, you can monitor it for changes as required.

The only thing we are not able to get easily off of the Azure platform is the install date of a particular resource. While there are some methods (such as OMS or Azure Monitor), they are mostly subject to log retention constraints. One way to track this would be to make use of tags.
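Putting the pieces above together, here is an added example (my own code, not the original post's) that builds a software inventory record per resource, stores it as a baseline, reports added or removed resources and any resource type seen for the first time, and records the "install date" in a tag when the platform does not give us one. It assumes the AzureRM module is loaded and you have already signed in with Login-AzureRmAccount; the tag name InstallDate, the baseline file path and the mapping of "Publisher" to the resource provider namespace are assumptions made for this example.

```powershell
# Added example: software inventory for CIS Control 2.4 on Azure.
# Assumes the AzureRM module and an existing login. The tag name and
# baseline path below are assumptions, not anything the platform mandates.
$BaselinePath = Join-Path $HOME 'azure-software-inventory.json'
$InstallTag   = 'InstallDate'

function Get-AzureSoftwareInventory {
    # One record per deployed resource, mapped to the CIS fields that make
    # sense on the platform. Publisher is taken from the provider namespace
    # (e.g. Microsoft.Compute); InstallDate comes from our own tag, if present.
    Get-AzureRmResource | ForEach-Object {
        $installDate = $null
        if ($_.Tags -and $_.Tags.ContainsKey($InstallTag)) { $installDate = $_.Tags[$InstallTag] }
        [pscustomobject]@{
            ResourceId    = $_.ResourceId
            Name          = $_.Name
            ResourceType  = $_.ResourceType
            Publisher     = $_.ResourceType.Split('/')[0]
            ResourceGroup = $_.ResourceGroupName
            Location      = $_.Location
            InstallDate   = $installDate
        }
    }
}

function Set-InstallDateTag {
    param([Parameter(Mandatory)] $Resource)
    # Records the first time the inventory saw this resource. Existing tags are
    # preserved and a resource that already carries the tag is left alone.
    $tags = @{}
    if ($Resource.Tags) { $tags = $Resource.Tags }
    if (-not $tags.ContainsKey($InstallTag)) {
        $tags[$InstallTag] = (Get-Date).ToString('yyyy-MM-dd')
        Set-AzureRmResource -ResourceId $Resource.ResourceId -Tag $tags -Force | Out-Null
    }
}

function Compare-AzureSoftwareInventory {
    param(
        [AllowEmptyCollection()] [object[]] $Baseline,
        [AllowEmptyCollection()] [object[]] $Current
    )
    # Added/removed resources are matched on ResourceId. A resource type that was
    # never in the baseline is a new software component and is called out separately.
    $diff    = Compare-Object -ReferenceObject @($Baseline) -DifferenceObject @($Current) -Property ResourceId -PassThru
    $added   = @($diff | Where-Object SideIndicator -eq '=>')
    $removed = @($diff | Where-Object SideIndicator -eq '<=')
    $knownTypes = @($Baseline.ResourceType | Sort-Object -Unique)
    $newTypes   = @($added.ResourceType | Sort-Object -Unique | Where-Object { $_ -notin $knownTypes })
    [pscustomobject]@{ Added = $added; Removed = $removed; NewResourceTypes = $newTypes }
}

# Usage: the first run writes the baseline; every later run reports drift against it.
$current = @(Get-AzureSoftwareInventory)
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) resources)"
} else {
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $report   = Compare-AzureSoftwareInventory -Baseline $baseline -Current $current
    Write-Output "Added since baseline:";   $report.Added   | Select-Object Name, ResourceType, ResourceGroup, InstallDate | Format-Table
    Write-Output "Removed since baseline:"; $report.Removed | Select-Object Name, ResourceType, ResourceGroup | Format-Table
    if ($report.NewResourceTypes.Count -gt 0) {
        Write-Warning "Resource types not present in the baseline: $($report.NewResourceTypes -join ', ')"
    }
}

# Resources without an install date cannot be dated from the platform itself;
# tag them now so that the next inventory run has a value to report.
Get-AzureRmResource | Where-Object { -not ($_.Tags -and $_.Tags.ContainsKey($InstallTag)) } | ForEach-Object { Set-InstallDateTag -Resource $_ }
```

The comparison keys on ResourceId rather than Name because names are only unique within a resource group, and the date written into the tag is the date the inventory first observed the resource, which is only an approximation of the real deployment time for anything that existed before tagging started. If you prefer not to modify resources from an inventory script, drop the last line and rely on Azure Monitor or the activity log for the install date where retention allows.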