---
name: azure-security-scanner
description: Azure security configuration scanning and hardening using Microsoft Defender for Cloud (formerly Azure Security Center), Azure Policy and ScoutSuite
allowed-tools:
  - Bash
  - Read
  - Write
  - Glob
  - Grep
  - WebFetch
---
# Azure Security Scanner Skill

## Purpose

Automated Azure security configuration scanning and hardening, used to identify misconfigurations, compliance violations and security risks across Azure subscriptions and tenants.
## Capabilities

### Azure Security Center (Defender for Cloud) Assessment

- Run Microsoft Defender for Cloud security assessments
- Check Secure Score and its recommendations
- Review security alerts and incidents
- Verify just-in-time (JIT) VM access
- Check adaptive application controls
- Monitor the regulatory compliance dashboard

### Azure AD Security Analysis

- Analyze Azure AD Conditional Access policies
- Check MFA enforcement status
- Review Privileged Identity Management (PIM)
- Identify risky sign-ins and risky users
- Analyze app registrations and service principals
- Check guest user access configuration
### Network Security Group Analysis

- Review NSG rules for overly permissive access
- Check for management ports (RDP 3389, SSH 22) open to the internet
- Verify application security groups
- Review Azure Firewall configuration
- Check DDoS Protection status
- Analyze virtual network configuration
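The open-management-port check above is the one most often done wrong: a rule is not "open" just because it says Allow, since Azure evaluates NSG rules by ascending priority and stops at the first match, so a lower-numbered Deny shadows a later broad Allow. The following is an added example, not code from ScoutSuite, Azure or this skill; it consumes the JSON that `az network nsg list -o json` returns (a constructed sample is embedded), walks inbound rules in priority order, and emits findings in this page's output-schema shape. The check IDs, severities and compliance-mapping text are this example's own choices.

```python
"""Evaluate Azure NSG inbound rules for management ports exposed to the internet.

Added example for the azure-security-scanner skill; not code from ScoutSuite,
Azure or the skill itself. Input is shaped like `az network nsg list -o json`.
"""
import json

# Constructed sample shaped like `az network nsg list -o json` output.
SAMPLE_NSGS = json.loads("""[
  {"name": "web-nsg",
   "id": "/subscriptions/sub-1/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
   "securityRules": [
     {"name": "deny-rdp", "priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
      "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
      "destinationPortRange": "3389", "destinationPortRanges": []},
     {"name": "allow-any", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "*",
      "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
      "destinationPortRange": "*", "destinationPortRanges": []}]},
  {"name": "db-nsg",
   "id": "/subscriptions/sub-1/resourceGroups/rg-db/providers/Microsoft.Network/networkSecurityGroups/db-nsg",
   "securityRules": [
     {"name": "allow-ssh-from-bastion", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
      "sourceAddressPrefix": "10.0.1.0/24", "sourceAddressPrefixes": [],
      "destinationPortRange": "22", "destinationPortRanges": []},
     {"name": "allow-app-ranges", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
      "sourceAddressPrefix": null, "sourceAddressPrefixes": ["0.0.0.0/0"],
      "destinationPortRange": null, "destinationPortRanges": ["3000-4000", "22"]}]}
]""")

# Source prefixes that mean "anyone on the internet" (service tag names are case-insensitive).
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0", "any"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}  # assumed scope; extend as needed


def _sources(rule):
    """The CLI emits both a single-value and a list-value prefix field; merge them."""
    return [p for p in [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or []) if p]


def _port_specs(rule):
    return [p for p in [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or []) if p]


def is_internet_sourced(rule):
    return any(p.lower() in INTERNET_SOURCES for p in _sources(rule))


def port_matches(rule, port):
    """True if any destination port spec ('*', '22' or '3000-4000') covers `port`."""
    for spec in _port_specs(rule):
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def internet_reaches_port(nsg, port, protocol="Tcp"):
    """Return (allowed, deciding_rule) for internet -> `port` on this NSG.

    Azure takes the first matching rule by ascending priority; traffic that
    matches no custom rule falls through to the built-in DenyAllInBound (65500).
    """
    inbound = sorted((r for r in nsg.get("securityRules") or [] if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    for rule in inbound:
        if rule.get("protocol") not in ("*", protocol):
            continue
        if not port_matches(rule, port) or not is_internet_sourced(rule):
            continue
        return rule.get("access") == "Allow", rule["name"]
    return False, "DenyAllInBound"


def scan_nsgs(nsgs):
    """Emit findings in the skill's output-schema shape for each exposed management port."""
    findings = []
    for nsg in nsgs:
        for port, service in MANAGEMENT_PORTS.items():
            allowed, rule_name = internet_reaches_port(nsg, port)
            if not allowed:
                continue
            findings.append({
                "checkId": f"NSG-INTERNET-{service}",
                "severity": "critical",
                "service": "Network",
                "resourceId": nsg["id"],
                "description": f"Rule '{rule_name}' allows {service} (TCP {port}) inbound from the internet",
                "remediation": "Restrict the source to a bastion or jump-host range, or use Defender for Cloud just-in-time VM access",
                "complianceMapping": [f"CIS Azure Foundations: restrict {service} access from the internet"],
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_nsgs(SAMPLE_NSGS), indent=2))
```

In the sample, `web-nsg` is flagged only for SSH because its `deny-rdp` rule at priority 100 shadows the `allow-any` rule at 200, while `db-nsg` is flagged for both ports: its bastion-only SSH rule does not match internet traffic, and the `3000-4000` range in the next rule happens to cover 3389. Narrow public prefixes (a single partner /24) are deliberately not treated as "internet"; widen `INTERNET_SOURCES` if your policy says otherwise.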
### Storage Account Security

- Identify publicly accessible storage accounts (anonymous blob access, open network rules)
- Check encryption configuration (SSE, customer-managed keys)
- Review shared access signatures (SAS)
- Verify network access rules
- Check that secure transfer (HTTPS only) is required
- Review access key rotation

### Key Vault Security

- Check Key Vault access policies (or RBAC assignments when RBAC authorization is enabled)
- Verify network restrictions
- Review key expiration policies
- Check certificate configuration
- Verify that soft delete (and purge protection) is enabled
- Audit key access patterns
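One way to implement the storage account and Key Vault checks above, as an added example that is not code from Azure, ScoutSuite or this skill: it reads the JSON shapes that `az storage account list -o json` and `az keyvault show -o json` return (constructed samples embedded, one weak and one hardened resource of each kind), emits findings in this page's output schema, then applies the `severityThreshold` input and tallies `findingsBySeverity`. The check IDs, severities, the 90-day key-rotation window and the fixed scan time are this example's own assumptions.

```python
"""Storage account and Key Vault posture checks for the azure-security-scanner skill.

Added example; not code from Azure, ScoutSuite or the skill itself. Consumes
records shaped like `az storage account list` and `az keyvault show` output.
"""
import json
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
KEY_MAX_AGE = timedelta(days=90)                       # assumed rotation policy
SCAN_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is deterministic

# Constructed samples: one weak and one hardened resource of each kind.
SAMPLE_STORAGE = json.loads("""[
  {"name": "prodlogs", "id": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/prodlogs",
   "allowBlobPublicAccess": true, "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0",
   "networkRuleSet": {"defaultAction": "Allow"},
   "keyCreationTime": {"key1": "2023-01-10T08:00:00.000000+00:00", "key2": "2023-01-10T08:00:00.000000+00:00"}},
  {"name": "hardened", "id": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/hardened",
   "allowBlobPublicAccess": false, "enableHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Deny"},
   "keyCreationTime": {"key1": "2024-05-01T00:00:00.000000+00:00", "key2": "2024-05-01T00:00:00.000000+00:00"}}
]""")
SAMPLE_VAULTS = json.loads("""[
  {"name": "kv-legacy", "id": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-legacy",
   "properties": {"enableSoftDelete": false, "enablePurgeProtection": null, "enableRbacAuthorization": false,
     "networkAcls": null,
     "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["all"], "secrets": ["get", "list"], "certificates": []}}]}},
  {"name": "kv-prod", "id": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod",
   "properties": {"enableSoftDelete": true, "enablePurgeProtection": true, "enableRbacAuthorization": true,
     "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}, "accessPolicies": []}}
]""")


def _finding(check_id, severity, service, resource_id, description, remediation):
    return {"checkId": check_id, "severity": severity, "service": service, "resourceId": resource_id,
            "description": description, "remediation": remediation, "complianceMapping": ["CIS"]}


def check_storage(acct, now=SCAN_TIME):
    out, rid = [], acct["id"]
    # null means "not set"; older accounts then behave as if anonymous access were allowed
    if acct.get("allowBlobPublicAccess") is not False:
        out.append(_finding("STG-PUBLIC-BLOB", "high", "Storage", rid, "Anonymous blob access is not disabled", "Set allowBlobPublicAccess=false"))
    if not acct.get("enableHttpsTrafficOnly"):
        out.append(_finding("STG-HTTPS", "high", "Storage", rid, "Secure transfer (HTTPS only) is not required", "Set enableHttpsTrafficOnly=true"))
    if acct.get("minimumTlsVersion") != "TLS1_2":
        out.append(_finding("STG-TLS", "medium", "Storage", rid, f"Minimum TLS version is {acct.get('minimumTlsVersion')}", "Set minimumTlsVersion=TLS1_2"))
    if (acct.get("networkRuleSet") or {}).get("defaultAction") == "Allow":
        out.append(_finding("STG-NET-OPEN", "medium", "Storage", rid, "Network rule set default action is Allow", "Set the default action to Deny and allow only required networks or private endpoints"))
    for key, created in (acct.get("keyCreationTime") or {}).items():
        if created and now - datetime.fromisoformat(created) > KEY_MAX_AGE:
            out.append(_finding("STG-KEY-ROTATION", "low", "Storage", rid, f"Access {key} was created {created[:10]}, older than {KEY_MAX_AGE.days} days", "Rotate the key, or disable shared-key access and use Azure AD authorization"))
    return out


def check_keyvault(kv):
    out, rid, props = [], kv["id"], kv.get("properties") or {}
    if not props.get("enableSoftDelete"):
        out.append(_finding("KV-SOFTDELETE", "high", "KeyVault", rid, "Soft delete is disabled", "Enable soft delete"))
    if not props.get("enablePurgeProtection"):
        out.append(_finding("KV-PURGE", "medium", "KeyVault", rid, "Purge protection is disabled", "Enable purge protection (irreversible once set)"))
    # networkAcls is null when no firewall rules were ever set, which means access from all networks
    if ((props.get("networkAcls") or {}).get("defaultAction") or "Allow") == "Allow":
        out.append(_finding("KV-NET-OPEN", "medium", "KeyVault", rid, "Vault accepts traffic from all networks", "Set the firewall default action to Deny and use private endpoints"))
    for policy in props.get("accessPolicies") or []:
        broad = sorted(kind for kind, perms in (policy.get("permissions") or {}).items()
                       if any(p.lower() in ("all", "purge") for p in perms or []))
        if broad:
            out.append(_finding("KV-BROAD-POLICY", "high", "KeyVault", rid, f"Access policy for {policy.get('objectId')} grants all/purge on {broad}", "Grant only the operations the principal needs, or migrate to RBAC authorization"))
    return out


def scan(storage_accounts, vaults, threshold="low", now=SCAN_TIME):
    """Run both check sets, keep findings at or above `threshold`, and tally them."""
    findings = [f for a in storage_accounts for f in check_storage(a, now)]
    findings += [f for v in vaults for f in check_keyvault(v)]
    kept = [f for f in findings if SEVERITY_RANK[f["severity"]] <= SEVERITY_RANK[threshold]]
    by_severity = {s: sum(1 for f in kept if f["severity"] == s) for s in SEVERITY_RANK}
    return {"findings": kept, "findingsBySeverity": by_severity}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_STORAGE, SAMPLE_VAULTS, threshold="medium"), indent=2))
```

Two details matter in practice: `allowBlobPublicAccess` and `networkAcls` are tested for "not explicitly hardened" rather than "explicitly weak", because a null value in the CLI output is the permissive default on older resources; and `keyCreationTime` is only populated for keys rotated after Azure started recording it, so a missing timestamp is not evidence of a recent rotation.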
### Activity Log Verification

- Verify Azure Activity Log configuration
- Check diagnostic settings on resources
- Review Log Analytics workspace security
- Verify Azure Monitor alert rules
- Check Azure Sentinel integration

### Azure Policy Compliance

- Evaluate built-in policy compliance
- Check custom policy assignments
- Review policy exemptions
- Verify initiative (policy set) assignments
- Generate compliance reports
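To turn raw policy states into the compliance report above, the following added example (not code from Azure Policy or this skill) consumes records shaped like `az policy state list -o json` output (constructed sample embedded) and builds a per-assignment summary for the `policyCompliance` object of this page's output schema. It assumes that exempt resources are left out of the percentage denominator and that a resource counts once per definition and assignment; both are this example's choices. It also separates out NonCompliant resources under `deny`-effect policies, since a deny effect only blocks new deployments and leaves pre-existing resources for manual remediation.

```python
"""Summarize Azure Policy compliance state for the azure-security-scanner skill.

Added example; not code from Azure Policy or the skill itself. Consumes
records shaped like `az policy state list -o json` output.
"""
import json
from collections import defaultdict

# Constructed sample of policy state records.
SAMPLE_STATES = json.loads("""[
  {"policyAssignmentName": "cis-baseline", "policyDefinitionName": "storage-https-only", "policyDefinitionAction": "deny",
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/prodlogs",
   "complianceState": "NonCompliant"},
  {"policyAssignmentName": "cis-baseline", "policyDefinitionName": "storage-https-only", "policyDefinitionAction": "deny",
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/hardened",
   "complianceState": "Compliant"},
  {"policyAssignmentName": "cis-baseline", "policyDefinitionName": "nsg-no-rdp-from-internet", "policyDefinitionAction": "audit",
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
   "complianceState": "NonCompliant"},
  {"policyAssignmentName": "cis-baseline", "policyDefinitionName": "nsg-no-rdp-from-internet", "policyDefinitionAction": "audit",
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg-lab/providers/Microsoft.Network/networkSecurityGroups/lab-nsg",
   "complianceState": "Exempt"},
  {"policyAssignmentName": "diag-settings", "policyDefinitionName": "keyvault-diagnostics", "policyDefinitionAction": "deployifnotexists",
   "resourceId": "/subscriptions/sub-1/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/kv-prod",
   "complianceState": "Compliant"}
]""")


def summarize_policy_states(states):
    """Group states by assignment; exempt resources are reported but excluded from the percentage (assumption)."""
    buckets = defaultdict(lambda: {"compliant": set(), "nonCompliant": set(), "exempt": set(),
                                   "byDefinition": defaultdict(int)})
    for s in states:
        b = buckets[s["policyAssignmentName"]]
        key = (s["policyDefinitionName"], s["resourceId"])  # one count per definition+resource
        state = s.get("complianceState", "Unknown")
        if state == "Compliant":
            b["compliant"].add(key)
        elif state == "NonCompliant":
            if key not in b["nonCompliant"]:
                b["byDefinition"][s["policyDefinitionName"]] += 1
            b["nonCompliant"].add(key)
        elif state == "Exempt":
            b["exempt"].add(key)
    report = {}
    for name, b in buckets.items():
        evaluated = len(b["compliant"]) + len(b["nonCompliant"])
        report[name] = {
            "compliant": len(b["compliant"]),
            "nonCompliant": len(b["nonCompliant"]),
            "exempt": len(b["exempt"]),
            "compliancePercentage": round(100.0 * len(b["compliant"]) / evaluated, 1) if evaluated else 100.0,
            "nonCompliantDefinitions": dict(sorted(b["byDefinition"].items(), key=lambda kv: -kv[1])),
        }
    return report


def pre_existing_deny_violations(states):
    """Deny only blocks new deployments: a NonCompliant resource under a deny policy
    predates the assignment (or was deployed around it) and must be fixed by hand."""
    return sorted({s["resourceId"] for s in states
                   if s.get("policyDefinitionAction", "").lower() == "deny"
                   and s.get("complianceState") == "NonCompliant"})


if __name__ == "__main__":
    print(json.dumps({"policyCompliance": summarize_policy_states(SAMPLE_STATES),
                      "denyBackfill": pre_existing_deny_violations(SAMPLE_STATES)}, indent=2))
```

Feed the real data in with `az policy state list --subscription <id> -o json`; for large tenants, pass `--filter "complianceState eq 'NonCompliant'"` to the CLI and count compliant resources separately rather than pulling every record.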
## Covered Azure Services

| Category | Services |
|---|---|
| Identity | Azure AD, PIM, Conditional Access |
| Compute | Virtual Machines, App Service, Functions, AKS |
| Storage | Storage Accounts, Blobs, Files |
| Database | SQL Database, Cosmos DB, PostgreSQL |
| Network | Virtual Networks, NSGs, Azure Firewall, WAF |
| Security | Defender, Key Vault, Sentinel |
| Monitoring | Monitor, Log Analytics, Application Insights |
## Integrations

- Microsoft Defender for Cloud: cloud security posture management (CSPM)
- Azure Policy: governance and compliance
- Azure AD (Microsoft Entra ID): identity security
- ScoutSuite: multi-cloud security auditing
- Azure Sentinel (Microsoft Sentinel): SIEM and SOAR

## Target Workflows

- Cloud security architecture review
- Compliance monitoring
- Azure subscription hardening
- Security posture assessment
## Input Schema

```json
{
  "type": "object",
  "properties": {
    "scanType": {
      "type": "string",
      "enum": ["full", "cis", "pci", "hipaa", "iso27001", "custom"],
      "description": "Type of security scan"
    },
    "subscriptions": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Azure subscription IDs to scan"
    },
    "resourceGroups": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific resource groups to scan"
    },
    "services": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific services to scan"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low"],
      "description": "Minimum severity to report"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "PCI-DSS", "HIPAA", "ISO27001", "SOC2", "NIST"]
      }
    },
    "includeAzureAD": {
      "type": "boolean",
      "description": "Include Azure AD security checks"
    }
  },
  "required": ["scanType"]
}
```
## Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "subscriptionsScanned": {
      "type": "array"
    },
    "secureScore": {
      "type": "object",
      "properties": {
        "current": { "type": "number" },
        "max": { "type": "number" },
        "percentage": { "type": "number" }
      }
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalChecks": { "type": "integer" },
        "passed": { "type": "integer" },
        "failed": { "type": "integer" },
        "warnings": { "type": "integer" }
      }
    },
    "findingsBySeverity": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "service": { "type": "string" },
          "resourceId": { "type": "string" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "azureAdFindings": {
      "type": "array"
    },
    "policyCompliance": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}
```
## Usage Example

```yaml
skill: {
  name: 'azure-security-scanner',
  context: {
    scanType: 'cis',
    subscriptions: ['subscription-id-1'],
    complianceFrameworks: ['CIS', 'SOC2'],
    includeAzureAD: true,
    severityThreshold: 'medium'
  }
}
```