azure-auditor

command module

v0.0.0-...-a323bfd Latest Latest Go to latest Published: Feb 17, 2024 License: MIT Imports: 23 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/webdevops/azure-auditor

Links

Open Source Insights

README ¶

Azure Auditor

Auditor for Azure resources and settings with Prometheus metrics (violations) for alerting

Audit reports:

ResourceGroups
RoleAssignments
ResourceProviders
ResourceProviderFeatures
Keyvault AccessPolicies
ResourceGraph queries

Usage

Usage:
  azure-auditor [OPTIONS]

Application Options:
      --log.debug                     debug mode [$LOG_DEBUG]
      --log.trace                     trace mode [$LOG_TRACE]
      --log.json                      Switch log output to json format [$LOG_JSON]
      --azure.environment=            Azure environment name (default: AZUREPUBLICCLOUD)
                                      [$AZURE_ENVIRONMENT]
      --azure.subscription=           Azure subscription ID [$AZURE_SUBSCRIPTION_ID]
      --report.title=                 Report title [$REPORT_TITLE]
      --cron.keytvaultaccesspolicies= Cronjob for KeyVault AccessPolicies report (default: 0 * * * *)
                                      [$CRON_KEYTVAULTACCESSPOLICIES]
      --cron.resourcegroups=          Cronjob for ResourceGroups report (default: */30 * * * *)
                                      [$CRON_RESOURCEGROUPS]
      --cron.resourceproviders=       Cronjob for ResourceProviders report (default: 0 * * * *)
                                      [$CRON_RESOURCEPROVIDERS]
      --cron.roleassignments=         Cronjob for RoleAssignments report (default: */5 * * * *)
                                      [$CRON_ROLEASSIGNMENTS]
      --cron.resourcegraph=           Cronjob for ResourceGraph report (default: 15 * * * *)
                                      [$CRON_RESOURCEGRAPH]
      --config=                       Config file path [$CONFIG]
      --dry-run                       Dry Run (report only) [$DRYRUN]
      --bind=                         Server address (default: :8080) [$SERVER_BIND]
      --server.path.report=           Server path for report (default: /report) [$SERVER_PATH_REPORT]

Help Options:
  -h, --help                          Show this help message

crons can be disabled by setting them to empty string or false

for Azure API authentication (using ENV vars) see https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication

For AzureCLI authentication set AZURE_AUTH=az

Configuration file

see (example.yaml)[/example.yaml] as for example audit rules

Metrics

Metric	Description
`azurerm_audit_violation_roleassignment`	RoleAssingment violations
`azurerm_audit_violation_resourcegroup`	ResourceGroup violations
`azurerm_audit_violation_resourceprovider`	ResourceProvider violations
`azurerm_audit_violation_resourceproviderfeature`	ResourceProviderFeature violations
`azurerm_audit_violation_keyvaultaccesspolicy`	Keyvault AccessPolicy violations
`azurerm_audit_violation_resourcegraph_XXX`	ResourceGraph violations

AzureTracing metrics

(with 22.2.0 and later)

Azuretracing metrics collects latency and latency from azure-sdk-for-go and creates metrics and is controllable using environment variables (eg. setting buckets, disabling metrics or disable autoreset).

Metric	Description
`azurerm_api_ratelimit`	Azure ratelimit metrics (only on /metrics, resets after query due to limited validity)
`azurerm_api_request_*`	Azure request count and latency as histogram

Settings

Environment variable	Example	Description
`METRIC_AZURERM_API_REQUEST_BUCKETS`	`1, 2.5, 5, 10, 30, 60, 90, 120`	Sets buckets for `azurerm_api_request` histogram metric
`METRIC_AZURERM_API_REQUEST_ENABLE`	`false`	Enables/disables `azurerm_api_request_*` metric
`METRIC_AZURERM_API_REQUEST_LABELS`	`apiEndpoint, method, statusCode`	Controls labels of `azurerm_api_request_*` metric
`METRIC_AZURERM_API_RATELIMIT_ENABLE`	`false`	Enables/disables `azurerm_api_ratelimit` metric
`METRIC_AZURERM_API_RATELIMIT_AUTORESET`	`false`	Enables/disables `azurerm_api_ratelimit` autoreset after fetch

`azurerm_api_request` label	Status	Description
`apiEndpoint`	enabled by default	hostname of endpoint (max 3 parts)
`routingRegion`	enabled by default	detected region for API call, either routing region from Azure Management API or Azure resource location
`subscriptionID`	enabled by default	detected subscriptionID
`tenantID`	enabled by default	detected tenantID (extracted from jwt auth token)
`resourceProvider`	enabled by default	detected Azure Management API provider
`method`	enabled by default	HTTP method
`statusCode`	enabled by default	HTTP status code

Endpoints

Metric	Description
`/metrics`	Prometheus metrics incl. audit violations
`/config`	Parsed and processes config file
`/report`	Audit report ui
`/healthz`	Healthz endpoint

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
auditor
types
validator
config

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL