This procedure is deprecated. Lacework recommends using the procedure in Azure Compliance & Activity Log Integrations - Run app.py Python Script.
To install Lacework for Azure Compliance, you must be a Lacework administrator and have access to an Azure Active Directory with Guest Account credentials.
This topic describes how to configure a Lacework Azure integration using Python scripts invoked from the run.sh script in a Linux Terminal window. You can download the Lacework integration scripts from the Lacework csp-integrations GitHub repository as described in more detail below.
To allow Lacework to audit your Microsoft Azure account, Lacework creates an app called LaceworkSAAudit that:
- is assigned the role of 'Reader' in all subscriptions to be assessed
- has access to the Active Directory Graph API, Key Vault API and Storage API
- has restricted access to Windows Azure Active Directory API
For more information about the permissions granted to Lacework, see Azure Compliance - Lacework Permissions.
Lacework requires access to Microsoft.KeyVault and Microsoft.Storage in each subscription to be audited. By default, neither is registered as a resource provider. If they are not already registered in the subscriptions you want audited, the script asks whether to register them as part of the integration. If you answer NO, you must complete the registrations manually.
Verify Requirements
Python
- Linux or Unix based OS, including macOS
- Python 2.7.10 or a later 2.7.x release
- Python libraries:
  - azure==4.0.0
  - azure-mgmt-storage==2.0.0
  - jsonschema==2.6.0
  - prettytable==0.7.2
The above versions have been tested. If using a different combination, the script may need to be edited.
Azure
- An Azure AD guest user with non-interactive login enabled (the default).
Important! The source of your Guest Account must not be 'Microsoft Account', because Microsoft accounts require interactive login. Your Guest Account may have a source of 'External Azure Active Directory'.
The guest user is not required for the integration itself, only for creating the App; it can be deleted or disabled after the App is built.
- The guest user must be assigned the Global administrator role in Azure Active Directory. For more information on administrator role permissions in Azure Active Directory, see: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
- The guest user must be assigned the Owner role in all subscriptions to be assessed. For more information on adding role assignments in Azure, see: https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
Download and Run the Scripts
Before running the script, complete the following steps:
- Open a command-line terminal.
- Change to the directory where you want to store the python files using the cd command.
To download the Python scripts using git, enter the command below. (If you do not have git installed, you can download the files using the Download ZIP option on the Lacework csp-integrations GitHub repository; if you install from a ZIP file, you must also unzip it.)
$ git clone https://github.com/lacework/csp-integrations.git
Change to the directory that contains the Azure run.sh shell script. The Azure integration scripts are available in the csp-integrations-master/azure-cfg-cli directory.
$ cd csp-integrations-master/azure-cfg-cli
Run the shell script as described below. The run.sh shell script invokes the integration python scripts.
The script can be run interactively or using a configuration file as input. Lacework recommends running the script interactively to provide a better understanding of the changes being made by Lacework. For more information, see Run the Script Interactively.
To run the script using a configuration file, skip ahead to Run with a Configuration File.
Run the Script Interactively
./run.sh --mode INTERACTIVE
Enter 'exit' and press Return at any input prompt to exit the script.
When launched, the script prompts for user credentials:
UserName:
Password:
In the UserName field, provide the email address of the guest user. In the Password field, enter the password of the guest user.
The script provides a list of tenant IDs where the App can be created. Tenant IDs are equivalent to Directory IDs in the Azure Active Directory portal. Select one.
Select Tenant No. from 1 - 2: <#>
The script provides a list of subscriptions. Specify the subscriptions to be assessed.
Please provide comma separated Subscription No. (eg. 1,3,4) or 'ALL' for all subscriptions:
If there are no subscriptions available, the script prompts if you want to continue. Enter NO and check that your guest user has the correct permissions.
If Microsoft.KeyVault and Microsoft.Storage are not registered across subscriptions, the script prompts if you want to register the providers as part of the script.
Do you Want to register the providers? (YES/NO)
After you make a choice, the script asks whether you want to continue:
Do You Want to continue? (YES/NO):
If you enter YES, the script creates LaceworkSAAudit. When complete, the script provides the three values that must be entered in the Lacework Console.
{
  "CLIENT_ID": "...",
  "CLIENT_SECRET": "...",
  "TENANT_ID": "..."
}
Run with a Configuration File
Before running the script with a configuration file, create a file called config.json in the client directory (client/config.json) with the following structure:
{
  "credentials": {
    "userName": "",
    "password": ""
  },
  "clientSecret": "",
  "updatePermissionsForExistingApp": true,
  "tenantId": "",
  "subscriptionList": [],
  "allSubscriptions": true,
  "registerProviders": false
}
Then run the script in configuration-file mode:
./run.sh --mode CONFIG_FILE
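As an added example (not code from the Lacework csp-integrations repository), here is a pre-flight check for client/config.json that validates the template above and flags the file when it is readable by other users, since it stores the guest user's password and the client secret in plain text. It assumes Python 3 on a POSIX file system; the rule that subscriptionList must be non-empty when allSubscriptions is false is an assumption about the script, not documented behaviour.

```python
# Added example (not Lacework's code): pre-flight check of client/config.json
# before "./run.sh --mode CONFIG_FILE", standard library only. The rule tying
# "allSubscriptions" to "subscriptionList" is assumed, not documented behaviour.
import json
import os
import stat
import tempfile

EXPECTED = {"credentials": dict, "clientSecret": str, "tenantId": str,
            "updatePermissionsForExistingApp": bool, "subscriptionList": list,
            "allSubscriptions": bool, "registerProviders": bool}

def validate_config(cfg):
    """Return a list of problems; empty means the template is filled in usably."""
    problems = []
    for key, typ in EXPECTED.items():
        if key not in cfg:
            problems.append("missing key: %s" % key)
        elif not isinstance(cfg[key], typ):
            problems.append("%s must be a %s" % (key, typ.__name__))
    creds = cfg.get("credentials") if isinstance(cfg.get("credentials"), dict) else {}
    for k in ("userName", "password"):          # the guest user's login
        if not creds.get(k):
            problems.append("credentials.%s is empty" % k)
    if not cfg.get("allSubscriptions") and not cfg.get("subscriptionList"):
        problems.append("allSubscriptions is false but subscriptionList is empty")
    return problems

def check_config_file(path):
    """Warn if others can read the file (plain-text secrets), then validate it."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is readable by others (mode %o); chmod 600 it" % (path, mode))
    with open(path) as fh:
        problems.extend(validate_config(json.load(fh)))
    return problems

# Constructed sample: the page's template filled with placeholder values.
SAMPLE = {"credentials": {"userName": "guest@example.com", "password": "placeholder"},
          "clientSecret": "placeholder", "updatePermissionsForExistingApp": True,
          "tenantId": "TENANT-ID-PLACEHOLDER", "subscriptionList": [],
          "allSubscriptions": True, "registerProviders": False}

def demo(mode=0o600):
    # Write SAMPLE to a temporary config.json with the given mode, then check it.
    path = os.path.join(tempfile.mkdtemp(), "config.json")
    with open(path, "w") as fh:
        json.dump(SAMPLE, fh)
    os.chmod(path, mode)
    return check_config_file(path)   # [] for 0o600; one warning for 0o644
```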
Complete the Integration
- Navigate to Settings > Cloud Accounts.
- Click + Create New.
- Select Azure > Azure Config.
- Enter a unique name for the integration.
- Copy the script output into the matching fields in the Lacework Console.
- Click Save.